We are aware of a new 0-day exploit that was posted on Milw0rm today.

According the exploit, it was suppose to work on both IIS 5.0 and 6.0, on the FTP module.

Also according it, it affects IIS 6.0 with stack cookie protection.

The latest on this is that HDMoore is porting it to the MetaSploit framework.

We will update this diary with more info as we get it.

UPDATE4: Microsoft released its advisory on IIS vulnerability and 0day. Seems that IIS 5.0, 5.1 and 6.0 are affected, running on WIndows 2000, XP and 2003. Read more here:  http://www.microsoft.com/technet/security/advisory/975191.mspx

UPDATE3: SourceFire Blog about it

UPDATE2: US-CERT released an advisory on it: https://www.kb.cert.org/vuls/id/276653

UPDATE: Emerging Threats have released a signature for the milw0rm IIS-FTP
exploit. It's available in the signature tarballs and a history is available in CVS:
http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP
Wiki: http://doc.emergingthreats.net/bin/view/Main/2009828

---------------------------------------------------------------

Handler on Duty: Pedro Bueno (pbueno /%%/ isc. sans. org)

Twitter: http://twitter.com/besecure