RE: DCOM RPC exploit (dcom.c)

From: Marc Maiffret (marcat_private)
Date: Mon Jul 28 2003 - 16:15:57 PDT


    We just updated the tool a few minutes ago and fixed some bugs that should
    clear up any leftover inaccuracies. We also fixed a bug that kept NT 4.0
    detection from working correctly. If you find any bugs, please let us know.
    
    RPC/DCOM Scanner 1.0.3
    http://www.eeye.com/html/Research/Tools/RPCDCOM.html
    
    Signed,
    Marc Maiffret
    Chief Hacking Officer
    eEye Digital Security
    T.949.349.9062
    F.949.349.9538
    http://eEye.com/Retina - Network Security Scanner
    http://eEye.com/Iris - Network Traffic Analyzer
    http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
    
    | -----Original Message-----
    | From: S G Masood [mailto:sgmasoodat_private]
    | Sent: Saturday, July 26, 2003 7:53 PM
    | To: bugtraqat_private
    | Subject: Re: DCOM RPC exploit (dcom.c)
    |
    |
    | Hello list,
    |
    |
    | The Dcom.c compiles neatly on Cygwin with GCC 3.2 when
    | the "#include <error.h>" line is removed.
    |
    | *Very* accurate. If the machine is vulnerable, the
    | exploit will almost always succeed on the first
    | attempt.
    |
    | I've successfully tested it on about 16 boxes and each
    | one was rooted on the first try. Among these were
    | Win2k with SP0, SP1, SP3, while two were WinXP (SP level
    | not known). Before running the exploit, the machines
    | were confirmed as vulnerable with the eEye tool (on a
    | side note, while the eEye tool did recognise many
    | vulnerable boxes, it failed to recognise some of them,
    | though they were vulnerable).
    |
    | One glitch is that the exploitation is not very
    | stealthy. All RPC/COM based functions stop working
    | completely after exploitation and fail to heal until
    | the machine is restarted. Many of these functions are
    | quite visible and easily noticeable (drag & drop,
    | clipboard, property sheets, etc., for example). This
    | happens without exception.
    |
    | The exploit mostly times out when run against remote
    | hosts.
    |
    | Hope we are all patched before Tim Mullen's
    | "Mescaline" (http://securityfocus.com/columnists/174)
    | becomes a reality.
    |
    | One last piece of advice: think twice before doing anything
    | risky with the exploit. Though highly accurate, it is
    | very noisy.
    |
    |
    | Regards,
    |
    | S.G.Masood
    |
    | Hyderabad,
    | India.
    |
    |
    
    This archive was generated by hypermail 2b30 : Tue Jul 29 2003 - 12:32:20 PDT