RE: Exploit for Windows RPC may be in the wild!

From: Eric Appelboom (ericat_private)
Date: Mon Jul 28 2003 - 10:15:17 PDT

    Yeah, the exploit works way too well for my liking.
    The win32 binary didn't seem to work though.
    
    I usually found that one can try once to get the os\sp pair correct.
    If not, the machine carries on its merry way even if you get the os\sp
    pair correct.
    
    A nice indicator that a machine has been exploited is that after you
    quit from the shell it causes NTAuthority to panic and shut the machine
    down after 60 seconds.
    
    Some Snort sigs I came across; don't know how good they are.
    
    alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC invalid bind attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|00|"; distance:21; within:1; classtype:attempted-dos; sid:2190; rev:1;)

    alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC invalid bind attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|05|"; distance:2; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|00|"; distance:21; within:1; classtype:attempted-dos; sid:2191; rev:1;)
    
    On a side note to those in ISP scenarios, any thoughts about blocking
    NetBIOS inbound to POPs?
    
    Eric
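As an added illustration for this archive (not code from Eric's message, the Snort project, or any other list poster), here is the first rule's matching logic traced out as a Python check over constructed BIND PDUs. The DCERPC header layout used is the standard one; the reading that Snort's byte_test leaves the match pointer where it was (so distance:21 after the |0b| match lands on the n_context_elem byte at payload offset 24) is my assumption, and the sample PDUs are built inline rather than taken from captured traffic.

```python
import struct

# Byte positions the first rule (sid 2190) inspects, read off its
# content / distance / within chain.  Assumption: byte_test does not
# advance the match pointer, so "distance:21" after the |0b| match lands
# at payload offset 24, which is n_context_elem in a BIND body.
RPC_VERSION_OFFSET = 0   # content:"|05|"     -> rpc_vers == 5
PTYPE_OFFSET = 2         # content:"|0b|"     -> ptype 11 == BIND
PFC_FLAGS_OFFSET = 3     # byte_test:1,&,1    -> PFC_FIRST_FRAG set
N_CONTEXT_OFFSET = 24    # content:"|00|"     -> n_context_elem == 0


def looks_like_invalid_bind(payload: bytes) -> bool:
    """Return True if a TCP/135 payload would satisfy the sid 2190 checks.

    The "invalid" condition the rule keys on is a first-fragment BIND that
    carries zero presentation context elements.
    """
    if len(payload) <= N_CONTEXT_OFFSET:
        return False                      # too short to hold a BIND body
    if payload[RPC_VERSION_OFFSET] != 0x05:
        return False                      # not DCERPC v5
    if payload[PTYPE_OFFSET] != 0x0B:
        return False                      # not a BIND PDU
    if payload[PFC_FLAGS_OFFSET] & 0x01 == 0:
        return False                      # not the first fragment
    return payload[N_CONTEXT_OFFSET] == 0x00


def build_bind(n_context_elem: int, pfc_flags: int = 0x03) -> bytes:
    """Construct a minimal DCERPC BIND PDU (test data, not captured traffic).

    Layout: 16-byte common header, then max_xmit_frag, max_recv_frag,
    assoc_group_id, and n_context_elem (+3 bytes padding).  No context
    elements are actually appended; only the count byte matters here.
    """
    header = bytes([
        0x05, 0x00,              # rpc_vers, rpc_vers_minor
        0x0B,                    # ptype = BIND
        pfc_flags,               # 0x03 = PFC_FIRST_FRAG | PFC_LAST_FRAG
        0x10, 0x00, 0x00, 0x00,  # drep: little-endian integers, ASCII chars
    ])
    body = struct.pack("<HHI", 5840, 5840, 0)          # xmit, recv, assoc grp
    body += bytes([n_context_elem & 0xFF, 0, 0, 0])    # n_context_elem + pad
    header += struct.pack("<HHI", 16 + len(body), 0, 1)  # frag_len, auth_len, call_id
    return header + body


# Constructed samples: one that the rule should flag, and three that it
# should leave alone (normal bind, non-first fragment, truncated data).
SAMPLES = {
    "bind_zero_contexts": build_bind(0),
    "bind_one_context": build_bind(1),
    "bind_not_first_frag": build_bind(0, pfc_flags=0x02),
    "truncated": bytes([0x05, 0x00, 0x0B]),
}


def scan_samples() -> dict:
    """Apply the check to every constructed sample; name -> would-alert."""
    return {name: looks_like_invalid_bind(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{name}: {'ALERT' if hit else 'ok'}")
```

Run stand-alone it reports which constructed sample would trip the rule. The useful thing to take from tracing the offsets is that the signature is not matching on the exploit payload itself but on a BIND with a context count of zero, which ordinary RPC clients do not send; a hit on it is therefore a low-noise indicator that pairs well with the shutdown-after-60-seconds symptom Eric describes.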
    
    -----Original Message-----
    From: morning_wood [mailto:se_cur_ityat_private] 
    Sent: 27 July 2003 10:17 PM
    To: Compton, Rich; incidentsat_private
    
    It is in the wild and very, very effective; in random testing I'm finding
    80% of all XP/2k boxes affected...
    
    Donnie Werner
    http://exploitlabs.com
    
    ----- Original Message ----- 
    From: "Compton, Rich" <RComptonat_private>
    To: <incidentsat_private>
    Sent: Friday, July 25, 2003 12:45 PM
    Subject: Exploit for Windows RPC may be in the wild!
    
    
    > FYI,
    > ISPs are reporting a dramatic increase in traffic on TCP port 135.  No
    > exploit code has been captured as of yet but the increase in traffic on
    > this port probably indicates that exploit code is being executed!  Block
    > ports 135 through 139 and 445!
    >
    > More info:
    >
    > http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp
    >
    > -Rich Compton
    



    This archive was generated by hypermail 2b30 : Mon Jul 28 2003 - 12:32:08 PDT