RE: Exploit for Windows RPC may be in the wild!

From: Stuart (secmailat_private)
Date: Wed Jul 30 2003 - 19:03:45 PDT

Next message: Chris Shepherd: "Re: Scan of TCP 552-554"

Previous message: jchaserat_private: "Scans for 17300/tcp starting again"
In reply to: Christian Kieft: "Re: Exploit for Windows RPC may be in the wild!"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I also ran it on an XP machine (Pro) that was up to date except for
the latest patch for RPC and it worked perfect. Telnet to port 4444
and had a shell, then as soon as I typed "exit" the host shutdown and
rebooted.

Stu

- -----Original Message-----
From: Christian Kieft [mailto:christianat_private] 
Sent: 30 July 2003 17:16
To: Jeff Adams
Cc: incidentsat_private
Subject: Re: Exploit for Windows RPC may be in the wild!

On Tue, Jul 29, 2003 at 01:09:33PM -0400, Jeff Adams wrote:
> It seems as though the success rate on un-patched machines is
> not 100% On un-patched machines I was getting it to work maybe 60
> to 70% of the time. 

I tried a few XP machines (patched up-to-date except the patch for
this RPC
hole) and it didn't work perfectly - the daemon simply crashed and XP
rebooted.


chr

- ----------------------------------------------------------------------
- -----
- ----------------------------------------------------------------------
- ------


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQIVAwUBPyh5AZMRMj30dWmZAQL5oRAAgFqBWmrzRSWoR+g92qmS9UbbtnDnqGW5
yYwYBwjtwyKxHavqTO0FN8n0Jbjv2WQAmq4tFK/scqIa6RSW3kAz8wwkA6K6O7Lf
zYTdOHVvgIs9IoqlGNeIP+43fzvbnGefXyt2A4J5BIe3FKocCPfQlQhip5z0pPt9
aYkWx89HJKjDA5WSQMkxlPO1ODFvnftWPGzpvQhRC1c+22CqvDlptLN63npEjD72
LO+nRRMJ0MaR5OLvUYLNQRRGSP1Yyl4F2QqVsF+ubBABsTdRH9nfoGGonCPjI7so
DV5Jg0NX6s9WKSdQrNeLAR8NVj1PbqKqdQmWYGLMFRtn4i2xcWAWWvzGgOB5578k
4F0rt0DgOfXX+Jx957xS2aRBer/MeLd5YcfIkACHevT0mWgD9IX0CfZm931+82ye
lYQ78LzIcz+dP2wb5ZhGCH1s2fp3qQDJIr0Av17yeaIYIDQiuFonNzYyPgCNHHv2
Pprfk4OD2GMcXctJo8kzJ9diXET3o4SCnZ3D1NfhO97jk4X/6cm0PJwqS32cHJJz
FC/7YGjUAbEq9vjosv//7uJR+VfJ/3pcE04mt6zKkdfwMoOhx2qV48Z8n7vIQEeq
LddobUH83lh5rDyxVF+ZtslkfdRYpAwe+SIKda0GipYCBQV7JeEA0JJZjCAI2YPw
Qe7abVwBEL8=
=c7BI
-----END PGP SIGNATURE-----


---------------------------------------------------------------------------
----------------------------------------------------------------------------

Next message: Chris Shepherd: "Re: Scan of TCP 552-554"
Previous message: jchaserat_private: "Scans for 17300/tcp starting again"
In reply to: Christian Kieft: "Re: Exploit for Windows RPC may be in the wild!"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jul 31 2003 - 07:51:29 PDT