Re: RPC DCOM exploit

From: Barry Fitzgerald (bkfsecat_private)
Date: Fri Aug 01 2003 - 09:51:21 PDT


    As an FYI:
    
    I've recently been testing dcom.c for pen testing on my network and the 
    Windows 2000 SP3 and SP4 boxes that I was able to penetrate did not 
    reboot after exiting from the shell.  I was using the dcom.c that H D 
    Moore released (based on FlashSky's code) via a cygwin environment.  
    Therefore, not having the system reboot, in my mind, is not a sign that 
    an exploit did not take place.
    
    Now, there could be a matrix of different patch levels that could cause 
    the system to reboot or not reboot.  Who knows why we're getting 
    different results...
    
    Is anyone else on the list seeing that at least some of their target 
    systems are not rebooting after executing this code?
    
           -Barry
    
    
    morning_wood wrote:
    
    >could be...  but .. they are two separate issues,
    >if the box rebooted it's a sign it was rpc-dcom, if not.. probably just a
    >pop-up
    >
    >wood
    >
    >
    >----- Original Message ----- 
    >From: "Peter Fry" <pafat_private>
    >To: <incidentsat_private>
    >Sent: Thursday, July 31, 2003 10:54 AM
    >Subject: RPC DCOM exploit
    >
    >
    >  
    >
    >>We had what looks like an exploit for this vulnerability go around our
    >>office network and only one machine was (seriously) affected.  Someone
    >>managed to get the machine to start spamming random IPs with what looked
    >>like the exploit, sending out about 700 RPC pings per second.  About the
    >>same time, we had a NET SEND
    >>message pop up on our Windows boxen advertising www.freeautobot.com.
    >>Could this be a new tactic to propagate their spamulous message prompts?
    >>
    >>Peter



    This archive was generated by hypermail 2b30 : Fri Aug 01 2003 - 10:57:15 PDT