thanks a lot, i was not aware, however i did notice the "univ-offset" version didn't reboot a box in testing last night.

donnie

----- Original Message -----
From: "Barry Fitzgerald" <bkfsecat_private>
To: "morning_wood" <se_cur_ityat_private>
Cc: "Peter Fry" <pafat_private>; <incidentsat_private>
Sent: Friday, August 01, 2003 9:51 AM
Subject: Re: RPC DCOM exploit

> As an FYI:
>
> I've recently been testing dcom.c for pen testing on my network and the
> Windows 2000 SP3 and SP4 boxes that I was able to penetrate did not
> reboot after exiting from the shell. I was using the dcom.c that H D
> Moore released (Based on Flasksky's code) via a cygwin environment.
> Therefore, not having the system reboot, in my mind, is not a sign that
> an exploit did not take place.
>
> Now, there could be a matrix of different patch levels that could cause
> the system to reboot or not reboot. Who knows why we're getting
> different results...
>
> Is anyone else on the list seeing that at least some of their target
> systems are not rebooting after executing this code?
>
> -Barry
>
> morning_wood wrote:
>
> >could be... but .. they are two separate issues,
> >if the box rebooted it's a sign it was rpc-dcom, if not.. probably just a
> >pop-up
> >
> >wood
> >
> >----- Original Message -----
> >From: "Peter Fry" <pafat_private>
> >To: <incidentsat_private>
> >Sent: Thursday, July 31, 2003 10:54 AM
> >Subject: RPC DCOM exploit
> >
> >>We had what looks like an exploit for this vulnerability go around our
> >>office network and only one machine was (seriously) affected. Someone
> >>managed to get the machine to start spamming random IPs with what looked
> >>like the exploit, sending out about 700 RPC pings per second. About the
> >>same time, we had a NET SEND
> >>message pop up on our windows boxen advertising www.freeautobot.com.
> >>Could this be a new tactic to propagate their spamulous message prompts?
> >>
> >>Peter

This archive was generated by hypermail 2b30 : Fri Aug 01 2003 - 11:01:57 PDT