Re: RPC DCOM exploit

From: morning_wood (se_cur_ityat_private)
Date: Fri Aug 01 2003 - 10:03:37 PDT


    thanks a lot, I was not aware, however I did notice the "univ-offset"
    version didn't reboot a box in testing last night.
    
    donnie
    
    ----- Original Message ----- 
    From: "Barry Fitzgerald" <bkfsecat_private>
    To: "morning_wood" <se_cur_ityat_private>
    Cc: "Peter Fry" <pafat_private>; <incidentsat_private>
    Sent: Friday, August 01, 2003 9:51 AM
    Subject: Re: RPC DCOM exploit
    
    
    > As an FYI:
    >
    > I've recently been testing dcom.c for pen testing on my network and the
    > Windows 2000 SP3 and SP4 boxes that I was able to penetrate did not
    > reboot after exiting from the shell.  I was using the dcom.c that H D
    > Moore released (based on Flashsky's code) via a cygwin environment.
    > Therefore, not having the system reboot, in my mind, is not a sign that
    > an exploit did not take place.
    >
    > Now, there could be a matrix of different patch levels that could cause
    > the system to reboot or not reboot.  Who knows why we're getting
    > different results...
    >
    > Is anyone else on the list seeing that at least some of their target
    > systems are not rebooting after executing this code?
    >
    >        -Barry
    >
    >
    > morning_wood wrote:
    >
    > >could be... but... they are two separate issues,
    > >if the box rebooted it's a sign it was rpc-dcom, if not... probably just a
    > >pop-up
    > >
    > >wood
    > >
    > >
    > >----- Original Message ----- 
    > >From: "Peter Fry" <pafat_private>
    > >To: <incidentsat_private>
    > >Sent: Thursday, July 31, 2003 10:54 AM
    > >Subject: RPC DCOM exploit
    > >
    > >
    > >
    > >
    > >>We had what looks like an exploit for this vulnerability go around our
    > >>office network and only one machine was (seriously) affected.  Someone
    > >>managed to get the machine to start spamming random IPs with what looked
    > >>like the exploit, sending out about 700 RPC pings per second.  About the
    > >>same time, we had a NET SEND
    > >>message pop up on our Windows boxen advertising www.freeautobot.com.
    > >>Could this be a new tactic to propagate their spamulous message prompts?
    > >>
    > >>Peter
    



    This archive was generated by hypermail 2b30 : Fri Aug 01 2003 - 11:01:57 PDT