Re: RPC DCOM exploit

From: Jan Soubusta (jacekat_private)
Date: Sat Aug 02 2003 - 06:54:22 PDT


    Hi all,
    I tested about 50 boxes in our college network, mostly W2K SP4 and XP SP1.
    Almost all of them gave me a shell; a few cases only took down the service on
    port 135.
    
                                Jacek
    > I've recently been testing dcom.c for pen testing on my network, and
    > the Windows 2000 SP3 and SP4 boxes that I was able to penetrate did
    > not reboot after exiting from the shell. I was using the dcom.c
    > that H D Moore released (based on FlashSky's code) via a Cygwin
    > environment. Therefore, not having the system reboot, in my mind, is
    > not a sign that an exploit did not take place.
    >
    > Now, there could be a matrix of different patch levels that could
    > cause the system to reboot or not reboot. Who knows why we're getting
    > different results...
    >
    > Is anyone else on the list seeing that at least some of their target 
    > systems are not rebooting after executing this code?
    >
    >       -Barry
    >
    This archive was generated by hypermail 2b30 : Sat Aug 02 2003 - 10:38:53 PDT