In an almost completly irresponsable post (since i have not RTFS or even the fine manual) i would suggest sending an RPC request for PROC_NULL err NULLPROC ( 0 ) This takes no arguments and receives nothing but an error code in return.. errcode = client_call(....,NULLPROC,...) any meaningfull RPC errcode implies that there is something on the other end that understands RPC as opposed to some random listener. while this does not prove that it is the WND program it is probably a good enough test and pretty easy to develop too -i --- "Understanding. A cerebral secretion that enables one having it to know a house from a horse by the roof on the house, Its nature and laws have been exhaustively expounded by Locke, who rode a house, and Kant, who lived in a horse." - Ambrose Bierce Ivan Arce CTO CORE SECURITY TECHNOLOGIES 44 Wall Street - New York, NY 10005 Ph: (212) 461-2345 Fax: (212) 461-2346 http://www.corest.com PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A ----- Original Message ----- From: Bennett Todd <core.lists.exploit-dev@core-sdi.com> To: <vuln-devat_private> Sent: Tuesday, May 07, 2002 5:12 PM Subject: vxWorks WND checker? > Doing some routine auditing of a wireless net, I found that some of the access > points were listening on UDP port 17185. Turns out that makes sense, that's > the wndrpc port, for WindRiver Network Debugging --- it uses a private ONCRPC > protocol (according to docs turned up through google, on RPC program number > 55555555 version 1) to support remote debugging. This is a scary thing to find > left enabled in a shipped product. > > Does anybody have any idea how someone who doesn't own a copy of vxWorks could > test to find out for sure whether this port is really active, or whether the > IP stack is just failing to return an error for packets thrown at it despite > having WND disabled? > > NB: I don't need an exploit, or even a dos; a simple ping would be fine. Or > even enough details about the protocol to craft one. Seems I can't find any of > the fine details for the over-the-wire protocol, and the rpc header files are > part of the vxWorks product, not publicly available. > > -Bennett --- for a personal reply use: =?iso-8859-1?Q?Iv=E1n_Arce?= <ivan.arceat_private>
This archive was generated by hypermail 2b30 : Tue May 07 2002 - 19:50:49 PDT