is it even possible for a worm with dcom vuln?

From: wirepair (wirepairat_private)
Date: Sun Jul 27 2003 - 10:09:12 PDT


    After the release of the few exploits which take advantage of the dcom / rpc vulnerability I began thinking to myself how this could possibly be turned into a worm. The exploits that have already been written use hard-coded offsets for the different sp's/os's, so this would not work for a worm template. Also it requires a few requests, so this would not be a very fast worm in theory. Also, after the service is exploited, the service fails. I could see a few issues with a 'universal offset' for a jmp esp/call esp or any other way to get the worm instructions to begin executing. The vast differences in operating systems could make the threat of this being a worm smaller in my mind. With the IIS worms (code red) they had it easy because the service would just restart itself, and it is only attacking one particular version with the same base addresses.

    So I guess what I'm asking is, is it even feasible to write a worm for this particular vulnerability? I would imagine the worm would need to be pretty advanced in finding the correct offsets prior to exploitation, without crashing svchost.exe. Now I am in no way downplaying the threat of this vulnerability and I find it to probably be the largest thing to ever hit windows. I just want to hear other people's thoughts on this subject. Or a worm could attack a single operating system/sp, but that wouldn't be nearly as damaging as a worm that could attack all versions of windows (nt4-win2k3) and sp's.

    Any thoughts?
    -wire



    This archive was generated by hypermail 2b30 : Mon Jul 28 2003 - 12:37:18 PDT