
Virus.Org Mailing List Archive



RE: DCOM RPC exploit (dcom.c)

  • To: "S G Masood" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
  • Subject: RE: DCOM RPC exploit (dcom.c)
  • From: "Marc Maiffret" <[EMAIL PROTECTED]>
  • Date: Mon, 28 Jul 2003 16:15:57 -0700
  • In-reply-to: <[EMAIL PROTECTED]>
 
We just updated the tool a few minutes ago and fixed some bugs that should
clear up any leftover inaccuracies. Also fixed a bug keeping NT 4.0
detection from working correctly. If you find any bugs please let us know.

RPC/DCOM Scanner 1.0.3
http://www.eeye.com/html/Research/Tools/RPCDCOM.html

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

| -----Original Message-----
| From: S G Masood [mailto:[EMAIL PROTECTED]
| Sent: Saturday, July 26, 2003 7:53 PM
| To: [EMAIL PROTECTED]
| Subject: Re: DCOM RPC exploit (dcom.c)
|
|
| Hello list,
|
|
| The Dcom.c compiles neatly on Cygwin with GCC 3.2 when
| the "#include <error.h>" line is removed.
|
| *Very* accurate. If the machine is vulnerable, the
| exploit will almost always succeed on the first
| attempt.
|
| I've successfully tested it on about 16 boxes and each
| one was rooted on the first try. Among these were
| Win2k with SP0, SP1, SP3 while two were WinXP (SP level
| not known). Before running the exploit, the machines
| were confirmed as vulnerable with the eEye tool (on a
| side note, while the eEye tool did recognise many
| vulnerable boxes, it failed to recognise some of them,
| though they were vulnerable).
|
| One glitch is that the exploitation is not very
| stealthy. All RPC/COM based functions stop working
| completely after exploitation and fail to heal until
| the machine is restarted. Many of these functions are
| quite visible and easily noticeable (drag & drop,
| clipboard, property sheets, etc., for example). This
| happens without exception.
|
| The exploit mostly times out when run against remote
| hosts.
|
| Hope we are all patched before Tim Mullen's
| "Mescaline" (http://securityfocus.com/columnists/174)
| becomes a reality.
|
| One last piece of advice - think twice before doing anything
| risky with the exploit. Though highly accurate, it is
| very noisy.
|
|
| Regards,
|
| S.G.Masood
|
| Hyderabad,
| India.
|


 