Welcome to the Virus.Org Mailing List Archive

Re: RPC DCOM exploit

  • To: morning_wood <[EMAIL PROTECTED]>
  • Subject: Re: RPC DCOM exploit
  • From: Barry Fitzgerald <[EMAIL PROTECTED]>
  • Date: Fri, 01 Aug 2003 12:51:21 -0400
  • Cc: Peter Fry <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
  • In-reply-to: <[EMAIL PROTECTED]>
  • References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
As an FYI:

I've recently been testing dcom.c for pen testing on my network and the Windows 2000 SP3 and SP4 boxes that I was able to penetrate did not reboot after exiting from the shell. I was using the dcom.c that H D Moore released (Based on Flasksky's code) via a cygwin environment. Therefore, not having the system reboot, in my mind, is not a sign that an exploit did not take place.

Now, there could be a matrix of different patch levels that could cause the system to reboot or not reboot. Who knows why we're getting different results...

Is anyone else on the list seeing that at least some of their target systems are not rebooting after executing this code?

      -Barry


morning_wood wrote:

could be...  but .. they are two separate issues,
if the box rebooted it's a sign it was rpc-dcom, if not.. probably just a
pop-up

wood


----- Original Message ----- From: "Peter Fry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 31, 2003 10:54 AM
Subject: RPC DCOM exploit


We had what looks like an exploit for this vulnerability go around our
office network and only one machine was (seriously) affected.  Someone
managed to get the machine to start spamming random IPs with what looked
like the exploit, sending out about 700 RPC pings per second.  About the
same time, we had a NET SEND message pop up on our Windows boxen
advertising www.freeautobot.com.
Could this be a new tactic to propagate their spamulous message prompts?

Peter




Copyright (c) Virus.Org 1997-2006.