Virus.Org IT Security News and Information Portal. We offer the latest IT security news, updates, product reviews, books, and articles for all you IT security professionals out there. Enter and get the best IT security information on the Internet.

 
. Welcome to the Virus.Org Mailing List Archive  
.
.


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


Re: RPC DCOM exploit
.

  • To: "Barry Fitzgerald" <[EMAIL PROTECTED]>
  • Subject: Re: RPC DCOM exploit
  • From: "morning_wood" <[EMAIL PROTECTED]>
  • Date: Fri, 1 Aug 2003 10:03:37 -0700
  • Cc: "Peter Fry" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
  • References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
.
 
thanks alot, i was not aware, however i did notice the "univ-offset"
version didnt reboot a box in testing last night.

donnie

----- Original Message ----- 
From: "Barry Fitzgerald" <[EMAIL PROTECTED]>
To: "morning_wood" <[EMAIL PROTECTED]>
Cc: "Peter Fry" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, August 01, 2003 9:51 AM
Subject: Re: RPC DCOM exploit


> As an FYI:
>
> I've recently been testing dcom.c for pen testing on my network and the
> Windows 2000 SP3 and SP4 boxes that I was able to penetrate did not
> reboot after exiting from the shell.  I was using  the dcom.c that  H D
> Moore released (Based on Flasksky's code) via a cygwin environment.
> Therefore, not having the system reboot, in my mind, is not a sign that
> an exploit did not take place.
>
> Now, there could be a matrix of different patch levels that could cause
> the system to reboot or not reboot.  Who knows why we're getting
> different results...
>
> Is anyone else on the list seeing that at least some of their target
> systems are not rebooting after executing this code?
>
>        -Barry
>
>
> morning_wood wrote:
>
> >could be...  but .. they are two seperate issues,
> >if the box rebooted its a sign it was rpc-dcom, if not.. proally just a
> >pop-up
> >
> >wood
> >
> >
> >----- Original Message ----- 
> >From: "Peter Fry" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>
> >Sent: Thursday, July 31, 2003 10:54 AM
> >Subject: RPC DCOM exploit
> >
> >
> >
> >
> >>We had what looks like an exploit for this vulnerability go around our
> >>office network and only one machine was (seriously) affected.  Somone
> >>managed to get the machine to start spamming random IPs with what
looked
> >>like the exploit, sending out about 700 RPC pings per second.  About
the
> >>same time, we had a NET SEND
> >>message pop up on our windows boxen advertizing www.freeautobot.com.
> >>Could this be a new tactic to propigate their spamulous message
prompts?
> >>
> >>Peter
> >>
> >>
> >>
> >>
>
>>-------------------------------------------------------------------------
> >>
> >>
> >--
> >
> >
>
>>-------------------------------------------------------------------------
> >>
> >>
> >---
> >
> >
> >>
> >>
> >
>
>--------------------------------------------------------------------------
-
>
>--------------------------------------------------------------------------
--
> >
> >
> >
> >
> >
>
>
>

---------------------------------------------------------------------------
----------------------------------------------------------------------------
 
.
.
 
Copyright (c) Virus.Org 1997-2006.
All Trademarks Acknowledged.
Please view our Terms and Conditions and our Privacy Policy.