Virus.Org IT Security News and Information Portal. We offer the latest IT security news, updates, product reviews, books, and articles for all you IT security professionals out there. Enter and get the best IT security information on the Internet.

 
. Welcome to the Virus.Org Mailing List Archive  
.
.


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


RE: RPC DCOM exploit
.

  • To: 'Barry Fitzgerald' <[EMAIL PROTECTED]>, 'morning_wood' <[EMAIL PROTECTED]>
  • Subject: RE: RPC DCOM exploit
  • From: "Esler, Joel Contractor" <[EMAIL PROTECTED]>
  • Date: Fri, 1 Aug 2003 14:40:41 -0400
  • Cc: 'Peter Fry' <[EMAIL PROTECTED]>, "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
.
 
Win XP automatically reboots...

-----Original Message-----
From: Barry Fitzgerald [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 01, 2003 12:51 PM
To: morning_wood
Cc: Peter Fry; [EMAIL PROTECTED]
Subject: Re: RPC DCOM exploit


As an FYI:

I've recently been testing dcom.c for pen testing on my network and the 
Windows 2000 SP3 and SP4 boxes that I was able to penetrate did not 
reboot after exiting from the shell.  I was using  the dcom.c that  H D 
Moore released (Based on Flasksky's code) via a cygwin environment.  
Therefore, not having the system reboot, in my mind, is not a sign that 
an exploit did not take place.

Now, there could be a matrix of different patch levels that could cause 
the system to reboot or not reboot.  Who knows why we're getting 
different results...

Is anyone else on the list seeing that at least some of their target 
systems are not rebooting after executing this code?

       -Barry


morning_wood wrote:

>could be...  but .. they are two seperate issues,
>if the box rebooted its a sign it was rpc-dcom, if not.. proally just a 
>pop-up
>
>wood
>
>
>----- Original Message -----
>From: "Peter Fry" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Thursday, July 31, 2003 10:54 AM
>Subject: RPC DCOM exploit
>
>
>  
>
>>We had what looks like an exploit for this vulnerability go around our 
>>office network and only one machine was (seriously) affected.  Somone 
>>managed to get the machine to start spamming random IPs with what 
>>looked like the exploit, sending out about 700 RPC pings per second.  
>>About the same time, we had a NET SEND message pop up on our windows 
>>boxen advertizing www.freeautobot.com. Could this be a new tactic to 
>>propigate their spamulous message prompts?
>>
>>Peter
>>
>>
>>
>>
>>----------------------------------------------------------------------
>>---
>>    
>>
>--
>  
>
>>----------------------------------------------------------------------
>>---
>>    
>>
>---
>  
>
>>    
>>
>
>-----------------------------------------------------------------------
>----
>---------------------------------------------------------------------------
-
>
>
>
>  
>



---------------------------------------------------------------------------
----------------------------------------------------------------------------

---------------------------------------------------------------------------
----------------------------------------------------------------------------
 
.
.
 
Copyright (c) Virus.Org 1997-2006.
All Trademarks Acknowledged.
Please view our Terms and Conditions and our Privacy Policy.