Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: DCOM RPC exploit (dcom.c)

From: Robert Wesley McGrew <rwm8 () CSE MsState EDU>
Date: Mon, 28 Jul 2003 12:40:17 -0500 (CDT)

To answer my own question, I just noticed this on the metasploit site :

"Update: A return address has been identified for both Windows 2000 and
Windows XP that works independent of the service pack. This information
can be easily obtained by analyzing the DLL's that are loaded by the
svchost.exe process"

On Mon, 28 Jul 2003, Robert Wesley McGrew wrote:


2) For this DCOM RPC problem in particular, everyone's talking about
worms.  How would the worm know what return address to use?  Remote OS
fingerprinting would mean it would be relatively large, slow, and
unreliable (compared with Slammer), and sticking with one would cause more
machines to just crash than to spread the worm.  I haven't looked into
this very closely yet to see if it can be generalized.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: