Full Disclosure mailing list archives
RE: DCOM RPC exploit (dcom.c)
From: "Thiago Campos" <th.campos () bol com br>
Date: Mon, 28 Jul 2003 20:35:19 -0300
You would kill the process. Sometimes the system will continue to run but not properly. Other times a reboot is necessary. - Thiago Campos
What if it just kept an internal list of return address
es and simply cycled
through them each in a separate thread until it was abl
e to gain access to
the machine? -----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-
admin () lists netsys com] On Behalf Of Robert Wesley
McGrew Sent: Monday, July 28, 2003 1:11 PM To: full-disclosure () lists netsys com Subject: RE: [Full-
Disclosure] DCOM RPC exploit (dcom.c)
On Mon, 28 Jul 2003, Schmehl, Paul L wrote:2) For this DCOM RPC problem in particular, everyon
e's
talking about worms. How would the worm know what
return
address to use? Remote OS fingerprinting would mea
n it would
be relatively large, slow, and unreliable (compared
with
Slammer), and sticking with one would cause more ma
chines to
just crash than to spread the worm. I haven't look
ed into
this very closely yet to see if it can be generaliz
ed.
What fingerprinting? If you've got 135/UDP open to t
he Internet, you're
screwed. Slammer didn't fingerprint. It simply hit
every box it could
find on port 1434/UDP, and the exploit either worked
or it didn't. Most
worms do the same. They attack indiscriminately, and
infect those Oses
that are susceptible. And with Windows, that's enoug
h boxes to cause a
real problem.Thanks for responding. I realize that having 135 open
on any Windows
machine makes you vulnerable, and that you wouldn't nee
d to differentiate
Windows/OtherOSes. My question is about different Wind
ows versions. The
version (NT/2000/XP), service pack, and language at lea
st have to be known
to get the return address right. If it's "guessed" wro
ng, the system goes
down with no shell executed. Any worm using this would need to know the return addre
ss before
attempting to exploit If a worm were to stick to target
ting one return
address (say, English XP SP1), everytime it ran across
something slightly
different (SP0, german, win2k, etc) it would simply cra
sh it and not
spread. One of three things would happen in the case o
f this worm :
1) Sticks with one return address, makes a spectacular
DoS against all
other languages/versions/SPs. This could limit how qui
ckly it spreads.
2) Somehow finds out ahead of time what the remote lang
uage/version/SP is.
Could be very unreliable and slow. 3) There is some way of generalizing the return address
in a way that
would work on at least a large portion of installs. Th
is is what would
bring it into the league of Very Scary Worms. Has anyone seen any indication in the private exploits
or in their
research that there's a way to get it to work reliably
on systems without
having to know version/SP/etc? _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-
charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-
charter.html
__________________________________________________________________________ Acabe com aquelas janelinhas que pulam na sua tela. AntiPop-up UOL - É grátis! http://antipopup.uol.com.br/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: DCOM RPC exploit (dcom.c), (continued)
- RE: DCOM RPC exploit (dcom.c) Schmehl, Paul L (Jul 28)
- RE: DCOM RPC exploit (dcom.c) Ron DuFresne (Jul 28)
- RE: DCOM RPC exploit (dcom.c) Robert Wesley McGrew (Jul 28)
- RE: DCOM RPC exploit (dcom.c) gml (Jul 28)
- Re: DCOM RPC exploit (dcom.c) Valdis . Kletnieks (Jul 28)
- RE: DCOM RPC exploit (dcom.c) Marc Maiffret (Jul 28)
- RE: DCOM RPC exploit (dcom.c) Schmehl, Paul L (Jul 28)
- RE: DCOM RPC exploit (dcom.c) Ron DuFresne (Jul 28)
- RE: DCOM RPC exploit (dcom.c) Admin GSecur (Jul 28)
- RE: DCOM RPC exploit (dcom.c) Nick FitzGerald (Jul 28)
- RE: DCOM RPC exploit (dcom.c) Thiago Campos (Jul 28)
- RE: DCOM RPC exploit (dcom.c) John . Airey (Jul 29)
- RE: DCOM RPC exploit (dcom.c) Nick FitzGerald (Jul 29)
- RE: DCOM RPC exploit (dcom.c) Schmehl, Paul L (Jul 29)
- Re: DCOM RPC exploit (dcom.c) Robert Banniza (Jul 29)
- Re: DCOM RPC exploit (dcom.c) Preston Newton (Jul 30)
- RE: DCOM RPC exploit (dcom.c) Ron DuFresne (Jul 29)
- Re: DCOM RPC exploit (dcom.c) Robert Banniza (Jul 29)
- RE: DCOM RPC exploit (dcom.c) Schmehl, Paul L (Jul 29)
- Re: DCOM RPC exploit (dcom.c) Kain (Jul 29)
- RE: DCOM RPC exploit (dcom.c) Myers, Marvin (Jul 29)
- RE: DCOM RPC exploit (dcom.c) Schmehl, Paul L (Jul 29)
(Thread continues...)
- RE: DCOM RPC exploit (dcom.c) Schmehl, Paul L (Jul 28)