RE: DCOM RPC exploit (dcom.c)

["Thiago Campos" <th.campos () bol com br>]

You would kill the process. Sometimes the system will 
continue to run but not properly. Other times a reboot 
is necessary.

- Thiago Campos

> What if it just kept an internal list of return address
es and simply cycled
> through them each in a separate thread until it was abl
e to gain access to
> the machine?
>
> -----Original Message-----
> From: full-disclosure-admin () lists netsys com
> [mailto:full-disclosure-
admin () lists netsys com] On Behalf Of Robert Wesley
> McGrew
> Sent: Monday, July 28, 2003 1:11 PM
> To: full-disclosure () lists netsys com
> Subject: RE: [Full-
Disclosure] DCOM RPC exploit (dcom.c)
> On Mon, 28 Jul 2003, Schmehl, Paul L wrote:
>
> > > 2) For this DCOM RPC problem in particular, everyon
e's
> > > talking about worms.  How would the worm know what 
return
> > > address to use?  Remote OS fingerprinting would mea
n it would
> > > be relatively large, slow, and unreliable (compared
 with
> > > Slammer), and sticking with one would cause more ma
chines to
> > > just crash than to spread the worm.  I haven't look
ed into
> > > this very closely yet to see if it can be generaliz
ed.
> > What fingerprinting?  If you've got 135/UDP open to t
he Internet, you're
> > screwed.  Slammer didn't fingerprint.  It simply hit 
every box it could
> > find on port 1434/UDP, and the exploit either worked 
or it didn't.  Most
> > worms do the same.  They attack indiscriminately, and
 infect those Oses
> > that are susceptible.  And with Windows, that's enoug
h boxes to cause a
> > real problem.
>
> Thanks for responding.  I realize that having 135 open 
on any Windows
> machine makes you vulnerable, and that you wouldn't nee
d to differentiate
> Windows/OtherOSes.  My question is about different Wind
ows versions.  The
> version (NT/2000/XP), service pack, and language at lea
st have to be known
> to get the return address right.  If it's "guessed" wro
ng, the system goes
> down with no shell executed.
>
> Any worm using this would need to know the return addre
ss before
> attempting to exploit If a worm were to stick to target
ting one return
> address (say, English XP  SP1), everytime it ran across
 something slightly
> different (SP0, german, win2k, etc) it would simply cra
sh it and not
> spread.  One of three things would happen in the case o
f this worm :
> 1) Sticks with one return address, makes a spectacular 
DoS against all
> other languages/versions/SPs.  This could limit how qui
ckly it spreads.
> 2) Somehow finds out ahead of time what the remote lang
uage/version/SP is.
> Could be very unreliable and slow.
>
> 3) There is some way of generalizing the return address
 in a way that
> would work on at least a large portion of installs.  Th
is is what would
> bring it into the league of Very Scary Worms.
>
> Has anyone seen any indication in the private exploits 
or in their
> research that there's a way to get it to work reliably 
on systems without
> having to know version/SP/etc?
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-
charter.html
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-
charter.html
>

 
__________________________________________________________________________
Acabe com aquelas janelinhas que pulam na sua tela.
AntiPop-up UOL - É grátis!
http://antipopup.uol.com.br/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html