Full Disclosure mailing list archives
RE: RE: Re: Bad news on RPC DCOM vulnerability
From: "Brett Moore" <brett.moore () security-assessment com>
Date: Tue, 14 Oct 2003 13:48:42 +1300
Yes the code does work against an unpatched system..

Code execution reaches

    77FCC992 mov dword ptr [edx],ecx
    77FCC994 mov dword ptr [eax+4],ecx

Where EDX is critical address and ECX is heap offset

It then reaches

    77FCC663 mov dword ptr [ecx],eax
    77FCC665 mov dword ptr [eax+4],ecx

Where ECX is heap offset and EAX is jump instruction..

This is what flashsky was referring to in his post about a universal way to exploit heap overflows..

It's not 100% reliable tho, as sometimes execution reaches the second code segment first, which will cause a crash.

We also saw execution reaching

    77D399FD call dword ptr [esi+8]

where ESI points into the overflow buffer, but also causes a crash..

After installing the MS03-039 patch, the exploit code had no effect on our test system...

Test system is Win2k English SP4+MS03-039..

It is possible however that other versions of Win2K are vulnerable to the denial of service that has been discussed...

Has anybody confirmed this with details of the vulnerable systems?

Brett

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com]On Behalf Of Alex
Sent: Monday, October 13, 2003 5:33 PM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] RE: Re: Bad news on RPC DCOM vulnerability
Importance: Low

This code doesn't work without shellcode.

The simple version of a "battle" shellcode can be found here: http://www.SecurityLab.ru/_exploits/bshell2 (add user 'a' with pass 'a' in administrator group)

You can change this shellcode as you need.

On a system with MS03-39 installed, this code only crashes systems, because the nature of the new vulnerability is not known.

See more: http://www.securitylab.ru/40757.html

----- Original Message -----
From: Mike Gordon
To: full-disclosure () lists netsys com
Sent: Monday, October 13, 2003 1:41 AM
Subject: [Full-disclosure] RE: Re: Bad news on RPC DCOM vulnerability

A compiled version is found at http://www.SecurityLab.ru/_exploits/rpc3.zip

But it seems to only crash systems.

Does anyone have a clean compile of the "better code" from http://www.cyberphreak.ch/sploitz/MS03-039.txt

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
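The two paired stores Brett quotes (a write through one pointer, then a write through the other pointer plus 4) are the unlink of a doubly-linked list entry, with both pointers read from the entry that was just overflowed. The C below is an added illustration that is not part of the thread or of any Windows code: it models that unlink and the pointer-validation check ("safe unlinking") that later heap managers added to reject an entry whose neighbours no longer point back at it. The `list_entry` type, the helper names and the constructed "target" object standing in for a corrupted entry are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Doubly-linked free-list entry in the LIST_ENTRY shape the quoted
 * disassembly walks: flink at offset 0, blink at offset 4 on 32-bit.
 * Constructed model for illustration only, not the Windows 2000 heap. */
typedef struct list_entry {
    struct list_entry *flink;
    struct list_entry *blink;
} list_entry;

/* Unchecked unlink: the two stores quoted in the message
 * (mov [edx],ecx / mov [eax+4],ecx). Each store goes through a pointer
 * read from the entry itself, so if an overflow replaced flink/blink,
 * both stores land wherever the replaced pointers say. */
static void unlink_unchecked(list_entry *e) {
    list_entry *f = e->flink;
    list_entry *b = e->blink;
    b->flink = f;
    f->blink = b;
}

/* Safe unlink: confirm both neighbours point back at this entry before
 * writing anything. Replaced links fail the check and no store happens. */
static bool unlink_safe(list_entry *e) {
    if (e->flink->blink != e || e->blink->flink != e)
        return false;   /* corrupted entry: refuse to unlink */
    unlink_unchecked(e);
    return true;
}

/* Build the circular list head <-> a <-> b <-> head. */
static void build_list(list_entry *head, list_entry *a, list_entry *b) {
    head->flink = a; a->blink = head;
    a->flink = b;    b->blink = a;
    b->flink = head; head->blink = b;
}

/* A well-formed entry is removed normally by the checked unlink. */
bool valid_entry_is_unlinked(void) {
    list_entry head, a, b;
    build_list(&head, &a, &b);
    if (!unlink_safe(&a)) return false;
    return head.flink == &b && b.blink == &head;
}

/* Simulated corruption: b's links now name a constructed target object
 * that does not point back. The unchecked path writes into it. */
bool unchecked_unlink_writes_through_bad_links(void) {
    list_entry head, a, b;
    build_list(&head, &a, &b);
    list_entry target = { NULL, NULL };   /* constructed stand-in */
    b.flink = &target;
    b.blink = &target;
    unlink_unchecked(&b);
    return target.flink == &target && target.blink == &target;
}

/* Same corruption, checked path: rejected, target left untouched. */
bool safe_unlink_rejects_bad_links(void) {
    list_entry head, a, b;
    build_list(&head, &a, &b);
    list_entry target = { NULL, NULL };   /* constructed stand-in */
    b.flink = &target;
    b.blink = &target;
    if (unlink_safe(&b)) return false;
    return target.flink == NULL && target.blink == NULL;
}

int main(void) {
    printf("valid entry unlinked:   %s\n", valid_entry_is_unlinked() ? "yes" : "no");
    printf("unchecked unlink wrote: %s\n", unchecked_unlink_writes_through_bad_links() ? "yes" : "no");
    printf("safe unlink rejected:   %s\n", safe_unlink_rejects_bad_links() ? "yes" : "no");
    return 0;
}
```

The check costs two loads and two compares per unlink and turns a silent pair of stores into a detectable failure, which is why it became a standard heap hardening; the same back-pointer test is also a cheap integrity probe a crash-dump analyst can run by hand over a suspect free list.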
Current thread:
- Re: Re: Bad news on RPC DCOM vulnerability, (continued)
- Re: Re: Bad news on RPC DCOM vulnerability Vladimir Parkhaev (Oct 10)
- Re: Re: Bad news on RPC DCOM vulnerability V.O. (Oct 10)
- Re: Re: Bad news on RPC DCOM vulnerability Irwan Hadi (Oct 10)
- RE: Re: Bad news on RPC DCOM vulnerability Matthew D. Lammers (Oct 10)
- Re: Re: Bad news on RPC DCOM vulnerability Vladimir Parkhaev (Oct 10)
- RE: Re: Bad news on RPC DCOM vulnerability Dimitri Limanovski (Oct 10)
- RE: Bad news on RPC DCOM vulnerability VigilantMinds Security Operations Center (Oct 10)
- RE: Re: Bad news on RPC DCOM vulnerability Mike Gordon (Oct 12)
- Re: RE: Re: Bad news on RPC DCOM vulnerability Paul Tinsley (Oct 12)
- RE: RE: Re: Bad news on RPC DCOM vulnerability Mike Gordon (Oct 12)
- Re: RE: Re: Bad news on RPC DCOM vulnerability Alex (Oct 12)
- RE: RE: Re: Bad news on RPC DCOM vulnerability Brett Moore (Oct 14)
- Re: RE: Re: Bad news on RPC DCOM vulnerability Paul Tinsley (Oct 12)
- RE: RE: Re: Bad news on RPC DCOM vulnerability Mike Gordon (Oct 12)
- Re: RE: Re: Bad news on RPC DCOM vulnerability webheadport80 (Oct 13)
- RE: RE: Re: Bad news on RPC DCOM vulnerability Schmehl, Paul L (Oct 13)
- RE: RE: Re: Bad news on RPC DCOM vulnerability Gordon, Mike (Oct 14)