Bugtraq mailing list archives

Re: DCOM attack against NT using VB6


From: Matt_Hargett () NAI COM (Hargett, Matt)
Date: Tue, 24 Aug 1999 11:59:45 -0700


Forwarding the follow-up from NTBUGTRAQ.

-----Original Message-----
From: Rob Lempke [mailto:rlempke () ADNET2000 COM]
Sent: Monday, August 23, 1999 6:13 AM
To: NTBUGTRAQ () LISTSERV NTBUGTRAQ COM
Subject: Re: DCOM attack against NT using VB6

Sorry for the late response, but I was on vacation from August 14 - 22. I
received about 75 e-mails on this post, so if you want to post this reply to
the mailing list that would be great. Long story short, the target (DCOM
or server), which must be running the DCOM object (exe, not dll's or ocx's),
must be Windows NT, sp3 or sp4, with the rpc service running and no TCP
filters running. The client can be any win32 platform with DCOM installed.
(DCOM comes with NT/98 but not 95).
        The bug is that before service pack 5 (at least here) the Everyone
group has DEFAULT ACCESS and LAUNCH permissions.

        DCOM attack against NT using VB6 FAQ:
Q: Did you use a user that had permissions on target? Are you in the same
domain?

A: The target and I are on the same domain, both as Users (with default user
permissions, i.e. not ADMIN). I am an Everyone/Authenticated user from the
target's point of view. I can see his/her shares.

Q: What were the Default DCOM permissions set to on the target?
Access:
        Interactive-Allow Access
        (This Machine)\Administrator-Allow Access
        System-Allow Access
        Everyone-Allow Access
Launch:
        Interactive-Allow Launch
        (This Machine)\Administrator- Allow Launch
        System-Allow Launch
        Everyone- Allow Launch
Configuration:
        Interactive
        (This Machine)\Administrator-full
        System-full
        Creator Owner -special
        Everyone-read

Q: What versions of VB and Excel were used?
A: I am using VB6, a must to get the CreateObject with the system parameter.
It works with both Word and Excel ver 97 and 2000.

Q: What apps use the Default permissions?
A: Any that do not provide their own, which seems to be most. This includes
Office.

Q: Can I do this with an ActiveX control?
A: No, DCOM objects are ActiveX exe's. This does not work with ActiveX
dll components in MTS.

Q: Does this work with Service Pack 5? Why not?
A: No, because the Everyone group is removed from the default Access(allow)
and Launch(allow) permissions groups in DCOMCNFG.

Q: Did you modify the access or launch permissions on the target? Were you
logged in to the target machine? Did you have an account on that machine?
A: No, No and No.

-----Original Message-----
From: Windows NT BugTraq Mailing List
[mailto:NTBUGTRAQ () LISTSERV NTBUGTRAQ COM]On Behalf Of Rob Lempke
Sent: Wednesday, August 11, 1999 3:27 PM
To: NTBUGTRAQ () LISTSERV NTBUGTRAQ COM
Subject: DCOM attack against NT using VB6

Using the code below I was able to create 20 instances of Excel on my
co-workers' machines without modifying their machines at all.  The target
must be Windows NT Workstation/Server running sp3 or sp4. sp5 seems to
prevent the attack.

Private Sub Command1_Click()
    Dim xlObj As Object
    Dim xlCollection As New Collection
    Dim i As Long
    For i = 1 To 20
        Set xlObj = CreateObject("Excel.Application", "\\NTBox")
        xlCollection.Add xlObj
    Next i

    i = 1
    'clean up
    While xlCollection.Count > 0
        xlCollection.Remove (xlCollection.Count)
    Wend
    Set xlCollection = Nothing
End Sub

-Robert E. Lempke
--------------------------------------------
Steven Wright one Liners:
"Black holes are where God divided by zero."
"Quantum Mechanics:  The dreams stuff is made of."
"Early bird gets the worm, but the second mouse gets the cheese."
"If everything seems to be going well, you have obviously overlooked
something."
"Join the Army, meet interesting people, kill them."
"Success always occurs in private, and failure in full view."
"Ambition is a poor excuse for not having enough sense to be lazy."
"Hard work pays off in the future.  Laziness pays off now."
"Everyone has a photographic memory.  Some don't have film."
"Drink until she's cute, but stop before the wedding."
--------------------------------------------
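
A defensive check for the condition described in the thread (Everyone holding the default DCOM Access and Launch permissions), added here as an example and not code from the original posts. It assumes the machine-wide defaults are available as binary self-relative security descriptors, as Windows stores them in the DefaultAccessPermission and DefaultLaunchPermission values under HKLM\SOFTWARE\Microsoft\Ole; the descriptors used below are constructed samples, and all function names are hypothetical.

```python
import struct

EVERYONE, SYSTEM, INTERACTIVE = "S-1-1-0", "S-1-5-18", "S-1-5-4"
NAMES = ("DefaultAccessPermission", "DefaultLaunchPermission")  # assumed value names

def parse_sid(buf, off):
    """Decode the binary SID at buf[off:] into its S-1-... string form."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(["S", str(rev), str(authority)] + [str(s) for s in subs])

def allow_aces(sd):
    """Yield (sid, mask) for every access-allowed ACE in the descriptor's DACL."""
    dacl = struct.unpack_from("<BBHIIII", sd, 0)[6]   # offset of the DACL
    if dacl == 0:
        return                                        # no DACL stored
    ace_count = struct.unpack_from("<BBHHH", sd, dacl)[3]
    off = dacl + 8                                    # skip the 8-byte ACL header
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_size < 8:
            raise ValueError("corrupt ACE at offset %d" % off)
        if ace_type == 0:                             # ACCESS_ALLOWED_ACE_TYPE
            mask = struct.unpack_from("<I", sd, off + 4)[0]
            yield parse_sid(sd, off + 8), mask
        off += ace_size

def audit(defaults):
    """Names of the default-permission descriptors that grant Everyone an allow ACE."""
    return sorted(name for name, sd in defaults.items()
                  if any(sid == EVERYONE for sid, _ in allow_aces(sd)))

def build_sd(sids, mask=1):
    """Constructed sample input: DACL allowing each SID (mask 1 = COM_RIGHTS_EXECUTE)."""
    aces = b""
    for sid in sids:
        rev, auth, *subs = (int(p) for p in sid.split("-")[1:])
        raw = (bytes([rev, len(subs)]) + auth.to_bytes(6, "big")
               + struct.pack("<%dI" % len(subs), *subs))
        aces += struct.pack("<BBHI", 0, 0, 8 + len(raw), mask) + raw
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(sids), 0) + aces
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + acl

# Constructed descriptors mirroring the two states described in the thread.
WITH_EVERYONE = {n: build_sd([INTERACTIVE, SYSTEM, EVERYONE]) for n in NAMES}
WITHOUT_EVERYONE = {n: build_sd([INTERACTIVE, SYSTEM]) for n in NAMES}

if __name__ == "__main__":
    print(audit(WITH_EVERYONE), audit(WITHOUT_EVERYONE))
```

On a live host the two byte strings would be read from the registry instead of built with build_sd; a descriptor with no DACL yields no ACEs here and should be reviewed by hand.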

