Full Disclosure mailing list archives
Re: DCOM RPC exploit (dcom.c)
From: Valdis.Kletnieks () vt edu
Date: Mon, 28 Jul 2003 16:23:15 -0400
On Mon, 28 Jul 2003 12:10:56 CDT, Robert Wesley McGrew <rwm8 () CSE MsState EDU> said:
Any worm using this would need to know the return address before attempting to exploit If a worm were to stick to targetting one return address (say, English XP SP1), everytime it ran across something slightly different (SP0, german, win2k, etc) it would simply crash it and not spread. One of three things would happen in the case of this worm : 1) Sticks with one return address, makes a spectacular DoS against all other languages/versions/SPs. This could limit how quickly it spreads. 2) Somehow finds out ahead of time what the remote language/version/SP is. Could be very unreliable and slow. 3) There is some way of generalizing the return address in a way that would work on at least a large portion of installs. This is what would bring it into the league of Very Scary Worms.
4) For each target pick one of the known return addresses at random. Do something to "close the door" once you get it. Then eventually, each machine will get infected after several reboots... the best/worst of all worlds - a sustained DDoS *and* a hack. ;)
Attachment:
_bin
Description:
Current thread:
- Re: Re: DCOM RPC exploit (dcom.c), (continued)
- Re: Re: DCOM RPC exploit (dcom.c) Dan Stromberg (Jul 28)
- Re: DCOM RPC exploit (dcom.c) Curt Purdy (Jul 31)
- Re: Re: DCOM RPC exploit (dcom.c) Jennifer Bradley (Jul 27)
- Re: DCOM RPC exploit (dcom.c) dhtml (Jul 27)
- Re: DCOM RPC exploit (dcom.c) dhtml (Jul 27)
- Re: DCOM RPC exploit (dcom.c) CHeeKY (Jul 27)
- RE: DCOM RPC exploit (dcom.c) Schmehl, Paul L (Jul 28)
- RE: DCOM RPC exploit (dcom.c) Ron DuFresne (Jul 28)
- RE: DCOM RPC exploit (dcom.c) Robert Wesley McGrew (Jul 28)
- RE: DCOM RPC exploit (dcom.c) gml (Jul 28)
- Re: DCOM RPC exploit (dcom.c) Valdis . Kletnieks (Jul 28)
- RE: DCOM RPC exploit (dcom.c) Marc Maiffret (Jul 28)
- RE: DCOM RPC exploit (dcom.c) Schmehl, Paul L (Jul 28)
- RE: DCOM RPC exploit (dcom.c) Ron DuFresne (Jul 28)
- RE: DCOM RPC exploit (dcom.c) Admin GSecur (Jul 28)
- RE: DCOM RPC exploit (dcom.c) Nick FitzGerald (Jul 28)
- RE: DCOM RPC exploit (dcom.c) Thiago Campos (Jul 28)
- RE: DCOM RPC exploit (dcom.c) John . Airey (Jul 29)
- RE: DCOM RPC exploit (dcom.c) Nick FitzGerald (Jul 29)
- RE: DCOM RPC exploit (dcom.c) Schmehl, Paul L (Jul 29)
- Re: DCOM RPC exploit (dcom.c) Robert Banniza (Jul 29)