RE: RE: Re: Bad news on RPC DCOM vulnerability

["Gordon, Mike" <mike.gordon () lmco com>]

Brett:

Are you using the version of the code from the Russian Web Site?  I compiled
and tested it against XP.  Forces the machine to crash both patched and
unpatched.  (MS is aware of this).  None of the code ever added a user to
the device.  Did this happen on the 2K unpatched machine?  I've seen some
other versions of the code that don't seem to require the external bshell
file but incorporates the shell into the C code but I haven't really had
much time to investigate.





Yes the code does work against an unpatched system.. 
Code execution reaches 
77FCC992 mov dword ptr [edx],ecx 
77FCC994 mov dword ptr [eax+4],ecx 
Where EDX is critical address and ECX is heap offset 
It then reaches 
77FCC663 mov dword ptr [ecx],eax 
77FCC665 mov dword ptr [eax+4],ecx 
Where ECX is heap offset and EAX is jump instruction.. 
This is what flashsky was referring to in his post about a universal way 
to exploit heap overflows.. 
Its not 100% reliable tho, as sometimes execution reaches the second code 
segment first, which will cause a crash. 
We also saw execution reaching 
77D399FD call dword ptr [esi+8] 
where ESI points into the overflow buffer, but also causes a crash.. 
After installig the MS03-039 patch, the exploit code had no affect on our 
test system... 
Test system is Win2k English SP4+MS03-039.. 
It is possible however that other versions of Win2K are vulnerable to the 
denial of service that has been discussed... 
Has anybody confirmed this with details of the vulnerable systems? 
Brett 


Michael A. Gordon
Information Security Services
LM Aero - Fort Worth
817-935-1646
Mail Zone: 9381
 <<Gordon, Mike.vcf>>

Attachment: Gordon, Mike.vcf
Description: