Full Disclosure mailing list archives
RE: RE: RE: Re: Bad news on RPC DCOM vulnerabil ity
From: Michael Acker <Michael.Acker () PREMERA com>
Date: Tue, 14 Oct 2003 12:18:23 -0700
I Have been working with this exploit for several days in the test lab. I could not get the code to add a new user/passwd under an unpatched win2k server, but rather get a ""The instruction at 0x77fc9e82 referenced at memory"0x28030700". The memory could not be written." Did the same thing on a win2k server +SP2. RPC crashes and needs to be restarted. I do get this in the app. log: 10/6/2003 10:37:05 AM EventSystem Error Event System 4097 N/A TESTSERVER The COM+ Event System detected a bad return code during its internal processing. HRESULT was 800706BA from line 42 of .\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error. 10/6/2003 10:36:25 AM EventSystem Error Event System 4097 N/A TESTSERVER The COM+ Event System detected a bad return code during its internal processing. HRESULT was 800706BF from line 42 of .\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error. And the system log: 10/6/2003 10:21:53 AM Service Control Manager Error None 7031 N/A TESTSERVER The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: No action. 10/6/2003 10:20:06 AM Application Popup Information None 26 N/A TESTSERVER "Application popup: svchost.exe - Application Error : The instruction at ""0x77fc9e82"" referenced memory at ""0x28030700"". The memory could not be ""written"". -----Original Message----- From: Gordon, Mike [mailto:mike.gordon () lmco com] Sent: Tuesday, October 14, 2003 9:47 AM To: 'brett.moore () security-assessment com' Cc: 'full-disclosure () lists netsys com' Subject: [Full-disclosure] RE: RE: Re: Bad news on RPC DCOM vulnerability Brett: Are you using the version of the code from the Russian Web Site? I compiled and tested it against XP. Forces the machine to crash both patched and unpatched. (MS is aware of this). None of the code ever added a user to the device. Did this happen on the 2K unpatched machine? I've seen some other versions of the code that don't seem to require the external bshell file but incorporates the shell into the C code but I haven't really had much time to investigate. Yes the code does work against an unpatched system.. Code execution reaches 77FCC992 mov dword ptr [edx],ecx 77FCC994 mov dword ptr [eax+4],ecx Where EDX is critical address and ECX is heap offset It then reaches 77FCC663 mov dword ptr [ecx],eax 77FCC665 mov dword ptr [eax+4],ecx Where ECX is heap offset and EAX is jump instruction.. This is what flashsky was referring to in his post about a universal way to exploit heap overflows.. Its not 100% reliable tho, as sometimes execution reaches the second code segment first, which will cause a crash. We also saw execution reaching 77D399FD call dword ptr [esi+8] where ESI points into the overflow buffer, but also causes a crash.. After installig the MS03-039 patch, the exploit code had no affect on our test system... Test system is Win2k English SP4+MS03-039.. It is possible however that other versions of Win2K are vulnerable to the denial of service that has been discussed... Has anybody confirmed this with details of the vulnerable systems? Brett Michael A. Gordon Information Security Services LM Aero - Fort Worth 817-935-1646 Mail Zone: 9381 <<Gordon, Mike.vcf>> _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: RE: RE: Re: Bad news on RPC DCOM vulnerabil ity Michael Acker (Oct 14)