Full Disclosure mailing list archives

RE: EXPLOIT : RPC DCOM (MS03-039)

From: "Jerry Heidtke" <jheidtke () fmlh edu>
Date: Tue, 16 Sep 2003 21:04:50 -0500


The exploit at http://www.k-otik.com/exploits/09.16.MS03-039-exp.c.php is rather limited. It only creates a local 
administrator account named "e" with a password of "asd#321". But, it only works against Windows 2000 (English) with 
SP3 or SP4, if it works at all.

I've seen references to other exploits out there, along with some source and executables, including one that is much 
more capable. It allegedly works against all SP and language versions of both Windows 2000 and XP. It gives access to a 
command shell that has Local System rights, and might easily be modified to work as part of a universal worm package. 
Remember that Blaster and Welchia/Nachia both had to "guess" whether they were attacking W2K or XP. This new exploit 
works either way.

Here's a link to a screen shot of it:

http://haiyangtop.533.net/1.jpg

Rather than a sleeping bag, a one-way ticket to a nice uninhabited island sounds better.

Jerry

-----Original Message-----
From: pdt () jackhammer org [mailto:pdt () jackhammer org]
Sent: Tuesday, September 16, 2003 8:05 PM
To: full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] EXPLOIT : RPC DCOM (MS03-039)


Has anyone tested this exploit successfully?  I havn't been able to make
it work as of yet.  I tried the Target 0 type and have the exact DLL
versions referenced.  Just wondering if this is BS or there is some other
dependency on my test systems that isn't quite lining up.


Reguardless I think I am going to throw a sleeping bag in the back of the
car on the way to work tomorrow, I think there are some long days coming
up soon.

RPC DCOM long filename heap overflow Exploit (MS03-039)

http://www.k-otik.com/exploits/09.16.MS03-039-exp.c.php

blaster.b soon ?




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Confidentiality Notice: This e-mail message, including any attachments,
is for the sole use of the intended recipient(s) and may contain
confidential and privileged information.  Any unauthorized review, use,
disclosure or distribution is prohibited.  If you are not the intended
recipient, please contact the sender by reply e-mail and destroy all
copies of the original message.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

EXPLOIT : RPC DCOM (MS03-039) Elv1S (Sep 16)
- RE: EXPLOIT : RPC DCOM (MS03-039) Jason Coombs (Sep 16)
- <Possible follow-ups>
- RE: EXPLOIT : RPC DCOM (MS03-039) pdt (Sep 16)
  - Re: EXPLOIT : RPC DCOM (MS03-039) Florian Weimer (Sep 17)
- RE: EXPLOIT : RPC DCOM (MS03-039) Jerry Heidtke (Sep 16)
  - RE: EXPLOIT : RPC DCOM (MS03-039) Paul Tinsley (Sep 16)