Vulnerability Development mailing list archives

Re: is it even possible for a worm with dcom vuln?


From: H D Moore <sflist () digitaloffense net>
Date: Mon, 28 Jul 2003 14:58:07 -0500

A highly-effective worm would not be difficult to write for the reasons 
below. Residential ISPs should start blocking 445 and 135 immediately. 
Corporate networks should block these ports in both directions at every 
major gateway as soon as possible. 

It would only take one compromised node to turn a corporation's internal 
network to mush. Coupled with an email or web-based delivery system, a 
DCOM worm could easily start spawning itself in the center of even the 
most security-conscious organizations. 

1) There *are* universal return addresses for both Win2K and WinXP. No, I am 
not going to post these anywhere; people can find them for themselves. 
The non-English versions may or may not work with these, I have not had 
the chance to test. 

2) You can determine whether a host is 2K or XP in a number of 
different ways. The easiest method is by looking at the Native LanMan 
version you receive when establishing an SMB session. I have heard that 
there are ways to identify a system through DCOM queries as well, but 
have no code in hand to prove it.

3) Since the easiest targets are Win2K and WinXP, simply scanning for 445, 
determining XP/2K, and exploiting 135 would be very simple to do. All 
systems with 445/tcp open are more than likely XP/2K. Any system with 
445/tcp open more than likely has 135 open as well. 

-HD

On Sunday 27 July 2003 12:09 pm, wirepair wrote:
I would imagine the worm would need to
be pretty advanced in finding the correct offsets prior to
exploitation, without crashing svchost.exe. Now I am in no way
downplaying the threat of this vulnerability and I find it to probably
be the largest thing to ever hit Windows. I just want to hear other
people's thoughts on this subject. Or a worm could attack a single
operating system/SP, but that wouldn't be nearly as damaging as a worm
that could attack all versions of Windows (NT4-Win2K3) and SPs.

Any thoughts?
-wire
