| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu) Subject: DCOM RPC exploit (dcom.c) On Mon, 28 Jul 2003 12:10:56 CDT, Robert Wesley McGrew <rwm8@....MsState.EDU> said: > Any worm using this would need to know the return address before > attempting to exploit If a worm were to stick to targetting one return > address (say, English XP SP1), everytime it ran across something slightly > different (SP0, german, win2k, etc) it would simply crash it and not > spread. One of three things would happen in the case of this worm : > > 1) Sticks with one return address, makes a spectacular DoS against all > other languages/versions/SPs. This could limit how quickly it spreads. > > 2) Somehow finds out ahead of time what the remote language/version/SP is. > Could be very unreliable and slow. > > 3) There is some way of generalizing the return address in a way that > would work on at least a large portion of installs. This is what would > bring it into the league of Very Scary Worms. 4) For each target pick one of the known return addresses at random. Do something to "close the door" once you get it. Then eventually, each machine will get infected after several reboots... the best/worst of all worlds - a sustained DDoS *and* a hack. ;) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 226 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030728/3183b127/attachment.bin
Powered by blists - more mailing lists