lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
From: delacruzma at msn.com (Michael De La Cruz)
Subject: RPC DCOM footprints

Hello all,

     Just in case some other security professionals are looking at 
identifying if their boxes have been exploited, I've typed up some 
occurences after a successful DCOM exploit.

     - Windows XP SP 0 (haven't tried it on SP 1 yet)
       Generates a System Shutdown message after a disconnect.  The message 
indicates that Windows must now restart because the RPC service terminated 
unexpectedly.

     - Windows 2000 Professional all SP's
       A Service Control Manager error is reported on the Application Logs 
with a message ID of 7031 indicating that RPC terminated unexpectedly.  The 
W2K boxes I've tested this on didn't allow me to view the event logs after 
exploitation.  A few mmc.exe error messages also appeared.  A quick reboot 
appeared alleviate the event log viewing issue.

*Note* This is using the final universal DCOM exploit that was found on 
http://cyruxnet.com.ar/rpcxploit2.htm.  I've heard there is an exploit that 
does not crash the port though, so an error may not be generated with that 
exploit.

     I'll try to include any new effect I manage to gather from my tests.  
Did anyone else experience these types of behaviors?  Thanks.

Michael De La Cruz
Information Security Officer
delacruzma@....com

_________________________________________________________________
MSN 8 with e-mail virus protection service: 2 months FREE*  
http://join.msn.com/?page=features/virus


Powered by blists - more mailing lists