Message-ID: <MKEAIJIPCGAHEFEJGDOCAEADLEAA.marc@eeye.com>
Date: Mon, 28 Jul 2003 16:15:57 -0700
From: "Marc Maiffret" <marc@...e.com>
To: "S G Masood" <sgmasood@...oo.com>, <bugtraq@...urityfocus.com>
Subject: RE: DCOM RPC exploit (dcom.c)


We just updated the tool a few minutes ago and fixed some bugs that should
clear up any leftover inaccuracies. We also fixed a bug that kept NT 4.0
detection from working correctly. If you find any bugs, please let us know.

RPC/DCOM Scanner 1.0.3
http://www.eeye.com/html/Research/Tools/RPCDCOM.html

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

| -----Original Message-----
| From: S G Masood [mailto:sgmasood@...oo.com]
| Sent: Saturday, July 26, 2003 7:53 PM
| To: bugtraq@...urityfocus.com
| Subject: Re: DCOM RPC exploit (dcom.c)
|
|
| Hello list,
|
|
| The Dcom.c compiles neatly on Cygwin with GCC 3.2 when
| the "#include <error.h>" line is removed.
|
| *Very* accurate. If the machine is vulnerable, the
| exploit will almost always succeed on the first
| attempt.
|
| I've successfully tested it on about 16 boxes and each
| one was rooted on the first try. Among these were
| Win2k with SP0, SP1, SP3 while two were WinXP(SP level
| not known). Before running the exploit, the machines
| were confirmed as vulnerable with the eEye tool (on a
| side note, while the eEye tool did recognise many
| vulnerable boxes, it failed to recognise some of them,
| even though they were vulnerable).
|
| One glitch is that the exploitation is not very
| stealthy. All RPC/COM-based functions stop working
| completely after exploitation and fail to heal until
| the machine is restarted. Many of these functions are
| quite visible and easily noticeable (drag & drop,
| clipboard, property sheets, etc., for example). This
| happens without exception.
|
| The exploit mostly times out when run against remote
| hosts.
|
| Hope we are all patched before Tim Mullen's
| "Mescaline" (http://securityfocus.com/columnists/174)
| becomes a reality.
|
| One last piece of advice: think twice before doing anything
| risky with the exploit. Though highly accurate, it is
| very noisy.
|
|
| Regards,
|
| S.G.Masood
|
| Hyderabad,
| India.
|
|
