Message-ID: <3F254FBF.1060106@edelweb.fr>
From: ruff.lists at edelweb.fr (Nicolas RUFF (lists))
Subject: DCOM Exploit : FAQ
Hi,
Since many people seem to have the same problems again and again, I
think it is time to write a little FAQ about the "dcom.c" exploit ...
1/ How do I find the right return address for my system ?
- Get the right KERNEL32.DLL file (you can find it directly in the SP file).
- Open it in your favorite disassembler (IDA, WDASM, ...).
- Look for the following byte sequence : "FF D3" (call ebx).
- Note the corresponding address (should look like 0x7???????, otherwise
your disassembler is not smart enough to add the section base address to
relative addresses).
2/ Why is it so difficult to make the thing work ?
Apart from the return address, there is another hardcoded value in the
provided exploit : the thread data block. This memory location must be
writable, otherwise the exploit will fail (see 5) with an "access
violation" error before reaching the shellcode.
3/ Could it work with Windows NT4 ?
I think the exploit is not directly usable with Windows NT4, because
there is a major change between Windows NT4 and Windows 2000+ :
- Windows NT4 RPC Service is "RPCSS.EXE"
- Windows 2000+ RPC Service is "SVCHOST.EXE RPCSS.DLL"
Chances are that such a change will affect the exploit portability. The
thread data block can have changed location too.
4/ Could it work with Windows 2003 ?
I ran a few tests and it seems like there are 4 bytes fewer on the Windows
2003 stack at the time of RET (maybe an internal RPC function of
RPCSS.DLL has a different parameter count). Slight changes to the
exploit code are also needed.
5/ Why does my computer reboot (on first time, on second time, etc.) ?
If the exploit fails for any reason, the RPCSS service will SEGFAULT and
the default Windows configuration is to reboot the computer within 1
minute. You can configure this behaviour with the "services"
administrative component.
If you are lucky enough to get a shell, as soon as you close it the RPC
service stops. This will make your computer reboot too ...
Conclusion : if you want to have the damn thing work, you'd better be an
assembly guru, because it's not plug-and-play (but still valuable :-).
I think the occurrence of a worm is quite possible, for if you have
access to the RPC port you can remotely access the registry (the service
is started by default) and get the "ProductVersion" value anonymously.
This greatly helps !
Regards,
- Nicolas RUFF
-----------------------------------
Security Consultant
EdelWeb (http://www.edelweb.fr/)
-----------------------------------