[<prev] [next>] [day] [month] [year] [list]
Message-ID: <HIRDIV$IGERN8vGQ4cjwkNS9Lgz4EzNgHMxxuCo5z0J9K@bol.com.br>
From: th.campos at bol.com.br (Thiago Campos)
Subject: DCOM RPC exploit (dcom.c)
You would kill the process. Sometimes the system will
continue to run but not properly. Other times a reboot
is necessary.
- Thiago Campos
> What if it just kept an internal list of return address
es and simply cycled
> through them each in a separate thread until it was abl
e to gain access to
> the machine?
>
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-
admin@...ts.netsys.com] On Behalf Of Robert Wesley
> McGrew
> Sent: Monday, July 28, 2003 1:11 PM
> To: full-disclosure@...ts.netsys.com
> Subject: RE: [Full-
Disclosure] DCOM RPC exploit (dcom.c)
>
>
>
> On Mon, 28 Jul 2003, Schmehl, Paul L wrote:
>
> > > 2) For this DCOM RPC problem in particular, everyon
e's
> > > talking about worms. How would the worm know what
return
> > > address to use? Remote OS fingerprinting would mea
n it would
> > > be relatively large, slow, and unreliable (compared
with
> > > Slammer), and sticking with one would cause more ma
chines to
> > > just crash than to spread the worm. I haven't look
ed into
> > > this very closely yet to see if it can be generaliz
ed.
> >
> > What fingerprinting? If you've got 135/UDP open to t
he Internet, you're
> > screwed. Slammer didn't fingerprint. It simply hit
every box it could
> > find on port 1434/UDP, and the exploit either worked
or it didn't. Most
> > worms do the same. They attack indiscriminately, and
infect those Oses
> > that are susceptible. And with Windows, that's enoug
h boxes to cause a
> > real problem.
>
> Thanks for responding. I realize that having 135 open
on any Windows
> machine makes you vulnerable, and that you wouldn't nee
d to differentiate
> Windows/OtherOSes. My question is about different Wind
ows versions. The
> version (NT/2000/XP), service pack, and language at lea
st have to be known
> to get the return address right. If it's "guessed" wro
ng, the system goes
> down with no shell executed.
>
> Any worm using this would need to know the return addre
ss before
> attempting to exploit If a worm were to stick to target
ting one return
> address (say, English XP SP1), everytime it ran across
something slightly
> different (SP0, german, win2k, etc) it would simply cra
sh it and not
> spread. One of three things would happen in the case o
f this worm :
>
> 1) Sticks with one return address, makes a spectacular
DoS against all
> other languages/versions/SPs. This could limit how qui
ckly it spreads.
>
> 2) Somehow finds out ahead of time what the remote lang
uage/version/SP is.
> Could be very unreliable and slow.
>
> 3) There is some way of generalizing the return address
in a way that
> would work on at least a large portion of installs. Th
is is what would
> bring it into the league of Very Scary Worms.
>
> Has anyone seen any indication in the private exploits
or in their
> research that there's a way to get it to work reliably
on systems without
> having to know version/SP/etc?
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-
charter.html
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-
charter.html
>
__________________________________________________________________________
Acabe com aquelas janelinhas que pulam na sua tela.
AntiPop-up UOL - ? gr?tis!
http://antipopup.uol.com.br/
Powered by blists - more mailing lists