lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <3F67EE01.60100@jackhammer.org>
From: pdt at jackhammer.org (Paul Tinsley)
Subject: EXPLOIT : RPC DCOM (MS03-039)

Only creating an administrator account is, in my opinion, worse than the 
shell listening on a port, as the previous exploit did.  At least with 
the old exploit and Blaster.A you could monitor port 4444 with a logging 
deny ACL and keep track of the infected hosts.  If all of the traffic 
goes across legitimate Microsoft protocols/ports, that job becomes much 
harder.

Bad guy  ---> victim (port 135) #creates account
Bad guy  ---> victim (port 135/445) #copies files across using the 
default file shares and uses IPC to run a process.  MUCH less trackable 
from the network point of view.



Also, do you know where I might be able to pickup such a one-way ticket?


> 
> The exploit at http://www.k-otik.com/exploits/09.16.MS03-039-exp.c.php is
> rather limited. It only creates a local administrator account named "e"
> with a password of "asd#321". But, it only works against Windows 2000
> (English) with SP3 or SP4, if it works at all.
> 
> I've seen references to other exploits out there, along with some source
> and executables, including one that is much more capable. It allegedly
> works against all SP and language versions of both Windows 2000 and XP. It
> gives access to a command shell that has Local System rights, and might
> easily be modified to work as part of a universal worm package. Remember
> that Blaster and Welchia/Nachia both had to "guess" whether they were
> attacking W2K or XP. This new exploit works either way.
> 
> Here's a link to a screen shot of it:
> 
> http://haiyangtop.533.net/1.jpg
> 
> Rather than a sleeping bag, a one-way ticket to a nice uninhabited island
> sounds better.
> 
> Jerry
> 
> -----Original Message-----
> From: pdt@...khammer.org [mailto:pdt@...khammer.org]
> Sent: Tuesday, September 16, 2003 8:05 PM
> To: full-disclosure@...ts.netsys.com
> Subject: RE: [Full-Disclosure] EXPLOIT : RPC DCOM (MS03-039)
> 
> 
> Has anyone tested this exploit successfully?  I haven't been able to make
> it work as of yet.  I tried the Target 0 type and have the exact DLL
> versions referenced.  Just wondering if this is BS or there is some other
> dependency on my test systems that isn't quite lining up.
> 
> 
> Regardless, I think I am going to throw a sleeping bag in the back of the
> car on the way to work tomorrow, I think there are some long days coming
> up soon.
> 
> 
>>RPC DCOM long filename heap overflow Exploit (MS03-039)
>>
>>http://www.k-otik.com/exploits/09.16.MS03-039-exp.c.php
>>
>>blaster.b soon ?
> 
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 
> Confidentiality Notice: This e-mail message, including any attachments,
> is for the sole use of the intended recipient(s) and may contain
> confidential and privileged information.  Any unauthorized review, use,
> disclosure or distribution is prohibited.  If you are not the intended
> recipient, please contact the sender by reply e-mail and destroy all
> copies of the original message.
> 


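Added example (not part of the thread, and not code from any of its participants): a small Python correlation over a constructed connection log that shows the detection point Paul makes in working form. The log format, the five-minute window, the host addresses and the thresholds are all assumptions invented for this example. A single contact with TCP/4444 was enough to spot a Blaster.A victim; traffic from the account-creating exploit has to be caught by sequence instead, TCP/135 followed by TCP/445 from the same source to the same host, ideally repeated across several hosts.

```python
"""
Correlation sketch (added example, not from the original thread).

Input is a constructed, syslog-style connection log with the assumed format
    <ISO timestamp> <src> <dst> <dport> <allow|deny>
Two detections are shown side by side:
  * legacy_port_hits   - the old indicator: any contact with TCP/4444
  * find_rpc_then_smb  - the new exploit's footprint: TCP/135 (RPC endpoint
                         mapper) followed within a window by TCP/445 (SMB)
                         from the same source to the same host
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data; addresses and times are made up for the example.
SAMPLE_LOG = """\
2003-09-17T02:05:10 10.9.8.7 192.168.1.20 135 allow
2003-09-17T02:05:12 10.9.8.7 192.168.1.20 445 allow
2003-09-17T02:05:30 10.9.8.7 192.168.1.21 135 allow
2003-09-17T02:05:33 10.9.8.7 192.168.1.21 445 allow
2003-09-17T02:06:00 192.168.1.5 192.168.1.20 445 allow
2003-09-17T02:06:05 10.9.8.7 192.168.1.22 135 allow
2003-09-17T02:07:00 10.9.8.8 192.168.1.30 4444 deny
2003-09-17T02:50:00 10.9.8.7 192.168.1.22 445 allow
"""


def parse_log(text):
    """Parse log lines into (ts, src, dst, dport, action); malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, action = parts
        try:
            records.append((datetime.fromisoformat(ts), src, dst, int(dport), action))
        except ValueError:
            continue
    return records


def legacy_port_hits(records, port=4444):
    """Old-style indicator: any (src, dst) pair that touched the Blaster.A shell port."""
    return sorted({(src, dst) for _, src, dst, dport, _ in records if dport == port})


def find_rpc_then_smb(records, window=timedelta(minutes=5)):
    """Return (src, dst, t135, t445) for each host where the same source hit
    TCP/135 and then TCP/445 within `window` of the first 135 contact."""
    first_135 = {}
    hits = []
    for ts, src, dst, dport, _ in sorted(records):
        key = (src, dst)
        if dport == 135:
            first_135.setdefault(key, ts)  # remember the earliest RPC contact
        elif dport == 445 and key in first_135:
            if timedelta(0) <= ts - first_135[key] <= window:
                hits.append((src, dst, first_135[key], ts))
    return hits


def sources_touching_many_hosts(hits, min_hosts=2):
    """Group flagged pairs by source; a source repeating the sequence against
    several hosts looks like a worm or a manual sweep rather than one admin task."""
    by_src = defaultdict(set)
    for src, dst, _, _ in hits:
        by_src[src].add(dst)
    return {src: sorted(dsts) for src, dsts in by_src.items() if len(dsts) >= min_hosts}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("legacy 4444 hits:", legacy_port_hits(recs))
    for src, dst, t135, t445 in find_rpc_then_smb(recs):
        print(f"{src} -> {dst}: 135 at {t135:%H:%M:%S}, 445 at {t445:%H:%M:%S}")
    print("sweeping sources:", sources_touching_many_hosts(find_rpc_then_smb(recs)))
```

On the sample, 10.9.8.7 is flagged for two hosts; its third target falls outside the window and is not paired. Two caveats apply: this correlation only works if allowed connections are logged, not just denies, and legitimate administration (domain controllers, management tools, remote installs) produces the same 135-then-445 sequence, so the output is a triage list, not proof of compromise.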