RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)

From: gml (
Date: 07/28/03

  • Next message: Brett Moore: "[Full-Disclosure] Shattering SEH II"
    To: "'Robert Wesley McGrew'" <rwm8@CSE.MsState.EDU>, <>
    Date: Mon, 28 Jul 2003 16:20:43 -0400

    What if it just kept an internal list of return addresses and simply cycled
    through them each in a separate thread until it was able to gain access to
    the machine?

    -----Original Message-----
    [] On Behalf Of Robert Wesley
    Sent: Monday, July 28, 2003 1:11 PM
    Subject: RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)

    On Mon, 28 Jul 2003, Schmehl, Paul L wrote:

    > > 2) For this DCOM RPC problem in particular, everyone's
    > > talking about worms. How would the worm know what return
    > > address to use? Remote OS fingerprinting would mean it would
    > > be relatively large, slow, and unreliable (compared with
    > > Slammer), and sticking with one would cause more machines to
    > > just crash than to spread the worm. I haven't looked into
    > > this very closely yet to see if it can be generalized.
    > What fingerprinting? If you've got 135/UDP open to the Internet, you're
    > screwed. Slammer didn't fingerprint. It simply hit every box it could
    > find on port 1434/UDP, and the exploit either worked or it didn't. Most
    > worms do the same. They attack indiscriminately, and infect those Oses
    > that are susceptible. And with Windows, that's enough boxes to cause a
    > real problem.

    Thanks for responding. I realize that having 135 open on any Windows
    machine makes you vulnerable, and that you wouldn't need to differentiate
    Windows/OtherOSes. My question is about different Windows versions. The
    version (NT/2000/XP), service pack, and language at least have to be known
    to get the return address right. If it's "guessed" wrong, the system goes
    down with no shell executed.

    Any worm using this would need to know the return address before
    attempting to exploit If a worm were to stick to targetting one return
    address (say, English XP SP1), everytime it ran across something slightly
    different (SP0, german, win2k, etc) it would simply crash it and not
    spread. One of three things would happen in the case of this worm :

    1) Sticks with one return address, makes a spectacular DoS against all
    other languages/versions/SPs. This could limit how quickly it spreads.

    2) Somehow finds out ahead of time what the remote language/version/SP is.
    Could be very unreliable and slow.

    3) There is some way of generalizing the return address in a way that
    would work on at least a large portion of installs. This is what would
    bring it into the league of Very Scary Worms.

    Has anyone seen any indication in the private exploits or in their
    research that there's a way to get it to work reliably on systems without
    having to know version/SP/etc?

    Full-Disclosure - We believe in it.

    Full-Disclosure - We believe in it.

  • Next message: Brett Moore: "[Full-Disclosure] Shattering SEH II"

    Relevant Pages

    • FW: Actions for the Blaster Worm - Special Edition, TechNet Flash
      ... Actions for the Blaster Worm - Special Edition, ... You are receiving this message because you are a Microsoft newsletter ... Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory ... antivirus vendor and scan your machine. ...
    • Re: Cant apply KB835732 on various Win2k systems
      ... So these machines have the Sasser worm? ... Microsoft has learned about a worm identified as "W32.Sasser.worm" that is ... Windows XP Professional ... > AnalyzePhaseOne: used 7691 ticks ...
    • Safeguard Your PC Against the Downadup Worm
      ... Safeguard Your PC Against the Downadup Worm ... How to protect your PC from the biggest worm in years. ... Security experts say it's the biggest worm attack in years, ... Windows that Microsoft Corp. patched nearly four months ago. ...
    • [NEWS] A new Mass-Mailing and Backdoor Capable Worm Found in the Wild
      ... The worm uses the common auto-reply feature from an infected client to ... This directory varies with each version of Windows: ... It creates this registry entry to load the DLL file during startup: ... Message Body: Adult content!!! ...
    • Re: Installing a MS Patch killed my computer
      ... Best bet would've been to remove the worm before trying to install the ... patch - you're trying to lock the barn door after the cows have gotten out. ... Windows XP, Windows 2000, Windows Server 2003, Windows NT ... Symptoms of the virus: Some customer may not notice any symptoms at all. ...