Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)

Valdis.Kletnieks_at_vt.edu
Date: 07/28/03

Next message: Knud Erik Højgaard: "Re: [Full-Disclosure] dcom exploit code observations"

Previous message: Brett Moore: "[Full-Disclosure] Shattering SEH II"
In reply to: Robert Wesley McGrew: "RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)"
Next in thread: Marc Maiffret: "RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: Robert Wesley McGrew <rwm8@CSE.MsState.EDU>
Date: Mon, 28 Jul 2003 16:23:15 -0400

On Mon, 28 Jul 2003 12:10:56 CDT, Robert Wesley McGrew <rwm8@CSE.MsState.EDU> said:

> Any worm using this would need to know the return address before
> attempting to exploit If a worm were to stick to targetting one return
> address (say, English XP SP1), everytime it ran across something slightly
> different (SP0, german, win2k, etc) it would simply crash it and not
> spread. One of three things would happen in the case of this worm :
>
> 1) Sticks with one return address, makes a spectacular DoS against all
> other languages/versions/SPs. This could limit how quickly it spreads.
>
> 2) Somehow finds out ahead of time what the remote language/version/SP is.
> Could be very unreliable and slow.
>
> 3) There is some way of generalizing the return address in a way that
> would work on at least a large portion of installs. This is what would
> bring it into the league of Very Scary Worms.

4) For each target pick one of the known return addresses at random. Do something
to "close the door" once you get it. Then eventually, each machine will get infected
after several reboots... the best/worst of all worlds - a sustained DDoS *and* a hack. ;)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

application/pgp-signature attachment: stored

Next message: Knud Erik Højgaard: "Re: [Full-Disclosure] dcom exploit code observations"

Previous message: Brett Moore: "[Full-Disclosure] Shattering SEH II"
In reply to: Robert Wesley McGrew: "RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)"
Next in thread: Marc Maiffret: "RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: the better worm tutorial
... > Here some comments and code on the new worm. ... > The targetting sucks. ... safety deserve neither liberty nor safety." ...
(Incidents)
the better worm tutorial
... Here some comments and code on the new worm. ... The targetting sucks. ... I want to get some random 1000 Microsoft IIS servers - I get on to Google ... Hereby the uploader to upload the worm ...
(Vuln-Dev)
the better worm tutorial
... Here some comments and code on the new worm. ... The targetting sucks. ... I want to get some random 1000 Microsoft IIS servers - I get on to Google ... Hereby the uploader to upload the worm ...
(Incidents)
Re: LSASS.exe
... > There could be a newer worm than Blaster that's targetting lsass.exe, ... Peter ...
(microsoft.public.win2000.security)
Code-Red: An analytic model of its spread
... Subject: Code-Red: An analytic model of its spread ... and then try to compromise that IP address using ... the worm analyzed by Eeye has what seems like a bug. ... compromised machine picks other machines to attack completely at random. ...
(Incidents)