RE: [Full-Disclosure] EXPLOIT : RPC DCOM (MS03-039)

From: Paul Tinsley (pdt_at_jackhammer.org)
Date: 09/17/03

    To: Jerry Heidtke <jheidtke@fmlh.edu>
    Date: Wed, 17 Sep 2003 00:15:45 -0500
    
    

    Only creating an administrator account is, in my opinion, worse than the
    shell listening on a port like the previous exploit did. At least with
    the old exploit and Blaster.A you could monitor port 4444 with a logging
    deny ACL and keep track of the infected hosts. If all of the traffic
    goes across legitimate Microsoft protocols/ports that job becomes much
    harder.

    Bad guy ---> victim (port 135) #creates account
    Bad guy ---> victim (port 135/445) #copies files across using the
    default file shares and uses IPC to run a process. MUCH less trackable
    from the network point of view.

    Also, do you know where I might be able to pickup such a one-way ticket?

    >
    > The exploit at http://www.k-otik.com/exploits/09.16.MS03-039-exp.c.php is
    > rather limited. It only creates a local administrator account named "e"
    > with a password of "asd#321". But, it only works against Windows 2000
    > (English) with SP3 or SP4, if it works at all.
    >
    > I've seen references to other exploits out there, along with some source
    > and executables, including one that is much more capable. It allegedly
    > works against all SP and language versions of both Windows 2000 and XP. It
    > gives access to a command shell that has Local System rights, and might
    > easily be modified to work as part of a universal worm package. Remember
    > that Blaster and Welchia/Nachia both had to "guess" whether they were
    > attacking W2K or XP. This new exploit works either way.
    >
    > Here's a link to a screen shot of it:
    >
    > http://haiyangtop.533.net/1.jpg
    >
    > Rather than a sleeping bag, a one-way ticket to a nice uninhabited island
    > sounds better.
    >
    > Jerry
    >
    > -----Original Message-----
    > From: pdt@jackhammer.org [mailto:pdt@jackhammer.org]
    > Sent: Tuesday, September 16, 2003 8:05 PM
    > To: full-disclosure@lists.netsys.com
    > Subject: RE: [Full-Disclosure] EXPLOIT : RPC DCOM (MS03-039)
    >
    >
    > Has anyone tested this exploit successfully? I haven't been able to make
    > it work as of yet. I tried the Target 0 type and have the exact DLL
    > versions referenced. Just wondering if this is BS or there is some other
    > dependency on my test systems that isn't quite lining up.
    >
    >
    > Regardless I think I am going to throw a sleeping bag in the back of the
    > car on the way to work tomorrow, I think there are some long days coming
    > up soon.
    >
    >
    >>RPC DCOM long filename heap overflow Exploit (MS03-039)
    >>
    >>http://www.k-otik.com/exploits/09.16.MS03-039-exp.c.php
    >>
    >>blaster.b soon ?
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
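A defender-side illustration of the tracking point Paul makes above, added here and not part of the thread: it parses constructed ACL log lines (a hypothetical Cisco-style format) to list hosts repeatedly reaching for the Blaster.A backdoor port 4444, and, as the much weaker signal he predicts, hosts that touch 135 and then 445 on the same victim within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample ACL log lines in a hypothetical Cisco-style
# "%SEC-6-IPACCESSLOGP" format; not taken from the thread.
SAMPLE_LOG = """\
Sep 17 00:10:01 gw1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.1.23(1042) -> 10.0.2.5(4444), 1 packet
Sep 17 00:10:03 gw1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.1.23(1043) -> 10.0.2.6(4444), 1 packet
Sep 17 00:10:05 gw1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.1.23(1044) -> 10.0.2.7(4444), 1 packet
Sep 17 00:11:10 gw1 %SEC-6-IPACCESSLOGP: list 102 permitted tcp 10.0.3.9(2001) -> 10.0.2.8(135), 1 packet
Sep 17 00:11:14 gw1 %SEC-6-IPACCESSLOGP: list 102 permitted tcp 10.0.3.9(2002) -> 10.0.2.8(445), 1 packet
Sep 17 00:12:00 gw1 %SEC-6-IPACCESSLOGP: list 102 permitted tcp 10.0.3.40(2010) -> 10.0.2.8(445), 1 packet
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ \S+ list \d+ (?P<action>\w+) tcp "
    r"(?P<src>[\d.]+)\(\d+\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

def parse(log_text):
    """Yield (timestamp, action, src, dst, dport) for each parseable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime("2003 " + m["ts"], "%Y %b %d %H:%M:%S")
            yield ts, m["action"], m["src"], m["dst"], int(m["dport"])

def port4444_sources(log_text, min_targets=2):
    """Sources whose denied 4444/tcp attempts hit >= min_targets distinct hosts.
    A host probing the Blaster.A shell port on many victims is the infected
    host itself; this is the tracking the logging deny ACL gave you."""
    targets = defaultdict(set)
    for _, action, src, dst, dport in parse(log_text):
        if dport == 4444 and action == "denied":
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}

def rpc_then_smb(log_text, window_s=60):
    """(src, dst) pairs where src hit 135/tcp and then 445/tcp on dst within
    window_s seconds. This is the create-account-then-copy-files sequence from
    the thread, but ordinary Windows traffic looks the same, so it is only a lead."""
    first_135, hits = {}, set()
    for ts, _, src, dst, dport in parse(log_text):
        key = (src, dst)
        if dport == 135:
            first_135[key] = ts
        elif dport == 445 and key in first_135:
            if (ts - first_135[key]).total_seconds() <= window_s:
                hits.add(key)
    return hits
```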

