[TOOL] Command Line UNIX RPC/DCOM Vulnerability Checker
From: SecuriTeam (support_at_securiteam.com)
Date: 08/04/03
To: list@securiteam.com Date: 4 Aug 2003 19:04:04 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Command Line UNIX RPC/DCOM Vulnerability Checker
------------------------------------------------------------------------
DETAILS
Administrators can use the following tool to test their environment for
hosts vulnerable to the latest MS-RPC
<http://www.securiteam.com/windowsntfocus/5SP0C20AKG.html> (RPC/DCOM)
security vulnerability.
Tool:
/*
* buildtheb0x presents : dcom/rpc scanner
* ---------------------------------------
*
*
* by: kid and farp
*
* greets: kajun, phr_, dvdman, Sam, flatline, #nanog, synD, and to all
* danny's waitress's
*
*/
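#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <strings.h>    /* bzero() */
#include <unistd.h>     /* close() */
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>  /* inet_addr() */
#include <sys/socket.h>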
#define DEST_PORT 135
unsigned char fear1[] = {
0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
0x48, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00,
0xb8, 0x4a, 0x9f, 0x4d, 0x1c, 0x7d, 0xcf, 0x11,
0x86, 0x1e, 0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x57,
0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00 };
unsigned char fear2[] = {
0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
0x7e, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
0x66, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
0x05, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x6b, 0xac, 0xd8, 0x08,
0x2f, 0x2e, 0x03, 0x48, 0xaa, 0xdc, 0xc1, 0x6a,
0x62, 0xfb, 0xeb, 0x98, 0x00, 0x00, 0x00, 0x00,
0xf8, 0x91, 0x7b, 0x5a, 0x00, 0xff, 0xd0, 0x11,
0xa9, 0xb2, 0x00, 0xc0, 0x4f, 0xb6, 0xe6, 0xfc,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x02, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
0x01, 0x00, 0x00, 0x00, 0x38, 0xff, 0x0a, 0x00,
0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x46, 0x01, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x07, 0x00 };
unsigned char fear3[] = {
0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00,
0x48, 0x00, 0x00, 0x00, 0x65, 0x45, 0x79, 0x65,
0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
0xb8, 0x4a, 0x9f, 0x4d, 0x1c, 0x7d, 0xcf, 0x11,
0x86, 0x1e, 0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x57,
0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00 };
unsigned char fear4[] = {
0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
0xc6, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xae, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x05, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x5b, 0x52, 0x65, 0x74,
0x69, 0x6e, 0x61, 0x5d, 0x5b, 0x52, 0x65, 0x74,
0x69, 0x6e, 0x61, 0x5d, 0x00, 0x00, 0x00, 0x00,
0x65, 0x45, 0x79, 0x65, 0x32, 0x30, 0x30, 0x33,
0x65, 0x45, 0x79, 0x65, 0x32, 0x30, 0x30, 0x33,
0x68, 0x0f, 0x0b, 0x00, 0x1e, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x1e, 0x00, 0x00, 0x00,
0x5c, 0x00, 0x5c, 0x00, 0x41, 0x00, 0x00, 0x00,
0x5c, 0x00, 0x00, 0x00, 0x63, 0x00, 0x24, 0x00,
0x5c, 0x00, 0x65, 0x00, 0x45, 0x00, 0x79, 0x00,
0x65, 0x00, 0x5f, 0x00, 0x32, 0x00, 0x30, 0x00,
0x30, 0x00, 0x33, 0x00, 0x5f, 0x00, 0x52, 0x00,
0x65, 0x00, 0x74, 0x00, 0x69, 0x00, 0x6e, 0x00,
0x61, 0x00, 0x2e, 0x00, 0x74, 0x00, 0x78, 0x00,
0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0xb8, 0xeb, 0x0b, 0x00,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x07, 0x00 };
char buf1[1024];
char buf2[1024];
char buf3[1024];
char buf4[1024];
int len,i;
int recv_length[4];
int main(int argc, char **argv)
{
    int sockfd;
    struct sockaddr_in dest_addr; /* hold dest addy */

    /* check the arguments before opening a socket */
    if (argc < 2) {
        printf("usage: dcom-isvuln <target-ip> [--debug]\n");
        return(1);
    }

    if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
    { printf("error getting socket\n"); return(1); }

    dest_addr.sin_family = AF_INET;
    dest_addr.sin_port = htons(DEST_PORT);
    dest_addr.sin_addr.s_addr = inet_addr(argv[1]);
    bzero(&(dest_addr.sin_zero), 8); /* zero rest of struct */

    printf("[+] Connecting to %s\n",argv[1]);
    if(connect(sockfd, (struct sockaddr *)&dest_addr, sizeof(struct sockaddr)) < 0)
    { printf("\n -- %s does not accept DCERPC protocol\n", argv[1]); exit(1); }

    printf("[+] Sending DCERPC, Bind: call_id: 9 UUID: REMACT\n");
    if(send(sockfd, fear1, sizeof(fear1), 0) < 0)
    { printf("sending error 1\n"); }
    if((recv_length[0]=recv(sockfd, buf1, 1024, 0)) < 0)
    { printf("receiving error 1\n"); }

    printf("[+] Sending REMACT, RemoteActivation request\n");
    if(send(sockfd, fear2, sizeof(fear2), 0) < 0)
    { printf("sending error 2\n"); }
    if((recv_length[1]=recv(sockfd, buf2, 1024, 0)) < 0)
    { printf("receiving error 2\n"); }

    /* close socket */
    close(sockfd);

    /* open second socket to complete test */
    if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
    { printf("error getting socket\n"); return(1); }

    dest_addr.sin_family = AF_INET;
    dest_addr.sin_port = htons(DEST_PORT);
    dest_addr.sin_addr.s_addr = inet_addr(argv[1]);
    bzero(&(dest_addr.sin_zero), 8); /* zero rest of struct */

    printf("[+] Making second connect()\n");
    if(connect(sockfd, (struct sockaddr *)&dest_addr, sizeof(struct sockaddr)) < 0)
    { printf("connect error\n"); close(sockfd); return(1); }

    printf("[+] Sending DCERPC, Bind: call_id: 1702446437 UUID: REMACT\n");
    if(send(sockfd, fear3, sizeof(fear3), 0) < 0)
    { printf("sending error 3\n"); }
    if((recv_length[2]=recv(sockfd, buf3, 1024, 0)) < 0)
    { printf("receiving error 3\n"); }

    printf("[+] Sending REMACT, RemoteActivation request\n");
    if(send(sockfd, fear4, sizeof(fear4), 0) < 0)
    { printf("sending error 4\n"); }
    if((recv_length[3]=recv(sockfd, buf4, 1024, 0)) < 0)
    { printf("receiving error 4\n"); }

    /* close connection */
    close(sockfd);

    if( argc == 3)
    {
        if( (strcmp(argv[2],"--debug")) == 0 )
        {
            printf("[+] Debug Response 4 contents:\n");
            /* cast so bytes >= 0x80 print as two hex digits */
            for(i=0; i<recv_length[3]; i++)
            { printf("--- position %d has value %02X\n",i,(unsigned char)buf4[i]); }
        }
    }

    /* the signature bytes sit at offsets 68..70; do not judge a reply
       that is too short to contain them */
    if( recv_length[3] < 71 )
    {
        printf("\n -- %s sent a response too short to check (%d bytes)\n\n",
               argv[1], recv_length[3]);
        return(1);
    }

    if( (buf4[68]==0x54) && (buf4[69] == 0x01) && (buf4[70]==0x04) )
    { printf("\n -- %s appears to be vulnerable!\n\n", argv[1]); }
    else if( (buf4[68]==0x04) && (buf4[69]==0x00) && (buf4[70]==0x08) )
    { printf("\n -- %s appears not vulnerable.\n\n", argv[1]); }
    // add more signatures here if needed
    else { printf("\n -- %s contains unidentified signature, please report if vulnerable.\n\n", argv[1]); }

    return(0);
}
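The checker above decides on three bytes at fixed offsets of the fourth reply. As an added example (not part of the original tool and not written by its authors), the C below decodes the 16-byte DCE/RPC connection-oriented common header and accepts a reply only when it is a complete PDU of the expected type that echoes the call_id that was sent. The names parse_rpc_hdr, reply_usable and sample_ack are hypothetical, and sample_ack is constructed data, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>

/* DCE/RPC connection-oriented PDU types seen in this exchange */
enum { PT_REQUEST = 0, PT_RESPONSE = 2, PT_FAULT = 3,
       PT_BIND = 11, PT_BIND_ACK = 12, PT_BIND_NAK = 13 };

struct rpc_hdr { uint8_t ptype; uint16_t frag_len; uint32_t call_id; };

/* First 16 bytes of fear1 and fear3 from the tool above. */
const unsigned char fear1_hdr[16] = { 0x05,0x00,0x0b,0x03,0x10,0x00,0x00,0x00,
                                      0x48,0x00,0x00,0x00,0x09,0x00,0x00,0x00 };
const unsigned char fear3_hdr[16] = { 0x05,0x00,0x0b,0x03,0x10,0x00,0x00,0x00,
                                      0x48,0x00,0x00,0x00,0x65,0x45,0x79,0x65 };
/* Constructed reply (assumption, not captured traffic): bind_ack header,
 * frag_len 24, call_id 9, followed by 8 zero bytes. */
const unsigned char sample_ack[24] = { 0x05,0x00,0x0c,0x03,0x10,0x00,0x00,0x00,
                                       0x18,0x00,0x00,0x00,0x09,0x00,0x00,0x00 };

/* Decode the 16-byte common header. Returns 0, or -1 if the buffer is
 * shorter than a header or does not start with RPC version 5. */
int parse_rpc_hdr(const unsigned char *p, size_t len, struct rpc_hdr *h)
{
    if (len < 16 || p[0] != 5)
        return -1;
    int le = (p[4] >> 4) == 1;   /* integer representation: 1 = little-endian */
    h->ptype = p[2];
    h->frag_len = (uint16_t)(le ? (p[8] | p[9] << 8) : (p[8] << 8 | p[9]));
    h->call_id = 0;
    for (int i = 0; i < 4; i++)  /* assemble call_id in the sender's byte order */
        h->call_id |= (uint32_t)p[12 + i] << (le ? 8 * i : 8 * (3 - i));
    return 0;
}

/* 1 only if buf holds a complete PDU of the wanted type that echoes our
 * call_id and is long enough to read the byte at offset last_off. */
int reply_usable(const unsigned char *buf, long n, int want_ptype,
                 uint32_t want_call_id, size_t last_off)
{
    struct rpc_hdr h;
    if (n < 16 || parse_rpc_hdr(buf, (size_t)n, &h) != 0)
        return 0;
    if (h.frag_len < 16 || h.frag_len > (size_t)n)
        return 0;                /* truncated or inconsistent length */
    if (h.ptype != want_ptype || h.call_id != want_call_id)
        return 0;
    return h.frag_len > last_off;
}
```

In the tool, a call such as reply_usable((unsigned char *)buf3, recv_length[2], PT_BIND_ACK, 1702446437u, 15) would confirm that the second bind was acknowledged before the request is sent.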
ADDITIONAL INFORMATION
The information has been provided by <mailto:ironkid@buildtheb0x.com> kid
and <mailto:farp@buildtheb0x.com> farp