[REVS] Using the oc192-Dcom.c Exploit to Accomplish Revenge

From: SecuriTeam (support_at_securiteam.com)
Date: 10/06/04

    To: list@securiteam.com
    Date: 6 Oct 2004 14:38:46 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Using the oc192-Dcom.c Exploit to Accomplish Revenge
    ------------------------------------------------------------------------

    SUMMARY

    The document linked below analyzes several different exploits for the
    DCOM RPC vulnerability, as well as the MS.Blaster worm. It also provides
    an excellent, detailed top-down example of a full system exploit using
    one of the exploits listed. The author assumes almost no prior knowledge,
    so even readers with only basic knowledge can benefit from it.

    DETAILS

    Purpose:
    "On the 16th July 2003 Microsoft released a security bulletin describing a
    vulnerability that existed in their Dcom RPC interface. The vulnerability
    was common to all but one supported Windows platform, regardless of what
    service pack was installed.
    On the same day my friend that worked for ACME Corporation as an ASP
    developer was dismissed, and rather unfairly I think. He was only using
    Kazaa to download his latest favorite ripped movies from the Internet and
    burning them on the company CD writer, that is of course until his boss
    saw what he was doing.

    So now he's jobless and pretty upset with the company, and he has come to
    me to help him exact revenge on the firm. He wants my help to deface the
    web page so that it can ease his suffering. I'm up to that, especially
    knowing that my friend has some good insider information and that there is
    a great new vulnerability that I might just be able to use.
    Before I can move in for the kill I will need to research the exploit and
    possible code available a little further to understand just what it does
    and how it works. Using reconnaissance methods I will then gather
    information about the site from the Internet and my friend's brain. Once I
    have that information the preparation stage will begin to accumulate
    all the necessary tools I will need for the attack. Of course the aim
    would be to deface the web site, but I'll try getting in with leaving as
    little evidence as possible for any administrators or incident handling
    team to find, although my friend tells me there is no incident handling
    team at the moment. It's going to be interesting to see how they cope with
    the attack?"

    The document, "Using the oc192-dcom.c exploit to accomplish revenge",
    can be found at:
    http://www.giac.org/practical/GCIH/Mark_Johnston_GCIH.pdf

    ADDITIONAL INFORMATION

    The original article can be found at:
    http://www.giac.org/practical/GCIH/Mark_Johnston_GCIH.pdf

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
