is it even possible for a worm with dcom vuln?

From: wirepair (wirepair_at_roguemail.net)
Date: 07/27/03

To: vuln-dev@securityfocus.com
Date: Sun, 27 Jul 2003 10:09:12 -0700
    
    

After the release of the few exploits which take advantage of the DCOM/RPC vulnerability I began thinking to myself how this could possibly be turned into a worm. The exploits that have already been written use hard-coded offsets for the different SPs/OSs, so this would not work for a worm template. Also, it requires a few requests, so this would not be a very fast worm in theory. Also, after the service is exploited the service fails. I could see a few issues with a 'universal offset' for a jmp esp/call esp or any other way to get the worm instructions to begin executing. The vast differences in operating systems could make the threat of this being a worm smaller in my mind. With the IIS worms (Code Red) they had it easy because the service would just restart itself, and it was only attacking one particular version with the same base addresses.

So I guess what I'm asking is: is it even feasible to write a worm for this particular vulnerability? I would imagine the worm would need to be pretty advanced in finding the correct offsets prior to exploitation, without crashing svchost.exe. Now I am in no way downplaying the threat of this vulnerability, and I find it to probably be the largest thing to ever hit Windows. I just want to hear other people's thoughts on this subject. Or a worm could attack a single operating system/SP, but that wouldn't be nearly as damaging as a worm that could attack all versions of Windows (NT4-Win2k3) and SPs.

Any thoughts?
-wire

--
Visit Things From Another World for the best
comics, movies, toys, collectibles and more.
http://www.tfaw.com/?qt=wmf
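The 'universal offset' the post asks about is an address that holds a jmp esp or call esp trampoline in every target build, so that one hard-coded return address works regardless of service pack. The script below is an added example, not code from the original post or from any of the exploits it mentions: it scans a set of module images for the two-byte x86 encodings of those trampolines and intersects the hit addresses across builds. The images are constructed NOP-filled byte strings rather than real Windows DLLs, and the load base 0x77E00000 is an assumption chosen for illustration; the second run rebases one build to show why a universal address disappears as soon as a module loads somewhere else.

```python
"""Added example (not from the original post): check whether a jmp esp / call esp
address is 'universal' across several target builds.

The module images below are constructed byte strings, not real Windows DLLs;
the base address 0x77E00000 is an assumption for illustration only.
"""
from typing import Dict, Tuple

# x86 encodings of the two trampolines the post mentions.
GADGETS = {b"\xff\xe4": "jmp esp", b"\xff\xd4": "call esp"}


def find_gadgets(image: bytes, base: int) -> Dict[int, str]:
    """Map each virtual address in `image` (loaded at `base`) that holds a
    trampoline to its mnemonic. Any occurrence of the bytes counts: the
    attacker does not care whether it is an intended instruction boundary."""
    hits: Dict[int, str] = {}
    for pattern, name in GADGETS.items():
        pos = image.find(pattern)
        while pos != -1:
            hits[base + pos] = name
            pos = image.find(pattern, pos + 1)
    return hits


def universal_gadgets(builds: Dict[str, Tuple[int, bytes]]) -> Dict[int, str]:
    """Addresses that hold a trampoline in every build. Each build maps a
    label to (load base, image bytes). A build loaded at a different base
    shifts all of its addresses, which is exactly why a single hard-coded
    offset breaks across OS versions and service packs."""
    per_build = [find_gadgets(img, base) for base, img in builds.values()]
    common = set(per_build[0])
    for hits in per_build[1:]:
        common &= set(hits)
    return {addr: per_build[0][addr] for addr in sorted(common)}


def make_image(size: int, gadgets: Dict[int, bytes]) -> bytes:
    """Constructed image: a NOP-filled buffer with gadget bytes at chosen offsets."""
    buf = bytearray(b"\x90" * size)
    for off, pattern in gadgets.items():
        buf[off:off + len(pattern)] = pattern
    return bytes(buf)


BASE = 0x77E00000  # assumed load base, identical for every build below

# Three constructed builds: offset 0x10 holds a trampoline in all of them
# (jmp esp in two, call esp in the third); the remaining gadgets differ.
BUILDS = {
    "sp2": (BASE, make_image(0x400, {0x10: b"\xff\xe4", 0x200: b"\xff\xe4"})),
    "sp3": (BASE, make_image(0x400, {0x10: b"\xff\xe4", 0x300: b"\xff\xd4"})),
    "sp4": (BASE, make_image(0x400, {0x10: b"\xff\xd4", 0x200: b"\xff\xe4"})),
}

# Same images, but one build is loaded 0x10000 higher: nothing lines up any more.
REBASED = dict(BUILDS)
REBASED["sp4"] = (BASE + 0x10000, BUILDS["sp4"][1])

if __name__ == "__main__":
    for label, builds in (("same base", BUILDS), ("one build rebased", REBASED)):
        common = universal_gadgets(builds)
        print(f"{label}: {len(common)} universal trampoline(s)")
        for addr, name in common.items():
            print(f"  0x{addr:08x}  {name}")
```

Both mnemonics are treated as interchangeable because either one transfers control to the bytes at ESP; call esp merely pushes a return address just below them first. Against real targets the inputs would be the relevant module as mapped in the vulnerable process for each OS/SP combination, and the intersection is often empty, which is the reliability problem the post raises.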
    
