
RE: [Full-Disclosure] EXPLOIT : RPC DCOM (MS03-039)



Only creating an administrator account is, in my opinion, worse than the shell listening on a port like the previous exploit did. At least with the old exploit and Blaster.A you could monitor port 4444 with a logging deny ACL and keep track of the infected hosts. If all of the traffic goes across legitimate Microsoft protocols/ports, that job becomes much harder.

Bad guy ---> victim (port 135) #creates account
Bad guy ---> victim (port 135/445) #copies files across using the default file shares and uses IPC to run a process. MUCH less trackable from the network point of view.




Also, do you know where I might be able to pickup such a one-way ticket?
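As an added illustration of the detection point above (this is not code from the thread or from any of its posters), here is a small Python script over a constructed firewall log in an assumed, vendor-neutral format that shows both sides of the argument: port 4444 hits are trivial to list from a logging deny ACL, while the exploit-then-copy pattern over 135/445 needs correlation of the same source reaching both ports on the same host within a time window (the 10-minute window is an assumption).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: time src dst dport action).
# 10.0.0.5 probes the Blaster backdoor port; 10.0.0.9 hits RPC (135) and
# then SMB (445) on the same victim, once quickly and once over an hour apart.
LOG = """\
2003-09-16T20:01:00 10.0.0.5 192.168.1.20 4444 DENY
2003-09-16T20:02:10 10.0.0.5 192.168.1.21 4444 DENY
2003-09-16T20:05:00 10.0.0.9 192.168.1.30 135 PERMIT
2003-09-16T20:05:40 10.0.0.9 192.168.1.30 445 PERMIT
2003-09-16T20:30:00 10.0.0.9 192.168.1.31 135 PERMIT
2003-09-16T21:10:00 10.0.0.9 192.168.1.31 445 PERMIT
2003-09-16T20:06:00 10.0.0.12 192.168.1.40 445 PERMIT
"""

LINE = re.compile(r"(\S+) (\S+) (\S+) (\d+) (\S+)")


def parse(log):
    """Return (timestamp, src, dst, dport, action) tuples for well-formed lines."""
    rows = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, src, dst, dport, action = m.groups()
            rows.append((datetime.fromisoformat(ts), src, dst, int(dport), action))
    return rows


def blaster_hits(rows):
    """Sources touching the Blaster shell port; a logging deny ACL exposes these directly."""
    return sorted({src for _, src, _, dport, _ in rows if dport == 4444})


def rpc_then_smb(rows, window=timedelta(minutes=10)):
    """(src, dst) pairs where src reached 135 and then 445 on dst within the window.
    Both ports are legitimate Microsoft traffic, so a per-port ACL cannot flag this;
    the sequence itself is the signal."""
    rpc_times = defaultdict(list)
    for ts, src, dst, dport, _ in rows:
        if dport == 135:
            rpc_times[(src, dst)].append(ts)
    flagged = set()
    for ts, src, dst, dport, _ in rows:
        if dport == 445 and any(timedelta(0) <= ts - t <= window
                                for t in rpc_times.get((src, dst), [])):
            flagged.add((src, dst))
    return sorted(flagged)
```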



The exploit at http://www.k-otik.com/exploits/09.16.MS03-039-exp.c.php is rather limited. It only creates a local administrator account named "e" with a password of "asd#321". But, it only works against Windows 2000 (English) with SP3 or SP4, if it works at all.

I've seen references to other exploits out there, along with some source
and executables, including one that is much more capable. It allegedly
works against all SP and language versions of both Windows 2000 and XP. It
gives access to a command shell that has Local System rights, and might
easily be modified to work as part of a universal worm package. Remember
that Blaster and Welchia/Nachia both had to "guess" whether they were
attacking W2K or XP. This new exploit works either way.

Here's a link to a screen shot of it:

http://haiyangtop.533.net/1.jpg

Rather than a sleeping bag, a one-way ticket to a nice uninhabited island
sounds better.

Jerry

-----Original Message-----
From: pdt@xxxxxxxxxxxxxx [mailto:pdt@xxxxxxxxxxxxxx]
Sent: Tuesday, September 16, 2003 8:05 PM
To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: RE: [Full-Disclosure] EXPLOIT : RPC DCOM (MS03-039)


Has anyone tested this exploit successfully? I haven't been able to make it work as of yet. I tried the Target 0 type and have the exact DLL versions referenced. Just wondering if this is BS or there is some other dependency on my test systems that isn't quite lining up.


Regardless, I think I am going to throw a sleeping bag in the back of the car on the way to work tomorrow; I think there are some long days coming up soon.


RPC DCOM long filename heap overflow Exploit (MS03-039)

http://www.k-otik.com/exploits/09.16.MS03-039-exp.c.php

blaster.b soon?



_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html


