To answer my own question, I just noticed this on the metasploit site : "Update: A return address has been identified for both Windows 2000 and Windows XP that works independent of the service pack. This information can be easily obtained by analyzing the DLL's that are loaded by the svchost.exe process"
On Mon, 28 Jul 2003, Robert Wesley McGrew wrote: > 2) For this DCOM RPC problem in particular, everyone's talking about > worms. How would the worm know what return address to use? Remote OS > fingerprinting would mean it would be relatively large, slow, and > unreliable (compared with Slammer), and sticking with one would cause more > machines to just crash than to spread the worm. I haven't looked into > this very closely yet to see if it can be generalized. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
