[Full-Disclosure] RPC exploit shutdown issue

2003-07-28 Thread morning_wood
after a successful exploit the "shutdown /A" command responds properly... morning_wood ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html

RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-28 Thread Nick FitzGerald
"Admin GSecur" <[EMAIL PROTECTED]> wrote: > I completely agree, unfortunately this is a constant problem in any > enterprise size network. So many times it only takes a less experienced > network admin to bring a network to its knees. True, but even that can be mitigated somewhat -- of course,

Re: [Full-Disclosure] Off-Topic: Defcon Meeting!

2003-07-28 Thread Gwendolynn ferch Elydyr
On 24 Jul 2003, Daniel Berg wrote: > i will think about some kind of possibility to make the meeting point > striking so that no one will miss it. if anyone has ideas feel free to > comment ;) I'd venture to suggest that having yourself thrown in the pool, fully dressed would be a useful identifie

[Full-Disclosure] 18 TARGET included on RPC DCOM Exploit ????

2003-07-28 Thread Stephen
Hi, when I was surfing in the wild I found an exploit named "Windows RPC DCOM Remote Exploit with 18 Targets" / // // Windows RPC DCOM Remote Exploit with 18 Targets // // Targets: //0 Win2k Polish nosp ver 5.00.21

RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-28 Thread Thiago Campos
You would kill the process. Sometimes the system will continue to run but not properly. Other times a reboot is necessary. - Thiago Campos > What if it just kept an internal list of return addresses and simply cycled > through them each in a separate thread until it was able to gain access to

[Full-Disclosure] [BUG-CORRECTION] IISShield logfile generation

2003-07-28 Thread Tiago Halm
Hi all, A problem was fixed in IISShield that concerned the start-up of the ISAPI Filter and was related to the log filename generation for the daily logfiles of IISShield. Downloadable zip file already has the mentioned fix. If anyone finds any other problems, please feel free to report them to

Re: [Full-Disclosure] dcom exploit code observations

2003-07-28 Thread Shanphen Dawa
I would also like to know, since I thought the remote computer would experience some sort of DoS instead of exploitation if the wrong return address was used. On Mon, 28 Jul 2003 22:20:20 +0200 Knud Erik Højgaard <[EMAIL PROTECTED]> wrote: > morning_wood wrote: > [snip] > > THIS IS NOT THE CASE..

Re: [Full-Disclosure] morning_wood should stop posting xss

2003-07-28 Thread Michael Renzmann
Hi. [EMAIL PROTECTED] wrote: kindergarten! i think this is multinational! Yes, it's an international kindergarten. Will this bashing ever end? Bye, Mike ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.ht

Re: [Full-Disclosure] Off-Topic: Defcon Meeting?

2003-07-28 Thread misiu_
Hey, about off topic, is there something like that in Germany too? Does somebody have the time to do it here? Can we get something together in Germany, hopefully the south? No discipline is ever requisite to force attendance upon lectures which are really worth the attending. -- Adam Smith, "The Wealth of

[Full-Disclosure] Exploited??

2003-07-28 Thread Hank Kester
Here I was, freshly installing Win2k with SP4. 4 error messages popped up in a row, unhandled exception in svchost.exe. I stupidly didn't get the locations, because I dismissed it as a random bug. It then occurred to me that this may be how the recent RPC exploits on the end user's system.

Re: Re: [Full-Disclosure] morning_wood should stop posting xss

2003-07-28 Thread misiu_
kindergarten! i think this is multinational! > The whole point, you moron, is that you are trying to gain credibility > as a security researcher. If your own web site has a so-called XSS > security hole that you love to post about, then you look like an > idiot. People, glass houses, stones,

RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-28 Thread Marc Maiffret
Most of the mail I have been reading on this list is rather incorrect. All this talk about hard coded offsets to specific OS patch levels is very old school. A worm wouldn't need to determine (brute force) what offset to use on the remote system or any of that sort of archaic technique, we're past t

RE: [Full-Disclosure] How to easily bypass a firewall...

2003-07-28 Thread Nate Johnson
> 4. Firewall doesn't allow programs to send commands to its dialog box > Analysis: Not possible due to Windows' messaging architecture. Any window > can send any command to any other window, and the destination > window has no > way of knowing if the key press was sent by a program or if it > a

Re: [Full-Disclosure] dcom exploit code observations

2003-07-28 Thread Knud Erik Højgaard
morning_wood wrote: [snip] > THIS IS NOT THE CASE... > this .bat works perfect... So somehow running the exploit from a .bat file with some shameless self-promotion makes svchost _not_ crash upon hitting a wrong return address? Would you care to elaborate on how you pull that off? -- kokanin ___

[Full-Disclosure] Shattering SEH II

2003-07-28 Thread Brett Moore
= = Shattering SEH II = = [EMAIL PROTECTED] = http://www.security-assessment.com = = Originally posted: July 28, 2003 = == Background == Following on fro

Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-28 Thread Valdis . Kletnieks
On Mon, 28 Jul 2003 12:10:56 CDT, Robert Wesley McGrew <[EMAIL PROTECTED]> said: > Any worm using this would need to know the return address before > attempting to exploit If a worm were to stick to targeting one return > address (say, English XP SP1), every time it ran across something slightly

[Full-Disclosure] IISShield Mailing List

2003-07-28 Thread thalm
As a follow-up to the previous announcement, we provide a mailing list for all comments, suggestions, bugs focusing on IISShield. The mailing list can be found at: http://groups.yahoo.com/group/IISShield/ Your valuable input is most appreciated! Regards, Tiago Halm == IISShie

RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-28 Thread gml
What if it just kept an internal list of return addresses and simply cycled through them each in a separate thread until it was able to gain access to the machine? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Wesley McGrew Sent: Monday, July 28,

Re: [Full-Disclosure] How to patch your systems (was Re: DCOM RPC exploit)

2003-07-28 Thread Bryon Roche
On Mon, Jul 28, 2003 at 02:12:31PM -0400, [EMAIL PROTECTED] wrote: > On Mon, 28 Jul 2003 14:08:06 EDT, [EMAIL PROTECTED] said: > > If you use Active Directory, why not assign the patch package to all > > computers? Shouldn't this be quite easy ? > > Yeah.. You assign the patch package, push it out

[Full-Disclosure] Browser on Windows

2003-07-28 Thread zorkshin
Does anyone know where I can find information about the Browser service in Windows? I am looking to research it a bit thanks, --Justin Shin ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html

RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-28 Thread Robert Wesley McGrew
On Mon, 28 Jul 2003, Schmehl, Paul L wrote: > > 2) For this DCOM RPC problem in particular, everyone's > > talking about worms. How would the worm know what return > > address to use? Remote OS fingerprinting would mean it would > > be relatively large, slow, and unreliable (compared with > >

Re: [Full-Disclosure] Win-Trap captured DCOM-RPC exploit code,on the spot!

2003-07-28 Thread zorkshin
Now you wouldn't be insinuating anything ILLEGAL, now would you? :) Are you talking about the OpenSSL dos sploit? :-) Justin ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html

Re: [Full-Disclosure] Remotely exploitable b/o/f in Apache+mod_mylo

2003-07-28 Thread GaLiaRePt
ct FreeBSD slightly more than Linux systems. > > Advisory + exploit attached. Exploit Sourcecode available at : http://www.security-corporation.com/exploits-20030728-000.html Regards, -- GaLiaRePt ___ Full-Disclosure - We believe in it. Charter:

[Full-Disclosure] DCOM Exploit : FAQ

2003-07-28 Thread Nicolas RUFF (lists)
Hi, Since many people seem to have the same problems again and again, I think it is time to write a little FAQ about the "dcom.c" exploit ... 1/ How do I find the right return address for my system ? - Get the right KERNEL32.DLL file (you can find it directly in the SP file). - Open it in your

Re: [Full-Disclosure] How to patch your systems (was Re: DCOM RPC exploit)

2003-07-28 Thread zorkshin
If you use Active Directory, why not assign the patch package to all computers? Shouldn't this be quite easy ? -- Justin On 07-28-2003 12:59 pm, you wrote: > Anybody got a automagic upgrade-it-all tool that gets *THIS* one right? > > http://support.microsoft.com/default.aspx?scid=kb;en-us;32429

Re: [Full-Disclosure] How to patch your systems (was Re: DCOM RPC exploit)

2003-07-28 Thread Valdis . Kletnieks
On Mon, 28 Jul 2003 14:08:06 EDT, [EMAIL PROTECTED] said: > If you use Active Directory, why not assign the patch package to all > computers? Shouldn't this be quite easy ? Yeah.. You assign the patch package, push it out - and find out that the patch doesn't actually *make* it to all the machines

Re: [Full-Disclosure] dcom exploit code observations

2003-07-28 Thread morning_wood
- Original Message - From: "john" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, July 28, 2003 7:42 AM Subject: [Full-Disclosure] dcom exploit code observations > Downloaded the revised exploit code by HD moore and got it compiled on a > linux box. > > There seems to either

[Full-Disclosure] weasel32, looking for gui developer and security metric

2003-07-28 Thread zorkshin
Hi guys -- We need to know if anyone can work on developing a GUI for a nessus command line which has been *successfully* compiled on Windows. I know about nessusWx but it lacks the look and feel of what we are trying to accomplish. If you are interested please email me and I can give you more de

Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-28 Thread Robert Wesley McGrew
To answer my own question, I just noticed this on the metasploit site : "Update: A return address has been identified for both Windows 2000 and Windows XP that works independent of the service pack. This information can be easily obtained by analyzing the DLL's that are loaded by the svchost.exe
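Nicolas RUFF's FAQ step above (pull the right KERNEL32.DLL out of the service pack and look up the address in a disassembler) and the metasploit update Robert quotes here (one address valid across service packs, found by analyzing the DLLs svchost.exe loads) both reduce to the same job: map a byte pattern in a module's code section back to its virtual address at the module's preferred load base, then keep only the addresses that hold the same bytes in every build. The Python below is an added example written for this digest; it is not code from either post, from dcom.c or from metasploit. It parses the PE section table, searches executable sections for the usual x86 trampoline encodings (jmp esp, call ebx and friends), and intersects the hits across images. It does not open a real KERNEL32.DLL: the two "builds" are constructed in-memory PE files with a made-up preferred base of 0x77E60000, so every address it prints is a fixture value and not an offset for any Windows release. Which register has to point at the overflowed buffer in the real exploit is not stated on this page and is not assumed here.

```python
"""Locate candidate return-address trampolines in PE images (added example)."""
import struct
from dataclasses import dataclass

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section characteristics flag from the PE spec

# x86 opcode encodings of the common indirect-branch trampolines.
GADGETS = {
    "jmp esp": b"\xff\xe4",
    "call esp": b"\xff\xd4",
    "jmp ebx": b"\xff\xe3",
    "call ebx": b"\xff\xd3",
}


@dataclass
class Section:
    name: str
    virtual_address: int
    raw_ptr: int
    raw_size: int
    characteristics: int


def parse_pe(pe: bytes):
    """Return (image_base, [Section]) from a PE32 or PE32+ image held in memory."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                              # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                                  # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                               # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    elif magic == 0x20B:                             # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    table = opt + size_of_opt                        # IMAGE_SECTION_HEADER[], 40 bytes each
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append(Section(name, va, raw_ptr, raw_size, chars))
    return image_base, sections


def find_gadgets(pe: bytes, pattern: bytes, executable_only: bool = True):
    """Virtual addresses of every occurrence of `pattern` at the preferred base.

    x86 decodes from any byte offset, so a hit need not lie on an instruction
    boundary of the original code; it is still a usable branch target.
    """
    image_base, sections = parse_pe(pe)
    hits = []
    for s in sections:
        if executable_only and not (s.characteristics & IMAGE_SCN_MEM_EXECUTE):
            continue                                 # skip data sections: not executable
        data = pe[s.raw_ptr:s.raw_ptr + s.raw_size]
        idx = data.find(pattern)
        while idx != -1:
            hits.append(image_base + s.virtual_address + idx)   # file offset -> RVA -> VA
            idx = data.find(pattern, idx + 1)
    return hits


def common_gadgets(images, pattern):
    """Addresses holding `pattern` in every image: the build-independent candidates.
    Only meaningful when all builds share one ImageBase (and nothing rebases them)."""
    return sorted(set.intersection(*(set(find_gadgets(i, pattern)) for i in images)))


def build_fake_pe(image_base, sections):
    """Constructed fixture: a minimal well-formed PE32 from (name, VA, bytes, flags)."""
    align, n = 0x200, len(sections)
    raw_ptr = -(-(0x40 + 4 + 20 + 224 + 40 * n) // align) * align
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, image_base)
    table, body = b"", b""
    for name, va, data, chars in sections:
        raw_size = -(-len(data) // align) * align
        table += struct.pack("<8sIIIIIIHHI", name, len(data), va, raw_size,
                             raw_ptr + len(body), 0, 0, 0, 0, chars)
        body += data.ljust(raw_size, b"\0")
    return (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(raw_ptr, b"\0") + body


TEXT = 0x60000020   # CNT_CODE | MEM_EXECUTE | MEM_READ
DATA = 0xC0000040   # CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE
BASE = 0x77E60000   # constructed preferred base standing in for a system DLL

# Two constructed "builds" of one DLL: the code differs, one call ebx survives in both.
BUILD_A = build_fake_pe(BASE, [
    (b".text", 0x1000, b"\x90" * 0x10 + b"\xff\xd3" + b"\x90" * 0x20 + b"\xff\xe4"
                       + b"\x90" * 0x100 + b"\xff\xd3", TEXT),
    (b".data", 0x3000, b"\xff\xd3", DATA),           # same bytes, but not executable
])
BUILD_B = build_fake_pe(BASE, [
    (b".text", 0x1000, b"\xcc" * 0x10 + b"\xff\xd3" + b"\xcc" * 0x40 + b"\xff\xd3", TEXT),
    (b".data", 0x3000, b"\xff\xd3", DATA),
])

if __name__ == "__main__":
    for label, img in (("build A", BUILD_A), ("build B", BUILD_B)):
        for gadget, pat in GADGETS.items():
            print(label, gadget, ["0x%08x" % a for a in find_gadgets(img, pat)])
    common = common_gadgets([BUILD_A, BUILD_B], GADGETS["call ebx"])
    print("call ebx present in every build:", ["0x%08x" % a for a in common])
```

To use it on real modules, pass `open(path, "rb").read()` for each service-pack copy of the same DLL in place of `BUILD_A` and `BUILD_B`. Two caveats a practitioner will hit: the address is only correct if the module actually loads at its preferred ImageBase (a relocated module, or a build that changed its base, gives an empty intersection or a wrong address), and the search deliberately ignores non-executable sections, since bytes in `.data` are not a valid branch target on a system that enforces execute permissions.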

[Full-Disclosure] How to patch your systems (was Re: DCOM RPC exploit)

2003-07-28 Thread Valdis . Kletnieks
Anybody got a automagic upgrade-it-all tool that gets *THIS* one right? http://support.microsoft.com/default.aspx?scid=kb;en-us;324292 (Yes, an older article, but it's the sort of thing that bites you when you're trying to do mass upgrades)

Re: [Full-Disclosure] Win-Trap captured DCOM-RPC exploit code, on the spot!

2003-07-28 Thread Anne Carasik
I don't think you have too much to worry about anymore. From http://www.phsecurity.com, their account appears to be suspended. -Anne Knud Erik Højgaard grabbed a keyboard and typed... > Executable Security wrote: > [snip disgusting commercial] > > Why dont you people fuck off and die die die? S

RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-28 Thread Admin GSecur
I completely agree, unfortunately this is a constant problem in any enterprise size network. So many times it only takes a less experienced network admin to bring a network to its knees. Personally I have found an aggressive and continuous network auditing policy by the corporation can help nega

RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-28 Thread Ron DuFresne
[SNIP] > This is simply and plainly false. I don't know why people can't seem to > grasp this. I know of several major corporations who not only had > 1434/UDP blocked at the firewall but also on a number of internal > routers *and* had aggressive patching programs, and they *still* > s

[Full-Disclosure] Cisco Security Advisory: HTTP GET Vulnerability in AP1x00

2003-07-28 Thread Cisco Systems Product Security Incident Response Team
http://www.cisco.com/warp/public/707/cisco-sa-20030728-ap1x00.shtml. The external report can be found at http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-2003002.htm. Although it mentions two issues only one is addressed by this advisory. The other issue

[Full-Disclosure] Cisco Aironet AP 1100 Malformed HTTP Request Crash Vulnerability

2003-07-28 Thread Réda Zitouni
://cve.mitre.org/ ) was contacted and assigned CAN-2003-0511 to this vulnerability. Links: Cisco Advisory: http://www.cisco.com/warp/public/707/cisco-sa-20030728-ap1x00.shtml ; Vigilante Advisory: http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-2003001.htm ; Product Homepage: http

RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-28 Thread Schmehl, Paul L
> -Original Message- > From: Ron DuFresne [mailto:[EMAIL PROTECTED] > Sent: Monday, July 28, 2003 10:46 AM > To: Schmehl, Paul L > Cc: Robert Wesley McGrew; [EMAIL PROTECTED] > Subject: RE: [Full-Disclosure] DCOM RPC exploit (dcom.c) > > And those sites during slammer that blocked 1434, a

[Full-Disclosure] Cisco Aironet AP1100 Valid Account Disclosure Vulnerability

2003-07-28 Thread Réda Zitouni
VIGILANTe Security Watch Advisory. Name: Cisco Aironet AP1100 Valid Account Disclosure Vulnerability. Systems Affected: Tested on a Cisco Aironet AP1100 Model 1120B Series Wireless device, firmware version 12.2(4)JA and earlier. NB: A large number of Cisco IOSes are affected by this flaw. Severi

Re: [Full-Disclosure] Win-Trap captured DCOM-RPC exploit code, on the spot!

2003-07-28 Thread Knud Erik Højgaard
Executable Security wrote: [snip disgusting commercial] Why dont you people fuck off and die die die? Spamming the list is one thing, which should be punished, but spamming my private inbox is worse. It seems www.phsecurity.com runs some old version of openssl, any takers? [EMAIL PROTECTED] spam

Re: Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-28 Thread Dan Stromberg
On Sun, 2003-07-27 at 12:25, David R. Piegdon wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > > IMHO it is TIME to sue corporations like microsoft for their stupidity > - and their belief that people/customers are even more stupid. > they sell their software and tell about their "g

RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-28 Thread Ron DuFresne
[SNIP] > > What fingerprinting? If you've got 135/UDP open to the Internet, you're > screwed. Slammer didn't fingerprint. It simply hit every box it could > find on port 1434/UDP, and the exploit either worked or it didn't. Most > worms do the same. They attack indiscriminately, and

Re: [Full-Disclosure] dcom exploit code observations

2003-07-28 Thread Preston Newton
More observations: After exploiting a windows 2000 SP3 system the "PASTE" function is not working anymore. The "COPY" and "CUT" functions appear to work but paste is grayed out, and even CTRL+V doesn't work. Also you can't move files or folders around within the Explorer shell window. Is this ha

RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-28 Thread Schmehl, Paul L
> -Original Message- > From: Robert Wesley McGrew [mailto:[EMAIL PROTECTED] > Sent: Monday, July 28, 2003 3:01 AM > To: [EMAIL PROTECTED] > Subject: Re: [Full-Disclosure] DCOM RPC exploit (dcom.c) > > 1) How would you propose to change the > scene/industry/community of security in such a

RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-28 Thread John . Airey
> -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > Sent: 27 July 2003 16:38 > To: Nathan Seven > Cc: [EMAIL PROTECTED] > Subject: Re: [Full-Disclosure] DCOM RPC exploit (dcom.c) > [snip] > > It may be a corner case, but based on the number of sites > that got nai

[Full-Disclosure] dcom exploit code observations

2003-07-28 Thread john
Downloaded the revised exploit code by HD Moore and got it compiled on a linux box. There seems to either be some flaws in the exploit code or just a general instability of the rpc service. If the code is run against a vulnerable box and the right SP level setting is not correct it crashes the rp

[Full-Disclosure] DCOM RPC exploit failed

2003-07-28 Thread test test
Hi, I have to test our system: WindowsNT 4 Workstation (Japanese Version), Windows2000 Pro (Japanese Version), WindowsXP (Japanese Version) for our company's security_up. Does anyone know what the correct offset is? please help. __

[Full-Disclosure] Remotely exploitable b/o/f in Apache+mod_mylo

2003-07-28 Thread Carl Livitt
There exists a remotely exploitable buffer overflow in the mod_mylo module for apache. It is a relatively obscure MySQL logging module for Apache that appears not to be in widespread use at present. However, it is present in the FreeBSD ports collection so may affect FreeBSD slightly more than

[Full-Disclosure] Dcom

2003-07-28 Thread Joe Fialkowski
Anyone know why if you run this against an XP SP0 twice it sends a shutdown command to the box?   Cheers,   Dr.F33LG00D

[Full-Disclosure] How to easily bypass a firewall...

2003-07-28 Thread Sir Humpsalot
Whenever a program first tries to access the Internet, most/all personal firewalls display a dialog box asking the user if he/she wants to allow program "This is a Trojan.exe" to access the Internet. If the user wants "This is a Trojan.exe" to access the Internet, he/she clicks "Remember my ans

RE: [Full-Disclosure] mailinglists and links

2003-07-28 Thread Blake Wiedman
http://www.governmentsecurity.org http://www.how-to-hack.org - Don't let the name fool you, a great site. ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html

RE: [Full-Disclosure] mailinglists and links

2003-07-28 Thread Hall, Chadd
www.securitynewsportal.com, www.infosyssec.com C -Original Message- From: subscribe [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2003 5:21 AM To: [EMAIL PROTECTED] Subject: [Full-Disclosure] mailinglists and links Hi list, this maybe a off topic, but I'll post it anyways. I've been

Re: [Full-Disclosure] DCOM RPC exploit failed

2003-07-28 Thread devnull
On Mon, 28 Jul 2003 08:36 pm, Richard Stevens wrote: > Has anyone got this working on NT4 systems? Nope. The dcom.c exploit posted here won't work, as the correct offset for NT4 systems isn't defined in the program. Does anyone know what the correct offset is? ___

RE: [Full-Disclosure] DCOM RPC exploit (dcom.c) (fwd)

2003-07-28 Thread Andy Wood
Thanks, 0. Users: There are inexpensive tools to take care of this for you. Dameware NT utilities is one. If you're an admin and haven't touched this one you're missing out. A few clicks of the mouse and all you can hope for can come true. It also can be used on both sides of

RE: [Full-Disclosure] DCOM RPC exploit failed

2003-07-28 Thread Ben Tyson-Norrman
Kills Visio stone dead - loads as a background process, but never appears. Or opens Visio (once you kill the process, then has memory over-write problems. This is after rebooting (twice) on Windows 2000 sp4 (server and workstation) So

[Full-Disclosure] DCOM RPC exploit - offset German Version

2003-07-28 Thread Peter Meisner
Hi, does anybody know the offset for the German Win2k Versions ? regards ___ Full-Disclosure - We believe in it. Charter: h

RE: [Full-Disclosure] DCOM RPC exploit failed

2003-07-28 Thread Richard Stevens
Has anyone got this working on NT4 systems? ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html

Re: [Full-Disclosure] TEXT/PLAIN: ALERT("OUTLOOK EXPRESS")

2003-07-28 Thread pre
Quoting "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>: > > Friday, July 25, 2003 > > Active Scripting and HTML in a plain text mail message: > > MIME-Version: 1.0 > Content-Type: text/plain; > Content-Transfer-Encoding: 7bit > X-Source: 25.07.03 http://www.malware.com > > foo > This is a well kno

[Full-Disclosure] mailinglists and links

2003-07-28 Thread subscribe
Hi list, this may be a bit off topic, but I'll post it anyways. I've been searching on the web for security resources like mailinglists and forums. There are many resources out there, and many websites that are not serious. I've found some that I've joined, like this one, and I'm happy if I can get so

[Full-Disclosure] moroning_wood is a criminal (was Re: Full-Disclosure digest, Vol 1 #977 - 35 msgs)

2003-07-28 Thread dnv
On Sun, 27 Jul 2003 10:23:01 -0700 morning_wood <[EMAIL PROTECTED]> wrote: [snip] > I've managed to be successful in exploiting WinXP ( option 5 and >6 ) and Win2k ( option 4 ) with the dcom32.exe sample, on machines >in the wild. Exploiting machines in the wild. Are we talking breaking into oth

Re: [Full-Disclosure] DCOM RPC exploit failed

2003-07-28 Thread Christopher Kunz
Thiago Campos wrote: > Hi > > With the Portuguese version of Windows XP using the offset from Windows XP SP1 english something different occurs. A window with a 30 seconds countdown and these sentences appears: > > "You are not a valid administrator. Your computer will be powered off" Similar Do

Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-28 Thread Robert Wesley McGrew
As good a point as any to jump into this, with a couple of questions to steer conversation towards something resembling productivity ;). For the record, I support full-disclosure with "reasonable" vendor notification, taking into account a time to acknowledge and a time to patch, and I also suppo