after a successful exploit the "shutdown /A" command responds properly...
morning_wood
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
"Admin GSecur" <[EMAIL PROTECTED]> wrote:
> I completely agree, unfortunately this is a constant problem in any
> enterprise size network. So many times it only takes a less experienced
> network admin to bring a network to its knees.
True, but even that can be mitigated somewhat -- of course,
On 24 Jul 2003, Daniel Berg wrote:
> i will think about some kind of possibility to make the meeting point
> striking so that no one will miss it. if anyone has ideas feel free to
> comment ;)
I'd venture to suggest that having yourself thrown in the pool, fully
dressed would be a useful identifie
Hi,
When I was surfing in the wild I found an exploit
named "Windows RPC DCOM Remote Exploit with 18
Targets"
/
//
// Windows RPC DCOM Remote Exploit with 18 Targets
//
// Targets:
//0 Win2k Polish nosp ver 5.00.21
You would kill the process. Sometimes the system will
continue to run but not properly. Other times a reboot
is necessary.
- Thiago Campos
> What if it just kept an internal list of return addresses and simply cycled
> through them each in a separate thread until it was able to gain access to
Hi all,
A problem was fixed in IISShield that concerned the start-up of the ISAPI
Filter and was related to the log filename generation for the daily logfiles
of IISShield.
Downloadable zip file already has the mentioned fix.
If anyone finds any other problems, please feel free to report them to
I would also like to know, since I thought the remote computer would experience some
sort of DoS instead of exploitation if the wrong return address was used.
On Mon, 28 Jul 2003 22:20:20 +0200
Knud Erik Højgaard <[EMAIL PROTECTED]> wrote:
> morning_wood wrote:
> [snip]
> > THIS IS NOT THE CASE..
Hi.
[EMAIL PROTECTED] wrote:
Kindergarten! I think this is multinational!
Yes, it's an international kindergarten.
Will this bashing ever end?
Bye, Mike
Hey, speaking of off topic,
is there something like that in Germany too??
Does somebody have the time to do it here???
Can we get something together in Germany, hopefully in the south?
No discipline is ever requisite to force attendance upon lectures
which are really worth the attending.
-- Adam Smith, "The Wealth of
Here I was, freshly installing Win2k with SP4. Four
error messages popped up in a row: unhandled exception in svchost.exe. I
stupidly didn't get the locations, because I dismissed it as a random
bug.
It then occurred to me that this may be how the
recent RPC exploits on the end user's system.
Kindergarten! I think this is multinational!
> The whole point, you moron, is that you are trying to gain credibility
> as a security researcher. If your own web site has a so-called XSS
> security hole that you love to post about, then you look like an
> idiot. People, glass houses, stones,
Most of the mail I have been reading on this list is rather incorrect. All
this talk about hard-coded offsets to specific OS patch levels is very old
school. A worm wouldn't need to determine (brute force) what offset to use
on the remote system or any of that sort of archaic technique, we're past t
> 4. Firewall doesn't allow programs to send commands to its dialog box
> Analysis: Not possible due to Windows' messaging architecture. Any window
> can send any command to any other window, and the destination
> window has no
> way of knowing if the key press was sent by a program or if it
> a
morning_wood wrote:
[snip]
> THIS IS NOT THE CASE...
> this .bat works perfect...
So somehow running the exploit from a .bat file with some shameless
selfpromotion makes svchost _not_ crash upon hitting a wrong return address?
Would you care to elaborate on how you pull that off?
--
kokanin
=
= Shattering SEH II
=
= [EMAIL PROTECTED]
= http://www.security-assessment.com
=
= Originally posted: July 28, 2003
=
== Background ==
Following on fro
On Mon, 28 Jul 2003 12:10:56 CDT, Robert Wesley McGrew <[EMAIL PROTECTED]> said:
> Any worm using this would need to know the return address before
> attempting to exploit. If a worm were to stick to targeting one return
> address (say, English XP SP1), every time it ran across something slightly
As a follow-up to the previous announcement, we provide a mailing list for all
comments, suggestions, bugs focusing on IISShield.
The mailing list can be found at:
http://groups.yahoo.com/group/IISShield/
Your valuable input is most appreciated!
Regards,
Tiago Halm
== IISShie
What if it just kept an internal list of return addresses and simply cycled
through them each in a separate thread until it was able to gain access to
the machine?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robert Wesley
McGrew
Sent: Monday, July 28,
On Mon, Jul 28, 2003 at 02:12:31PM -0400, [EMAIL PROTECTED] wrote:
> On Mon, 28 Jul 2003 14:08:06 EDT, [EMAIL PROTECTED] said:
> > If you use Active Directory, why not assign the patch package to all
> > computers? Shouldn't this be quite easy?
>
> Yeah.. You assign the patch package, push it out
Does anyone know where I can find information about the Browser service in Windows? I
am looking to research it a bit
thanks,
--Justin Shin
On Mon, 28 Jul 2003, Schmehl, Paul L wrote:
> > 2) For this DCOM RPC problem in particular, everyone's
> > talking about worms. How would the worm know what return
> > address to use? Remote OS fingerprinting would mean it would
> > be relatively large, slow, and unreliable (compared with
> >
Now you wouldn't be insinuating anything ILLEGAL, now would you? :) Are you talking
about the OpenSSL dos sploit?
:-) Justin
ct FreeBSD slightly more than Linux systems.
>
> Advisory + exploit attached.
Exploit Sourcecode available at :
http://www.security-corporation.com/exploits-20030728-000.html
Regards,
--
GaLiaRePt
Hi,
Since many people seem to have the same problems again and again, I
think it is time to write a little FAQ about the "dcom.c" exploit ...
1/ How do I find the right return address for my system?
- Get the right KERNEL32.DLL file (you can find it directly in the SP file).
- Open it in your
If you use Active Directory, why not assign the patch package to all
computers? Shouldn't this be quite easy?
-- Justin
On 07-28-2003 12:59 pm, you wrote:
> Anybody got an automagic upgrade-it-all tool that gets *THIS* one right?
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;32429
On Mon, 28 Jul 2003 14:08:06 EDT, [EMAIL PROTECTED] said:
> If you use Active Directory, why not assign the patch package to all
> computers? Shouldn't this be quite easy?
Yeah.. You assign the patch package, push it out - and find out that the
patch doesn't actually *make* it to all the machines
- Original Message -
From: "john" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, July 28, 2003 7:42 AM
Subject: [Full-Disclosure] dcom exploit code observations
> Downloaded the revised exploit code by HD Moore and got it compiled on a
> linux box.
>
> There seems to either
Hi guys --
We need to know if anyone can work on developing a GUI for a nessus
command line which has been *successfully* compiled on Windows. I know
about nessusWx but it lacks the look and feel of what we are trying to
accomplish. If you are interested please email me and I can give you
more de
To answer my own question, I just noticed this on the metasploit site :
"Update: A return address has been identified for both Windows 2000 and
Windows XP that works independent of the service pack. This information
can be easily obtained by analyzing the DLL's that are loaded by the
svchost.exe
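Both the FAQ step earlier in this thread (pull the right KERNEL32.DLL out of the SP package and open it in a disassembler) and the metasploit note just above (a return address that works across service packs, found by analyzing the DLLs svchost.exe loads) come down to the same job: find a "jmp esp" or "call ebx" instruction in a module that is mapped at a fixed, known base, and use its virtual address as the overwritten return address. The following is an added example written for this page; it is not code from dcom.c, metasploit or the original posts. It is a minimal PE32 scanner that does that search, plus a check that the resulting address has no NUL byte. The function names, the synthetic in-memory PE it builds to run offline, and the image base 0x77E80000 are all assumptions for illustration, not a real kernel32.dll layout.

```python
import struct
import sys

# Opcode sequences for the two gadget types classic Win32 stack overflows
# return into: "jmp esp" (FF E4) and "call ebx" (FF D3). Extend as needed.
GADGETS = {
    b"\xff\xe4": "jmp esp",
    b"\xff\xd3": "call ebx",
}


def parse_pe(data):
    """Read just enough of a PE32 image (bytes) to map file offsets to
    virtual addresses: returns (image_base, [(name, rva, raw_ptr, raw_size)])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                      # IMAGE_OPTIONAL_HEADER
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + 40 * i                    # IMAGE_SECTION_HEADER
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, rva, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, rva, raw_ptr, raw_size))
    return image_base, sections


def find_gadgets(data):
    """Scan each section's raw bytes for GADGETS and return a sorted list of
    (virtual_address, mnemonic, section_name). The VA assumes the module is
    mapped at its preferred ImageBase, i.e. not relocated."""
    image_base, sections = parse_pe(data)
    hits = []
    for name, rva, raw_ptr, raw_size in sections:
        blob = data[raw_ptr:raw_ptr + raw_size]
        for opcode, mnemonic in GADGETS.items():
            pos = blob.find(opcode)
            while pos != -1:
                hits.append((image_base + rva + pos, mnemonic, name))
                pos = blob.find(opcode, pos + 1)
    return sorted(hits)


def address_bytes_ok(va, bad=b"\x00"):
    """True if the little-endian encoding of va contains none of the bad
    bytes; an address with a NUL in it is cut short by any strcpy-style copy."""
    return not any(b in bad for b in struct.pack("<I", va))


def build_sample_pe(code, image_base=0x77E80000, text_rva=0x1000):
    """Construct a minimal, synthetic PE32 image in memory (NOT a real
    kernel32.dll; base and layout are made up) with one .text section
    holding `code`, so the scanner can be exercised offline."""
    size_opt, raw_ptr = 96, 0x200                        # PE32, no data directories
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew -> "PE\0\0"
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x2102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)          # ImageBase
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), text_rva,
                       len(code), raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return header.ljust(raw_ptr, b"\0") + code


# Constructed sample code bytes: nop; nop; jmp esp; push ebp; mov ebp,esp; call ebx
SAMPLE_CODE = b"\x90\x90\xff\xe4\x55\x8b\xec\xff\xd3"

if __name__ == "__main__":
    if len(sys.argv) > 1:                                # e.g. python scan_gadgets.py KERNEL32.DLL
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:                                                # no file given: use the synthetic image
        data = build_sample_pe(SAMPLE_CODE)
    for va, mnemonic, section in find_gadgets(data):
        flag = "" if address_bytes_ok(va) else "  (contains NUL byte)"
        print(f"0x{va:08x}  {mnemonic:<8} in {section}{flag}")
```

Run against a real DLL the script prints every candidate address; whether one is "universal" in the sense of the metasploit note depends on two things the scanner cannot see: the module must load at its preferred base on the target (no relocation), and the bytes at that offset must be identical in every build you intend to hit. That is exactly why the FAQ tells you to take KERNEL32.DLL from the SP package for your own system, and why an address picked for English XP SP1 turns into a crashed svchost.exe on a Polish Win2k or a German Win2k box rather than a shell.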
Anybody got a automagic upgrade-it-all tool that gets *THIS* one right?
http://support.microsoft.com/default.aspx?scid=kb;en-us;324292
(Yes, an older article, but it's the sort of thing that bites you when you're
trying to do mass upgrades)
I don't think you have too much to worry about anymore.
From http://www.phsecurity.com, their account appears to
be suspended.
-Anne
Knud Erik Højgaard grabbed a keyboard and typed...
> Executable Security wrote:
> [snip disgusting commercial]
>
> Why don't you people fuck off and die die die? S
I completely agree, unfortunately this is a constant problem in any
enterprise size network. So many times it only takes a less experienced
network admin to bring a network to its knees.
Personally I have found an aggressive and continuous network auditing
policy by the corporation can help nega
[SNIP]
> This is simply and plainly false. I don't know why people can't seem to
> grasp this. I know of several major corporations who not only had
> 1434/UDP blocked at the firewall but also on a number of internal
> routers *and* had aggressive patching programs, and they *still*
> s
http://www.cisco.com/warp/public/707/cisco-sa-20030728-ap1x00.shtml.
The external report can be found at
http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-2003002.htm.
Although it mentions two issues, only one is addressed by
this advisory. The other issue
://cve.mitre.org/ ) was contacted and
assigned CAN-2003-0511 to this vulnerability.
Links:
* Cisco Advisory: http://www.cisco.com/warp/public/707/cisco-sa-20030728-ap1x00.shtml
* Vigilante Advisory: http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-2003001.htm
* Product Homepage: http
> -Original Message-
> From: Ron DuFresne [mailto:[EMAIL PROTECTED]
> Sent: Monday, July 28, 2003 10:46 AM
> To: Schmehl, Paul L
> Cc: Robert Wesley McGrew; [EMAIL PROTECTED]
> Subject: RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)
>
> And those sites during slammer that blocked 1434, a
VIGILANTe Security Watch Advisory
Name: Cisco Aironet AP1100 Valid Account Disclosure Vulnerability
Systems Affected: Tested on a Cisco Aironet AP1100 Model 1120B Series Wireless device. Firmware version 12.2(4)JA and earlier. NB: A large number of Cisco IOSes are affected by this flaw.
Severi
Executable Security wrote:
[snip disgusting commercial]
Why don't you people fuck off and die die die? Spamming the list is one
thing, which should be punished, but spamming my private inbox is worse.
It seems www.phsecurity.com runs some old version of openssl, any takers?
[EMAIL PROTECTED] spam
On Sun, 2003-07-27 at 12:25, David R. Piegdon wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
>
> IMHO it is TIME to sue corporations like microsoft for their stupidity
> - and their belief that people/customers are even more stupid.
> they sell their software and tell about their "g
[SNIP]
>
> What fingerprinting? If you've got 135/UDP open to the Internet, you're
> screwed. Slammer didn't fingerprint. It simply hit every box it could
> find on port 1434/UDP, and the exploit either worked or it didn't. Most
> worms do the same. They attack indiscriminately, and
More observations:
After exploiting a windows 2000 SP3 system the "PASTE" function is not
working anymore. The "COPY" and "CUT" functions appear to work but
paste is grayed out, and even CTRL+V doesn't work. Also you can't move
files or folders around within the Explorer shell window. Is this
ha
> -Original Message-
> From: Robert Wesley McGrew [mailto:[EMAIL PROTECTED]
> Sent: Monday, July 28, 2003 3:01 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)
>
> 1) How would you propose to change the
> scene/industry/community of security in such a
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: 27 July 2003 16:38
> To: Nathan Seven
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)
>
[snip]
>
> It may be a corner case, but based on the number of sites
> that got nai
Downloaded the revised exploit code by HD Moore and got it compiled on a
linux box.
There seems to either be some flaws in the exploit code or just a
general instability of the rpc service.
If the code is run against a vulnerable box and the SP level
setting is not correct, it crashes the rp
Hi,
I have to test our system
 WindowsNT 4 Workstation (Japanese Version)
 Windows2000 Pro (Japanese Version)
 WindowsXP (Japanese Version)
for our company's security_up.
Does anyone know what the correct offset is?
Please help.
__
There exists a remotely exploitable buffer overflow in the mod_mylo module for
Apache.
It is a relatively obscure MySQL logging module for Apache that appears not to
be in widespread use at present. However, it is present in the FreeBSD ports
collection so may affect FreeBSD slightly more than
Anyone know why if you run this against an XP SP0
twice it sends a shutdown command to the box?
Cheers,
Dr.F33LG00D
Whenever a program first tries to access the Internet, most/all personal
firewalls display a dialog box asking the user if he/she wants to allow
program "This is a Trojan.exe" to access the Internet. If the user wants
"This is a Trojan.exe" to access the Internet, he/she clicks "Remember my
ans
http://www.governmentsecurity.org http://www.how-to-hack.org - Don't
let the name fool you, a great site.
www.securitynewsportal.com, www.infosyssec.com
C
-Original Message-
From: subscribe [mailto:[EMAIL PROTECTED]
Sent: Monday, July 28, 2003 5:21 AM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] mailinglists and links
Hi list,
this may be off topic, but I'll post it anyways. I've been
On Mon, 28 Jul 2003 08:36 pm, Richard Stevens wrote:
> Has anyone got this working on NT4 systems?
Nope. The dcom.c exploit posted here won't work, as the correct offset for NT4
systems isn't defined in the program.
Does anyone know what the correct offset is?
Thanks, 0.
Users:
There are inexpensive tools to take care of this for you. DameWare
NT Utilities is one. If you're an admin and haven't touched this one you're
missing out. A few clicks of the mouse and all you can hope for can come
true. It also can be used on both sides of
Title: RE: [Full-Disclosure] DCOM RPC exploit failed
Kills Visio stone dead - loads as a background process, but never appears. Or opens Visio (once you kill the process), then has memory overwrite problems
This is after rebooting (twice) on Windows 2000 sp4 (server and workstation)
So
Hi,
Does anybody know the offset for the German Win2k versions?
regards
--
+++ GMX - Mail, Messaging & more http://www.gmx.net +++
Sign up or switch now and secure a USB memory watch as a bonus!
Has anyone got this working on NT4 systems?
Quoting "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>:
>
> Friday, July 25, 2003
>
> Active Scripting and HTML in a plain text mail message:
>
> MIME-Version: 1.0
> Content-Type: text/plain;
> Content-Transfer-Encoding: 7bit
> X-Source: 25.07.03 http://www.malware.com
>
> foo
>
This is a well kno
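The quoted test above declares its body text/plain and then puts markup in it; the risk is a mail client that renders by sniffing the content instead of honouring the declared type. On the gateway side the useful check is the inverse: flag any part declared text/plain whose decoded body carries active markup, while leaving genuine text/html parts alone. The following is an added example for this page, not code from the original post or from malware.com; the function name is an assumption, and the three messages it parses are constructed here (modelled on the quoted headers), not captured mail.

```python
import email
import re

# Markup that has no business inside a part declared text/plain. A client
# that sniffs content instead of honouring the declared type may render it.
ACTIVE_MARKUP = re.compile(
    rb"<\s*(script|iframe|object|embed|html|body)\b", re.IGNORECASE)


def suspicious_plain_parts(raw_message):
    """Parse a raw RFC 822 message (bytes) and return [(part_index, tag), ...]
    for every text/plain part whose decoded body contains active markup.
    Parts declared text/html are legitimately HTML and are not reported."""
    msg = email.message_from_bytes(raw_message)
    findings = []
    for idx, part in enumerate(msg.walk()):
        if part.get_content_type() != "text/plain":
            continue
        body = part.get_payload(decode=True) or b""
        match = ACTIVE_MARKUP.search(body)
        if match:
            findings.append((idx, match.group(1).decode("ascii").lower()))
    return findings


# Constructed sample modelled on the headers quoted above; not a captured message.
SAMPLE_MESSAGE = (
    b"From: sender@example.invalid\r\n"
    b"To: victim@example.invalid\r\n"
    b"Subject: constructed sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain;\r\n"
    b"Content-Transfer-Encoding: 7bit\r\n"
    b"\r\n"
    b"foo\r\n"
    b"<script>alert('rendered despite text/plain')</script>\r\n"
)

# A harmless plain-text mail; a stray '<' in prose must not trigger a finding.
CLEAN_MESSAGE = (
    b"From: sender@example.invalid\r\n"
    b"Subject: constructed clean sample\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"note that 1 < 2 and <this> is not a tag we care about\r\n"
)

# multipart/alternative with a clean text/plain part and a real text/html part;
# the HTML part is declared as such, so nothing is reported.
MULTIPART_MESSAGE = (
    b"From: sender@example.invalid\r\n"
    b"Subject: constructed multipart sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/alternative; boundary=\"b1\"\r\n"
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"hello\r\n"
    b"--b1\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body><script>x()</script></body></html>\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_MESSAGE), ("clean", CLEAN_MESSAGE),
                       ("multipart", MULTIPART_MESSAGE)):
        print(label, suspicious_plain_parts(raw))
```

The check deliberately keys on the declared Content-Type rather than on the presence of markup anywhere, because HTML mail with a text/html part is normal; the anomaly worth acting on is markup inside a part that claims to be plain text.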
Hi list,
this may be off topic, but I'll post it anyways. I've been searching
on the web for security resources like mailinglists and forums. There
are many resources out there, and many websites that are not serious.
I've found some that I've joined, like this one, and I'm happy if I
can get so
On Sun, 27 Jul 2003 10:23:01 -0700 morning_wood <[EMAIL PROTECTED]>
wrote:
[snip]
> I've managed to be successful in exploiting WinXP ( option 5 and
>6 ) and Win2k ( option 4 ) with the dcom32.exe sample, on machines
>in the wild.
Exploiting machines in the wild. Are we talking breaking into oth
Thiago Campos wrote:
> Hi
>
> With the Portuguese version of Windows XP using the offset from
Windows XP SP1 english something different occurs. A window with a 30
seconds countdown and these sentences appear:
>
> "You are not a valid administrator. Your computer will be powered off"
Similar Do
As good a point as any to jump into this, with a couple of questions to
steer conversation towards something resembling productivity ;). For the
record, I support full-disclosure with "reasonable" vendor notification,
taking into account a time to acknowledge and a time to patch, and I also
suppo