
Thread: RPC / DCom exploit

  1. #1
    Senior Member
    Join Date
    May 2003
    Posts
    207

    RPC / DCom exploit

    I don't know if anybody has heard of the RPC / DCOM exploit for Win2k and WinXP, but it's pretty nasty. A simple .exe will give a full shell, or DOS prompt, to the host with merely the target IP and OS type (XP or 2k).

    I strongly advise that everybody running XP or 2K out there run Windows Update; there is a patch for this exploit. Patch Info

    Again, this is some nasty sh*t and a pretty bad exploit. Be advised.

  2. #2
    Senior Member
    Join Date
    Apr 2002
    Posts
    1,050
    Is this the first time this has been posted here? It's been around for about a week now. There is also a worm too, based on the sploit. The next Code Red maybe?
    By the sacred **** of the sacred psychedelic tibetan yeti ....We'll smoke the chinese out
    The 20th century pharaohs have the slaves demanding work
    http://muaythaiscotland.com/

  3. #3
    Originally posted here by prodikal
    Is this the first time this has been posted here? It's been around for about a week now. There is also a worm too, based on the sploit. The next Code Red maybe?
    This has been posted a couple of times before.
    A simple search for 'RPC' will reveal most (if not all) the threads that discussed this vulnerability before.

    I read about that 'code red' factor.
    All I can say is: I am keeping my eyes on my logs.

    Have a nice day.

  4. #4
    Senior Member
    Join Date
    May 2003
    Posts
    207
    hrrmm... quite true... but more and more script kiddies are getting their hands on the exploit, and it's getting way out of hand.

  5. #5
    Senior Member
    Join Date
    Apr 2002
    Posts
    1,050
    Well, of course there are about 12 proofs of concept and a worm released. I've seen one with 19 targets on it.

    Here's the proof of concept.

    As if it's hard to find a variant of it, and with my own testing it works fairly well. If all goes well you should see:

    - Remote DCOM RPC Buffer Overflow Exploit
    - Original code by FlashSky and Benjurry
    - Rewritten by HDM <hdm [at] metasploit.com>
    - Using return address of 0x77e9afe3
    - Dropping to System Shell...

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\WINDOWS\system32>
    No boxes were harmed in the given example

    Also note that this will mostly affect home users, which is a bad threat with more and more home users switching to high speed modems. Imagine thousands, maybe even millions, of home users running a bot that connects back to an IRC chan that's set up to DoS whatever the person at the 'wheel' feels like.

    Scary, huh?

  6. #6
    Senior Member
    Join Date
    May 2003
    Posts
    207
    yessir... i do have a copy of that code

    and yes indeed, this exploit is one hell of a scary thing. full access to 90% of people with XP or 2K, crazy stuff.

  7. #7
    Senior Member
    Join Date
    Apr 2002
    Posts
    1,050
    Ya, but as I said, it's only mostly home users. I only know of one person who's caught a webserver with it, and it was a .edu somewhere. It's supposed to be Microsoft's biggest sploit in the OS yet. All the more reason to switch to *nix; there is never this much widespread panic.

  8. #8
    Senior Member
    Join Date
    May 2003
    Posts
    207
    most definitely... *nix systems are far superior, but ya still almost have to have XP, especially if you're like me at college

  9. #9
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    OK, let's not forget that this exploit can only work if your RPC ports are exposed, which a personal firewall protects straight out of the box. I really don't see a mass stampede of users switching to Linux when they can just about use Windows. I can see the sale of firewalls increasing.

    I really have to wonder why this fact isn't forced down the public's throat. All I keep reading is how dangerous this can be and nothing about how simple it would be to prevent it.

    I don't know what this code will do 'as is' yet, but the code originally posted by Xfocus will only cause svchost to crash unless the code is tweaked.

  10. #10
    Senior Member
    Join Date
    May 2003
    Posts
    207
    ahh... and not JUST firewalls... just about every user behind a router even is protected from this exploit
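
Posts #9 and #10 make the point that the exploit needs reachable RPC ports, and post #3 mentions watching logs. The following is an added example, not posted by any participant in this thread: a Python sketch that tallies connection attempts to the RPC endpoint mapper in a Windows Firewall style log and reports sources that were not dropped. TCP port 135 is general knowledge rather than something stated in the thread, and the log lines and `LOCAL_NETS` ranges are constructed assumptions.

```python
import ipaddress
from collections import Counter

RPC_PORT = "135"  # TCP endpoint mapper used by RPC/DCOM (assumption: not named in the thread)

# Assumption: networks treated as "inside" (behind the router/firewall).
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in Windows Firewall log layout; addresses are documentation ranges.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-08-05 10:01:12 DROP TCP 203.0.113.7 198.51.100.20 4312 135 48 S 1 0 64240 - - -
2003-08-05 10:01:15 DROP TCP 203.0.113.7 198.51.100.20 4313 135 48 S 2 0 64240 - - -
2003-08-05 10:02:40 ALLOW TCP 192.0.2.99 198.51.100.20 1044 135 0 - 0 0 0 - - -
2003-08-05 10:03:02 ALLOW TCP 192.168.1.5 198.51.100.20 1050 135 0 - 0 0 0 - - -
2003-08-05 10:03:30 DROP TCP 203.0.113.50 198.51.100.20 2201 445 48 S 3 0 64240 - - -
2003-08-05 10:04:01 DROP UDP 203.0.113.50 198.51.100.20 2202 135 60 - - - - - - -
"""

def rpc_attempts(log_text, port=RPC_PORT):
    """Return (dropped, accepted) Counters of source IPs that tried TCP/<port>."""
    fields, dropped, accepted = [], Counter(), Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # column names come from the log itself
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("protocol") != "TCP" or rec.get("dst-port") != port:
            continue
        bucket = dropped if rec.get("action") == "DROP" else accepted
        bucket[rec["src-ip"]] += 1
    return dropped, accepted

def exposed_sources(accepted):
    """Outside sources whose connection to the RPC port was NOT dropped."""
    def is_local(ip):
        return any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS)
    return sorted(src for src in accepted if not is_local(src))

if __name__ == "__main__":
    dropped, accepted = rpc_attempts(SAMPLE_LOG)
    print("dropped attempts per source:", dict(dropped))
    print("outside sources that reached the RPC port:", exposed_sources(accepted))
```

Any address returned by `exposed_sources` means the RPC port is reachable from outside the local network, which is the exposure condition post #9 describes.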
