Results 1 to 7 of 7

Thread: My DCOM Solver

  1. #1
    Senior Member
    Join Date
    Jan 2003
    Posts
    1,499

    My DCOM Solver

    I created a new.exe based on the code from the msblast.exe worm.

    My code downloads and runs the patch from microsoft and seals the hole/exploit.
    It deletes the blast virus and its 3 known variants.

    I set it loose on my network here at 9:00 last night and all the machines were patched within 20 minutes. (250 off)

    It did slow the network to a grinding halt but the log file it was reporting back to did show its path and I'm satisfied that I maintained a level of control over its path and it didn't make it into the wild. (Nearly crapped myself when I thought it had.)

    Its a great way to seal the exploit on your network.

    I am throwing together a scanner type tool to search for the exploit and a single non replicating tool to send and patch p.cs.

    If anyone wants to lend me a hand I would be greatfull.

  2. #2
    Senior Member
    Join Date
    Jun 2003
    Posts
    188
    Nice mark, can i have that new.exe

  3. #3
    Senior Member
    Join Date
    Jan 2003
    Posts
    1,499
    Hmm,

    I don't want it to find its way into the wild. It would be a major DOS attack.

    MSBLAST is <10k the patch is 1200k ish.

    How about I give you the code and you compile it then if it leaks out of your network I don't get my ass kicked and sent to jail like some alt 2300 script kiddie.

  4. #4
    Senior Member
    Join Date
    Jun 2003
    Posts
    188
    I would be happy with the code too.

  5. #5
    Senior Member
    Join Date
    Jan 2003
    Posts
    1,499
    What languages / compilers do you have ?

  6. #6
    Hi mom!
    Join Date
    Aug 2001
    Posts
    1,103
    Put the microsoft patches for all affected OS'ses in your startup-script. Don't worry about running the wrong patch on a wrong operating system to much: the win2k, nt4 and win2003 patches just quit with an errormessage if you run them on the wrong OS.

    We ran the w2k patch on all about 300 computers, after which we started McAfee Stinger. After 24 hours, only 30 unpatched machines were left.
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.

  7. #7
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Well if you have an AD environment, you can push out the correct patch and removal tool via scripting and group policy. I pushed it out to 7500+ machines inside of 4 hours. The only issues that we have left are those machines that are not part of AD and they were easily tagged as vulnerable using Nessus and the MSRPC_DCOM NASL. (NASL ID 11808).
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •