August 26th, 2003, 11:32 AM
Remote Procedure Call
The Blaster worm & others are making headlines these days.
Can anyone explain what a remote procedure call is?
August 26th, 2003, 12:07 PM
An RPC is initiated by the caller (client) sending a request message to a remote system (the server) to execute a certain procedure using arguments supplied. A resulting message is returned to the caller. There are many variations and subtleties in various implementations, resulting in a variety of different (incompatible) RPC protocols.
"These are not my words - tr3kker"
There is more info at:
And even more info from google......
August 26th, 2003, 05:56 PM
Well.. as far as I know, it works using RPC and opening a remote shell on the machine using port 135. Then comes smb port 4444, and by using tftp.exe in the c:\windows\system32 folder it downloads the worm itself. Many fixes can be seen on AO for removing this worm.
Any queries.. PM me..
August 26th, 2003, 09:24 PM
This is all off the top of my head, so there are probably many errors.
RPC is a mechanism by which you can run code on other machines. It's basically a client/server system, nothing really fancy. The problem that Blaster exploits is not with the core of RPC, but with the RPC portmapper. The portmapper, which runs on port 135, is a mechanism that allows you to find out what ports certain RPC services use. So, for example, you connect to the machine and ask it what port NFS is running on. It tells you, and then you can connect to NFS on the proper port.
Anyway, there's a bug in the Windows portmapper code that allows (presumably) a buffer overflow. This means that a specially crafted request can write directly to memory on the target machine, and then execute whatever's in that memory location. In the case of Blaster, as usual, that code opens a remote shell on the target machine. At that point, the attacker is in complete control of the machine, and can do whatever they like. In the case of Blaster, as ommy noted, it uses tftp to download the real worm payload from the attacker.
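A defensive example added here, not from any of the posters above: a small Python correlator over constructed firewall connection-log lines that flags the sequence the last two posts describe (a connection to 135/tcp, then to 4444/tcp, then a tftp fetch back from the victim on 69/udp). The log format, the addresses and the time window are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the original thread). Assumed format:
# "<ISO time> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2003-08-12T14:00:01 tcp 10.0.0.5:1027 -> 10.0.0.20:135
2003-08-12T14:00:02 tcp 10.0.0.5:1028 -> 10.0.0.20:4444
2003-08-12T14:00:03 udp 10.0.0.20:1031 -> 10.0.0.5:69
2003-08-12T14:05:00 tcp 10.0.0.7:1050 -> 10.0.0.20:135
2003-08-12T14:05:01 tcp 10.0.0.7:1051 -> 10.0.0.20:445
2003-08-12T14:30:00 tcp 10.0.0.9:1100 -> 10.0.0.21:135
2003-08-12T16:30:05 tcp 10.0.0.9:1101 -> 10.0.0.21:4444
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|udp) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_log(text):
    """Yield (timestamp, proto, src, dst, dport); lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["proto"], m["src"], m["dst"], int(m["dport"])

def find_blaster_sequences(text, window_seconds=300):
    """Return (attacker, victim, stage) for every host pair whose flows follow the chain
    attacker->victim:135/tcp, attacker->victim:4444/tcp, victim->attacker:69/udp within
    window_seconds of the 135 connection. stage 2 = shell port seen, 3 = tftp fetch seen too."""
    events = defaultdict(list)  # (attacker, victim) -> [(ts, step_index)]
    for ts, proto, src, dst, dport in parse_log(text):
        if proto == "tcp" and dport == 135:
            events[(src, dst)].append((ts, 0))
        elif proto == "tcp" and dport == 4444:
            events[(src, dst)].append((ts, 1))
        elif proto == "udp" and dport == 69:
            events[(dst, src)].append((ts, 2))  # reversed: the victim fetches from the attacker
    hits = []
    for (attacker, victim), evs in events.items():
        start, stage = None, 0
        for ts, step in sorted(evs):
            if step == 0:                       # a 135 connection (re)starts the chain
                start, stage = ts, 1
            elif start is not None and step == stage and (ts - start).total_seconds() <= window_seconds:
                stage += 1                      # next expected step arrived in time
        if stage >= 2:
            hits.append((attacker, victim, stage))
    return hits
```

In the sample, only 10.0.0.5 -> 10.0.0.20 completes all three steps inside five minutes; the 10.0.0.9 pair is dropped because its 4444 connection comes two hours later.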