Thread: Remote Procedure Call

  1. #1
    Join Date
    Feb 2003

    Question Remote Procedure Call

    The Blaster worm & others are making headlines these days.
    Can anyone explain what a remote procedure call is?

  2. #2
    Join Date
    Jul 2003
    An RPC is initiated by the caller (client) sending a request message to a remote system (the server) to execute a certain procedure using arguments supplied. A resulting message is returned to the caller. There are many variations and subtleties in various implementations, resulting in a variety of different (incompatible) RPC protocols.
    "These are not my words - tr3kker"

    There is more info at:

    And even more info from Google......

  3. #3
    Senior Member
    Join Date
    Jun 2003
    Well.. as far as I know, it works using RPC and opening a remote shell on the machine using port 135. Then comes smbport 4444, by using tftp.exe in c:/>windows/system32 folder downloads the worm itself. Many fixes can be seen on AO for removing this worm.
    Any queries.. PM me..

  4. #4
    Senior Member
    Join Date
    Jul 2003
    This is all off the top of my head, so there are probably many errors.

    RPC is a mechanism by which you can run code on other machines. It's basically a client/server system, nothing really fancy. The problem that Blaster exploits is not with the core of RPC, but with the RPC portmapper. The portmapper, which runs on port 135, is a mechanism that allows you to find out what ports certain RPC services use. So, for example, you connect to the machine and ask it what port NFS is running on. It tells you, and then you can connect to NFS on the proper port.

    Anyway, there's a bug in the Windows portmapper code that allows (presumably) a buffer overflow. This means that a specially crafted request can write directly to memory on the target machine, and then execute whatever's in that memory location. In the case of Blaster, as usual, that code opens a remote shell on the target machine. At that point, the attacker is in complete control of the machine, and can do whatever they like. In the case of Blaster, as ommy noted, it uses tftp to download the real worm payload from the attacker.
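
Added example (not from any poster in this thread, and not Microsoft's RPC implementation): the lookup-then-call flow described in posts #2 and #4, as a toy JSON-over-TCP protocol on loopback. The service name `calc`, the procedure `add`, and the 1024-byte request limit are assumptions made for the illustration; the bounded read in `parse_request` is the kind of length check whose absence leads to the overflow class mentioned in post #4.

```python
import json, socket, socketserver, threading

MAX_REQUEST = 1024  # assumed upper bound on one request line, in bytes

def parse_request(line):
    """Decode one request line, refusing oversized or unterminated input."""
    if len(line) > MAX_REQUEST or not line.endswith(b"\n"):
        raise ValueError("request too long or unterminated")
    return json.loads(line)

def serve(handler_fn):
    """Run handler_fn behind a loopback TCP port picked by the OS; return (server, port)."""
    class Handler(socketserver.StreamRequestHandler):
        def handle(self):
            try:
                # Read at most one byte past the limit so oversize is detectable.
                reply = handler_fn(parse_request(self.rfile.readline(MAX_REQUEST + 1)))
            except (ValueError, KeyError, TypeError) as exc:
                reply = {"error": str(exc)}
            self.wfile.write(json.dumps(reply).encode() + b"\n")
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), Handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]

def call(port, message):
    """Send one request message and return the decoded reply message."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as sock:
        sock.sendall(json.dumps(message).encode() + b"\n")
        return json.loads(sock.makefile("rb").readline())

def demo():
    procedures = {"add": lambda a, b: a + b}  # the remote procedure
    svc, svc_port = serve(lambda r: {"result": procedures[r["proc"]](*r["args"])})
    registry = {"calc": svc_port}  # port mapper table: service name -> port
    pm, pm_port = serve(lambda r: {"port": registry[r["service"]]})
    try:
        port = call(pm_port, {"service": "calc"})["port"]  # 1: ask the mapper
        result = call(port, {"proc": "add", "args": [2, 3]})["result"]  # 2: call
        unknown = call(pm_port, {"service": "nfs"})  # not registered here
        return port == svc_port, result, "error" in unknown
    finally:
        for s in (svc, pm):
            s.shutdown()
            s.server_close()

if __name__ == "__main__":
    print(demo())
```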
