New DCOM/RPC Exploit Released

  1. #1

    New DCOM/RPC Exploit Released

    Well, it seems a new exploit was released that attacks the latest reported problem with Microsoft's RPC/DCOM bug.

    This exploit is readily available with source, so it is easily modifiable. It only supports, from what I can tell and tested, Windows 2000 boxes with either SP3 or SP4 on them and service pack MS03-026. Looks like Microsoft created another bug in DCOM/RPC when they released the MS03-026 update.

    The exploit will connect to the target machine, and in the unaltered source, create a username named e and a password of asd#321. Unfortunately, the username and password are very easily modifiable.

    It connects to the target machine on port 135, so if your perimeter firewalls or personal firewalls block that port you should be ok.

    I personally have no reported cases of the exploit working as of yet. I am sure as the days go on we will see a large amount of hacks due to this though.

    Grinler

  2. #2
    Senior Member, Join Date: May 2003, Posts: 472
    Well, as most of the n/ws have already firewalled themselves against the previous DCOM... so I don't think this will be very helpful to the bloody bad minds.
    guru@linux:~> who | grep -i blonde | talk; cd ~; wine; talk; touch; unzip; touch; strip; gasp; finger; mount; fsck; more; yes; gasp; umount; make clean; sleep;

  3. #3
    I agree, most ISPs have blocked 135, but there are still plenty who haven't.

    Just have to wait and see

  4. #4
    Senior Member, Join Date: Mar 2003, Posts: 372
    Did you test it against a box with the MS03-039 RPC/DCOM patch that came out last week?

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

  5. #5
    Senior Member, Join Date: Jun 2003, Posts: 236
    Can someone post the location of the exploit?
    That which does not kill me makes me stronger -- Friedrich Nietzsche

  6. #6
    No, but I heard from multiple people, some reliable, others not so, that it works.

    Grinler

  7. #7
    Senior Member, Join Date: Oct 2001, Posts: 748
    Here is an article about the exploit:

    http://www.crn.com/sections/Breaking...rticleID=44561

  8. #8
    Senior Member, Join Date: Jun 2003, Posts: 236
    The exploit has not been posted on Bugtraq; the only thing out there is a proof of concept by Dave Aitel. Has anyone seen an actual exploit?
    That which does not kill me makes me stronger -- Friedrich Nietzsche

  9. #9
    Junior Member, Join Date: Sep 2003, Posts: 6
    Many orgs may have the firewall rules in place, but that sure doesn't protect you from that laptop user who plugs into DSL or RoadRunner unprotected and then comes into work and plugs into your network.

    Been there, done that. Got the T-Shirt.
    Pete Fanning

  10. #10
    Senior Member, Join Date: Mar 2003, Posts: 372
    Grinler - my question is basically this:

    Is this the MS03-039 exploit? I see that you have tested against the earlier 026 patch but not against the patch that came out last week. If this is just the 039 exploit running around (and I have seen several versions of this exploit already) then it's not really new news. If it is indeed another NEW exploit then this could be a problem.


    I haven't seen anything about a "new" DCOM/RPC exploit out on any of the lists that I read on a regular basis. Let's hope this is just the 039 exploit code.

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.
