October 11th, 2003, 10:00 AM
Another RPC DCOM Vulnerability / Exploit (Now DCOM3) !
hi, this is a message from bugtraq:
A universal exploit for MS03-039 is now public on k-otik.com.
It was reported by the exploit author (and confirmed) that Windows XP SP1
with all security fixes installed is still vulnerable to a variant of the
same bug. Windows 2000/2003 were not tested.
For now only a DoS exploit exists (DCOM3), but code execution is probably possible. Technical details have been sent to Microsoft; waiting for confirmation.
People must block the vulnerable ports.
Gurou ** Security Administrator
October 11th, 2003, 01:45 PM
These are everywhere now...thanks for the heads up
And then it happened... a door opened to a world... rushing through the phone line like heroin through an addict's veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought... a board is found. "This is it... this is where I belong..." I know everyone here... even if I've never met them, never talked to them, may never hear from them again... I know you all...
October 11th, 2003, 05:22 PM
While I understand what RPC and DCOM are as technologies, I don't understand how they work or how they interact with each other. I did some searching on the site and wasn't able to find a tutorial on this either. I'm also interested in how these exploits work in plain English; all of that code is just plain French to me at this point.
Anyone have any good links?
October 11th, 2003, 05:36 PM
RPC is a way to make a remote machine run a certain procedure for you. It was used a bit with SunOS, but I don't know anyone that has used it in a Windows environment.
DCOM is the same idea, but on a different level, and it is an MS-only thing. DCOM should be more "invisible", where the program does all the work, while RPC would require user interaction. I have never seen this used anyplace. The only use I have seen for DCOM is to exploit it.
The exploit is a buffer overflow. Basically it sends a shitload of information to the DCOM port, then finishes the info off with the code to run a remote shell. DCOM gets confused and runs the code at the end, and you have a shell. When MS patched it, all they did was tell it not to run the code at the end. They didn't tell it to drop the packets. That's why it causes a DoS.
"Ignorance is bliss....
but only for your enemy"
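The buffer-overflow mechanism the reply above describes in plain English, as an added C model that is not code from the thread and not the real RPC/DCOM service: a fixed-size request buffer sits in a simulated stack frame directly in front of the slot where a real frame keeps its saved return address. The buffer size, the frame layout, the handler names and the request bytes are all illustrative assumptions. The unchecked handler copies as many bytes as the sender claims, so the tail of an oversized request lands in the return slot (where a real exploit would put the address of its shell code); the checked handler rejects anything larger than the buffer before copying.

```c
#include <stdio.h>
#include <string.h>

/* Model sizes: a 16-byte request buffer with the 8-byte saved-return slot
 * right after it. Illustrative assumptions, not the real RPC/DCOM layout. */
#define BUF_SIZE   16
#define RET_SIZE    8
#define FRAME_SIZE (BUF_SIZE + RET_SIZE)

/* Simulated stack frame: bytes [0, BUF_SIZE) are the buffer, the remaining
 * RET_SIZE bytes stand in for the saved return address. */
typedef struct { unsigned char bytes[FRAME_SIZE]; } frame_t;

typedef int (*handler_fn)(frame_t *, const unsigned char *, size_t);

/* Constructed oversized request (not a real packet): 16 bytes of filler
 * that exactly fill the buffer, then 8 bytes meant to land in the slot. */
static const unsigned char kOversizedRequest[FRAME_SIZE] = {
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    0xef,0xbe,0xad,0xde,0x00,0x00,0x00,0x00
};

/* Known value placed in the return slot before each run. */
static const unsigned char kSentinel[RET_SIZE] = {
    0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88
};

/* Vulnerable handler: trusts the sender's length. The clamp to FRAME_SIZE
 * only keeps this model inside its own array; real code has no such stop. */
int handle_request_unchecked(frame_t *f, const unsigned char *req, size_t len) {
    if (len > FRAME_SIZE) len = FRAME_SIZE;
    memcpy(f->bytes, req, len);      /* missing check against BUF_SIZE */
    return 0;
}

/* Hardened handler: a request larger than the buffer is rejected, not copied. */
int handle_request_checked(frame_t *f, const unsigned char *req, size_t len) {
    if (len > BUF_SIZE) return -1;
    memcpy(f->bytes, req, len);
    return 0;
}

/* Runs one request through a handler on a fresh frame whose return slot
 * holds kSentinel. Returns 0 if the slot is intact, 1 if it now holds the
 * last RET_SIZE bytes of the request (attacker-chosen), 2 for anything else. */
int return_slot_state(handler_fn handler, const unsigned char *req, size_t len) {
    frame_t f;
    memset(f.bytes, 0, sizeof f.bytes);
    memcpy(f.bytes + BUF_SIZE, kSentinel, RET_SIZE);
    handler(&f, req, len);
    if (memcmp(f.bytes + BUF_SIZE, kSentinel, RET_SIZE) == 0)
        return 0;
    if (len >= RET_SIZE &&
        memcmp(f.bytes + BUF_SIZE, req + len - RET_SIZE, RET_SIZE) == 0)
        return 1;
    return 2;
}

int main(void) {
    printf("unchecked handler: return slot state = %d (1 = attacker bytes)\n",
           return_slot_state(handle_request_unchecked, kOversizedRequest,
                             sizeof kOversizedRequest));
    printf("checked handler:   return slot state = %d (0 = intact)\n",
           return_slot_state(handle_request_checked, kOversizedRequest,
                             sizeof kOversizedRequest));
    return 0;
}
```

The model deliberately stops the unchecked copy at the end of its own array so it runs without undefined behaviour; on a real stack the copy keeps going past the return address into whatever follows, which is why a malformed request can crash the service even when the overwritten return address is never used.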