Another RPC DCOM Vulnerability / Exploit (Now DCOM3) !

[Gurou]

hi, this is a message from bugtraq :

Universal exploit for MS03-039 is now public on k-otik.com

http://www.k-otik.com/exploits/10.09...niversal.c.php
http://www.k-otik.com/exploits/10.09.rpcunshell.asm.php

It was reported by exploit author (and confirmed), Windows XP SP1
with all security fixes installed still vulnerable to variant of the
same bug. Windows 2000/2003 was not tested.

For a while only DoS exploit exists (DCOM3) , but code execution is probably possible. Technical details are sent to Microsoft, waiting for confirmation.

ppl must block the vulnerable ports.

Regards

Gurou ** Security Administrator

[Limpster]

These are everywhere now...thanks for the heads up

[infernon]

while i understand what rpc and dcom are as technologies, i don't understand how they work or how they interact with each other. i did some searching on the site and wasn't able to find a tutorial on this either. i'm also interested in how these exploits work in plain english-- all of that code is just plain french to me at this point
anyone have any good links?

[souleman]

RPC is a way to make a remote machine run a certain procedure for you. It was used a bit with SunOS, but I don't know anyone that has used it in a windows environment.

DCOM is the same idea, but on a different level, and it is a MS only thing. dcom should be more "invisible" where the program does all the work, while rpc would require user interaction. I have never seen this used.. anyplace.. The only use I have seen for DCOM is to exploit it.

The exploit is a buffer overflow. Basically it sends a shitload of information to the DCOM port, then finishes the info off with the code to run a remote shell. DCOM gets confused and runs the code at the end, and you have a shell. When MS patched it, all they did was tell it not to run the code at the end. They didn't tell it to drop the packets. Thats why it causes a DOS.