New DCOM/RPC Exploit Released

Well it seems a new exploit was released that attacks the latest report problem with Microsofts RPC/DCOM bug.

This exploit is readily available with source, so easily modifiable. It only supports from what I can tell and tested, windows 2000 boxes with either sp3 or sp4 on it and service pack ms03-026. Looks like microsoft created another bug in DCOM/RPC when they released the ms03-026 update.

The exploit will connect to the target machine, and in the unaltered source, create a username named e and a password of asd#321. Unfortunately, the username and password are very easily modifiable.

It connects to the target machine on port 135, so if your perimeter firewalls or personal firewalls block that port you should be ok.

I personally have no report cases of the exploit working as of yet. I am sure as the days go on we will see a large amount of hacks due to this though.

Grinler

well as most of the n/ws have already firewalled themselve against the previous DCOM...so i dont think this will be very helpful to the bloddy bad minds. :D

I agree, most ISP's have blocked 135, but there are still plenty who havnt.

Just have to wait and see

did you test it against a box with the MS03-039 RPC/DCOM patch that came out last week?

can someone post the location of the exploit

No, but I heard from multiple people, some reliable other no so, that it works.

Grinler

Here is an article about the exploit..

http://www.crn.com/sections/Breaking...rticleID=44561

The exploit has not been posted on bugtraq the only thing out there is a proof of concept by Dave Aitel, has anyone seen an actual exploit?

Many orgs may have the firewall rules in place, but that sure doesn't protect you from that laptop user who plugs into DSL or RoadRunner unprotected and then comes into work and plugs into your network.

Been there, done that. Got the T-Shirt.

Grinler - my question is basically this:

Is this the MS03-039 exploit? I see that you have tested against the earlier 026 patch but not against the patch that came out last week. If this is just the 039 exploit running around (and I have seen several versions of this exploit already) then it's not really new news. If it is indeed another NEW exploit then this could be a problem.


I haven't seen anything about a "new" DCOM/RPC exploit out on any of the lists that I read on a regular basis. Let's hope this is just the 039 exploit code.