
Thread: RPC / DCom exploit

  1. #11
    I don't know what this code will do 'as is' yet, but the code originally posted by Xfocus will only cause svchost to crash unless the code is tweaked.
    There exists a tweaked version. There is also source code for a worm.
    And no, I am not gonna link you to them.

  2. #12
    Senior Member
    Join Date
    Apr 2002
    Posts
    1,050
    OK, let's not forget that this exploit can only work if your RPC ports are exposed, which a personal firewall protects straight out of the box. I really don't see a mass stampede of users switching to Linux when they can just about use Windows. I can see the sale of firewalls increasing.
    True indeed tedob1, but not all people are computer illiterate. Just out of curiosity I scanned my range with nmap, and out of 254 boxes there were only about 20 firewalled. I didn't try to get into any of the boxes, but IMO I would say at least 150 of those people would have been vulnerable.

    I really have to wonder why this fact isn't forced down the public's throat. All I keep reading is how dangerous this can be and nothing about how simple it would be to prevent it.
    Exactly, that's who it will affect, the public. Maybe ISPs should start emailing all their users telling them of this new bug in Windows.

    I don't know what this code will do 'as is' yet, but the code originally posted by Xfocus will only cause svchost to crash unless the code is tweaked.
    The code I posted will drop you into a shell with the rights of the person who is logged in. I tested it on a friend's machine and I had a shell in like 5 secs. I could tftp to it, upload whatever I wanted, and I could download any file I wanted as well, but until people realise about security there isn't much people can do.
    By the sacred **** of the sacred psychedelic Tibetan yeti ....We'll smoke the Chinese out
    The 20th century pharaohs have the slaves demanding work
    http://muaythaiscotland.com/

  3. #13
    Senior Member
    Join Date
    Aug 2002
    Posts
    508
    Originally posted here by prodikal

    True indeed tedob1, but not all people are computer illiterate. Just out of curiosity I scanned my range with nmap, and out of 254 boxes there were only about 20 firewalled. I didn't try to get into any of the boxes, but IMO I would say at least 150 of those people would have been vulnerable.

    Exactly, that's who it will affect, the public. Maybe ISPs should start emailing all their users telling them of this new bug in Windows.

    The code I posted will drop you into a shell with the rights of the person who is logged in. I tested it on a friend's machine and I had a shell in like 5 secs. I could tftp to it, upload whatever I wanted, and I could download any file I wanted as well, but until people realise about security there isn't much people can do.

    To be honest this code (needs to be tweaked a bit first) is really scary and works.. I've found 11 websites so far that have the vulnerability using this code, and all of the "ADMINS FROM THOSE WEBSITES HAVE BEEN NOTIFIED" before "THE BAD GUYS GET THEM".
    So this is just one example of one of those websites:
    Code:
    #./labexploits 4 www.kghyzt.com

    -Target: [Win2k-]:www.kghyzt.com:135, Bindshell:666, RET=[0x0018759f]
    [+] Connected to bindshell..

    -- exploits penetration succesfully --

    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-2000 Microsoft Corp.

    C:\WINNT\system32>label gocha
    label gotcha

    C:\WINNT\system32>cd\
    cd\

    C:\>dir
    dir
    Volume in drive C is gotcha
    Volume Serial Number is 30A1-E843

    Directory of C:\

    03/27/2003 12:11p <DIR> Backup
    09/19/2002 05:24p <DIR> Documents and Settings
    09/19/2002 05:18p <DIR> Inetpub
    09/25/2002 05:30p <DIR> MDaemon
    10/31/2002 11:55p <DIR> Program Files
    09/19/2002 07:50p 600 PUTTY.RND
    10/10/2002 10:49p <DIR> WINNT
    1 File(s) 600 bytes
    6 Dir(s) 7,899,820,032 bytes free

    C:\>

    PS: Yes, I do have permission to do penetration testing on those websites to prove that the code really works, BUT now I have stopped testing and have moved on to another thing (my assign).

  4. #14
    Senior Member
    Join Date
    May 2003
    Posts
    207
    Originally posted here by prodikal
    True indeed tedob1, but not all people are computer illiterate. Just out of curiosity I scanned my range with nmap, and out of 254 boxes there were only about 20 firewalled. I didn't try to get into any of the boxes, but IMO I would say at least 150 of those people would have been vulnerable.
    No friggin' kidding... when I first got hold of the exploit, I used eEye's Retina scanner, which scans IP ranges looking for the vulnerability. About 32 people on my subnet alone were vulnerable... perhaps ISPs should inform their subscribers.

  5. #15
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    =+=+=+=+=+=+=+=+=
    True indeed tedob1, but not all people are computer illiterate
    =+=+=+=+=+=+=+=+=

    That's my point! Why isn't anyone telling them? I even heard about it on an AM newscast with no mention of what you can do except "MS has issued a patch". What does that mean to most users? A free firewall will protect against most zero-day exploits unless you're using web services like a webserver, telnet etc.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  6. #16
    Senior Member
    Join Date
    May 2003
    Posts
    207
    You know my whole theory on things (and this is a classic example too)... the black hats are always one step ahead of the white hats. White hats are always trying to fix what the black hats do, while the black hats are already getting one step ahead... which, I must say, is crap.

    Even little things like informing the public better could help this problem... don't just tell somebody there's a patch... tell them what the patch is for, and what somebody could do if you don't have the patch at least. Don't you think that'd help things just a lil? Especially if this news was told in very common places where the average Joe would see... not some computer security webpage like AntiOnline, or PacketStorm... ya know?

  7. #17
    Did I ask for it
    Well tedob, you did ask if there was a tweaked version of this exploit.
    There is a universal exploit that uses ExitThread instead of ExitCrash, so it will not crash anything, just give you a remote shell.
    There is also no need to know what version the remote system is running (SP1, 2, etc.).
    I am not putting links here because I don't want to give it away to the so-called skids (even though they will find it themselves).
    It is a big security risk and I tried it on a couple of machines I was authorized to.
    What frightens me more is that there are already reports of a so-called auto-rooter in the wild, and even though it will not spread at the speed of Slammer, I think we will be in for it later this week considering how many people are not able to patch their systems.

    It is a UNIVERSAL exploit, so it will affect ALL vulnerable MS systems, unlike CODE RED for example.

    There are also some rumours that besides the already known ports, the ports 1025-1030 are also vulnerable. I have not been able to verify this as for now. And someone mentioned that the patch does not 'patch' the vulnerability on some systems completely. The patched machine will still remain vulnerable to DoS.
    The universal exploit I am talking about includes something like 48 targets (different languages) and makes them into two universal targets (Win2k / WinXP).

    And for the answer you (tedob) provided in the 'how do I know if I am being hacked' thread regarding the shutdown dialog box:
    It does sound like someone tried the RPC exploit. The successful ones don't pop up a msg, they just open a reverse shell. Put in a firewall so the RPC ports aren't exposed and keep current on your patches.
    The shutdown box appeared on the original exploit. It means they got in, did what they did and closed the shell they made (invoking the ExitCrash), afaik.
    I also ran it on an XP machine (Pro) that was up to date except for
    the latest patch for RPC and it worked perfect. Telnet to port 4444
    and had a shell, then as soon as I typed "exit" the host shutdown and
    rebooted.

    Stu
    http://lists.jammed.com/incidents/2003/07/0284.html

    Just to let you know.

  8. #18
    Jaded Network Admin nebulus200
    Join Date
    Jun 2002
    Posts
    1,356
    Interesting related URL:

    http://isc.sans.org/diary.html?date=2003-08-11

    The folks at SANS seem to have caught a worm ... they are still working on analysis.

    The way I read it is, turn off tftp outbound and you should be OK, even if you are vulnerable (this of course does NOT mean you are OK from someone attacking you)... Relevant to this worm only.

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
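    The thread describes the attack chain from the defender's side: a connection to 135/tcp, then a bindshell on a high port (4444 here, 666 in the earlier lab output), then an outbound tftp fetch by the victim, which is the stage nebulus200 suggests blocking. The following detector is an added example, not code from this thread or from SANS; it correlates those three stages per victim host over a constructed firewall log whose line format is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not from the thread). Assumed line format:
# "<date> <time> <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2003-08-11 10:00:01 ALLOW TCP 10.0.0.9:3100 -> 192.168.1.20:135
2003-08-11 10:00:03 ALLOW TCP 10.0.0.9:3101 -> 192.168.1.20:4444
2003-08-11 10:00:05 ALLOW UDP 192.168.1.20:1027 -> 10.0.0.9:69
2003-08-11 10:00:07 ALLOW TCP 10.0.0.50:2201 -> 192.168.1.21:135
2003-08-11 10:00:09 ALLOW TCP 10.0.0.50:2202 -> 192.168.1.21:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$"
)

def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events

def find_rpc_dcom_chains(text, shell_port=4444, tftp_port=69):
    """Correlate the three stages per victim host, in log order:
    1. inbound TCP to 135 (RPC endpoint mapper) from some source,
    2. inbound TCP to the bindshell port from that same source,
    3. outbound UDP to tftp from the victim (the payload fetch).
    Returns {victim_ip: {"rpc": src, "shell": src, "tftp": dst}} for hosts
    that reached at least the shell stage; a lone hit on 135 is not reported."""
    stages = defaultdict(dict)
    for ev in parse_log(text):
        if ev["proto"] == "TCP" and ev["dport"] == 135:
            stages[ev["dst"]]["rpc"] = ev["src"]
        elif (ev["proto"] == "TCP" and ev["dport"] == shell_port
              and stages[ev["dst"]].get("rpc") == ev["src"]):
            stages[ev["dst"]]["shell"] = ev["src"]
        elif (ev["proto"] == "UDP" and ev["dport"] == tftp_port
              and "shell" in stages[ev["src"]]):
            stages[ev["src"]]["tftp"] = ev["dst"]
    return {host: s for host, s in stages.items() if "shell" in s}
```

    On the sample log only 192.168.1.20 is reported, with all three stages; 192.168.1.21 saw a probe on 135 but no shell, so it is left out. Pass `shell_port=666` to match the bindshell port used in the lab output earlier in the thread.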

  9. #19
    Junior Member
    Join Date
    Apr 2003
    Posts
    18
    Interesting discussion. I have tested this exploit in a controlled environment. It is far too easy to get access. There is a threat no one has discussed. Firewalling will keep the external threats out, but what about the joker who is employed at your company, who is already on your network? It only takes one to escalate their privileges and steal your company database or ....... you get the picture. System administrators need to patch all their systems regardless of their external presence.

  10. #20
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    This is what I said:

    I don't know what this code will do 'as is' yet, but the code originally posted by Xfocus will only cause svchost to crash unless the code is tweaked.

    This is how you read it:

    Well tedob, you did ask if there was a tweaked version

    This is what you said:

    And no, I am not gonna link you to them.

    This is how I read it:

    And no, I am not gonna link you to them.

    (who the **** needs you)

    And this is how I replied:

    Don't you talk to me like I'm some ****en script kiddie!

    And this is what I'm saying now:

    WTF, I've been here as a member since 2001 under the same name. Came to this site before it had a BBS. I've submitted over 2500 posts, mostly trying to help, some just bullshitting, then some new ****en ass-hole comes along and starts insinuating I'm a script kiddie. I don't think so...

    And this:

    The shutdown box appeared on the original exploit. It means they got in, did what they did and closed the shell they made (invoking the ExitCrash), afaik.

    I (not they) got this using the un-tweaked version from Xfocus on machines I set up to test this in my own network ... I was sitting there looking at it!
