-
September 17th, 2003, 03:26 PM
#1
New DCOM/RPC Exploit Released
Well, it seems a new exploit was released that attacks the latest reported problem with Microsoft's RPC/DCOM bug.
This exploit is readily available with source, so easily modifiable. It only supports, from what I can tell and tested, Windows 2000 boxes with either SP3 or SP4 on it and service pack MS03-026. Looks like Microsoft created another bug in DCOM/RPC when they released the MS03-026 update.
The exploit will connect to the target machine, and in the unaltered source, create a username named e and a password of asd#321. Unfortunately, the username and password are very easily modifiable.
It connects to the target machine on port 135, so if your perimeter firewalls or personal firewalls block that port you should be ok.
I personally have no reported cases of the exploit working as of yet. I am sure as the days go on we will see a large amount of hacks due to this though.
Grinler
-
September 17th, 2003, 05:02 PM
#2
Well, as most of the networks have already firewalled themselves against the previous DCOM... so I don't think this will be very helpful to the bloody bad minds.
guru@linux:~> who | grep -i blonde | talk; cd ~; wine; talk; touch; unzip; touch; strip; gasp; finger; mount; fsck; more; yes; gasp; umount; make clean; sleep;
-
September 17th, 2003, 05:04 PM
#3
I agree, most ISPs have blocked 135, but there are still plenty who haven't.
Just have to wait and see.
-
September 17th, 2003, 05:11 PM
#4
Did you test it against a box with the MS03-039 RPC/DCOM patch that came out last week?
Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.
-
September 17th, 2003, 05:57 PM
#5
Can someone post the location of the exploit?
That which does not kill me makes me stronger -- Friedrich Nietzsche
-
September 17th, 2003, 07:48 PM
#6
No, but I heard from multiple people, some reliable, others not so, that it works.
Grinler
-
September 17th, 2003, 08:09 PM
#7
-
September 17th, 2003, 08:10 PM
#8
The exploit has not been posted on Bugtraq; the only thing out there is a proof of concept by Dave Aitel. Has anyone seen an actual exploit?
That which does not kill me makes me stronger -- Friedrich Nietzsche
-
September 17th, 2003, 08:30 PM
#9
Junior Member
Many orgs may have the firewall rules in place, but that sure doesn't protect you from that laptop user who plugs into DSL or RoadRunner unprotected and then comes into work and plugs into your network.
Been there, done that. Got the T-Shirt.
-
September 17th, 2003, 08:34 PM
#10
Grinler - my question is basically this:
Is this the MS03-039 exploit? I see that you have tested against the earlier 026 patch but not against the patch that came out last week. If this is just the 039 exploit running around (and I have seen several versions of this exploit already) then it's not really new news. If it is indeed another NEW exploit then this could be a problem.
I haven't seen anything about a "new" DCOM/RPC exploit out on any of the lists that I read on a regular basis. Let's hope this is just the 039 exploit code.
Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.