RE: Exploit for Windows RPC may be in the wild!

Yes, I was able to get a copy of the exploit from various newsgroups:

http://www.derkeiler.com/Mailing-Lists/VulnWatch/2003-07/0055.html

I was successfully able to get it work on win2k, NT, and XP. I did not try 2k3. Both the win32 and unix versions can be found on the above newsgroup. It seems as though the success rate on un-patched machines is not 100% On un-patched machines I was getting it to work maybe 60 to 70% of the time. The exploit comes in a rpc port and then allows for cmd.exe netcat connection to port 4444. The code can be recompiled to drop the command line to a different port (say something common like 80)!!

Jeff

-----Original Message-----
From: Sumit [mailto:scorpio_chaser@yahoo.co.uk] Sent: Tuesday, July 29, 2003 7:47 AM
To: 'James C. Slora, Jr.'; incidents@securityfocus.com Subject: RE: Exploit for Windows RPC may be in the wild!

Does any one have working Exploit for "[NT] Buffer Overrun in RPC Interface Could Allow Code Execution"

To be Specific Win NT 4.0

With Regard,
Sc0rPiO
"Nature knows no indecencies; man invents them."

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

-----Original Message-----
From: James C. Slora, Jr. [mailto:Jim.Slora@phra.com] Sent: Monday, July 28, 2003 11:46 PM
To: incidents@securityfocus.com
Subject: RE: Exploit for Windows RPC may be in the wild!

tEA-TiME wrote Sunday, July 27, 2003 6:34 PM
> There could be another explanation for the flow of traffic to port
135. Many
> programs being released now for using the NET SEND command to
advertise,
> come with a built in "scanner" to see if the host is active beore
wasting
> the time sending the whole message. Some of these software makers also
139,
> and 445 to see if a host is running and accepting NET messages.

Yes many could be messenger spam probes. I've seen a marked increase in TCP 135 scanning over the past week, though. And I'm getting new scan combos (TCP 135 and 445 with no other ports) that strongly suggest RPC probing rather than messenger spam.

---
------------------------------------------------------------------------
----


------------------------------------------------------------------------
---
------------------------------------------------------------------------
----



---------------------------------------------------------------------------
----------------------------------------------------------------------------