
locator exploit

From: Dave Aitel <dave(at)immunitysec.com>
Date: Sat Feb 01 2003 - 01:57:06 EST

So after writing the RPC locator exploit, I noticed that the service is not actually vulnerable until it has been initialized properly. Does anyone have any more information on how often and when this service is initialized (as opposed to simply started)?

Here is tethereal output illustrating an uninitialized locator service:

192.168.1.101 -> 192.168.1.100 DCERPC Bind: call_id: 5 UUID: e33c0cc4-0482-101a-bc0c-02608c6ba218 ver 1.0
192.168.1.100 -> 192.168.1.101 DCERPC Bind_ack: call_id: 5 Provider rejection, reason: Abstract syntax not supported

In my testing environment this is the state of the locator service until a local user binds to it to begin a lookup.

Other than this, the RPC Locator Service exploit is available as a CANVAS module. (http://www.immunitysec.com/CANVAS/)

-dave

Received on Sat Feb 1 04:20:07 2003
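The trace above is the check a practitioner would want to automate before running the module: send one DCE/RPC bind for the locator interface UUID and look at whether the bind_ack accepts the presentation context or reports a provider rejection. The following is an added example, not code from Dave's post or from CANVAS. It builds the bind PDU and parses the bind_ack/bind_nak by hand, following the DCE 1.1 RPC (C706) connection-oriented PDU layout, where the tethereal wording "Provider rejection, reason: Abstract syntax not supported" corresponds to result 2, reason 1. The locator UUID and call_id 5 come from the post; the bind_ack byte strings are constructed here so the code runs offline, and the target port is left as a required argument because the post does not state which port the trace was taken on.

```python
"""DCE/RPC bind probe: is a given interface actually registered on the endpoint?
Added example, not from the original post.  Wire layout per DCE 1.1 RPC (C706)."""
import socket
import struct
import uuid

NDR_TRANSFER_SYNTAX = "8a885d04-1ceb-11c9-9fe8-08002b104860"   # NDR 2.0
LOCATOR_UUID = "e33c0cc4-0482-101a-bc0c-02608c6ba218"         # from the post, ver 1.0
PTYPE_BIND, PTYPE_BIND_ACK, PTYPE_BIND_NAK = 11, 12, 13
RESULT_NAMES = {0: "acceptance", 1: "user_rejection", 2: "provider_rejection"}
REASON_NAMES = {0: "reason_not_specified", 1: "abstract_syntax_not_supported",
                2: "proposed_transfer_syntaxes_not_supported", 3: "local_limit_exceeded"}


def syntax_id(uuid_str, major, minor):
    """p_syntax_id_t: UUID in its mixed-endian wire form + u16 major + u16 minor."""
    return uuid.UUID(uuid_str).bytes_le + struct.pack("<HH", major, minor)


def pdu_header(ptype, call_id, body_len):
    """16-byte common header: vers 5.0, ptype, FIRST|LAST, LE/ASCII drep, frag_length, auth_length 0."""
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\x00\x00\x00",
                       16 + body_len, 0, call_id)


def build_bind(call_id, abstract_uuid, major, minor):
    """Bind proposing one presentation context (the interface) with NDR as transfer syntax."""
    body = struct.pack("<HHI", 4280, 4280, 0)        # max_xmit_frag, max_recv_frag, assoc_group_id
    body += struct.pack("<BBH", 1, 0, 0)             # n_context_elem = 1, reserved
    body += struct.pack("<HBB", 0, 1, 0)             # p_cont_id = 0, n_transfer_syn = 1, reserved
    body += syntax_id(abstract_uuid, major, minor)
    body += syntax_id(NDR_TRANSFER_SYNTAX, 2, 0)
    return pdu_header(PTYPE_BIND, call_id, len(body)) + body


def parse_bind_response(data):
    """Classify a bind_ack or bind_nak; returns the first context result and reason."""
    if len(data) < 16:
        raise ValueError("short PDU")
    vers, _, ptype, _, _, _, _, call_id = struct.unpack_from("<BBBB4sHHI", data, 0)
    if vers != 5:
        raise ValueError("not a DCE/RPC v5 PDU")
    if ptype == PTYPE_BIND_NAK:
        return {"call_id": call_id, "ptype": "bind_nak",
                "reject_reason": struct.unpack_from("<H", data, 16)[0]}
    if ptype != PTYPE_BIND_ACK:
        raise ValueError("unexpected ptype %d" % ptype)
    off = 16 + 8                                     # skip max_xmit/max_recv/assoc_group_id
    addr_len = struct.unpack_from("<H", data, off)[0]  # sec_addr port_spec length (incl. NUL)
    off = (off + 2 + addr_len + 3) & ~3              # p_result_list is 4-byte aligned
    n_results = data[off]
    result, reason = struct.unpack_from("<HH", data, off + 4)
    return {"call_id": call_id, "ptype": "bind_ack", "n_results": n_results,
            "result": result, "result_name": RESULT_NAMES.get(result, "unknown"),
            "reason": reason, "reason_name": REASON_NAMES.get(reason, "unknown")}


def build_bind_ack(call_id, result, reason, port_spec=b"135\x00"):
    """Encode a one-context bind_ack; used only to construct the offline samples below."""
    body = struct.pack("<HHI", 4280, 4280, 0x1234)
    body += struct.pack("<H", len(port_spec)) + port_spec
    body += b"\x00" * ((-(16 + len(body))) % 4)      # restore 4-byte alignment
    body += struct.pack("<BBH", 1, 0, 0) + struct.pack("<HH", result, reason)
    body += syntax_id(NDR_TRANSFER_SYNTAX, 2, 0) if result == 0 else b"\x00" * 20
    return pdu_header(PTYPE_BIND_ACK, call_id, len(body)) + body


# Constructed samples: the first mirrors the rejection in the post's tethereal trace.
REJECTED_ACK = build_bind_ack(5, 2, 1)
ACCEPTED_ACK = build_bind_ack(5, 0, 0)
SAMPLE_BIND_NAK = pdu_header(PTYPE_BIND_NAK, 5, 2) + struct.pack("<H", 0)


def classify(resp):
    """Verdict in the same terms tethereal prints."""
    if resp["ptype"] == "bind_nak":
        return "bind_nak, reject_reason %d" % resp["reject_reason"]
    if resp["result"] == 0:
        return "interface reachable: context accepted"
    return "%s, reason: %s" % (resp["result_name"], resp["reason_name"])


def probe(host, port, iface=LOCATOR_UUID, major=1, minor=0, call_id=5, timeout=5.0):
    """Send one bind over TCP and classify the reply (network use; not exercised offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_bind(call_id, iface, major, minor))
        return parse_bind_response(s.recv(4096))


if __name__ == "__main__":
    for label, pdu in (("uninitialized", REJECTED_ACK), ("initialized", ACCEPTED_ACK)):
        print(label, "->", classify(parse_bind_response(pdu)))
```

Run against a live host with probe(host, port); a provider_rejection / abstract_syntax_not_supported verdict is the state described in the post, and a second probe after a local lookup has initialized the service should flip to an accepted context. A bind_nak is a different condition (the endpoint refused the association entirely, for example a wrong port), so the probe reports it separately rather than folding it into "not initialized".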


