We just updated the tool a few minutes ago and fixed some bugs that should clear up any leftover inaccuracies. Also fixed a bug keeping NT 4.0 detection from working correctly. If you find any bugs, please let us know.

RPC/DCOM Scanner 1.0.3
http://www.eeye.com/html/Research/Tools/RPCDCOM.html

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

| -----Original Message-----
| From: S G Masood [mailto:sgmasood@yahoo.com]
| Sent: Saturday, July 26, 2003 7:53 PM
| To: bugtraq@securityfocus.com
| Subject: Re: DCOM RPC exploit (dcom.c)
|
| Hello list,
|
| The Dcom.c compiles neatly on Cygwin with GCC 3.2 when
| the "#include <error.h>" line is removed.
|
| *Very* accurate. If the machine is vulnerable, the
| exploit will almost always succeed on the first
| attempt.
|
| I've successfully tested it on about 16 boxes and each
| one was rooted on the first try. Among these were
| Win2k with SP0, SP1, SP3 while two were WinXP (SP level
| not known). Before running the exploit, the machines
| were confirmed as vulnerable with the eEye tool (on a
| side note, while the eEye tool did recognise many
| vulnerable boxes, it failed to recognise some of them,
| though they were vulnerable).
|
| One glitch is that the exploitation is not very
| stealthy. All RPC/COM based functions stop working
| completely after exploitation and fail to heal until
| the machine is restarted. Many of these functions are
| quite visible and easily noticeable (drag & drop,
| clipboard, property sheets, etc., for example). This
| happens without exception.
|
| The exploit mostly times out when run against remote
| hosts.
|
| Hope we are all patched before Tim Mullen's
| "Mescaline" (http://securityfocus.com/columnists/174)
| becomes a reality.
|
| One last piece of advice - think twice before doing anything
| risky with the exploit. Though highly accurate, it is
| very noisy.
|
| Regards,
|
| S.G.Masood
|
| Hyderabad,
| India.