Positively confirmed on patched Windows 2000 SP4 - did not reproduce on patched XP Home. Drag/Drop and other COM functions stop working, after a very visible svchost.exe crash. The hdmore loopback exploit is more friendly - it gave a nice DoS on all RPC/COM services (no drag/drop) without crashing svchost. Of course, this is only with the new return addresses that are not tied to any specific servicepack.. Regards Thor Larholm PivX Solutions, LLC - Senior Security Researcher -----Original Message----- From: khan rohail [mailto:rohaikaz@YAHOO.COM] Sent: Monday, July 28, 2003 8:34 AM Subject: RPC DCOM still vulnerable even after applying patches This is in reference to exploit code available here: http://www.securiteam.com/exploits/5CP0N0KAKK.html ....... We (Douglas Mclean/and I) have checked it against windows 200 SP4 machines that "even if you apply the patch kb823980", you can get DOS attacks as tcp port 135 service (loc-srv)gets crashed and we get this error on the box against which the exploit is being run: "SVCHOST.exe has generated errors and will be closed by Windows. You will need to restart the program. An error log is being created". You are not able to access Event log either and other funny things are detected too. -------- So, even if you apply the patch MS03-026 you still are vulnerable and you can still get DOS attacks. Regards Shoaib Qazi/Douglas McClean UAB
