
KapKebap
Hi,

Does someone know how to implement this?

>One glitch is that the exploitation is not very
>stealthy. All RPC/COM based functions stop working
>completely after exploitation and fail to heal until
>the machine is restarted. Many of these functions are
>quite visible and easily noticeable (drag&drop,
>clipboard, property sheets, etc., for example). This
>happens without exception.

If the shellcode exits via ExitThread(), RPCSS will not die, everything
rocks as usual, and you can run the exploit over and over again.

Cheers
netcomm
I'm not sure if this works or not, as I haven't tested it.
But type
svchost -k rpcss
in cmd.
Let me know if it works.

NetComm
woutiir
NetComm,
svchost -k rpcss in cmd.exe at the attacker's side, or at the attacked side? And what is this supposed to do? If I get this right, it makes DCOM more or less stable, so it should be executed at the victim's host/side.
But then it doesn't solve the problem that KapKebap describes, since it fixes it when you are in, not when you're not in.

Though, I might be wrong; in that case, I apologize. Otherwise I apologize also :>

Anyway, let me know. I might try to get that ExitThread() call into the shellcode. Though, I'm not into NT BOFs, so I don't have a fucking clue how I should do this. I'll check some papers out when I have time; if I find it I'll report bugs/questions/proof of concept of it.

See ya guys around,
woutiir
netcomm
woutiir, if you have a look in Services under RPC, then Properties, you will see
that when you start RPC it runs the command svchost -k rpcss, hence starting RPC.
I tested it out a few times. It works when RPC has already been stopped, but when you
are on the remote computer under the DCOM shell, RPC is still running. It doesn't stop until you quit.

So I have come up with this...


1. Log in via DCOM
2. Start telnet (net start telnet)
3. Log in to the remote box via telnet
4. Stop the shutdown (shutdown -a)
5. Restart RPC (svchost -k rpcss)

I'm making a C++ GUI to do this; it will be ready in a week or so...
Till then, peace...

NetComm
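
For defenders, the commands in the steps above leave a recognisable process-creation trail. The following is an added example, not part of any post in this thread: it flags those commands in process-creation records and reports when they occur in the order of steps 2, 4 and 5. The record field layout, the rule names and the sample events are constructed assumptions.

```python
import ntpath

# Constructed process-creation records; the field layout is an assumption,
# not a real Windows log format.
CMD = r"C:\WINDOWS\system32\cmd.exe"
SAMPLE_EVENTS = [
    {"parent": r"C:\WINDOWS\system32\services.exe",
     "image": r"C:\WINDOWS\system32\svchost.exe", "cmdline": "svchost -k rpcss"},
    {"parent": CMD, "image": r"C:\WINDOWS\system32\net.exe", "cmdline": "net start telnet"},
    {"parent": CMD, "image": r"C:\WINDOWS\system32\shutdown.exe", "cmdline": "shutdown -a"},
    {"parent": CMD, "image": r"C:\WINDOWS\system32\svchost.exe", "cmdline": "svchost -k rpcss"},
]

# Rule names are hypothetical labels; their order follows steps 2, 4 and 5.
SEQUENCE = ["telnet-service-started", "shutdown-aborted", "rpcss-started-outside-scm"]

def _base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()

def classify(event):
    """Return the rule names that one process-creation record matches."""
    parent, image = _base(event["parent"]), _base(event["image"])
    # Assumes the executable path inside cmdline contains no spaces.
    args = event["cmdline"].lower().split()[1:]
    hits = []
    if image in ("net.exe", "net1.exe") and args[:2] == ["start", "telnet"]:
        hits.append(SEQUENCE[0])
    if image == "shutdown.exe" and args[:1] in (["-a"], ["/a"]):
        hits.append(SEQUENCE[1])
    # As a service, RPCSS is launched by the Service Control Manager
    # (services.exe); any other parent means it was started by hand.
    if image == "svchost.exe" and args[:2] == ["-k", "rpcss"] and parent != "services.exe":
        hits.append(SEQUENCE[2])
    return hits

def triage(events):
    """List (event index, rule name) for every rule hit, in event order."""
    return [(i, rule) for i, e in enumerate(events) for rule in classify(e)]

def matches_sequence(events):
    """True when the three rules fire in the order given by SEQUENCE."""
    fired = iter(rule for _, rule in triage(events))
    return all(step in fired for step in SEQUENCE)  # in-order subsequence test

if __name__ == "__main__":
    for index, rule in triage(SAMPLE_EVENTS):
        print(index, rule)
    print("full sequence:", matches_sequence(SAMPLE_EVENTS))
```
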
woutiir
Hmm NetComm, really interesting, hopefully this works.

Let me know!

Greetings,
woutiir