woutiir
Hey ppl,

You might think this is another dig-up of an almost dead exploit.
Though I was talking to a friend and he said that DCOM is still vulnerable, but the patch changed the RET (return address; that's the 'magic number', as it is often called, that gets the shellcode executed).

He said that patching doesn't close the port, but starts loc-srv instead of dcom. In other words, if you find the new RET after the patch, it should be as vulnerable as before.

Though I'm not into Windows, so I don't have a (filtered) clue how to get this.

I suppose that there is an exploit available but private... (which means only available for 'true' hackers...).

Let me know if you guys know something about this 'story' or have thoughts about it.

Again, I only want to share my knowledge, so please don't flame me or something :)

Greetings,
woutiir
bratt
I always say that the patch is vulnerable...
apusnaias
Yes woutiir, a friend of mine told me the same thing,

but I don't have this exploit :(

I'll continue my search :)
dissolutions
Basically it's still vulnerable; the problem is, though, that ISPs and users have blocked the ports (port 135, 4444, etc.) that we use in executing the exploit...
bratt
My provider doesn't block ports 135 and 4444.
ddrj
QUOTE (bratt @ Sep 2 2003, 05:18 PM)
My provider doesn't block ports 135 and 4444.

They say that .de doesn't block 135, 139, 445
dissolutions
Well yeah, there will be a few that don't, but the majority of ISPs have blocked it in an attempt to squash the virus and protect their users. However, having your ISP block it only contains the virus in that area... they can only block it on the outgoing/incoming connection to the net... and if they operate as a LAN then you'll have to block it personally...

But that's how I would go about writing the virus... use multiple vulnerabilities... WebDAV and OE attachment... along with DCOM lol... and once you start hopping into different ISPs a lot more people are infected and they continue the hop :)
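The "block it personally" part of the post above, written out as an added example that is not from the thread: the host-side equivalent of what the ISPs in this discussion did, on a current Windows host (Windows 8 / Server 2012 or later) using the built-in NetSecurity cmdlets. The port numbers are the ones mentioned in the thread (135, 139, 445, and 4444); the rule names and the choice to apply the RPC/SMB block only to the Public profile are my own assumptions.

```powershell
# Added example (not from the forum thread): block inbound access to the
# ports discussed above on the local host, then verify the rules took.
# Run from an elevated PowerShell prompt.

# Rule definitions are constructed here; names are arbitrary placeholders.
# 135/139/445 are blocked only on the Public profile so that file sharing
# on a trusted domain/private network keeps working; 4444 (the listener
# port associated with the exploit family) is blocked on every profile.
$rules = @(
    @{ Name = 'Block-RPC-SMB-Inbound-Public-TCP'; Proto = 'TCP'; Ports = 135, 139, 445; Profile = 'Public' },
    @{ Name = 'Block-RPC-Inbound-Public-UDP';     Proto = 'UDP'; Ports = 135;           Profile = 'Public' },
    @{ Name = 'Block-4444-Inbound-Any';           Proto = 'TCP'; Ports = 4444;          Profile = 'Any' }
)

foreach ($r in $rules) {
    # Idempotent: only create a rule if one with this display name is absent.
    $existing = Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-NetFirewallRule -DisplayName $r.Name `
                            -Direction   Inbound `
                            -Protocol    $r.Proto `
                            -LocalPort   $r.Ports `
                            -Action      Block `
                            -Profile     $r.Profile | Out-Null
        Write-Host "Created rule $($r.Name)"
    } else {
        Write-Host "Rule $($r.Name) already present"
    }
}

# Verification: list each rule with the ports it actually filters.
foreach ($r in $rules) {
    $rule   = Get-NetFirewallRule -DisplayName $r.Name
    $filter = $rule | Get-NetFirewallPortFilter
    '{0,-36} enabled={1} action={2} proto={3} ports={4}' -f `
        $rule.DisplayName, $rule.Enabled, $rule.Action, $filter.Protocol, ($filter.LocalPort -join ',')
}
```

Block rules take precedence over allow rules in Windows Defender Firewall, so these override the default File and Printer Sharing allowances on the profiles they cover. On the XP-era systems this thread is about, the same effect came from the Internet Connection Firewall (later `netsh firewall`), which these cmdlets replace.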
woutiir
Hehe, some might have done that, but a lot didn't. Like mine, and a lot of people I asked, either. So that ain't really the problem; I think the problem is this exploit :)

I've not found it, didn't really search either. I think it lies within the RET, but I don't have a fcuking clue how to get it. I could code an exploit once I got that... but still, the problem remains.

Thanks for the replies :)

woutiir
D0cSyS
Actually I heard something similar, except I heard that you can get in through a different port, so even if the system is patched you can get in through a different port besides the standard 135 and get a shell, but then again you might need a different RET code to enter the shell.
woutiir
I believe 137, for example, is DCOM also. Though I'm not really much into the DCOM thingy, so correct me if I'm wrong.

Though everyone has heard of it, still no one has something for it. Or they just don't want to share it with 'us'?

Btw, I've got the feeling this board is growing bigger and bigger all the time; the reply time is like 0 sec :P

Nice! As long as no lamers are around, at least :) hehehe

Go gvnmts :)

Lat0rz
woutiir
bratt
The way is to scan another port and build another exploit with that RET...
vnet576
QUOTE (D0cSyS @ Sep 2 2003, 07:16 PM)
Actually I heard something similar, except I heard that you can get in through a different port, so even if the system is patched you can get in through a different port besides the standard 135 and get a shell, but then again you might need a different RET code to enter the shell.

I don't see how that could work. The only thing that machines vulnerable to DCOM have in common is the open 135 port. Any other port that's open on those machines relates to a different service.
studnikov
QUOTE
I don't see how that could work. The only thing that machines vulnerable to DCOM have in common is the open 135 port. Any other port that's open on those machines relates to a different service.

That's exactly right.
D0cSyS
I have a DCOM exploiter which allows me to input the port to exploit on, so I am gonna see what I can do via other ports :)
woutiir
D0cSyS,

Probably nothing, mate; as vnet said, every port is a different service running.
So you can't exploit a DCOM service on port 80, for example.

Though try as you wish; I wish you luck :)

C u guys around,
woutiir
zgbzgb
I noticed the mention of port 135 UDP in a CERT advisory; most ISPs don't block this port.
enlightnr
I think you can exploit RPC through some other ports as well, like 445, but from what I've found only 135 is effective.
Invision Power Board © 2001-2005 Invision Power Services, Inc.