test1
wrong section
haensy
Why
chrispen
Exactly what it says. Works, but no shell. Nice try. I believe today or tomorrow we will have a working one.
Nexcess
Not sure if anything else not mentioned is covered here, but this is from Trend Micro about the new DCOM stuff. Anyway, just trying to drop in more info to support the cause.
-Nexy

CODE

Details:
These newly-discovered vulnerabilities that affect Windows NT, 2000, XP, and Server 2003 are actually 3 security holes found in the Distributed Component Object Model (DCOM) interface within the RPCSS Service. Two of these vulnerabilities compromise system security by allowing the execution of arbitrary code, while the third could result in denial of service.

A heap overflow occurs when a DCOM object activation request packet with a malformed length field is received by a vulnerable machine. This enables an attacker to modify any memory location, which may result in an application error or the execution of arbitrary code.

Another heap overflow occurs when a DCOM RPC request contains a file name parameter longer than what is expected. This results in overwritten registers, which may also result in an application error or the execution of arbitrary code.

Both vulnerabilities allow an attacker to execute arbitrary code on a vulnerable machine with Local System account privileges, which allows them to have virtually total control over the remote system.

The third vulnerability causes a denial of service (DoS) attack on a vulnerable machine. The application SVCHOST.EXE crashes upon receipt of this malformed DCOM packet.

It displays the following error message:



To exploit these vulnerabilities, the attacker sends a specially crafted RPC message to a vulnerable system.

Once the system is exploited, it allows a predefined code with a Local System account privilege to be executed on the affected host and could also cause the RPCSS service to fail.

Microsoft has released an advisory and a corresponding patch for these vulnerabilities in the following Microsoft page:

Microsoft Security Bulletin MS03-039

Note that this newly-released patch supersedes the earlier patch in Microsoft Security Bulletin MS03-026.

Affected users who have already applied the MS03-026 patch are strongly advised to apply the new patch.

The complete list of affected software is as follows:

Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Server 4.0
Microsoft Windows NT Server 4.0, Terminal Server Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003



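Both heap overflows in the advisory above come down to the same defect: the receiver trusts a length (or a parameter size) carried in the request and copies that many bytes. The following is an added illustration, not Trend Micro's text or the exploit author's code; it uses a constructed toy packet layout rather than the real DCOM/RPC wire format, and all names (parse_activation_request, MAX_NAME_LEN, the sample packets) are assumptions made up for the example. It shows the three checks whose absence turns such a parser into a heap overflow.

```c
#include <stdint.h>
#include <string.h>

/* Constructed toy request layout (NOT the real DCOM/RPC wire format):
 * a 32-bit little-endian name length followed by that many name bytes. */
#define MAX_NAME_LEN 256

static uint32_t read_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened parser: returns the copied name length, or -1 if the request is
 * malformed. The unsafe pattern behind the advisory is this same routine
 * without the three checks: copying `len` bytes because the packet said so,
 * so a length larger than the data actually sent, or than the destination
 * buffer, reads past the packet and writes past the heap allocation. */
int parse_activation_request(const unsigned char *pkt, size_t pkt_len,
                             char *out, size_t out_len) {
    if (pkt_len < 4) return -1;           /* too short to hold a length field */
    uint32_t len = read_le32(pkt);
    if (len > pkt_len - 4) return -1;     /* claims more bytes than were received */
    if (len > MAX_NAME_LEN || len >= out_len) return -1; /* over protocol/buffer limit */
    memcpy(out, pkt + 4, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed sample packets: a well-formed one, and one whose length field
 * (0x7fffffff) vastly exceeds the two bytes that actually follow it. */
static const unsigned char GOOD_PKT[] = {0x04, 0x00, 0x00, 0x00, 'T', 'E', 'S', 'T'};
static const unsigned char HUGE_LEN_PKT[] = {0xff, 0xff, 0xff, 0x7f, 'A', 'B'};

int check_good(void) {
    char out[MAX_NAME_LEN + 1];
    return parse_activation_request(GOOD_PKT, sizeof GOOD_PKT, out, sizeof out) == 4
        && strcmp(out, "TEST") == 0;
}
int check_huge_len(void) {
    char out[MAX_NAME_LEN + 1];
    return parse_activation_request(HUGE_LEN_PKT, sizeof HUGE_LEN_PKT, out, sizeof out) == -1;
}
int check_long_name(void) {   /* self-consistent packet, but name is 300 > MAX_NAME_LEN */
    unsigned char pkt[4 + 300];
    char out[MAX_NAME_LEN + 1];
    memset(pkt, 'A', sizeof pkt);
    pkt[0] = 0x2c; pkt[1] = 0x01; pkt[2] = 0x00; pkt[3] = 0x00;   /* len = 0x12c = 300 */
    return parse_activation_request(pkt, sizeof pkt, out, sizeof out) == -1;
}
```

The second check (declared length against bytes received) is the one that defeats the malformed length field; the third (declared length against the protocol maximum) is the one that defeats the over-long file name parameter.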
MKZ
Thx a lot fine work.
Anarchy
It's for MS03-026 too.

Let's see:


unsigned char sc[]=
"\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00"
"\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
"\x46\x00\x58\x00\x46\x00\x58\x00"
"\xff\xff\xff\xff"
"\xcc\xe0\xfd\x7f"
"\xcc\xe0\xfd\x7f"

memcpy(sc+36, (unsigned char *) &targets[type].ret, 4);


Do you understand? The old one: MS03-026.

Sorry for my bad English.
z0rQuE
This exploit is fake, it doesn't work and it will never work...
Btw, there is even a big bug in the USAGE: argv[0] is missing and should be the second argument in the printf call...
woutiir
QUOTE

unsigned char sc[]=
"\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00"
"\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
"\x46\x00\x58\x00\x46\x00\x58\x00"
"\xff\xff\xff\xff"
"\xcc\xe0\xfd\x7f"
"\xcc\xe0\xfd\x7f"

memcpy(sc+36, (unsigned char *) &targets[type].ret, 4);


Easy:

memcpy(sc+36...

says that you should copy the 2nd argument supplied to memcpy (in this case (unsigned char *) &targets[type].ret) to the 36th place of sc, and sc is an array of characters. So it pastes the target RET at the 36th place in the sc array..

Gr. woutiir
Invision Power Board © 2001-2005 Invision Power Services, Inc.