extreme
Jan 13 2004, 03:23 PM
I just thought of an idea, and maybe it is irrelevant, but here it goes..
As I manage to understand, the main problem of getting a shell in buffer overflows is that the shell is too big to fit the buffer.
So, why not code something else than shell?? For example, I read somewhere that the RPC patch only changes one registry value from "1" to "0"... Maybe there is more, maybe not.. but just to understand my idea, what if one would make an application that just changes this registry value back from 0 to 1? Then you would enable RPC on the victim's comp, and get shell easily then..
I think that this application should be much smaller than shellcode... Basically, the point of this is to make some application that will unpatch the machine against some old exploit...
Faceless Master
Jan 13 2004, 04:25 PM
Nice..
One thing. Can we change registry values remotely?
Regards
~Faceless Master
ara2
Jan 13 2004, 04:39 PM
I think it's possible; however, just the size of the string pointing to the registry value you want to change would probably make the code even bigger than today's shellcodes.
SKyLiNe
Jan 15 2004, 01:49 PM
To be able to connect to a remote machine's registry, one would need to obtain the proper credentials to connect to it; in other words, you would need the administrator password.
You could try and write shellcode that changes registry settings remotely if you are exploiting something that will give you System or Admin privileges. If I'm understanding your theory correctly, your plan is to write regkey-changing shellcode to enable the DCOM service, which you can then exploit? This wouldn't be of much use either, I guess; you would still face the problem of buffer sizes and shellcode size.
chris105
Jan 16 2004, 07:48 PM
Echo it to a .reg file and then tell the batch to run it. Hell, why not tie it in with a nice Internet Explorer exploit? They visit a webpage and get infected (they won't know, put a fake 404 up) and you can use a script to get their IP number. Sorted.