First, I'd like to give credit to me, I and myself, whose tireless search of the net resulted in this. This is all written by me except the program description, which came from the program's website. I get to be an exploit author.. again.. yay me
I've been looking into exploiting port 1025 for a bit; tonight I found a program called Remoxec. It executes a program using RPC (Task Scheduler) or DCOM (Windows Management Instrumentation). Administrators with null or weak passwords may be exploited through Task Scheduler (1025/tcp or above) or DCOM (default 135/tcp). You have to give heed also to RPC/DCOM and not only to SMB.
I began a scan, and found almost every machine that pings has 1025 open.
Okay, so using this we can add tasks to any remote machine that has the RPC server running and that we have an account for. This port apparently supports logon, as some servers tested have replied with "access denied". First I tested with no logon information and got no results, so I tried with Administrator/null and it is getting me a few results, but telling it to tftp files from my machine (I was trying to get it to upload a program that sends me a command shell) doesn't seem to be going very well; perhaps they have disabled the task manager? Though three machines have taken the commands, none have connected to me at the time I specified.
I believe that someone who could code could construct a brute-force application to run against this port. I further believe that once logged on, other commands could be issued, resulting in remote code execution of the user's choice. It's currently possible, if the RPC service is running, to compromise a remote system using the technique I have pioneered and outlined here, as after enabling the services required and some local testing I uploaded a file from my machine to my machine with tftp and the Task Scheduler.
Axl
Feb 18 2004, 03:26 AM
I've always been fond of network blackjack
SyN/AcK
Feb 18 2004, 03:40 AM
If only for brute forcing (you probably really mean a dictionary attack), why not just attack the shares? I may be missing something, but I thought you said that the RPC service has to be running in order for you to be able to attack network blackjack, but if RPC is indeed running, there are already plenty of ways to get in. Could net blackjack be attacked even if the RPC service was down? If so, then let me know.
If you can actually RUN programs thru net blackjack (especially if you can do so in the context of the user you are logged in as), then let me know and I will write a program to dictionary attack this and, if successful, allow you to run commands. Hell, if you can give me more info, I'll program it in any language you'd like.
Nexcess
Feb 18 2004, 03:55 AM
QUOTE
If only for brute forcing (you probably really mean a dictionary attack), why not just attack the shares?
Many of the ranges I've been checking block ports 135, 139, and 445. This port is unblocked in every range I've checked and open on almost every machine that pings, which translates into a big hole.
I cannot check the DCOM (WMI) part, as it uses port 135 and that is blocked by my ISP, but there is a "use port 135" option. One of the errors returned on some of the machines that failed was "the RPC service is not running" or something to that effect, so it does require RPC. If you want the exact error I can check again, but that was the basics of the message.
QUOTE
If you can actually RUN programs thru net blackjack (especially if you can do so in the context of the user you are logged in as)
While I do not know about other commands, it allows you to add tasks to the Task Scheduler, thus I'm assuming other commands could also be issued in the context of SYSTEM or the currently logged-on user; you would be running the commands in the context of the Task Scheduler. Again, without a way to test the issuing of other commands I can't say. My guess is, this is Microsoft: if you can issue commands to add ANYTHING to the Task Scheduler, you can issue those commands directly to the OS as well. If you download the program (I put it up in the file downloads section) you'll see there's a place to input the commands you want the Task Scheduler to execute. All we want to do is skip the Task Scheduler and issue the commands to be run immediately.
Edit: I should also mention, this seems to also apply and work on ports 1026-1030 if they are open.
ni3_b0om
Feb 18 2004, 05:22 AM
hey man, nice, thx. Also we have other ports like: 1026-1028
so we can exploit them.
By the way, would u share that exec file, cause I didn't find it! Maybe I'm weak @ searchin' lol!
I think we can exploit that port in an unauthenticated way!!! So we don't need any user account!
What's ur idea?
Let's work on it.
Regards!
ni3_b0om
Feb 18 2004, 05:27 AM
Man, sorry, I didn't search the forum lol, I found it!!!!
dissolutions
Feb 18 2004, 05:55 AM
Port 1025 is often one of the first ports used by the operating system for outbound connections, thus it is likely you will see outbound connections from port 1025. Edit: A socket can also be allowed to listen on port 1025 as well.
Your theory seems unlikely.
Nexcess
Feb 18 2004, 06:14 AM
QUOTE (dissolutions @ Feb 18 2004, 05:55 AM)
Port 1025 is often one of the first ports used by the operating system for outbound connections, thus it is likely you will see outbound connections from port 1025. Edit: A socket can also be allowed to listen on port 1025 as well.
Your theory seems unlikely.
Every result I've seen from scans has been listening; I've telnet/netcat'd to them and they connect fine, there's just no prompt.
At any rate, if we try and fail we've lost nothing. Remoxec seems to connect fine to all I've tried; it's just that often I don't have an account or it returns "the RPC service is unavailable".
If, however, we succeed, we've found a rather large gap in Windows.
Kernel
Feb 18 2004, 06:58 AM
well, after investigating it a bit I don't think this is an exploit..... to schedule a program u need to connect to the remote computer, right? So what makes it different than psexec? If u try net use \\ip.ip.ip.ip\C$ "" /user:Administrator for example and get "Access Denied", most likely when trying to run Remoxec on the target machine u'll get the same thing... [I've tested it on 15 XP machines, all the same] and if u try net use \\ip.ip.ip.ip\C$ "" /user:Administrator for example and get "The command completed successfully", u can use psexec in order to run programs without scheduling ;P so I don't get this utility at all... nothing new... or am I missing something..?
And if u want a link to this program (in English), here it is: Download
Nexcess
Feb 18 2004, 07:39 AM
QUOTE (Kernel @ Feb 18 2004, 06:58 AM)
so I don't get this utility at all... nothing new... or am I missing something..?
Yeah, you're missing the "this port isn't blocked like 139 is" part.
Also, not just blocked, but many people have made efforts to close 139 because it's well known, whereas how many people do you know who say "Gee, I need to close 1025"?
No port 139 = no net use of NetBIOS shares.
To illustrate my point, scan a net block for port 139, then scan the same net block for 1025; I think you'll find the latter far more common.
edit: Am I the only one who sees an upside to this? Maybe I'm just the only one with an ISP taken to silly port blocking.
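The net-block comparison just described (139/445 dropped almost everywhere, 1025-1030 left open) is also what the sweep looks like from the defending side. As an added example, not from the thread or from the Remoxec tool, this Python picks a source that reaches RPC-range ports on several distinct hosts out of a firewall log; the log format, addresses and the three-host threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (assumed format: date time ACTION src dst dport/tcp).
# One external source sweeps the block on TCP 1025-1030 while its 139/445 probes are
# dropped; a second host makes ordinary single connections and must not be flagged.
SAMPLE_LOG = """\
2004-02-18 03:10:01 DROP   203.0.113.7  192.168.1.10 139/tcp
2004-02-18 03:10:01 DROP   203.0.113.7  192.168.1.10 445/tcp
2004-02-18 03:10:02 ACCEPT 203.0.113.7  192.168.1.10 1025/tcp
2004-02-18 03:10:02 ACCEPT 203.0.113.7  192.168.1.11 1025/tcp
2004-02-18 03:10:03 ACCEPT 203.0.113.7  192.168.1.12 1026/tcp
2004-02-18 03:10:03 ACCEPT 203.0.113.7  192.168.1.13 1025/tcp
2004-02-18 03:10:04 ACCEPT 203.0.113.7  192.168.1.14 1030/tcp
2004-02-18 03:12:40 ACCEPT 198.51.100.9 192.168.1.10 1025/tcp
2004-02-18 03:13:00 ACCEPT 198.51.100.9 192.168.1.10 80/tcp
"""

# The dynamic RPC endpoints the thread talks about (1025-1030) plus the endpoint mapper.
RPC_PORTS = {135} | set(range(1025, 1031))
SMB_PORTS = {139, 445}
LINE_RE = re.compile(r"^(\S+ \S+)\s+(ACCEPT|DROP)\s+(\S+)\s+(\S+)\s+(\d+)/tcp$")


def parse_line(line):
    """Return (timestamp, action, src, dst, dport) or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, src, dst, dport = m.groups()
    return ts, action, src, dst, int(dport)


def find_rpc_sweeps(log_text, min_hosts=3):
    """Flag sources whose accepted RPC-range connections reach >= min_hosts distinct hosts.

    Returns {src: {"rpc_hosts": [...], "rpc_ports": [...], "smb_dropped": n}} so an
    analyst sees the sweep and how many of the same source's SMB probes the firewall ate.
    """
    rpc_hosts, rpc_ports, smb_dropped = defaultdict(set), defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in another format rather than failing the whole run
        _, action, src, dst, dport = rec
        if action == "ACCEPT" and dport in RPC_PORTS:
            rpc_hosts[src].add(dst)
            rpc_ports[src].add(dport)
        elif action == "DROP" and dport in SMB_PORTS:
            smb_dropped[src] += 1
    return {
        src: {"rpc_hosts": sorted(hosts), "rpc_ports": sorted(rpc_ports[src]),
              "smb_dropped": smb_dropped[src]}
        for src, hosts in rpc_hosts.items() if len(hosts) >= min_hosts
    }


if __name__ == "__main__":
    for src, info in find_rpc_sweeps(SAMPLE_LOG).items():
        print(f"{src}: {len(info['rpc_hosts'])} hosts on ports {info['rpc_ports']}, "
              f"{info['smb_dropped']} SMB probes dropped")
```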
Kernel
Feb 18 2004, 07:53 AM
I'm not talking about the port.... my question is, if it works the same way as psexec, what is it worth? And to illustrate my point: I have a friend using Windows XP (in WinXP u can't net use C$ even if u know the login password and even if u can see the shares using enumexec, for eg., coz u'll get access denied). We were trying to run Remoxec on him; after he told me his administrator l/p + other users' account l/p, while testing Remoxec on him I still got "Access Denied". If that's the case, Remoxec is good only for computers like Windows 2000 which u can execute on using Administrator's privileges. So if it's so, this is not an AMAZING new thing... just another method... am I right?
Nexcess
Feb 18 2004, 08:00 AM
QUOTE (Kernel @ Feb 18 2004, 07:53 AM)
I'm not talking about the port.... my question is, if it works the same way as psexec, what is it worth? And to illustrate my point: I have a friend using Windows XP (in WinXP u can't net use C$ even if u know the login password and even if u can see the shares using enumexec, for eg., coz u'll get access denied). We were trying to run Remoxec on him; after he told me his administrator l/p + other users' account l/p, while testing Remoxec on him I still got "Access Denied". If that's the case, Remoxec is good only for computers like Windows 2000 which u can execute on using Administrator's privileges. So if it's so, this is not an AMAZING new thing... just another method... am I right?
Remoxec may or may not prove to be all that useful. However, if we can run other commands through this port after authenticating, without Task Scheduler, which is what someone else and I have started working on, then that's a bit of a different story. I posted the information I had collected on Remoxec because it currently shows that interaction with the port is possible and even some commands can be issued to it right now. Think of it like a DoS POC: really useless, but it proves something can be done with the port. I didn't intend to argue the usefulness of Remoxec; it was sort of a starting point to work from because it establishes a connection and authenticates with that port. If, for example, we manage to come up with a program which authenticates to that port and allows us to enter any command just like a command shell does, then that would be the big deal.
The only new ground we're trying to break is the different port; it's not a big Windows bug other than the fact they're allowing people to authenticate through this port remotely for no good reason I'm aware of. It's kinda like "Oh, you're going to block this door? We'll use a window."
edit: Maybe I've strayed here, I mean port-tinkering isn't really my forte, but in for a penny, in for a pound. Oh well, worst case scenario, I tried to do more than copy other people's work.
eXist
Feb 18 2004, 08:30 AM
If someone were able to code an uploader/exec tool, like the MyDoom ones that were floating around, you might have a chance. Given the information provided by Nexcess, if you coded the tool you would need the same info as that for the MyDoom upload/exec, except with user/password options? Possibly more that I haven't mentioned? If this were possible, then getting a shell would be simple, as you could upload something like WinShell to the box and you'd be on your merry way.
detonator
Feb 18 2004, 03:44 PM
hm hm hm, I do not understand why so many people do not get the clue. Point one: a port which is not blocked by ISPs (at the moment). Second: when it works (get files uploaded and started, for example) you have a method to connect to the machine even when the shares are deleted, where psexec and so on fail.
greetz
SyN/AcK
Feb 18 2004, 04:51 PM
I think most of you guys are missing the point. What apparently can be tried is a dictionary attack against the login for this. From there, you have another way to run commands. I see what you are trying to say: what's the point if you can just use PsTools, right? But the point is, how do you get the pass with PsTools? With this you can dictionary attack it, find the password, then run commands thru it. It has the potential to be cooler than PsTools. Also, even if we can't find a way to get it to accept commands like a cmd prompt, it could easily be set up to start netcat listening for a connect back.
Carlos
Feb 19 2004, 02:49 AM
ok, I see what Mr. Nexcess is saying.. I get it too. But the thing is.. how do you hammer a range of IPs with username/password via port 1025?
Can you give me more details about how you're doing this, if it's anything other than IP by IP with this Remoxec tool?!
phaeton
Feb 19 2004, 03:00 AM
I'm sorry, but I don't see this as an exploit or as that huge of a vulnerability. It's just dictionary attacking a host, but through a different port. Is it huge? Probably not, or else you would have seen everywhere that your user file can be brute-forced. It just opens another hole, but it's definitely not the biggest hole since ASN. Good job though; a little progress is better than no progress.
Nexcess
Feb 19 2004, 03:05 AM
QUOTE (phaeton @ Feb 19 2004, 03:00 AM)
I'm sorry, but I don't see this as an exploit or as that huge of a vulnerability. It's just dictionary attacking a host, but through a different port. Is it huge? Probably not, or else you would have seen everywhere that your user file can be brute-forced. It just opens another hole, but it's definitely not the biggest hole since ASN. Good job though; a little progress is better than no progress.
I think if all goes well, something along the lines of "ntscan" will probably come out to test for weak passwords through this port. As to ASN being a big hole, it's really nothing until someone finds a way to get it to produce a shell, which, since the remote system reboots after 1 minute, will more than likely be difficult. Perhaps, like it's been suggested, this isn't a "big" hole; however, it's a hole that really shouldn't exist at all. I can't think of anyone who wants remote users to add tasks to their system.
Research continues, more later..
-Nexy
p.s. It would actually be Ms.
Killaloop
Feb 19 2004, 11:50 AM
hmm, this is nice info dude. I always wondered what RPC services run on port 1025. So it's the Task Scheduler? Has nothing to do with blackjack (earlier posts). Ports 1025-1030 etc. are used for RPC services and can be exploited (security paper from the guys discovering the RPC bug). Also some trojans run on these ports, so not all port results will bring the reply you tried to get. To set up a task you would need to know the timezone of your target. Then you would set a task to run tftp.exe at a specified time, but how about attaching cmds to it? Let's see how this Task Scheduler operates ... and of course RPC needs to be enabled; how would you remotely call a process when RPC is disabled? (this question isn't really one ^^). However, nice info dude, got some boxes where I can test this.
ilnctm
Feb 19 2004, 12:27 PM
I will give it a go, thanx dude.
DvilleStoner
Feb 26 2004, 10:07 AM
nice
Shigawire
Mar 12 2004, 07:27 PM
Good job on that.. now how do I do something about Task Scheduler so that it doesn't keep port 1025 open?
Also, even if I have disabled DCOM, port 135 is still open. What should I do?
mike
Mar 13 2004, 02:44 AM
QUOTE (QuantumTopology @ Feb 18 2004, 03:26 AM)
I've always been fond of network blackjack
In theory, wouldn't that not be possible on NT/2000/XP machines, since 1025 is in use?
GodSp33d
Mar 13 2004, 10:59 AM
QUOTE (Kernel @ Feb 18 2004, 07:53 AM)
I'm not talking about the port.... my question is, if it works the same way as psexec, what is it worth? And to illustrate my point: I have a friend using Windows XP (in WinXP u can't net use C$ even if u know the login password and even if u can see the shares using enumexec, for eg., coz u'll get access denied). We were trying to run Remoxec on him; after he told me his administrator l/p + other users' account l/p, while testing Remoxec on him I still got "Access Denied". If that's the case, Remoxec is good only for computers like Windows 2000 which u can execute on using Administrator's privileges. So if it's so, this is not an AMAZING new thing... just another method... am I right?
Most likely the WinXP box is not set up for "advanced" file sharing, which causes the computer to not share c$, d$ and other such devices. This also probably causes the RPC service to display "Access Denied". This also doesn't seem like an exploit; it sounds like a dic attack.
NewBieMan
Mar 13 2004, 01:07 PM
I've seen a lot of retards scanning my fw yesterday
crash3rzz
Mar 13 2004, 06:38 PM
well, u are right... thing is, the exploit exists.. but it doesn't spawn a shell, doesn't do anything but crash the 1025... but again the service is programmed to restart... soon people I know will have it so it will reverse to a shell... anyways it's really a pain in the ass to do all this.. so maybe if a few exploits that I've got go into the wrong hands it will go public, but it stays private for a lil while, or maybe u wanna buy it? heh
Nexcess
Jul 28 2004, 05:00 PM
*cough ms04-022 cough*
Feb... to almost August... good to know MS keeps up with security so well. I want a cookie or something, damnit; this is twice now I've pointed out issues and got no credit.
Yorn
Jul 28 2004, 05:50 PM
That sucks
Feanor
Jul 30 2004, 09:20 AM
Man, I've checked it locally, and succeeded in executing and tftping files on my computer; still didn't have the chance to test it on a remote machine, although this one looks promising.
The only problem is to find the timeline of the remote computer, to know the exact time to execute the thing (which is easily possible with a whois search), and to brute-force the password (which I guess will require some coding).
Which reminds me to change my Admin/null pass
Terminal
Jul 30 2004, 09:53 AM
This ain't an exploit, man. It's a service designed by Microsoft themselves, bcoz to use it to run a process u need an admin account. If u have the admin account pass, then u can upload the file through $ shares and do this DCOM and RPC trick, or keep the file u wanna execute in any folder and leave a shortcut to it in \\Sales\c$\Documents and Settings\All Users\Start Menu\Programs\Startup and ur file will be executed on restart. This trick is nice if u are doing all this from a Win98 box, bcoz from Win98 u can't use RPC or DCOM.
Cheers for info
Terminal
Jul 30 2004, 09:57 AM
Oh, and about $ shares. U cannot connect to $ shares of WinXP SP1 unless u are in the same workgroup as the other PC is in. Not 100% sure about this, correct me if I'm wrong, but I said Service Pack 1.
Win2000 $ shares u can connect to from everywhere.
jimmy
Jul 30 2004, 04:04 PM
I wonder if there is a scanner for weak passes for port 1025
x1`
Jul 30 2004, 11:45 PM
I have a DCOM exploit that works over 1025.
Feanor
Jul 31 2004, 12:51 PM
QUOTE (Dickybob20 @ Jul 30 2004, 11:45 PM)
I have a DCOM exploit that works over 1025.
Can you share some more information (like source code and/or binary)?
This can be quite helpful, you know...
Terminal
Jul 31 2004, 04:07 PM
QUOTE (Dickybob20 @ Jul 31 2004, 05:15 AM)
I have a DCOM exploit that works over 1025.
Port 1025 is used by DCOM only. If u say DCOM, it's clear it's port 1025.
x1`
Jul 31 2004, 07:47 PM
I don't have it on its own; it's in an rxbot. Also there's a DCOM 445 exploit with it as well. I don't have the source, sorry.
Bombers
Jul 31 2004, 08:34 PM
"I wonder if there is a scanner for weak passes for port 1025"
Someone asked that. Yes, you can scan with ntscan, the GUI version: fill in port 1025 in the port area, and there you go.
And about that port 1025: give me the list of commands you did to access the computer and maybe I could help you. Also you need to code a program like psexec to start your files...
chris105
Jul 31 2004, 10:28 PM
It's really funny you should mention this; I made a testing VB app for this port to get the data that the port sent back to me when I tried to connect a winsock to it. I thought maybe (with MS being what it is) there could be a buffer overflow there, so I began to experiment.
talaxian
Aug 14 2004, 01:08 AM
chris105 .... ok.
And what did u determine?
lol