RPC probe explosion.

This is a discussion on RPC probe explosion. within the A Brief History of Cprogramming.com forums, part of the Community Boards category; Im not trying to convert anyone, but i gotta point out a couple things. For programming, Kdevelop and Anjunta To ...

  1. #16
    Registered User
    Join Date
    Jul 2002
    Posts
    913
    Im not trying to convert anyone, but i gotta point out a couple things.

    For programming, Kdevelop and Anjunta

    To keep your website up to date you could still use Linux, just throw in Samba. Then windows can see the Linux box.

    Then you could either work in the folder on the server or setup rsysnc. Rsysnc would keep everything in sync for you.

    DirectX, you could if you wanted to, but im sure its a pain
    (run winex, for games. or use Bochs to use windows in linux, havent done it but heard it can be done, for free!)

  2. #17
    Crazy Fool Perspective's Avatar
    Join Date
    Jan 2003
    Location
    Canada
    Posts
    2,640
    [affects Win2k through Server 2003]
    so am i safe with winME or can this still cause pain to my puter?

  3. #18
    Registered User
    Join Date
    Jan 2002
    Location
    Vancouver
    Posts
    2,220
    Originally posted by Perspective
    so am i safe with winME or can this still cause pain to my puter?
    WinME is not affected.

  4. #19
    Rad gcn_zelda's Avatar
    Join Date
    Mar 2003
    Posts
    942
    huzza! At least WinME is good for something!

  5. #20
    carry on JaWiB's Avatar
    Join Date
    Feb 2003
    Location
    Seattle, WA
    Posts
    1,972
    what about win98...
    "Think not but that I know these things; or think
    I know them not: not therefore am I short
    Of knowing what I ought."
    -John Milton, Paradise Regained (1671)

    "Work hard and it might happen."
    -XSquared

  6. #21
    Crazy Fool Perspective's Avatar
    Join Date
    Jan 2003
    Location
    Canada
    Posts
    2,640
    Originally posted by JaWiB
    what about win98...
    no, just win2k -> windows server 2003 (and everything in between)

  7. #22
    Registered User
    Join Date
    Jan 2002
    Location
    Vancouver
    Posts
    2,220
    AFAIK it doesn't infect XP, it only infects some versions of 2k. It does however cause XP to reboot. Which I find rather amusing.

  8. #23
    the hat of redundancy hat nvoigt's Avatar
    Join Date
    Aug 2001
    Location
    Hannover, Germany
    Posts
    3,139
    Microsoft Security Bulletin MS03-026

    Buffer Overrun In RPC Interface Could Allow Code Execution (823980)

    Originally posted: July 16, 2003 (!)

    Affected Software:

    Microsoft Windows NT® 4.0
    Microsoft Windows NT 4.0 Terminal Services Edition
    Microsoft Windows 2000
    Microsoft Windows XP
    Microsoft Windows Server™ 2003

    Not Affected Software:

    Microsoft Windows Millennium Edition
    Crashing systems with RPC errormessages are a sure sign of infection. Crashing systems due to other messages might be a sign of a failed intrusion attempt. Crashes can only be blocked by firewalls, because the patch does only hinder the infection, not the crashing itself.
    hth
    -nv

    She was so Blonde, she spent 20 minutes looking at the orange juice can because it said "Concentrate."

    When in doubt, read the FAQ.
    Then ask a smart question.

  9. #24
    Registered User
    Join Date
    Jan 2002
    Location
    Vancouver
    Posts
    2,220
    Originally posted by nvoigt
    Microsoft Security Bulletin MS03-026

    Buffer Overrun In RPC Interface Could Allow Code Execution (823980)

    Originally posted: July 16, 2003 (!)



    Crashing systems with RPC errormessages are a sure sign of infection. Crashing systems due to other messages might be a sign of a failed intrusion attempt. Crashes can only be blocked by firewalls, because the patch does only hinder the infection, not the crashing itself.
    a crash means infection $$$$ed up. it means it tried to jump to the wrong EIP which means the exploit code never worked. but it also means the RPC process tries to access memory it isn't allowed to, so it crashes, causing a reboot.

  10. #25
    Registered User
    Join Date
    Jul 2003
    Posts
    61
    RPC crashes both after the unsuccessful and successfull attempts. Compile the exploit, run it agains the unpatched box and you will see for yourself.

    Somebody posted on bugtraq though, that it is possible to avoid the crash after the successful break-in. For that, the exploit has to be modified to exit via ExitThread().
    $ENV: FreeBSD, gcc, emacs

  11. #26
    Registered User
    Join Date
    Jan 2002
    Location
    Vancouver
    Posts
    2,220
    Originally posted by cc0d3r
    RPC crashes both after the unsuccessful and successfull attempts. Compile the exploit, run it agains the unpatched box and you will see for yourself.

    Somebody posted on bugtraq though, that it is possible to avoid the crash after the successful break-in. For that, the exploit has to be modified to exit via ExitThread().
    yeah silly me.

  12. #27
    carry on JaWiB's Avatar
    Join Date
    Feb 2003
    Location
    Seattle, WA
    Posts
    1,972
    Yes...it can pay to use win 98...or to read Cboard
    "Think not but that I know these things; or think
    I know them not: not therefore am I short
    Of knowing what I ought."
    -John Milton, Paradise Regained (1671)

    "Work hard and it might happen."
    -XSquared

  13. #28
    Xei
    Xei is offline
    Registered User Xei's Avatar
    Join Date
    May 2002
    Posts
    719
    Actually, I was infected by it last night. It was strange, because I turned off Zone Alarm and then all of a sudden windows said "This station is shutting down in 1:00 seconds. Activated by NT ADMINISTRATION\SYSTEM." I took a screenshot if anyone wants- this happened twice in a row. Afterwards there was a new msworm.exe trying to scan ports 135 of certain IP ranges. Norton didn't catch it, either. I have obtained source code to one of the RPC exploits, it is in Assembly and C, and it uses very large enumerator tables with values I havn't been able to put together, I think it's little-endian format, not sure. I'll post the code to get all of your input on how, exactly, it works.
    Attached Files Attached Files
    "What are you after - the vague post of the week award?" - Salem
    IPv6 Ready.
    Travel the world, meet interesting people...kill them.
    Trying to fix or change something, only guaruntees and perpetuates its existence.
    I don't know about angels, but it is fear that gives men wings.
    The problem with wanting something is the fear of losing it, or never having it. The thought makes you weak.

    E-Mail Xei

  14. #29
    Pursuing knowledge confuted's Avatar
    Join Date
    Jun 2002
    Posts
    1,916
    Xei... you compiled it? (there's an .exe in that .zip) Is that the worm thing, or is it safe?

    edit: woot, my post count is 1337
    Away.

  15. #30
    Xei
    Xei is offline
    Registered User Xei's Avatar
    Join Date
    May 2002
    Posts
    719
    Originally posted by blackrat364
    Xei... you compiled it? (there's an .exe in that .zip) Is that the worm thing, or is it safe?

    edit: woot, my post count is 1337
    The EXE is not the worm. If you compile the C-Code then you will get a release version of rpctest.exe. Then goto a DOS console and type in:

    rpctest x.x.x.x (where x.x.x.x is an IP)

    It will then attempt to create a virtual DOS shell on port 57005, where you can telnet into the computer. This is just an example of an exploit(the shell is limited though, some API is possible to execute through the shell if done manually). Many systems are patched against RPC exploits now, but I did find that most IP's where people are running file-sharing servers are exploitable about 3/5ths of the time. MS really needs to revise the RPC. Personally, I think the idea of RPC is kinda silly.
    Last edited by Xei; 08-12-2003 at 06:46 PM.
    "What are you after - the vague post of the week award?" - Salem
    IPv6 Ready.
    Travel the world, meet interesting people...kill them.
    Trying to fix or change something, only guaruntees and perpetuates its existence.
    I don't know about angels, but it is fear that gives men wings.
    The problem with wanting something is the fear of losing it, or never having it. The thought makes you weak.

    E-Mail Xei

Page 2 of 3 FirstFirst 123 LastLast
Popular pages Recent additions subscribe to a feed

Similar Threads

  1. RPC concurrent server in C...???
    By mr_m4x in forum C Programming
    Replies: 1
    Last Post: 03-29-2009, 12:10 AM
  2. Help in RPC please
    By Duckzilla in forum Networking/Device Communication
    Replies: 1
    Last Post: 11-26-2007, 10:54 PM
  3. IPC vs RPC
    By hermit in forum Tech Board
    Replies: 7
    Last Post: 09-09-2002, 10:58 AM
  4. Rpc
    By Unregistered in forum C Programming
    Replies: 1
    Last Post: 12-01-2001, 01:25 AM
  5. Rpc
    By Unregistered in forum C Programming
    Replies: 0
    Last Post: 11-10-2001, 07:17 PM

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21