Thread: RPC probe explosion.

  1. #16
    Registered User
    Join Date
    Jul 2002
    Posts
    913
    I'm not trying to convert anyone, but I gotta point out a couple things.

    For programming, KDevelop and Anjuta

    To keep your website up to date you could still use Linux, just throw in Samba. Then Windows can see the Linux box.

    Then you could either work in the folder on the server or set up rsync. Rsync would keep everything in sync for you.

    DirectX, you could if you wanted to, but I'm sure it's a pain
    (run winex, for games. or use Bochs to use Windows in Linux, haven't done it but heard it can be done, for free!)

  2. #17
    Crazy Fool Perspective's Avatar
    Join Date
    Jan 2003
    Location
    Canada
    Posts
    2,640
    [affects Win2k through Server 2003]
    so am i safe with winME or can this still cause pain to my puter?

  3. #18
    Registered User
    Join Date
    Jan 2002
    Location
    Vancouver
    Posts
    2,212
    Originally posted by Perspective
    so am i safe with winME or can this still cause pain to my puter?
    WinME is not affected.

  4. #19
    Rad gcn_zelda's Avatar
    Join Date
    Mar 2003
    Posts
    942
    huzza! At least WinME is good for something!

  5. #20
    carry on JaWiB's Avatar
    Join Date
    Feb 2003
    Location
    Seattle, WA
    Posts
    1,972
    what about win98...
    "Think not but that I know these things; or think
    I know them not: not therefore am I short
    Of knowing what I ought."
    -John Milton, Paradise Regained (1671)

    "Work hard and it might happen."
    -XSquared

  6. #21
    Crazy Fool Perspective's Avatar
    Join Date
    Jan 2003
    Location
    Canada
    Posts
    2,640
    Originally posted by JaWiB
    what about win98...
    no, just win2k -> windows server 2003 (and everything in between)

  7. #22
    Registered User
    Join Date
    Jan 2002
    Location
    Vancouver
    Posts
    2,212
    AFAIK it doesn't infect XP, it only infects some versions of 2k. It does however cause XP to reboot. Which I find rather amusing.

  8. #23
    the hat of redundancy hat nvoigt's Avatar
    Join Date
    Aug 2001
    Location
    Hannover, Germany
    Posts
    3,130
    Microsoft Security Bulletin MS03-026

    Buffer Overrun In RPC Interface Could Allow Code Execution (823980)

    Originally posted: July 16, 2003 (!)

    Affected Software:

    Microsoft Windows NT® 4.0
    Microsoft Windows NT 4.0 Terminal Services Edition
    Microsoft Windows 2000
    Microsoft Windows XP
    Microsoft Windows Server™ 2003

    Not Affected Software:

    Microsoft Windows Millennium Edition
    Crashing systems with RPC error messages are a sure sign of infection. Crashing systems due to other messages might be a sign of a failed intrusion attempt. Crashes can only be blocked by firewalls, because the patch only hinders the infection, not the crashing itself.
    hth
    -nv

    She was so Blonde, she spent 20 minutes looking at the orange juice can because it said "Concentrate."

    When in doubt, read the FAQ.
    Then ask a smart question.

  9. #24
    Registered User
    Join Date
    Jan 2002
    Location
    Vancouver
    Posts
    2,212
    Originally posted by nvoigt
    Microsoft Security Bulletin MS03-026

    Buffer Overrun In RPC Interface Could Allow Code Execution (823980)

    Originally posted: July 16, 2003 (!)



    Crashing systems with RPC error messages are a sure sign of infection. Crashing systems due to other messages might be a sign of a failed intrusion attempt. Crashes can only be blocked by firewalls, because the patch only hinders the infection, not the crashing itself.
    a crash means infection $$$$ed up. it means it tried to jump to the wrong EIP which means the exploit code never worked. but it also means the RPC process tries to access memory it isn't allowed to, so it crashes, causing a reboot.

  10. #25
    Registered User
    Join Date
    Jul 2003
    Posts
    61
    RPC crashes both after the unsuccessful and successful attempts. Compile the exploit, run it against the unpatched box and you will see for yourself.

    Somebody posted on bugtraq though, that it is possible to avoid the crash after the successful break-in. For that, the exploit has to be modified to exit via ExitThread().
    $ENV: FreeBSD, gcc, emacs

  11. #26
    Registered User
    Join Date
    Jan 2002
    Location
    Vancouver
    Posts
    2,212
    Originally posted by cc0d3r
    RPC crashes both after the unsuccessful and successful attempts. Compile the exploit, run it against the unpatched box and you will see for yourself.

    Somebody posted on bugtraq though, that it is possible to avoid the crash after the successful break-in. For that, the exploit has to be modified to exit via ExitThread().
    yeah silly me.

  12. #27
    carry on JaWiB's Avatar
    Join Date
    Feb 2003
    Location
    Seattle, WA
    Posts
    1,972
    Yes...it can pay to use win 98...or to read Cboard

  13. #28
    Registered User Xei's Avatar
    Join Date
    May 2002
    Posts
    719
    Actually, I was infected by it last night. It was strange, because I turned off Zone Alarm and then all of a sudden Windows said "This station is shutting down in 1:00 seconds. Activated by NT ADMINISTRATION\SYSTEM." I took a screenshot if anyone wants it; this happened twice in a row. Afterwards there was a new msworm.exe trying to scan ports 135 of certain IP ranges. Norton didn't catch it, either. I have obtained source code to one of the RPC exploits, it is in Assembly and C, and it uses very large enumerator tables with values I haven't been able to put together, I think it's little-endian format, not sure. I'll post the code to get all of your input on how, exactly, it works.
    "What are you after - the vague post of the week award?" - Salem
    IPv6 Ready.
    Travel the world, meet interesting people...kill them.
    Trying to fix or change something, only guarantees and perpetuates its existence.
    I don't know about angels, but it is fear that gives men wings.
    The problem with wanting something is the fear of losing it, or never having it. The thought makes you weak.


  14. #29
    Pursuing knowledge confuted's Avatar
    Join Date
    Jun 2002
    Posts
    1,916
    Xei... you compiled it? (there's an .exe in that .zip) Is that the worm thing, or is it safe?

    edit: woot, my post count is 1337
    Away.

  15. #30
    Registered User Xei's Avatar
    Join Date
    May 2002
    Posts
    719
    Originally posted by blackrat364
    Xei... you compiled it? (there's an .exe in that .zip) Is that the worm thing, or is it safe?

    edit: woot, my post count is 1337
    The EXE is not the worm. If you compile the C code then you will get a release version of rpctest.exe. Then go to a DOS console and type in:

    rpctest x.x.x.x (where x.x.x.x is an IP)

    It will then attempt to create a virtual DOS shell on port 57005, where you can telnet into the computer. This is just an example of an exploit (the shell is limited though, some API is possible to execute through the shell if done manually). Many systems are patched against RPC exploits now, but I did find that most IPs where people are running file-sharing servers are exploitable about 3/5ths of the time. MS really needs to revise the RPC. Personally, I think the idea of RPC is kinda silly.
    Last edited by Xei; 08-12-2003 at 05:46 PM.

    E-Mail Xei
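
Added example, not part of any post in this thread: a small log check for the two network signs the posts above mention, a host sweeping port 135 across many addresses and any connection to port 57005. The log format, the sample lines and the threshold of five distinct targets are constructed assumptions.

```python
from collections import defaultdict

RPC_PORT = 135          # RPC port the thread says the worm scans
SHELL_PORT = 57005      # shell port the thread names for rpctest
SWEEP_THRESHOLD = 5     # assumed: distinct targets before a host is flagged

# Constructed log lines in a hypothetical "timestamp src dst dport action" format.
SAMPLE_LOG = """\
2003-08-12T17:40:01 10.0.0.23 192.0.2.10 135 ALLOW
2003-08-12T17:40:01 10.0.0.23 192.0.2.11 135 ALLOW
2003-08-12T17:40:02 10.0.0.23 192.0.2.12 135 ALLOW
2003-08-12T17:40:02 10.0.0.23 192.0.2.13 135 ALLOW
2003-08-12T17:40:03 10.0.0.23 192.0.2.14 135 ALLOW
2003-08-12T17:40:04 10.0.0.40 10.0.0.5 135 ALLOW
2003-08-12T17:40:05 10.0.0.40 10.0.0.5 445 ALLOW
2003-08-12T17:41:10 198.51.100.7 10.0.0.23 57005 ALLOW
garbage line that should be skipped
2003-08-12T17:41:30 10.0.0.40 10.0.0.5 135 ALLOW
"""

def parse(log_text):
    """Yield (src, dst, dport) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        yield parts[1], parts[2], int(parts[3])

def rpc_sweepers(log_text, threshold=SWEEP_THRESHOLD):
    """Sources that contacted 135/tcp on at least `threshold` distinct hosts."""
    targets = defaultdict(set)
    for src, dst, dport in parse(log_text):
        if dport == RPC_PORT:
            targets[src].add(dst)
    return sorted(s for s, d in targets.items() if len(d) >= threshold)

def shell_port_hits(log_text, port=SHELL_PORT):
    """Unique (src, dst) pairs for any connection to the shell port."""
    return sorted({(s, d) for s, d, p in parse(log_text) if p == port})

if __name__ == "__main__":
    print("135/tcp sweepers:", rpc_sweepers(SAMPLE_LOG))
    print("connections to 57005:", shell_port_hits(SAMPLE_LOG))
```

A host that repeatedly talks to one server on 135 (10.0.0.40 in the sample) stays below the threshold, because the check counts distinct destinations rather than connections.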
