[REVS] Using the oc192-Dcom.c Exploit to Accomplish Revenge

Subject: [REVS] Using the oc192-Dcom.c Exploit to Accomplish Revenge
Date: 6 Oct 2004 14:38:46 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Using the oc192-Dcom.c Exploit to Accomplish Revenge
------------------------------------------------------------------------


SUMMARY

The document linked below analyzes several different exploits for the 
DCOM RPC vulnerability, as well as the MS.Blaster worm. It also provides 
an excellent, detailed, top-down example of a full system exploit using 
one of the exploits listed. The author assumes almost no prior knowledge, 
so even readers with only basic knowledge can benefit from it.

DETAILS

Purpose:
"On the 16th July 2003 Microsoft released a security bulletin describing a 
vulnerability that existed in their Dcom RPC interface. The vulnerability 
was common to all but one supported Windows platform, regardless of what 
service pack was installed.
On the same day my friend that worked for ACME Corporation as an ASP 
developer was dismissed, and rather unfairly I think. He was only using 
Kazaa to download his latest favorite ripped movies from the Internet and 
burning them on the company CD writer, that is of course until his boss 
saw what he was doing.

So now he's jobless and pretty upset with the company, and he has come to 
me to help him exact revenge on the firm. He wants my help to deface the 
web page so that it can ease his suffering. I'm up to that, especially 
knowing that my friend has some good insider information and that there is 
a great new vulnerability that I might just be able to use.
Before I can move in for the kill I will need to research the exploit and 
possible code available a little further to understand just what it does 
and how it works. Using reconnaissance methods I will then gather 
information about the site from the Internet and my friend's brain. Once I 
have that information the preparation stage will begin to accumulate 
all the necessary tools I will need for the attack. Of course the aim 
would be to deface the web site, but I'll try getting in with leaving as 
little evidence as possible for any administrators or incident handling 
team to find, although my friend tells me there is no incident handling 
team at the moment. It's going to be interesting to see how they cope with 
the attack?"

The document, "Using the oc192-dcom.c exploit to accomplish revenge", can 
be found at:
http://www.giac.org/practical/GCIH/Mark_Johnston_GCIH.pdf


ADDITIONAL INFORMATION

The original article can be found at:
http://www.giac.org/practical/GCIH/Mark_Johnston_GCIH.pdf


