[Snort-sigs] DCOMRPC Exploit POC code posted

SoloNet Newsfeed newsfeed at ...1411...
Tue Sep 16 07:30:10 EDT 2003

The recent DoS attack code from cnhonker.com is detected as :

"LOCAL COMMON NetBios DCERPC exploit attempt (req 3)"

(from the "quick rules for the new dcom stuff) by Johnathan Norman")

(the attack tool is listed here)

It uses some of the same code as the original DCOM scanners. We did note 
that McAffee VirusScan does pick up the code in the EXE (as of 4292 DAT) 
which kept us from getting an executable of the above code to save on to 
our test development machine. So, if this makes it into a worm/virus, it 
looks as if some of the virus companies' generic sigs are catching 
things. The code itself took down a machine in less than two seconds and 
initiates an automatic retry to the same address. Nasty little bugger.



SoloNet Newsfeed Processor wrote:

>This was mentioned on Full-Disclosure this morning, but I expect that in
>the hands of folks, we have a scanner, now some code for a possible base
>for a root. I expect we'll see an exploit soon. Anybody wanna create a sig
>for it?
>David A. Koran
>SoloNet INS
>This sf.net email is sponsored by:ThinkGeek
>Welcome to geek heaven.
>Snort-sigs mailing list
>Snort-sigs at lists.sourceforge.net

More information about the Snort-sigs mailing list