[Snort-sigs] DCOMRPC Exploit POC code posted
newsfeed at ...1411...
Tue Sep 16 07:30:10 EDT 2003
The recent DoS attack code from cnhonker.com is detected as:
"LOCAL COMMON NetBios DCERPC exploit attempt (req 3)"
(from the "quick rules for the new dcom stuff" by Johnathan Norman)
(the attack tool is listed here)
It uses some of the same code as the original DCOM scanners. We did note
that McAfee VirusScan does pick up the code in the EXE (as of 4292 DAT)
which kept us from getting an executable of the above code to save on to
our test development machine. So, if this makes it into a worm/virus, it
looks as if some of the virus companies' generic sigs are catching
things. The code itself took down a machine in less than two seconds and
initiates an automatic retry to the same address. Nasty little bugger.
SoloNet Newsfeed Processor wrote:
>This was mentioned on Full-Disclosure this morning, but I expect that in
>the hands of folks, we have a scanner, now some code for a possible base
>for a root. I expect we'll see an exploit soon. Anybody wanna create a sig
>David A. Koran