[Snort-sigs] DCOMRPC Exploit POC code posted

Jason Alexander lists at ...1882...
Wed Sep 17 20:05:02 EDT 2003


So has anyone seen any of these attacks in the wild yet? Luckily I haven't
seen any yet.


> The recent DoS attack code from cnhonker.com is detected as :
>
> "LOCAL COMMON NetBios DCERPC exploit attempt (req 3)"
>
> (from the "quick rules for the new dcom stuff" by Johnathan Norman)
>
> (the attack tool is listed here)
> http://www.cnhonker.com/index.php?module=releases&act=view&type=3&id=45
>
> It uses some of the same code as the original DCOM scanners. We did note
> that McAfee VirusScan does pick up the code in the EXE (as of 4292 DAT)
> which kept us from getting an executable of the above code to save on to
> our test development machine. So, if this makes it into a worm/virus, it
> looks as if some of the virus companies' generic sigs are catching
> things. The code itself took down a machine in less than two seconds and
> initiates an automatic retry to the same address. Nasty little bugger.
>
> Sincerely,
>
> David
>
> SoloNet Newsfeed Processor wrote:
>
>>http://www.k-otik.com/exploits/09.11.dcom2_scanner.c.php
>>
>>This was mentioned on Full-Disclosure this morning, but I expect that in
>>the hands of folks, we have a scanner, now some code for a possible base
>>for a root. I expect we'll see an exploit soon. Anybody wanna create a
>>sig for it?
>>
>>Thanks,
>>
>>David A. Koran
>>SoloNet INS
>>http://www.solo.net/
>>
>>
>>-------------------------------------------------------
>>This sf.net email is sponsored by:ThinkGeek
>>Welcome to geek heaven.
>>http://thinkgeek.com/sf
>>_______________________________________________
>>Snort-sigs mailing list
>>Snort-sigs at lists.sourceforge.net
>>https://lists.sourceforge.net/lists/listinfo/snort-sigs




