Old dcom exploit new ports.

Published: 2007-04-07
Last Updated: 2007-04-07 16:19:50 UTC
by Tony Carothers (Version: 2)
0 comment(s)
We are currently investigating a possible exploit with MS, Active Directory, and DNS.  At this point the information looks solid, provided initially by Bill O. for review.  Further information has been provided by Bill, who is working on contacting MS, as things have progressed.  Looking at the description of the attack method, it looks solid based on my experience with MS.  If anybody has any scans from the 61.63.xxx.xxx range, I would be very interested in seeing full captures.

We will keep you posted as things progress.  I will be sending on what we have discovered as well to MS tomorrow.  It is 0130EST right now in the US, I will be passing the findings on to the other Handlers for review and input later this morning.

UPDATE: We are not sure this is related to microsoft's DNS. Based solely on the packets it looks like a dcom exploit against a high number port with shell code in it. The partial packets we received match portions of well known dcom exploits and schoeborn shell code.

The packets begin with this:
05 00 0B 03 10 00 00 00
Which matches several blaster or DCOM sigs
http://www.linklogger.com/RPC_DCOM.htm

Then some shell code (schoenborn)
04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00
http://nepenthes.mwcollect.org/csni:shellcodes:schoenborn

UPDATE-2: We are looking at the files involved now, we will keep the diary updated as things develop.
Keywords:
0 comment(s)

Comments


Diary Archives