[unisog] Nessus Plugin and RPC Cleanup Webpage

Phil.Rodrigues at uconn.edu
Thu Aug 14 20:32:41 GMT 2003


Lina P, who modified the script, says this:

"The script sends two packets out of a socket.  The first is a bindstring.
The second is a request string.  Vulnerable machines return a specific
stub.  If you set debug to 1 on the nessus plugin (11808) and throw it
through the nasl interpreter (nasl -t target_ip msrpc_dcom.nasl), you can
see the stubs."

I have no idea what that means. :-)  As far as I know it opens the hole on 
the target computer to test to see if it can (the buffer overflow), but 
does not actually run the full exploit that has been floating around 
(which allows the attacker to get to cmd.exe on the target system).  I 
think that means it does overflow the buffer.

Phil

=======================================
Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut

email: phil.rodrigues at uconn.edu
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu
=======================================

scaturro <scaturro at Princeton.EDU>
08/14/2003 03:44 PM

To:      unisog at sans.org
cc:
Subject: Re: [unisog] Nessus Plugin and RPC Cleanup Webpage

Does anyone know if the plug-in is actually exploiting the 
vulnerability by overflowing the buffer?  If so, with what?  Valid code 
I would assume (but for what service pack/patch level)?
Regards,
Anthony Scaturro
University IT Security Officer
Princeton University

On Thursday, August 14, 2003, at 03:22 PM, Chris Stoermer wrote:

> Nessus warning for Netware users
>
> Howdy!
>
> FYI..
>
> There is a patch for Netware6 servers you need to apply before you run 
> Nessus against your servers.  We didn't know about this until after we 
> made our first pass.  All 5 of our SAN attached, replica holders 
> abended...dead in the water.
>
> Also, all our NDPS printers with IP addresses printed a junk session 
> of about 6 pages.
>
> --Chris
>
>>>> <Phil.Rodrigues at uconn.edu> 08/13/03 01:43PM >>>
> Hi all,
>
> Two students here (Keith Bessette and Lina Pezzella) have tweaked Nessus
> plugin #11808 to return more accurate info about RPC-DCOM
> vulnerabilities, especially when scanning Windows 95/98/ME computers (that
> Nessus previously reported as "vulnerable").  It now returns the same
> basic info as v1.04 of EEye's tool.  Find it at:
>
> http://hogwash.uits.uconn.edu/msrpc.nasl
>
> We have developed a webpage to help support staff respond to the
> Stealther.Trojan compromises, MS Blast infections, and RPC-DCOM
> vulnerabilities in our network.  It may be useful to other schools:
>
> http://www.security.uconn.edu/rpc_procedure.html
>
> We have noticed that a large number of our Windows 2000 hosts seem to
> have had TCP 135 close when RPC crashed after the worm tried
> unsuccessfully to use the Win XP offset to compromise them.  Since these
> hosts no longer have TCP 135 open they do not appear as "Vulnerable" to
> our scanners, and thus we are passing over them in our sweeps.  However,
> the guess is they will be vulnerable after they reboot and therefore are
> still at risk of being infected.  Anyone have a solution to this?
>
> Phil
>
> =======================================
> Philip A. Rodrigues
> Network Analyst, UITS
> University of Connecticut
>
> email: phil.rodrigues at uconn.edu
> phone: 860.486.3743
> fax: 860.486.6580
> web: http://www.security.uconn.edu
> =======================================
>
>
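The blind spot Phil describes at the end of the thread (Windows 2000 hosts whose RPC service crashed, so TCP 135 is closed, so the sweep reports nothing and the host silently drops off the follow-up list until it reboots) is a property of how the sweep results are interpreted, not of the plugin. One defensive fix is to keep the previous sweep and treat "135 was open last time, closed now" as its own category that stays on the follow-up list. The script below is an added example for this list, not code from the thread, from Nessus, or from the UConn plugin; the one-line-per-host sweep format it parses and the status names it uses are constructed for the example.

```python
"""Reconcile two RPC-DCOM sweeps so that hosts whose TCP 135 went from open
to closed are kept on the follow-up list instead of being dropped.

Added example, not part of the original unisog thread.  The sweep format
("host,open|closed,vuln|clean|-") and the status vocabulary are assumptions
constructed for this example, not the output format of Nessus or of the
plugin discussed in the thread.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class SweepResult:
    host: str
    port_135_open: bool
    vulnerable: bool  # True only when the check positively reported "vulnerable"


# Status vocabulary (constructed for this example).
VULNERABLE = "vulnerable"
NOT_VULNERABLE = "not-vulnerable"
SUSPECT_CRASHED = "suspect-rpc-crashed"  # 135 was open in the previous sweep, closed now
UNKNOWN = "unknown"                      # closed both times, or not seen this sweep


def parse_sweep(lines: Iterable[str]) -> Dict[str, SweepResult]:
    """Parse one sweep from constructed 'host,open|closed,vuln|clean|-' lines."""
    results: Dict[str, SweepResult] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, port_state, verdict = (field.strip() for field in line.split(","))
        results[host] = SweepResult(host, port_state == "open", verdict == "vuln")
    return results


def classify(previous: Dict[str, SweepResult],
             current: Dict[str, SweepResult]) -> Dict[str, str]:
    """Assign each host a status using the current sweep plus the previous one.

    A closed TCP 135 is only "not vulnerable" if we never saw it open; a host
    that was open before and is closed now is assumed to have a crashed RPC
    service and will be back at risk after a reboot.
    """
    statuses: Dict[str, str] = {}
    for host, now in current.items():
        if now.port_135_open:
            statuses[host] = VULNERABLE if now.vulnerable else NOT_VULNERABLE
        elif host in previous and previous[host].port_135_open:
            statuses[host] = SUSPECT_CRASHED
        else:
            statuses[host] = UNKNOWN
    # Hosts present last time but missing from this sweep stay visible too.
    for host in previous:
        statuses.setdefault(host, UNKNOWN)
    return statuses


def follow_up(statuses: Dict[str, str]) -> List[str]:
    """Hosts that must stay on the remediation / re-scan list."""
    return sorted(h for h, s in statuses.items() if s in (VULNERABLE, SUSPECT_CRASHED))


# Constructed sample sweeps: 10.1.1.12 was open and vulnerable on the first
# pass and has TCP 135 closed on the second (the crashed-RPC case).
SWEEP_1 = """
# host,tcp135,verdict
10.1.1.10,open,vuln
10.1.1.11,open,clean
10.1.1.12,open,vuln
10.1.1.13,closed,-
"""

SWEEP_2 = """
10.1.1.10,open,vuln
10.1.1.11,open,clean
10.1.1.12,closed,-
10.1.1.13,closed,-
10.1.1.14,open,vuln
"""


def run_example() -> Dict[str, str]:
    """Classify the second constructed sweep against the first."""
    return classify(parse_sweep(SWEEP_1.splitlines()),
                    parse_sweep(SWEEP_2.splitlines()))


if __name__ == "__main__":
    result = run_example()
    for host in sorted(result):
        print(f"{host:<12} {result[host]}")
    print("follow-up:", ", ".join(follow_up(result)))
```

With the constructed sweeps, 10.1.1.12 comes out as suspect-rpc-crashed and stays on the follow-up list alongside the two hosts that still answer as vulnerable, while 10.1.1.13, which was closed on both passes, is reported as unknown rather than silently treated as clean. In practice the previous-sweep file would be the last full pass of the scanner, and the suspect list would be re-scanned once those hosts have rebooted.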