Msblast Exploit

hello everybody,
I have a private network of 5 computers all running windows 2000 sp3, i recently downloaded a tool form www.eeye.com and scanned my network if it was vulnerable to an RPC attack, I found out that it was, i then downloaded the exploit from www.securityfocus.com and tried running it against the networked pc's but somehow the xploit isnt seem to b working, neither remotely nor locally, this was good news.....but i see that port 135 is open on all my networked pcs still they dont seem to be vulnerable to the xploit....i jes want to know if i am doing something wrong here....
n besides this i would like to request chris to if he could start writing on stuff like network programming, it would b great to see topics like network programming in here.
last but definitely not the least....i believe the only guyz doing justice to networking are you ppl....long live firewall.cx!!!

If you could tell us what RPC exploit it was vulnerable to we might be able to help you. Usually the vulnerability code will be something like MS03-39 or something similar, which basically means Microsoft 2003 - Vulnerability number 39.

I'm assuming you used Retina to scan your network. Trust me, if Retina says that you're vulnerable to something, you are. Was the exploit you got off securityfocus a precompiled exploit (higly unlikely) or was it exploit code (more likely) that you had to code yourself ? If you compiled the code yourself there may have been some errors there that you needed to fix.

Usually exploits don't work 'out of the box' so to speak.. a lot of people who release proof-of-concept exploits don't want everyone to just be able to download the code, compile it and attack everyone else... so they deliberately insert bugs into the code that any half-decent programmer should be able to figure out.

If the code is Perl / C then I wouldn't mind having a look at it.
Just for your information, there is a tool called Core Impact, which is a vulnerability scanner that actually exploits the remote machine if you ask it to. Its expensive though, and you might have a hard time justifying to your company why you'd need a tool to break the network that they pay you to keep running

-- and so the struggle continues between the suits and the admins

I'll move this topic to the Security and Firewalls forum tomorrow as I think the matter is more relevant for that forum.


Cheers,

yes exactly, the microsoft advisory number wuz MS03-039....

well the code that i downloaded from security focus, wuz precompiled....the url to the exploit is www.securityfocus.com/data/vulnerabilities/exploits/kaht2.zip this exploit automatically scans for vulnerable pcs through a range of ip addresses, and if it finds any vulnerable computer it sends the xploit to it.....in my network...it doez find vulnerable pcs ie with port 135 open...but it fails to send the exploit....

my local network is not attached to the outside world, i use a dial-up connection to connect to the internet, from a pc which has nothing to do with the network....so the only threat em facin is from inside....

there wuz a sahir something that i once knew,when i wuz in the third grade.....i bet ur not him....he never wuz so brilliant..neway where r u from...jes to make sure.......

Hey,
I downloaded the exploit and tested against an unpatched winxp box that I just put up, and the exploit failed.. so perhaps theres something wrong with the exploit itself. Thats wierd though, usually securityfocus is pretty good about these things.. anyway I'll try it on a couple more machines later.

Where am I from ? I'm from Bombay, India.


Cheers,

nnbnb www.astalavista.com/tools/auditing/netwo...ultiscanner/RPC2.zip

Try this tools out.

thanx manip and sahir i really appreciate ur help....i cudnt hav won dat noble prize without u....

well...wut do u know sahir.....d sahir dat i knew wuz also from india....but he wuz from kerala....