All software has weak points, called vulnerabilities, which allow an attacker to compromise it. An exploit is a program which makes use of a vulnerability. Exploits are usually written in C or Perl.
RPC DCOM VULNERABILITY
INTRODUCTION
The Remote Procedure Call (RPC) is an application level protocol used to facilitate communication between two machines on a network. RPC uses the client/server model of communication, where the requesting machine is considered the client and the machine servicing the request is considered the server. Since RPC operates at the application layer of the OSI model, it is not concerned with the details of the underlying network. A runtime program exists on both the client and server computers which has knowledge of the underlying network and manages the transmission of the RPC request across the network. The RPC Distributed Component Object Model (DCOM) interface, accessible via port 135, is used to provide the location of DCOM services to clients making associated requests.
RPC works by having a client make a call with the necessary parameters and arguments to the server. The client then waits for the server to reply. As RPC is synchronous, no further communication takes place on the client's thread until the client either receives a reply or the connection times out. When the request arrives at the server, the server processes the information and returns the reply to the client. The client then continues until another request is required. DCOM provides a means for objects on different machines, connected by LAN, the internet or any other means, to communicate with each other. For DCOM to communicate over the network with remote hosts, it relies on RPC to format the information into conforming network packets. When a client needs to make use of a component on a remote machine, DCOM simply passes the information on to a network RPC.
THE VULNERABILITY
On 16th July 2003 Microsoft released a security bulletin describing a vulnerability in their DCOM RPC interface. The vulnerability was common to all supported Windows platforms, regardless of which service pack was installed. It is a buffer overflow in the DCOM interface within the Remote Procedure Call mechanism of many Windows operating systems.
By sending a specially crafted RPC request to port 135 of the victim, an attacker can overflow the buffer and place return instructions on the stack which then launch a command shell (with system privileges) listening on a specified port on the victim's machine. This means that by sending a malicious request to port 135, a person can overflow the victim's buffer. This vulnerability exists because the inputs are not properly checked for size. If an input exceeds the assigned size, the buffer overflows and the rest of the input is copied over adjacent memory and gets executed. The exploit is coded so that it first overflows the buffer and then gives the command to open a command shell on a specified port. Once a shell has been opened on that port, the attacker disconnects from port 135 and connects to the newly opened port. Since a command shell is open on this port, he gets full access to the victim's computer.
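The root cause described above is a copy into a fixed-size buffer whose length is taken from the request without being compared to the buffer's capacity. The following added example is not from the original article or from Microsoft's code: it is a constructed, hypothetical length-prefixed message format (a two-byte big-endian length followed by a payload) and a handler that applies the two size checks such a copy needs. The names handle_request, demo_status, demo_truncated and NAME_BUF_SIZE are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical fixed-size destination buffer, as in the pattern the
 * article describes (an unchecked copy into a buffer of fixed size). */
#define NAME_BUF_SIZE 64

enum req_status { REQ_OK = 0, REQ_TRUNCATED = 1, REQ_TOO_LONG = 2 };

/* Parse a constructed message (2-byte big-endian length + payload) into
 * name_out, which the caller sizes to NAME_BUF_SIZE bytes.
 * Returns REQ_OK and a NUL-terminated string on success.
 * REQ_TRUNCATED: the header claims more bytes than were actually received.
 * REQ_TOO_LONG:  the payload would not fit the destination buffer.
 * Dropping the second check is exactly the class of bug the article
 * describes: the excess bytes would overwrite adjacent stack memory. */
int handle_request(const uint8_t *msg, size_t msg_len, char name_out[NAME_BUF_SIZE])
{
    if (msg_len < 2)
        return REQ_TRUNCATED;

    size_t declared = ((size_t)msg[0] << 8) | msg[1];

    /* Check 1: the declared length must be backed by bytes we hold,
     * otherwise memcpy would read past the end of the received data. */
    if (declared > msg_len - 2)
        return REQ_TRUNCATED;

    /* Check 2: the declared length must fit the destination buffer,
     * leaving one byte for the terminating NUL. */
    if (declared >= NAME_BUF_SIZE)
        return REQ_TOO_LONG;

    memcpy(name_out, msg + 2, declared);
    name_out[declared] = '\0';
    return REQ_OK;
}

/* Build a constructed message carrying n bytes of 'A' with a truthful
 * header and run it through the handler; returns the handler's status. */
int demo_status(size_t n)
{
    uint8_t msg[2 + 1024];
    char name[NAME_BUF_SIZE];
    if (n > 1024)
        return -1;
    msg[0] = (uint8_t)(n >> 8);
    msg[1] = (uint8_t)(n & 0xff);
    memset(msg + 2, 'A', n);
    return handle_request(msg, 2 + n, name);
}

/* Build a message whose header claims n bytes but which carries only n/2,
 * the "lying header" case; returns the handler's status. */
int demo_truncated(size_t n)
{
    uint8_t msg[2 + 1024];
    char name[NAME_BUF_SIZE];
    if (n > 1024 || n < 2)
        return -1;
    msg[0] = (uint8_t)(n >> 8);
    msg[1] = (uint8_t)(n & 0xff);
    memset(msg + 2, 'A', n / 2);
    return handle_request(msg, 2 + n / 2, name);
}

/* Round-trip a short constructed payload; returns 1 if the parsed string
 * equals the payload that was sent, 0 otherwise. */
int demo_roundtrip(void)
{
    const char payload[] = "hello";
    size_t n = sizeof(payload) - 1;
    uint8_t msg[2 + sizeof(payload)];
    char name[NAME_BUF_SIZE];
    msg[0] = (uint8_t)(n >> 8);
    msg[1] = (uint8_t)(n & 0xff);
    memcpy(msg + 2, payload, n);
    if (handle_request(msg, 2 + n, name) != REQ_OK)
        return 0;
    return strcmp(name, payload) == 0;
}

int main(void)
{
    printf("10-byte payload  -> status %d (0 = ok)\n", demo_status(10));
    printf("63-byte payload  -> status %d (0 = ok, last byte that fits)\n", demo_status(63));
    printf("64-byte payload  -> status %d (2 = too long, rejected)\n", demo_status(64));
    printf("500-byte payload -> status %d (2 = too long, rejected)\n", demo_status(500));
    printf("lying header     -> status %d (1 = truncated, rejected)\n", demo_truncated(20));
    return 0;
}
```

Both checks matter: the second one prevents the stack overwrite the article describes, and the first one prevents the handler from reading beyond the received bytes when the header lies about the payload size.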
THE EXPLOIT
Exploits making use of this vulnerability are widely available on the net; one such place is securityfocus.com. Though most systems today are patched against this vulnerability, it posed a great risk to users of the affected operating systems.
CONCLUSION
If all this went above your head, drop us a mail by clicking here. We will send you a special newbie write-up on this topic.
NOTE: Certain information published above has been taken from articles by different authors. If any such author has an objection to this, do inform us. We will change the content at the earliest.
©2005 HACKERZONE