MS Windows RPC DCOM Scanner MS03039

  1    /*
  2    dcom2_scanner.c
  3
  4    scan for second dcom vulnerability (MS03-039)
  5
  6    by Doke Scott, doke at udel.edu, 10 Sep 2003
  7
  8    based on work by:
  9     * buildtheb0x presents : dcom/rpc scanner
  10    * −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
  11    * by: kid and farp
  12
  13    and on packet sniffs of MS’s dcom2 scanner
  14
  15   */
  16
  17   #define d_dcom_scan_timeout 5   // max seconds for individual dcom scan
  18
#include   <ctype.h>
#include   <errno.h>
#include   <signal.h>
#include   <stdio.h>
#include   <stdlib.h>

#include   <sys/types.h>
#include   <sys/socket.h>
#include   <arpa/inet.h>
#include   <fcntl.h>
#include   <netdb.h>
#include   <netinet/in.h>
#include   <unistd.h>
#include   <unistd.h>
  31
  32   #define null NULL
  33
  34
// for sun spro cc weirdness? seg faults without this
// Reinterprets the storage of `ip` as a struct in_addr through a pointer
// cast, so `ip` must be an lvalue with the same size and layout (a 32-bit
// network-order address). inet_ntoa() returns a pointer to a static buffer
// that the next call overwrites, so use or copy the result before calling
// it again. NOTE(review): a memcpy into a local struct in_addr would give
// the same result without the aliasing cast.
#define my_inet_ntoa(ip) inet_ntoa( *( (struct in_addr *) &ip ) )
  37
  38
  39
static char *program_name;                    // presumably argv[0], for messages; set outside this chunk
static int verbose = 0;                       // non-zero enables extra output; read outside this chunk
int dcom_scan_timeout = d_dcom_scan_timeout;  // seconds allowed for one host's dcom scan (default 5)
volatile int timed_out = 0;                   // raised when the scan timer expires. NOTE(review): presumably
                                              // written from a signal handler; volatile sig_atomic_t is the
                                              // portable type for such a flag, plain volatile int is not
volatile int dcomsockfd = 0;                  // socket of the scan in progress; 0 means none. NOTE(review):
                                              // 0 is itself a valid descriptor, -1 would be unambiguous

// getopt(3) state; <unistd.h> already declares these on POSIX systems
extern char *optarg;
extern int optind, opterr, optopt;
  48
  49
  50
  51
  52

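/*
 * Dump len bytes of data to stdout as a hex + ASCII listing: 16 bytes per
 * line, each line prefixed with the 4-digit hex offset of its first byte
 * and followed by the printable characters of that line (non-printable
 * bytes shown as '.').
 *
 * data: bytes to dump; read only.
 * len:  number of bytes to dump; nothing is printed when len <= 0.
 *
 * Output goes to stdout and is not flushed here.
 */
void
print_hex( const unsigned char *data, int len ) {
    enum { BYTES_PER_LINE = 16 };
    char alphastr[ BYTES_PER_LINE + 1 ];   /* ASCII column, NUL-terminated */
    int col = 0;                           /* position within the current line */

    for ( int i = 0; i < len; i++ ) {
        /* data is unsigned char, so the value is always in the range
         * isprint() is defined for. */
        alphastr[ col ] = isprint( data[ i ] ) ? data[ i ] : '.';

        if ( col == 0 )
            printf( "%04x %02x", (unsigned) i, (unsigned) data[ i ] );
        else
            printf( " %02x", (unsigned) data[ i ] );

        if ( ++col == BYTES_PER_LINE ) {
            alphastr[ col ] = '\0';
            printf( " %s\n", alphastr );
            col = 0;
        }
    }

    /* Flush a partial last line. The terminator goes at alphastr[col]
     * (the original wrote it at col + 1 and printed one uninitialised
     * byte). Each missing hex column is padded with three blanks, the
     * width of " xx", so the ASCII column lines up with full lines. */
    if ( col ) {
        alphastr[ col ] = '\0';
        for ( int pad = col; pad < BYTES_PER_LINE; pad++ )
            printf( "   " );
        printf( " %s\n", alphastr );
    }
}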
  81
  82
  83
  84
  85    /*
  86     * based on:
  87     *
  88     * buildtheb0x presents : dcom/rpc scanner
  89     * −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
  90     *
  91     *
  92     * by: kid and farp
  93     *
  94     * greets: kajun, phr_, dvdman, Sam, flatline, #nanog, synD, and to all danny's waitress's
  96     *
  97     */
  98
#define DEST_PORT 135   // TCP 135, the MS-RPC endpoint mapper; presumably where the probes below are sent (connect code not in this chunk)
  100
  101   ///////////////////////////
  102   // first request packet, bind request
  103
  104   // from dcom1 exploit code
// 72-byte DCE/RPC connection-oriented PDU: version 5.0, type 0x0b (bind),
// flags 0x03 (first+last fragment), little-endian frag length 0x0048 = 72 at
// offset 8, call id 0x7f at offset 12. Bytes 32-47 are the interface UUID
// being bound; bytes 52-71 are the transfer syntax UUID and version, which
// are the same in every bind in this file. request1 below carries the same
// interface with call id 1; fear1 binds a different interface.
unsigned char bindstr[]={
    0x05, 0x00, 0x0B, 0x03, 0x10, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00,
    0x7F, 0x00, 0x00, 0x00, 0xD0, 0x16, 0xD0, 0x16, 0x00, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0xa0, 0x01, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46,
    0x00, 0x00, 0x00, 0x00, 0x04, 0x5D, 0x88, 0x8A, 0xEB, 0x1C, 0xC9, 0x11,
    0x9F, 0xE8, 0x08, 0x00, 0x2B, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
    };
  113
// from dcom1 dcom_scanz
// Bind PDU (type 0x0b, 72 bytes) laid out like bindstr, but with call id 9
// and a different interface UUID at bytes 32-47. The same UUID reappears in
// fear3 and request4.
unsigned char fear1[] = {
    0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00,
    0x09, 0x00, 0x00, 0x00, 0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0xb8, 0x4a, 0x9f, 0x4d,
    0x1c, 0x7d, 0xcf, 0x11, 0x86, 0x1e, 0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x57,
    0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
    0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
    };
  123
// sniffed from dcom2 scanner, when scanning patched machine
// Bind PDU (type 0x0b, 72 bytes) for the same interface as bindstr. As far
// as a visual comparison shows it differs from bindstr only in the call id
// (byte 12: 1 here, 0x7f there) and byte 28 (0x00 here, 0x01 there).
// expected1 below is the reply the author captured for it.
unsigned char request1[] = {
    0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x00, 0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0xa0, 0x01, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46,
    0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
    0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
    };
  133
// Expected reply to request1: 60-byte bind_ack (type 0x0c, frag length
// 0x003c at offset 8, call id 1). Bytes 20-23 (0x28 0x57 0x00 0x00) are the
// association group id from the author's capture; bytes 26-29 are the
// ASCII secondary address "135". NOTE(review): a live host hands out its
// own association group id, so a byte-for-byte compare of the whole array
// would be fragile; the comparison code is not in this chunk.
unsigned char expected1[] =   {
    0x05, 0x00, 0x0c, 0x03, 0x10, 0x00, 0x00, 0x00, 0x3c, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x00, 0xd0, 0x16, 0xd0, 0x16, 0x28, 0x57, 0x00, 0x00,
    0x04, 0x00, 0x31, 0x33, 0x35, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
    0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
    };
  141
  142
  143   ///////////////////////////
  144   // second request packet
  145
// from dcom1 exploit code
// 126-byte request PDU (type 0x00, frag length 0x007e at offset 8, call id
// 9, alloc hint 0x66 at 16-19, context id 2 at 20-21, opnum 0 at 22-23);
// the stub data of the call starts at byte 24. fear2 below holds the same
// bytes as far as a visual comparison shows.
unsigned char exploit_request1[]={
    0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 0x7e, 0x00, 0x00, 0x00,
    0x09, 0x00, 0x00, 0x00, 0x66, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
    0x05, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x6b, 0xac, 0xd8, 0x08, 0x2f, 0x2e, 0x03, 0x48, 0xaa, 0xdc, 0xc1, 0x6a,
    0x62, 0xfb, 0xeb, 0x98, 0x00, 0x00, 0x00, 0x00, 0xf8, 0x91, 0x7b, 0x5a,
    0x00, 0xff, 0xd0, 0x11, 0xa9, 0xb2, 0x00, 0xc0, 0x4f, 0xb6, 0xe6, 0xfc,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
    0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00, 0x38, 0xff, 0x0a, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x01, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x07, 0x00
    };
  160
  161
// from dcom1 dcom_scanz
// 126-byte request PDU (type 0x00, call id 9). Byte for byte the same
// content as exploit_request1 above as far as a visual comparison shows;
// kept as a separate array because it came from a different source.
unsigned char fear2[] = {
    0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 0x7e, 0x00, 0x00, 0x00,
    0x09, 0x00, 0x00, 0x00, 0x66, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
    0x05, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x6b, 0xac, 0xd8, 0x08, 0x2f, 0x2e, 0x03, 0x48, 0xaa, 0xdc, 0xc1, 0x6a,
    0x62, 0xfb, 0xeb, 0x98, 0x00, 0x00, 0x00, 0x00, 0xf8, 0x91, 0x7b, 0x5a,
    0x00, 0xff, 0xd0, 0x11, 0xa9, 0xb2, 0x00, 0xc0, 0x4f, 0xb6, 0xe6, 0xfc,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
    0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00, 0x38, 0xff, 0x0a, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x01, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x07, 0x00
    };
  176
// sniffed from dcom2 scanner, when scanning unpatched machine
// 944-byte request PDU (type 0x00, frag length 0x03b0 at offset 8, call id
// 1, alloc hint 0x398 at 16-19, context id 0, opnum 4 at 22-23), replayed
// exactly as captured from the MS scanner. The stub data contains the ASCII
// marker "MEOW" (4d 45 4f 57) twice, runs of 0xcc filler and UTF-16LE
// strings (for example 73 00 61 00 6a 00 ... spells "sajiadev_x86", and a
// later path fragment ends in "\public\AAAA"). NOTE(review): those fixed
// strings make this probe easy to fingerprint on the wire, which is useful
// when reading IDS alerts for it. request3 re-sends this with call id 2;
// expected2_* below are the replies the author saw.
unsigned char request2[] = {
    0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 0xb0, 0x03, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00,
    0x05, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xe0, 0xab, 0x14, 0x00, 0x68, 0x03, 0x00, 0x00, 0x68, 0x03, 0x00, 0x00,
    0x4d, 0x45, 0x4f, 0x57, 0x04, 0x00, 0x00, 0x00, 0xa2, 0x01, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46,
    0x38, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x38, 0x03, 0x00, 0x00,
    0x30, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00,
    0xcc, 0xcc, 0xcc, 0xcc, 0xc8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x30, 0x03, 0x00, 0x00, 0xd8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x02, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x18, 0x01, 0x8d, 0x00, 0xb8, 0x01, 0x8d, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x07, 0x00, 0x00, 0x00, 0xb9, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0xab, 0x01, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46,
    0xa5, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x46, 0xa6, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0xa4, 0x01, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46,
    0xad, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x46, 0xaa, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x07, 0x00, 0x00, 0x00,
    0x60, 0x00, 0x00, 0x00, 0x58, 0x00, 0x00, 0x00, 0x90, 0x00, 0x00, 0x00,
    0x58, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x68, 0x00, 0x00, 0x00,
    0x30, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00,
    0xcc, 0xcc, 0xcc, 0xcc, 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00,
    0xcc, 0xcc, 0xcc, 0xcc, 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x5d, 0x88, 0x9a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
    0x2b, 0x10, 0x48, 0x60, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xb8, 0x47, 0x0a, 0x00, 0x58, 0x00, 0x00, 0x00, 0x05, 0x00, 0x06, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0xcc, 0xcc, 0xcc, 0xcc,
    0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x80, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0xba, 0x09, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00,
    0x4d, 0x45, 0x4f, 0x57, 0x04, 0x00, 0x00, 0x00, 0xc0, 0x01, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46,
    0x3b, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x01, 0x00, 0x67, 0x3c, 0x70, 0x94, 0x13, 0x33, 0xfd, 0x46,
    0x87, 0x24, 0x4d, 0x09, 0x39, 0x88, 0x93, 0x9d, 0x02, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x48, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb0, 0x7e, 0x09, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf0, 0x89, 0x0a, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x73, 0x00, 0x61, 0x00,
    0x6a, 0x00, 0x69, 0x00, 0x61, 0x00, 0x64, 0x00, 0x65, 0x00, 0x76, 0x00,
    0x5f, 0x00, 0x78, 0x00, 0x38, 0x00, 0x36, 0x00, 0x00, 0x00, 0x08, 0x00,
    0xcc, 0xcc, 0xcc, 0xcc, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc,
    0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x58, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xc0, 0x5e, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1b, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x1b, 0x00, 0x00, 0x00, 0x5c, 0x00, 0x5c, 0x00,
    0x00, 0x00, 0x5c, 0x00, 0x6a, 0x00, 0x69, 0x00, 0x61, 0x00, 0x64, 0x00,
    0x65, 0x00, 0x76, 0x00, 0x5f, 0x00, 0x78, 0x00, 0x00, 0x00, 0x36, 0x00,
    0x5c, 0x00, 0x70, 0x00, 0x75, 0x00, 0x62, 0x00, 0x6c, 0x00, 0x69, 0x00,
    0x63, 0x00, 0x5c, 0x00, 0x41, 0x00, 0x41, 0x00, 0x41, 0x00, 0x41, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x15, 0x00, 0x01, 0x10, 0x08, 0x00,
    0xcc, 0xcc, 0xcc, 0xcc, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x90, 0x5b, 0x09, 0x00, 0x02, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x6c, 0x00, 0xc0, 0xdf, 0x08, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x07, 0x00, 0x55, 0x00, 0x00, 0x00, 0x00, 0x00
    };
  259
// sniffed from dcom2 scanner, when scanning unpatched machine
// 40-byte response PDU (type 0x02, frag length 0x28 at offset 8, call id 1)
// seen from an unpatched host. Bytes 0-35 are identical to
// expected2_patched; only the trailing little-endian 32-bit status
// (04 00 08 80) tells the two apart. expected3_patched1 ends in the same
// four bytes.
unsigned char expected2_vulnerable[] = {
    0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x04, 0x00, 0x08, 0x80,
    };
  267
// sniffed from dcom2 scanner, when scanning patched machine
// you also get this on a machine that doesn't have either dcom patch
// Same 40-byte response PDU as expected2_vulnerable except for the trailing
// status 54 01 04 80. expected3_vulnerable ends in the same four bytes,
// which is what the second line above is about: this reply alone cannot
// separate "patched" from "never patched", presumably why a third request
// (request3) follows.
unsigned char expected2_patched[] = {
    0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x54, 0x01, 0x04, 0x80,
    };
  276
  277
  278   //   this came out of one machine, 128.175.214.151
  279   //   0000 05 00 03 23 10 00 00 00 20 00 00 00 01 00 00 00    ...#.... .......
  280   //   0010 00 00 00 00 00 00 00 00 03 00 01 1c 00 00 00 00    ................
  281   //   ethereal says it’s a dce fault response
  282   //   nmap says the system is Me, Win 2000, or WinXP
  283   //   all the following packets were unanswered, or zero length.
  284
// Three-byte prefix only: version 5.0, PDU type 0x03 (fault), matching the
// capture quoted in the comment above. Presumably compared as a prefix
// against the start of the reply; the comparison code is not in this chunk.
unsigned char expected2_dce_fault[] = {
    0x05, 0x00, 0x03
    };
  288
  289
  290
  291   ///////////////////////////
  292   // third request packet
  293
  294
// from dcom1 dcom_scanz
// Bind PDU (type 0x0b, 72 bytes) for the same interface UUID as fear1, but
// the call id field (bytes 12-15) holds the ASCII bytes "eEye" (65 45 79 65),
// a distinctive marker of that scanner family and easy to match in traffic.
unsigned char fear3[] = {
    0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00,
    0x65, 0x45, 0x79, 0x65, 0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0xb8, 0x4a, 0x9f, 0x4d,
    0x1c, 0x7d, 0xcf, 0x11, 0x86, 0x1e, 0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x57,
    0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
    0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
    };
  304
// sniffed from dcom2 scanner, when scanning patched machine
// 944-byte request PDU laid out like request2 but sent with call id 2
// (byte 12). As far as a visual comparison shows it differs from request2
// only in the call id and a few bytes of stub data (0x98 0xe5 where
// request2 has 0xe0 0xab, and 0xf6 0x01 / 0xff 0x01 where request2 has
// 0xa6 0x01 / 0xa4 0x01). expected3_* below are the replies the author saw.
unsigned char request3[] = {
    0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 0xb0, 0x03, 0x00, 0x00,
    0x02, 0x00, 0x00, 0x00, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00,
    0x05, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x98, 0xe5, 0x14, 0x00, 0x68, 0x03, 0x00, 0x00, 0x68, 0x03, 0x00, 0x00,
    0x4d, 0x45, 0x4f, 0x57, 0x04, 0x00, 0x00, 0x00, 0xa2, 0x01, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46,
    0x38, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x38, 0x03, 0x00, 0x00,
    0x30, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00,
    0xcc, 0xcc, 0xcc, 0xcc, 0xc8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x30, 0x03, 0x00, 0x00, 0xd8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x02, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x18, 0x01, 0x8d, 0x00, 0xb8, 0x01, 0x8d, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x07, 0x00, 0x00, 0x00, 0xb9, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0xab, 0x01, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46,
    0xa5, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x46, 0xf6, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0xff, 0x01, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46,
    0xad, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x46, 0xaa, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x07, 0x00, 0x00, 0x00,
    0x60, 0x00, 0x00, 0x00, 0x58, 0x00, 0x00, 0x00, 0x90, 0x00, 0x00, 0x00,
    0x58, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x68, 0x00, 0x00, 0x00,
    0x30, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00,
    0xcc, 0xcc, 0xcc, 0xcc, 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00,
    0xcc, 0xcc, 0xcc, 0xcc, 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x5d, 0x88, 0x9a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
    0x2b, 0x10, 0x48, 0x60, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xb8, 0x47, 0x0a, 0x00, 0x58, 0x00, 0x00, 0x00, 0x05, 0x00, 0x06, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0xcc, 0xcc, 0xcc, 0xcc,
    0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x80, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0xba, 0x09, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00,
    0x4d, 0x45, 0x4f, 0x57, 0x04, 0x00, 0x00, 0x00, 0xc0, 0x01, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46,
    0x3b, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x01, 0x00, 0x67, 0x3c, 0x70, 0x94, 0x13, 0x33, 0xfd, 0x46,
    0x87, 0x24, 0x4d, 0x09, 0x39, 0x88, 0x93, 0x9d, 0x02, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x48, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb0, 0x7e, 0x09, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf0, 0x89, 0x0a, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x73, 0x00, 0x61, 0x00,
    0x6a, 0x00, 0x69, 0x00, 0x61, 0x00, 0x64, 0x00, 0x65, 0x00, 0x76, 0x00,
    0x5f, 0x00, 0x78, 0x00, 0x38, 0x00, 0x36, 0x00, 0x00, 0x00, 0x08, 0x00,
    0xcc, 0xcc, 0xcc, 0xcc, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc,
    0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x58, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xc0, 0x5e, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1b, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x1b, 0x00, 0x00, 0x00, 0x5c, 0x00, 0x5c, 0x00,
    0x00, 0x00, 0x5c, 0x00, 0x6a, 0x00, 0x69, 0x00, 0x61, 0x00, 0x64, 0x00,
    0x65, 0x00, 0x76, 0x00, 0x5f, 0x00, 0x78, 0x00, 0x00, 0x00, 0x36, 0x00,
    0x5c, 0x00, 0x70, 0x00, 0x75, 0x00, 0x62, 0x00, 0x6c, 0x00, 0x69, 0x00,
    0x63, 0x00, 0x5c, 0x00, 0x41, 0x00, 0x41, 0x00, 0x41, 0x00, 0x41, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x15, 0x00, 0x01, 0x10, 0x08, 0x00,
    0xcc, 0xcc, 0xcc, 0xcc, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x90, 0x5b, 0x09, 0x00, 0x02, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x6c, 0x00, 0xc0, 0xdf, 0x08, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x07, 0x00, 0x55, 0x00, 0x00, 0x00, 0x00, 0x00
    };
  387
// this is what you get when it doesn't have either patch
// 40-byte response PDU (type 0x02, call id 2). The three expected3_* arrays
// are identical in bytes 0-35; only the trailing little-endian status
// differs (54 01 04 80 here, the same bytes expected2_patched ends in).
unsigned char expected3_vulnerable[] = {
    0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00,
    0x02, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x54, 0x01, 0x04, 0x80,
    };
  395
// this is what you get when it's got the first dcom patch
// 40-byte response PDU (type 0x02, call id 2); same as the other
// expected3_* arrays apart from the trailing status 04 00 08 80, which is
// also what expected2_vulnerable ends in.
unsigned char expected3_patched1[] = {
    0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00,
    0x02, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x04, 0x00, 0x08, 0x80,
    };
  403
// this is what you get when it's got the second dcom patch
// 40-byte response PDU (type 0x02, call id 2); same as the other
// expected3_* arrays apart from the trailing status 02 40 00 80, which
// appears in no other expected array in this file.
unsigned char expected3_patched2[] = {
    0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00,
    0x02, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x02, 0x40, 0x00, 0x80,
    };
  411
  412
  413
  414   ///////////////////////////
  415   // fourth request packet
  416

// from dcom1 dcom_scanz
// 198-byte request PDU (type 0x00, frag length 0xc6 at offset 8, call id 0).
// The stub data carries the ASCII markers "[Retina][Retina]" and
// "eEye2003eEye2003" and a UTF-16LE path ending in "eEye_2003_Retina.txt";
// those fixed strings are a convenient detection signature for this
// scanner's traffic.
unsigned char fear4[] = {
    0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 0xc6, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xae, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x05, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x5b, 0x52, 0x65, 0x74, 0x69, 0x6e, 0x61, 0x5d, 0x5b, 0x52, 0x65, 0x74,
    0x69, 0x6e, 0x61, 0x5d, 0x00, 0x00, 0x00, 0x00, 0x65, 0x45, 0x79, 0x65,
    0x32, 0x30, 0x30, 0x33, 0x65, 0x45, 0x79, 0x65, 0x32, 0x30, 0x30, 0x33,
    0x68, 0x0f, 0x0b, 0x00, 0x1e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x1e, 0x00, 0x00, 0x00, 0x5c, 0x00, 0x5c, 0x00, 0x41, 0x00, 0x00, 0x00,
    0x5c, 0x00, 0x00, 0x00, 0x63, 0x00, 0x24, 0x00, 0x5c, 0x00, 0x65, 0x00,
    0x45, 0x00, 0x79, 0x00, 0x65, 0x00, 0x5f, 0x00, 0x32, 0x00, 0x30, 0x00,
    0x30, 0x00, 0x33, 0x00, 0x5f, 0x00, 0x52, 0x00, 0x65, 0x00, 0x74, 0x00,
    0x69, 0x00, 0x6e, 0x00, 0x61, 0x00, 0x2e, 0x00, 0x74, 0x00, 0x78, 0x00,
    0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
    0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xb8, 0xeb, 0x0b, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x07, 0x00
    };
  437
  438
// sniffed from dcom2 scanner, when scanning vulnerable machine
// only issued at vulnerable machine
// no fourth packet when scanning patched machine
// ethereal says it's an "alter context"
// 72-byte alter_context PDU (type 0x0e, call id 3) naming the same
// interface UUID as fear1/fear3 at bytes 32-47. Bytes 20-23
// (0x28 0x57 0x00 0x00) are the association group id from the author's
// capture; they match expected1. NOTE(review): a live host assigns its own
// group id in its bind_ack, so sending this array verbatim instead of
// patching in the received value may not be accepted; the sending code is
// not in this chunk.
unsigned char request4[] = {
    0x05, 0x00, 0x0e, 0x03, 0x10, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00,
    0x03, 0x00, 0x00, 0x00, 0xd0, 0x16, 0xd0, 0x16, 0x28, 0x57, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0xb8, 0x4a, 0x9f, 0x4d,
    0x1c, 0x7d, 0xcf, 0x11, 0x86, 0x1e, 0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x57,
    0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
    0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
    };
  451
// Expected alter_context_resp (ptype 0x0f) to request4: frag_len 0x38 = 56,
// call_id 3, the same max frag sizes, the association group at bytes
// 20..23 (patched in from the bind_ack by dcom2_scan(), exactly as for
// request4), then what reads as one context result: result 0 with the
// NDR transfer syntax 8a885d04-1ceb-11c9-9fe8-08002b104860 version 2.
// dcom2_scan() compares the reply against this only at verbose > 1 as a
// debugging aid; it does not influence the verdict.  Any server that
// negotiates different max frag sizes will therefore show up as a
// mismatch in that dump without being a problem.
unsigned char expected4[] = {
    0x05, 0x00, 0x0f, 0x03, 0x10, 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00,   // ver 5.0, alter_context_resp, first|last, NDR LE, frag_len 56
    0x03, 0x00, 0x00, 0x00, 0xd0, 0x16, 0xd0, 0x16, 0x28, 0x57, 0x00, 0x00,   // call_id 3, max xmit, max recv, assoc group (patched at run time)
    0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,   // secondary addr len 0, 1 result, result 0 / reason 0
    0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,   // transfer syntax 8a885d04-1ceb-11c9-9fe8-08002b104860 ...
    0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,                           // ... version 2
    };
  459
  460
  461
///////////////////////////
// fifth request packet

// Packet 5, sniffed from the MS dcom2 scanner while it scanned a vulnerable
// machine.  DCE RPC request (ptype 0x00, first|last, NDR little-endian),
// frag_len 0x9a = 154 (matches the array), auth_len 0, call_id 3,
// alloc_hint 0x82, context id 1 -- the context negotiated by request4 --
// opnum 0.  dcom2_scan() labels this exchange "RemoteActivation".
//
// The stub contains a 16-byte GUID (2a959695-da8c-4a6d-b236-19bcaf2c2dea
// if read as a little-endian UUID; its meaning is not known from this
// file) that appears twice, and a 7-wide-char counted UTF-16LE string
// "\\MEOW" followed by NUL padding and then "\H\H".  The reply to this
// packet is what the scanner's verdict is based on (see the two
// expected5_* signatures below).
unsigned char request5[] = {
    0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 0x9a, 0x00, 0x00, 0x00,   // ver 5.0, request, first|last, NDR LE, frag_len 154, auth_len 0
    0x03, 0x00, 0x00, 0x00, 0x82, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,   // call_id 3, alloc_hint 0x82, ctx id 1, opnum 0
    0x05, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,   // stub data starts here
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x95, 0x96, 0x95, 0x2a,   // GUID (1st copy) ...
    0x8c, 0xda, 0x6d, 0x4a, 0xb2, 0x36, 0x19, 0xbc, 0xaf, 0x2c, 0x2d, 0xea,   // ... 2a959695-da8c-4a6d-b236-19bcaf2c2dea
    0x34, 0xeb, 0x98, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,   // max count 7 (wide chars)
    0x07, 0x00, 0x00, 0x00, 0x5c, 0x00, 0x5c, 0x00, 0x4d, 0x00, 0x45, 0x00,   // actual count 7; "\\ME"   (UTF-16LE)
    0x4f, 0x00, 0x57, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,   // "OW" NUL ...
    0x5c, 0x00, 0x48, 0x00, 0x5c, 0x00, 0x48, 0x00, 0x01, 0x00, 0x00, 0x00,   // "\H\H"
    0x58, 0xe9, 0x98, 0x00, 0x01, 0x00, 0x00, 0x00, 0x95, 0x96, 0x95, 0x2a,   // GUID (2nd copy) ...
    0x8c, 0xda, 0x6d, 0x4a, 0xb2, 0x36, 0x19, 0xbc, 0xaf, 0x2c, 0x2d, 0xea,
    0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x5c, 0x00,
    };
  481
// Reply to request5 seen from a host with no DCOM patches at all -- and,
// unfortunately, also from a host with the dcom2 (MS03-039) patch, so this
// signature on its own cannot separate "wide open" from "fully patched".
// dcom2_scan() breaks the tie with what response 3 looked like (vun3).
//
// DCE RPC response (ptype 0x02), frag_len 0x5c = 92 (matches the array),
// call_id 3, alloc_hint 0x44, context id 1.  The only bytes that differ
// from expected5_patched1 are 68..71: 54 01 04 80 here, i.e. the
// little-endian value 0x80040154, which looks like the HRESULT
// REGDB_E_CLASSNOTREG ("class not registered") -- verify against
// winerror.h before relying on that reading.
unsigned char expected5_vulnerable_or_patched2[] = {
    0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00, 0x5c, 0x00, 0x00, 0x00,   // ver 5.0, response, first|last, NDR LE, frag_len 92, auth_len 0
    0x03, 0x00, 0x00, 0x00, 0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,   // call_id 3, alloc_hint 0x44, ctx id 1, cancel count 0
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,   // stub data starts here
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x02, 0x00, 0x54, 0x01, 0x04, 0x80,   // bytes 68..71: 0x80040154 -- the discriminating value
    0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    };
  494
// Reply to request5 seen from a host that has the dcom1 (MS03-026) patch
// but not the dcom2 (MS03-039) patch.  dcom2_scan() reports such a host
// as status 4 whatever response 3 looked like.
//
// Identical to expected5_vulnerable_or_patched2 except bytes 68..71:
// 04 00 08 80 here, i.e. little-endian 0x80080004, which looks like the
// HRESULT CO_E_BAD_PATH ("bad path to object") -- verify against
// winerror.h before relying on that reading.  The whole 92 bytes are
// compared, so a host that differs anywhere else (other frag sizes, other
// stub layout) is reported as an unidentified signature rather than
// matched here.
unsigned char expected5_patched1[] = {
    0x05, 0x00, 0x02, 0x03, 0x10, 0x00, 0x00, 0x00, 0x5c, 0x00, 0x00, 0x00,   // ver 5.0, response, first|last, NDR LE, frag_len 92, auth_len 0
    0x03, 0x00, 0x00, 0x00, 0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,   // call_id 3, alloc_hint 0x44, ctx id 1, cancel count 0
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,   // stub data starts here
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x02, 0x00, 0x04, 0x00, 0x08, 0x80,   // bytes 68..71: 0x80080004 -- the discriminating value
    0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    };
  506
  507
  508
  509
  510
  511
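// SIGALRM handler for the per-host scan timeout (armed by dcom2_scan()).
//
// Closing the socket from inside the handler is what actually aborts the
// blocking connect()/send()/recv() in progress: the interrupted call then
// fails, and the caller sees `timed_out` set and reports a timeout rather
// than a generic error.  Nothing else is safe to do here -- in particular
// no printf()/fprintf(), which is why the old debug print stays out.
//
// Fix over the original: errno is saved and restored.  close() may set
// errno, and the code this handler interrupts goes on to test errno
// (e.g. ECONNREFUSED / ETIMEDOUT after connect()), so a clobbered errno
// could turn "no response" into "connect failed: Bad file descriptor".
//
// Note: `dcomsockfd` and `timed_out` are declared `volatile int` at file
// scope; `volatile sig_atomic_t` would be the strictly portable choice.
// The `if ( dcomsockfd )` test treats descriptor 0 as "no socket", which
// only matters if stdin was closed before socket() was called.
void
timeout_handler( int info ) {
    int saved_errno = errno;

    (void) info;
    if ( dcomsockfd )
        close( dcomsockfd );   // have to close it here to abort the connect
    timed_out = 1;
    errno = saved_errno;
    }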
  519
  520

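// Send one request PDU on `fd` and read one response PDU into `resp`.
//
//   pktnum  - 1..5, only used in messages
//   ip      - target address (network byte order), only used in messages
//   fd      - the connected scan socket
//   req/reqlen, resp/resplen - request bytes and the response buffer
//
// Returns the number of response bytes read (> 0), or -1 on a send error,
// a receive error, a timeout, or the peer closing the connection without
// answering.  On -1 the socket has been closed and the scan alarm
// cancelled, so the caller must not use `fd` again.  The caller's
// alarm(dcom_scan_timeout) is what bounds this call; the SIGALRM handler
// closes the socket, which makes the blocked send()/recv() fail with
// `timed_out` set.
//
// Fixes over the original: the `fd` parameter is used instead of the
// global dcomsockfd (it was silently ignored); send() is looped until the
// whole request is out instead of assuming one call writes everything;
// and recv() returning 0 (peer closed) is reported as -1 rather than
// returned as a "length" -- callers then compared their uninitialised
// response buffer against the signatures.
//
// A single recv() is still assumed to return the whole response PDU.  The
// signatures compared are all under 100 bytes, so this holds in practice,
// but a split PDU would show up as a mismatch, not as an error.
int
exchange_packets( int pktnum, uint32_t ip, int fd, unsigned char *req,
        int reqlen, unsigned char *resp, int resplen ) {
    int sent = 0;
    ssize_t n;

    if ( verbose > 1 )
        printf( "Sending packet %d\n", pktnum );

    while ( sent < reqlen ) {
        n = send( fd, req + sent, reqlen - sent, 0 );
        if ( n < 0 ) {
            close( fd );
            alarm( 0 );
            if ( timed_out )
                printf( "timed out while sending packet %d to %s\n",
                    pktnum, my_inet_ntoa( ip ) );
            else
                fprintf( stderr, "error sending packet %d to %s\n",
                    pktnum, my_inet_ntoa( ip ) );
            return -1;
            }
        sent += (int) n;
        }

    n = recv( fd, resp, resplen, 0 );
    if ( n < 0 ) {
        close( fd );
        alarm( 0 );
        if ( timed_out )
            printf( "timed out while receiving packet %d from %s\n",
                pktnum, my_inet_ntoa( ip ) );
        else
            fprintf( stderr, "error receiving packet %d from %s\n",
                pktnum, my_inet_ntoa( ip ) );
        return -1;
        }
    if ( n == 0 ) {
        // orderly close with no reply: nothing to compare, treat as error
        close( fd );
        alarm( 0 );
        if ( verbose )
            printf( "%s closed the connection before answering packet %d\n",
                my_inet_ntoa( ip ), pktnum );
        return -1;
        }

    return (int) n;
    }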
  557
  558
  559
  560
  561
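// Compare a received PDU against a sniffed signature.
//
// As before, only the first `explen` bytes are compared, but the
// comparison now fails outright when fewer than `explen` bytes arrived:
// the original memcmp() read past the received data into whatever the
// stack buffer still held, so a short reply could match (or mismatch) on
// garbage.
static int
matches( const unsigned char *resp, int len, const unsigned char *expected,
        size_t explen ) {
    if ( len < 0 || (size_t) len < explen )
        return 0;
    return memcmp( resp, expected, explen ) == 0;
    }


// verbose > 1 debugging aid: dump the received PDU and list the offsets at
// which it differs from the signature it was compared against.  Bytes the
// peer never sent are shown as "--" instead of being read from the
// uninitialised tail of the buffer.
static void
dump_mismatch( int pktnum, unsigned char *resp, int len,
        unsigned char *expected, size_t explen ) {
    size_t i;

    printf( "Response %d received contents:\n", pktnum );
    print_hex( resp, len );
    for ( i = 0; i < explen; i++ ) {
        if ( i >= (size_t) len )
            printf( " %04x -- != %02x\n", (unsigned) i, expected[ i ] );
        else if ( resp[ i ] != expected[ i ] )
            printf( " %04x %02x != %02x\n", (unsigned) i, resp[ i ],
                expected[ i ] );
        }
    }


// Tear down the scan connection.  The alarm is cancelled first so a late
// SIGALRM cannot close a descriptor number the next scan has already
// reused, then the socket is closed and the global cleared so the handler
// has nothing to close.  Returns `rc` unchanged so call sites can write
// `return scan_done( N );`.
static int
scan_done( int rc ) {
    alarm( 0 );
    close( dcomsockfd );
    dcomsockfd = 0;
    return rc;
    }


//   scan remote ip for dcom vulnerability
//   normally doesn't print anything, just errors
//   verbose = 1 for basic scan result printfs
//   verbose > 1 for more verbose stuff
//
//   ip is in network byte order.  One alarm(dcom_scan_timeout) covers the
//   whole five-packet exchange; the SIGALRM handler closes the socket,
//   which is what makes a blocked connect()/send()/recv() fail.
//
//   Returns the per-host status that main() uses as its exit code:
//       0 not vulnerable
//       1 does not accept DCE RPC protocol (connection refused)
//       2 no response (filtering DCOM port, or not there)
//       3 vulnerable to dcom 1 and dcom2
//       4 vulnerable to dcom 2 (but patched for dcom1)
//       255 can't tell for some other reason
//   (The old header comment's "1 if vulnerable, -1 if can't tell" was
//   stale; the table above is what the code does.)
//
//   How the verdict is reached: response 5 alone cannot separate "no
//   patches" from "both patches" -- both answer with
//   expected5_vulnerable_or_patched2 -- so that case is decided by whether
//   response 3 matched the unpatched / dcom1-only signatures (vun3).  A
//   host that answers packet 5 with expected5_patched1 is reported as 4
//   regardless of response 3.  Every comparison is an exact byte match
//   against a sniffed capture, so a Windows build the author never sampled
//   comes back as 255 with "unidentified signature".
//
//   Fixes over the original: errno is saved before close() (close() may
//   overwrite it, breaking the ECONNREFUSED / ETIMEDOUT tests); the bind
//   reply must be long enough before the association group is copied out
//   of it; no signature is compared beyond the bytes actually received;
//   the alarm is cancelled on every exit path; and the "unidentified
//   signature" report, which sat in a second `else if ( verbose > 1 )`
//   behind an identical first one and so could never run, is now printed
//   at verbose >= 1 like the other per-host results.  The disabled
//   (#if 0) attempt to mimic the MS scanner's close-and-reconnect -- which
//   called connect() on the descriptor it had just closed -- is dropped.
int
dcom2_scan( uint32_t ip ) {
    struct sockaddr_in dest_addr;   /* hold dest addy */
    unsigned char resp1[1024];
    unsigned char resp2[1024];
    unsigned char resp3[1024];
    unsigned char resp4[1024];
    unsigned char resp5[1024];
    unsigned char assoc_group[4];
    int len1, len2, len3, len4, len5;
    int vun3 = 0;           // response 3 looked unpatched or dcom1-only
    int saved_errno;

    if ( verbose > 1 )
        printf( "scanning %s\n", my_inet_ntoa( ip ) );

    timed_out = 0;
    signal( SIGALRM, timeout_handler );
    alarm( dcom_scan_timeout );

    dcomsockfd = 0;
    if ( ( dcomsockfd = socket( AF_INET, SOCK_STREAM, 0 ) ) < 0 ) {
        saved_errno = errno;
        alarm( 0 );
        dcomsockfd = 0;
        if ( timed_out ) {
            if ( verbose )
                printf( "%s timed out while getting socket\n",
                    my_inet_ntoa( ip ) );
            }
        else
            fprintf( stderr, "error getting socket: %s\n",
                strerror( saved_errno ) );
        return 255;
        }

    memset( &dest_addr, 0, sizeof dest_addr );
    dest_addr.sin_family = AF_INET;
    dest_addr.sin_port = htons( DEST_PORT );
    dest_addr.sin_addr.s_addr = ip;

    if ( verbose > 1 )
        printf( "Connecting to %s\n", my_inet_ntoa( ip ) );
    if ( connect( dcomsockfd, (struct sockaddr *) &dest_addr,
            sizeof dest_addr ) < 0 ) {
        saved_errno = errno;    // before close(), which may overwrite it
        scan_done( 0 );
        if ( timed_out || saved_errno == ETIMEDOUT ) {
            if ( verbose )
                printf( "%s timed out while connecting\n",
                    my_inet_ntoa( ip ) );
            return 2;
            }
        if ( saved_errno == ECONNREFUSED ) {
            if ( verbose )
                printf( "%s does not accept DCERPC protocol -- good\n",
                    my_inet_ntoa( ip ) );
            return 1;   // good, port not open, it's not vulnerable
            }
        if ( verbose )
            printf( "%s connect failed: %s\n", my_inet_ntoa( ip ),
                strerror( saved_errno ) );
        return 255;
        }

    // The MS scanner opens a TCP connection, resets it, then opens a
    // second one before binding.  That is not reproduced here; the single
    // connection is used for all five exchanges.

    // packet exchange 1: bind.  The server's association group id sits at
    // bytes 20..23 of the bind_ack and has to be echoed in packet 4.
    // On -1 exchange_packets() has already closed the socket and cancelled
    // the alarm, hence the bare return.
    len1 = exchange_packets( 1, ip, dcomsockfd, request1, sizeof request1,
        resp1, sizeof resp1 );
    if ( len1 < 0 )
        return 255;
    if ( len1 < 24 ) {
        if ( verbose )
            printf( "%s bind response too short (%d bytes) -- can't tell\n",
                my_inet_ntoa( ip ), len1 );
        return scan_done( 255 );
        }
    memcpy( assoc_group, resp1 + 20, 4 );

    // packet exchange 2, call_id: 1 opnum: 4 ctx_id: 0
    len2 = exchange_packets( 2, ip, dcomsockfd, request2, sizeof request2,
        resp2, sizeof resp2 );
    if ( len2 < 0 )
        return 255;
    if ( matches( resp2, len2, expected2_patched, sizeof expected2_patched ) ) {
        // it's probably either patched for dcom 2, or neither
        if ( verbose > 1 )
            printf( "response 2 matches expected patched\n" );
        }
    else if ( matches( resp2, len2, expected2_vulnerable,
            sizeof expected2_vulnerable ) ) {
        // it's probably patched for dcom 1
        if ( verbose > 1 )
            printf( "response 2 matches expected vulnerable\n" );
        }
    else if ( matches( resp2, len2, expected2_dce_fault,
            sizeof expected2_dce_fault ) ) {
        // A DCE fault.  The cause is not known, and such a host ignores
        // every further packet, so the scan cannot continue.
        if ( verbose > 1 )
            printf( "response 2 matches dce fault\n" );
        if ( verbose )
            printf( "%s returns DCE Fault code -- wierd\n",
                my_inet_ntoa( ip ) );
        return scan_done( 255 );
        }
    else if ( verbose > 1 ) {
        printf( "Response 2 expected vunerable contents:\n" );
        print_hex( expected2_vulnerable, sizeof expected2_vulnerable );
        printf( "Response 2 expected patched contents:\n" );
        print_hex( expected2_patched, sizeof expected2_patched );
        dump_mismatch( 2, resp2, len2, expected2_vulnerable,
            sizeof expected2_vulnerable );
        }

    // packet exchange 3, call_id: 2 opnum: 4 ctx_id: 0
    len3 = exchange_packets( 3, ip, dcomsockfd, request3, sizeof request3,
        resp3, sizeof resp3 );
    if ( len3 < 0 )
        return 255;
    if ( matches( resp3, len3, expected3_vulnerable,
            sizeof expected3_vulnerable ) ) {
        if ( verbose > 1 )
            printf( "response 3 matches no dcom patches\n" );
        vun3 = 1;
        }
    else if ( matches( resp3, len3, expected3_patched1,
            sizeof expected3_patched1 ) ) {
        if ( verbose > 1 )
            printf( "response 3 matches patched for dcom 1\n" );
        vun3 = 1;
        }
    else if ( matches( resp3, len3, expected3_patched2,
            sizeof expected3_patched2 ) ) {
        // The MS scanner stops here and calls the host fully patched.
        // The original author did not trust these packets enough to do
        // the same, so the verdict is still left to packet 5.
        if ( verbose > 1 )
            printf( "response 3 matches patched for dcom 2\n" );
        }
    else if ( verbose > 1 ) {
        printf( "response 3 does not match any expected packet\n" );
        dump_mismatch( 3, resp3, len3, expected3_vulnerable,
            sizeof expected3_vulnerable );
        }

    // packet exchange 4, alter context.  Both the request and the expected
    // reply carry the server's association group at bytes 20..23.
    memcpy( request4 + 20, assoc_group, 4 );
    memcpy( expected4 + 20, assoc_group, 4 );
    len4 = exchange_packets( 4, ip, dcomsockfd, request4, sizeof request4,
        resp4, sizeof resp4 );
    if ( len4 < 0 )
        return 255;
    if ( verbose > 1 && ! matches( resp4, len4, expected4, sizeof expected4 ) ) {
        // debugging only; response 4 does not affect the verdict
        printf( "Response 4 expected contents:\n" );
        print_hex( expected4, sizeof expected4 );
        dump_mismatch( 4, resp4, len4, expected4, sizeof expected4 );
        }

    // packet exchange 5, RemoteActivation.  Last packet: the connection is
    // torn down (and the alarm cancelled) before the reply is examined.
    len5 = exchange_packets( 5, ip, dcomsockfd, request5, sizeof request5,
        resp5, sizeof resp5 );
    if ( len5 < 0 )
        return 255;
    scan_done( 0 );

    if ( matches( resp5, len5, expected5_patched1, sizeof expected5_patched1 ) ) {
        if ( verbose > 1 )
            printf( "response 5 matches patched for dcom1 -- BAD\n" );
        if ( verbose )
            printf( "** %s only has 1st dcom patch -- BAD **\n",
                my_inet_ntoa( ip ) );
        return 4;
        }
    if ( matches( resp5, len5, expected5_vulnerable_or_patched2,
            sizeof expected5_vulnerable_or_patched2 ) ) {
        if ( verbose > 1 )
            printf( "response 5 matches either no dcom patches or patched for dcom2\n" );
        if ( vun3 ) {
            if ( verbose )
                printf( "** %s has neither dcom patch -- BAD **\n",
                    my_inet_ntoa( ip ) );
            return 3;
            }
        if ( verbose )
            printf( "%s has both dcom patchs -- good\n", my_inet_ntoa( ip ) );
        return 0;
        }

    // Neither signature matched: a build the author never sampled.
    if ( verbose > 1 ) {
        printf( "Response 5 expected contents:\n" );
        print_hex( expected5_vulnerable_or_patched2,
            sizeof expected5_vulnerable_or_patched2 );
        dump_mismatch( 5, resp5, len5, expected5_vulnerable_or_patched2,
            sizeof expected5_vulnerable_or_patched2 );
        }
    if ( verbose ) {
        printf( "%s contains unidentified signature,\n",
            my_inet_ntoa( ip ) );
        printf( "Please report if vulnerable.\n" );
        }
    return 255;
    }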
  839
  840
  841
  842
  843
// Print the command-line help and the exit-status legend to stderr, then
// exit with `rc`.  The per-host codes are the values dcom2_scan() returns;
// a range scan collapses them to 0 (nothing found) or 4 (something found).
// Output is byte-for-byte the same as before, just emitted in pieces so
// the constant text is not interleaved with format arguments.
void
usage( int rc ) {
    fprintf( stderr,
        "Usage: %s [-vqh] [ -t timeout ] <ip address>\n"
        "   %s [-vqh] [ -t timeout ] <ip address>/<cidr-bits>\n",
        program_name, program_name );
    fputs(
        " -v increase verbosity\n"
        " -q quiet, no output, just exit status\n",
        stderr );
    fprintf( stderr,
        " -t n set scan timeout to n seconds, default %d\n",
        d_dcom_scan_timeout );
    fputs(
        " -h this help\n"
        " when scanning one ip, exits with:\n"
        "    0 not vulnerable\n"
        "    1 does not accept DCE RPC protocol (connection refused)\n"
        "    2 no response (filtering DCOM port, or not there)\n"
        "    3 vulnerable to dcom 1 and dcom2\n"
        "    4 vulnerable to dcom 2 (but patched for dcom1)\n"
        "    255 can't tell for some other reason\n"
        " when scanning an ip range, exits with:\n"
        "    0 nothing was vulnerable\n"
        "    4 one or more were vunerable\n",
        stderr );
    exit( rc );
    }
  865
  866
  867
  868
  869
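// Parse the command line and run the scan.
//
//   <ip address>              scan one host; the exit status is
//                             dcom2_scan()'s per-host code (see usage()).
//   <ip address>/<cidr-bits>  scan the range; exit 4 if any host came back
//                             3 or 4, else 0.  Network and broadcast
//                             addresses are skipped for /0../30.  A /31
//                             and a /32 have no such addresses and are now
//                             scanned in full -- the old `low+1 .. high-1`
//                             loop scanned nothing at all for them.
//
// Other fixes over the original: -t is parsed with strtol() and must be a
// positive int (atoi() accepted "abc" or "-5" silently, and a timeout of 0
// means alarm(0), i.e. no timeout at all); the four octets are range
// checked and shifted as unsigned (255 << 24 overflows int); a /0 no
// longer shifts by 32; and inet_pton()'s result is checked instead of
// handing an uninitialised address to dcom2_scan() when sscanf() accepted
// something like "999.1.1.1".  usage( -1 ) still exits with status 255,
// which collides with dcom2_scan()'s "can't tell" -- unchanged here.
int
main( int argc, char **argv ) {
    int a, b, c, d, bits;
    unsigned int mask, low, high, first, last, ip;
    int rc = 0, r, opt;
    long t;
    char *end;
    struct in_addr addr;

    program_name = argv[0];

    verbose = 1;    // basic result lines on by default; -q turns them off
    dcom_scan_timeout = d_dcom_scan_timeout;

    while ( ( opt = getopt( argc, argv, "vqt:h" ) ) >= 0 ) {
        switch ( opt ) {
            case 'v':
                verbose++;
                break;
            case 'q':
                verbose = 0;
                break;
            case 't':
                errno = 0;
                t = strtol( optarg, &end, 10 );
                if ( end == optarg || *end != '\0' || errno == ERANGE
                        || t <= 0 || t != (long) (int) t ) {
                    fprintf( stderr, "%s: bad timeout '%s'\n",
                        program_name, optarg );
                    usage( -1 );
                    }
                dcom_scan_timeout = (int) t;
                break;
            case 'h':
                usage( 0 );
                break;
            default:
                usage( -1 );
                break;
            }
        }

    if ( optind >= argc || ! argv[ optind ] )
        usage( -1 );

    rc = sscanf( argv[ optind ], "%d.%d.%d.%d/%d", &a, &b, &c, &d, &bits );
    if ( rc == 5 ) {
        // scan range
        if ( bits < 0 || 32 < bits
                || a < 0 || 255 < a || b < 0 || 255 < b
                || c < 0 || 255 < c || d < 0 || 255 < d )
            usage( -1 );
        rc = 0;
        mask = ( bits == 0 ) ? 0u : ( 0xffffffffu << ( 32 - bits ) );
        low = ( ( (unsigned) a << 24 ) | ( (unsigned) b << 16 )
              | ( (unsigned) c << 8 ) | (unsigned) d ) & mask;
        high = low | ~mask;
        if ( bits >= 31 ) {
            // no network / broadcast address to skip (RFC 3021 for /31)
            first = low;
            last = high;
            }
        else {
            first = low + 1;
            last = high - 1;
            }
        // `last` is tested before the increment so a range ending at
        // 255.255.255.255 cannot wrap around.
        for ( ip = first; ; ip++ ) {
            r = dcom2_scan( htonl( ip ) );
            if ( r == 3 || r == 4 )
                rc = 4;
            if ( ip == last )
                break;
            }
        }
    else if ( rc == 4 ) {
        // scan 1 ip
        if ( inet_pton( AF_INET, argv[ optind ], &addr ) != 1 ) {
            fprintf( stderr, "%s: bad ip address '%s'\n",
                program_name, argv[ optind ] );
            usage( -1 );
            }
        rc = dcom2_scan( addr.s_addr );   // already network byte order
        }
    else
        usage( -1 );

    return rc;
    }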
  930
  931   // milw0rm.com [2003−09−12]



