
RPCNuke (remote crashing of XP) - no way to protect from it?

stultus

Golden Member
Has anyone heard of or run across the program "RPCNuke" that crashes XP machines? (Google for it if you haven't.) It's a rather terrifying tool that even ZoneAlarm can't block. Does anyone know how to protect one's computer from it, or even what ports or protocols this exploit uses to take down a machine?
 
RPC is generally port 111. It looks like you can input your own port though. I don't have a compiler or anything set up, so trying this out might be tough 😛
 
I just tested this on a new machine at work.

Without the XP built in firewall, I could crash the machine.

Enabled builtin firewall, RPC couldn't connect to the machine.

Maybe the XP firewall isn't useless?
 
Originally posted by: Kilrsat
I just tested this on a new machine at work.

Without the XP built in firewall, I could crash the machine.

Enabled builtin firewall, RPC couldn't connect to the machine.

Maybe the XP firewall isn't useless?

What compiler did you use?
 
Try here - it's what I'm using (and passed Norton AV).

If the WinXP firewall can block it, then, by golly, I want to know how to block it with ZoneAlarm.
 
Originally posted by: stultus
Try here - it's what I'm using (and passed Norton AV).

If the WinXP firewall can block it, then, by golly, I want to know how to block it with ZoneAlarm.

I hate running untrusted binaries...

As far as Zone alarm goes:

1. Disconnect your computers from the internet.
2. Re-IP your machine. Leave the target computer as is, but give the "attacking" machine a new IP address outside of the previous subnet (i.e. if you were previously using 192.168.100.0/24, try 10.10.10.1 for the attacking machine).
3. Make sure zone alarm is running on the victim machine.
4. Try again.

I think Zone Alarm uses "protective zones" which allow more from IP addresses in the "home zone" than from machines in an "external zone." Sorry, I don't know the ZA lingo, and I could be totally wrong. But I hope that helps.
 
I have a static IP. Also, I was crashed remotely over the web from my brother (some 600 miles away) to test this.
 
Originally posted by: n0cmonkey
Originally posted by: Kilrsat
I just tested this on a new machine at work.

Without the XP built in firewall, I could crash the machine.

Enabled builtin firewall, RPC couldn't connect to the machine.

Maybe the XP firewall isn't useless?

What compiler did you use?

Sorry, didn't compile it.

Don't have ZA and wouldn't have a local zone to test it on here, but that is roughly how Zone Alarm works. Internet and "local" traffic pass through different rules/restrictions.

I was in the middle of updating the machine with a few patches and things. Going to try the tests again now to see if there was an update that might have closed the hole.

***UPDATE***
WinXP with all the latest updates was still able to be crashed (firewall prevented again). I did some packet sniffing and it looks pretty much like a basic overflow attack, on port 135. I don't have the source here, so I don't know how much you can customize that aspect but the compiled binary floating around uses 135.
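Two practical points come out of the posts so far: the ZoneAlarm "zones" test above (traffic from outside the home subnet should be treated differently from local traffic), and the packet-capture finding that the crash looks like an overflow-style blob sent to TCP port 135. The following is an added check written for this page, not the RPCNuke tool and not anything the posters ran. It reads a libpcap file by hand (no third-party modules), and flags any segment to port 135 that either comes from outside the trusted subnet or carries an unusually large payload. The 192.168.100.0/24 "home zone", the 1024-byte payload threshold, and the embedded sample capture are all assumptions constructed for the example.

```python
"""Added example, not code from the thread: scan a pcap for inbound TCP
connections to the Windows RPC endpoint mapper (port 135) and flag the two
things the posts above describe: any connection from outside the "home zone"
subnet (which a host firewall should have dropped), and any oversized payload
(the "basic overflow" traffic seen in the packet capture)."""
import ipaddress
import struct

RPC_EPMAP_PORT = 135
# Assumed trusted subnet, matching the 192.168.100.0/24 used in the thread's re-IP test.
LOCAL_NET = ipaddress.ip_network("192.168.100.0/24")
# Assumed threshold: a legitimate endpoint-mapper bind/request is far smaller than this.
SUSPICIOUS_PAYLOAD = 1024


def build_packet(src_ip, dst_ip, src_port, dst_port, payload):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed sample data; checksums left zero)."""
    tcp_len = 20 + len(payload)
    ip_total = 20 + tcp_len
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst/src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0,
                      0x50, 0x18, 8192, 0, 0)             # data offset 5 words, PSH|ACK
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a classic libpcap file (magic 0xa1b2c3d4, linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def parse_pcap(data):
    """Yield (src, dst, sport, dport, payload) for every IPv4/TCP frame in a pcap blob."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"          # big-endian writers store 0xd4c3b2a1
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                      # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        ip_total = struct.unpack("!H", frame[16:18])[0]
        src = ipaddress.ip_address(frame[26:30])
        dst = ipaddress.ip_address(frame[30:34])
        tcp = frame[14 + ihl:14 + ip_total]               # slice by IP length to drop trailer padding
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4
        yield src, dst, sport, dport, tcp[doff:]


def flag_rpc_probes(data):
    """Return one alert dict per suspicious TCP segment addressed to port 135."""
    alerts = []
    for src, dst, sport, dport, payload in parse_pcap(data):
        if dport != RPC_EPMAP_PORT:
            continue
        if len(payload) >= SUSPICIOUS_PAYLOAD:
            kind = "oversized-rpc-payload"
        elif src not in LOCAL_NET:
            kind = "external-rpc-connect"
        else:
            continue                                      # small request from the trusted subnet
        alerts.append({"kind": kind, "src": str(src), "dst": str(dst),
                       "sport": sport, "payload_len": len(payload)})
    return alerts


# Constructed capture: one benign local request, one large blob from the internet,
# one unrelated HTTP request, and one bare connect to 135 from a second outside host.
SAMPLE_PCAP = build_pcap([
    build_packet("192.168.100.20", "192.168.100.10", 1025, 135, b"\x05\x00\x0b" + b"\x00" * 69),
    build_packet("203.0.113.7", "192.168.100.10", 3100, 135, b"\x05\x00\x00\x03" + b"\x90" * 1700),
    build_packet("203.0.113.7", "192.168.100.10", 3101, 80, b"GET / HTTP/1.0\r\n\r\n"),
    build_packet("198.51.100.9", "192.168.100.10", 4000, 135, b""),
])

if __name__ == "__main__":
    for alert in flag_rpc_probes(SAMPLE_PCAP):
        print(alert)
```

Run it against a real capture by replacing `SAMPLE_PCAP` with the bytes of a pcap file taken while the tool is fired at the target. Note that if the host firewall is doing its job the second alert type never reaches the victim's own sniffer, so take the capture upstream of the firewall (or on the attacking side) to confirm the traffic is being sent at all.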
 
Crashed my "fully patched" (as far as Windows Update goes) XP machine. I don't have a personal firewall on this machine though.
 
Edit added above:

WinXP with all the latest updates was still able to be crashed. I did some packet sniffing and it looks pretty much like a basic overflow attack, on port 135. I don't have the source here, so I don't know how much you can customize that aspect but the compiled binary floating around uses 135.
 
I had one of my developers compile this and was unable to crash any number of XP or 2k pro clients on my network.
XP (fully patched) had no reaction at all, while 2k (fully patched) reported only that an svchost.exe instance had errored out and needed to be closed (not affecting the OS at all apparently).
 
Originally posted by: Saltin
I had one of my developers compile this and was unable to crash any number of XP or 2k pro clients on my network.
XP (fully patched) had no reaction at all, while 2k (fully patched) reported only that an svchost.exe instance had errored out and needed to be closed (not affecting the OS at all apparently).

It killed my XP machine, which had all of the "emergency" patches except for some ie patch. I used the binary linked in the thread.
 
As an update, I've managed to get it to work on a fully patched XP Pro machine. Sometimes it works, sometimes it doesn't. Strange.

Nevertheless, needs to be patched.
 
Get Norton Firewall. I slammed the hell out of my friend's machine (I informed him of what I was going to do) and his little ol' 56K connection didn't even flinch. Meanwhile he was laughing at me over Yahoo Messenger. 🙁 I thought he was using ZA but he's using Norton Personal Firewall (I think 2002). Anyway, ZoneAlarm needs an update.
 
I heard Norton firewall was lousy compared to ZA. Maybe this demands a new thread for people who've used both.
 