Recently I downloaded the new Windows server 2019 and upgraded my Win10 box to 1809.
Obviously, the first thing I did was to test the Juicy/Rotten exploit, and surprisingly it did not work on either OS (I also tried other CLSIDs).
Remember what MS said about this “vulnerability”? Fear the Rotten/Juicy potato attack?
So I’m not sure whether they patched it or whether this is some strange unintended behavior.
Probably something related to the OXID resolver, given that the connection gets dropped immediately. It seems some checks are in place before the resolver is called.
By omitting the port in the RPC binding string (“host” instead of “host[port]”) in the IStorageTrigger::MarshalInterface method, where port is our local listener port specified with the -l switch, the connection does not get dropped and the normal flow continues.
But DCOM won’t talk to our local listener, so no MITM and no exploit.
Note: if you put the default port in the RPC binding string “host”, the connection gets dropped again. You cannot specify ports, only hosts (local or remote…).
Probably MS changed something in rpcss.dll; its version and size differ from previous builds.
That’s all for now, I will update this post as soon as I have news!