Recently I downloaded the new Windows server 2019 and upgraded my Win10 box to 1809.

Obviously, the first thing I did was to test the Juicy/Rotten Potato exploit, and surprisingly it did not work on either OS (I also tried other CLSIDs).


Remember what MS said about this “vulnerability”? Fear the Rotten/Juicy Potato attack?

So I’m not sure whether they patched it or whether this is some strange unintended behavior.

Probably something related to the OXID resolver, given that the connection gets dropped immediately. It seems like some checks are in place before the resolver is called:


By omitting the port in the RPC binding string (“host” instead of “host[port]”) in the IStorageTrigger::MarshalInterface method, where port is our local listener port specified with the -l switch, the connection does not get dropped and the normal flow continues.

But DCOM won’t talk to our local listener, so no MITM and no exploit.

Note: if you put the default port in the RPC binding string (“host[135]”), the connection gets dropped again. You cannot specify ports, only hosts (local or remote…).

Probably MS changed something in rpcss.dll; its version and size differ from previous builds.
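To compare builds side by side (for example 1809 / Server 2019 against an earlier build), the following PowerShell snippet collects the OS build and the version, size and SHA-256 of rpcss.dll. This is an added example, not code from the original post: only the file name rpcss.dll comes from the text; the System32 path, the registry value read for ReleaseId and the output layout are my own assumptions.

```powershell
# Added example (not from the original post): inventory the OS build and the
# rpcss.dll file version/size/hash so two builds can be compared.
# Assumed: rpcss.dll lives under %SystemRoot%\System32 and ReleaseId is in
# HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion.
$os     = Get-CimInstance -ClassName Win32_OperatingSystem
$rpcss  = Join-Path -Path $env:SystemRoot -ChildPath 'System32\rpcss.dll'
$item   = Get-Item -Path $rpcss
$hash   = Get-FileHash -Path $rpcss -Algorithm SHA256
$relKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    OSCaption      = $os.Caption
    BuildNumber    = $os.BuildNumber
    ReleaseId      = (Get-ItemProperty -Path $relKey).ReleaseId
    RpcssVersion   = $item.VersionInfo.FileVersion
    RpcssSizeBytes = $item.Length
    RpcssSHA256    = $hash.Hash
} | Format-List
```

Run it on each build and diff the RpcssVersion / RpcssSizeBytes / RpcssSHA256 fields; pipe to `Export-Csv` instead of `Format-List` if you want to collect results from several hosts.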

That’s all for now, I will update this post as soon as I have news!
