NT RPC Service Bug

Aleph One (aleph1@dfw.net)
Wed, 22 Jan 1997 14:38:07 -0600


There have been several dozen replies to the original message. I
summarize here:

The bug seems to exist in NT Server and Workstation 4.0, with or without
SP1 and/or SP2. In other words, all versions. Some people report the
problem also exists on NT 3.51. A small group of people report it did not
work for them but did not give enough information to figure out if the RPC
service was simply not running, what build of NT they had, or if their
testing methodology was wrong. So it's safe to assume the vulnerability exists
in most NT installations.

For it to work you must have the 'RPC Configuration' service installed.
This is the default. Port 135 is defined in RFC1060 as:

135 LOC-SRV Location Service [JXP]

You must connect to port 135 using TCP, send some random characters,
and disconnect. You MUST send a series of characters. If you just connect
and disconnect from the port it won't work. My testing shows that in some
instances the CPU usage will rise but come back down in a few seconds. I
believe it may have something to do with the string you send to it. If your
CPU usage did not stay at 100% try again with a different string.

After you disconnect the rpcss.exe process will start consuming all
available processor cycles. NT does not allow you to kill rpcss.exe even
under normal operation. You must reboot the machine to get rid of it. You
will still be able to launch other applications (the NT scheduler will
give them CPU time), but they will run very slowly and the CPU will stay
at 100% utilization. The performance monitor shows that rpcss.exe spends
roughly 20% of the time in user mode and 80% of the time in system mode.

Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
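The post describes the trigger as a TCP connection to port 135 that carries a short run of characters and is then torn down, with an empty connection doing nothing. The following is an added detection example, not code from Aleph One's post: it parses a constructed per-session connection log (the log format, the sample lines and the byte/duration thresholds are all assumptions made here) and flags sessions to port 135 that match that connect / small payload / disconnect pattern, then counts hits per source so repeated attempts stand out.

```python
"""Detection heuristic for the NT 4.0 port-135 (RPC Configuration / rpcss.exe)
DoS pattern described in the post: a short TCP session to port 135 that
carries a small amount of data and then disconnects.  Added example, not part
of the original Bugtraq post; the log format and all sample lines are
constructed."""

import re
from collections import namedtuple

# Constructed log format (assumption): one line per completed TCP session, e.g.
# "1997-01-22 14:38:07 tcp 10.0.0.5:1034 -> 192.168.1.10:135 bytes_in=7 duration=0.2"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) tcp (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) bytes_in=(?P<bytes_in>\d+) duration=(?P<dur>[\d.]+)$"
)

Session = namedtuple("Session", "ts src sport dst dport bytes_in duration")


def parse_line(line):
    """Parse one session record; return a Session, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Session(m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                   int(m["bytes_in"]), float(m["dur"]))


def is_suspicious(sess, max_bytes=64, max_duration=2.0):
    """The post says the trigger is: connect to TCP/135, send 'a series of
    characters' (an empty connection does nothing), then disconnect.  So flag
    sessions to port 135 that carry a small, non-zero payload and end quickly.
    The thresholds are assumptions, not values from the post."""
    return (sess.dport == 135
            and 0 < sess.bytes_in <= max_bytes
            and sess.duration <= max_duration)


def find_suspicious_sessions(lines, **thresholds):
    """Return, in log order, the sessions that match the heuristic."""
    hits = []
    for line in lines:
        sess = parse_line(line)
        if sess is not None and is_suspicious(sess, **thresholds):
            hits.append(sess)
    return hits


def count_by_source(sessions):
    """Aggregate hits per source address; the post notes the trigger may need
    to be retried with a different string, so repeats from one host matter."""
    counts = {}
    for s in sessions:
        counts[s.src] = counts.get(s.src, 0) + 1
    return counts


# Constructed sample log: two trigger-like sessions from one host, one empty
# connection (not a trigger per the post), one long legitimate RPC session,
# and one session to an unrelated port.
SAMPLE_LOG = [
    "1997-01-22 14:38:07 tcp 10.0.0.5:1034 -> 192.168.1.10:135 bytes_in=7 duration=0.2",
    "1997-01-22 14:38:09 tcp 10.0.0.5:1035 -> 192.168.1.10:135 bytes_in=0 duration=0.1",
    "1997-01-22 14:38:15 tcp 10.0.0.5:1036 -> 192.168.1.10:135 bytes_in=12 duration=0.3",
    "1997-01-22 14:40:01 tcp 10.0.0.7:1201 -> 192.168.1.10:135 bytes_in=1840 duration=45.0",
    "1997-01-22 14:40:02 tcp 10.0.0.7:1202 -> 192.168.1.10:139 bytes_in=9 duration=0.2",
]

if __name__ == "__main__":
    hits = find_suspicious_sessions(SAMPLE_LOG)
    for h in hits:
        print(f"{h.ts} {h.src}:{h.sport} -> {h.dst}:{h.dport} "
              f"bytes_in={h.bytes_in} duration={h.duration}s")
    print("hits per source:", count_by_source(hits))
```

On the sample log this flags the two short, non-empty sessions from 10.0.0.5 and ignores the empty connection, the long RPC session and the port-139 session. A hit is only a lead: the confirming signal on the host itself is the one the post describes, rpcss.exe pinned at 100% CPU (mostly in system mode) until the machine is rebooted.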