Block port 135 without using any firewall

Are you scared of DCOM exploits? Although there are patches available from Microsoft, who wants them? We are hackers, so we can create our own protocols, can't we? I hope this tutorial will flash your mind a bit. I'm writing this article with just XP Professional in mind; I haven't tested it on other platforms yet.

Microsoft RPC port 135, DCOM buffer overrun

Microsoft's RPC implementation listens on TCP port 135. RPC is used as the transport layer by a number of higher-level protocols, such as DCOM.

Vulnerabilities have been found in Microsoft's RPC implementation and in the services it gives access to.

Closing TCP port 135

It is highly desirable to close port 135. Port 135 is consistently one of the most attacked ports on the Internet.

It is not possible to simply disable the RPC service, as many essential parts of Windows require RPC to be running even though they never make network connections.

However, Microsoft does not allow RPC to be configured to use a different port, and by default it is bound to all network interfaces, which leaves it exposed to attack from the Internet.

Below I have described how to disable the services that run on top of RPC, which is desirable in itself, and then how to close port 135 itself.

Step 1

Disable RPC dependent services

SSDP Discovery Service
Windows Time
Remote Registry
System Event Notification
Remote Desktop Help Session Manager
Distributed Transaction Coordinator
Task Scheduler service
COM+ Event System
COM+ System Application

Step 2

Disable DCOM

1. Run "regedt32.exe" from the Start menu "Run..." item.
2. Select the key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole" and set the value "EnableDCOM" to "N".
3. Select the key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc" and edit the value "DCOM Protocols". This may contain a number of strings; delete the string "ncacn_ip_tcp" and leave the others in place.

Step 3

Configure RPC

1. Run "regedt32.exe" from the Start menu "Run..." item.
2. Select the key
3. Add the string value "ListenOnInternet" and set it to "N".
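The service and registry changes above can be applied in one pass. The script below is an added example, not part of the original post; it assumes PowerShell 2.0 on XP SP3, that the short service names in the list map to the display names given under Step 1 (my assumption, check them with "sc query" first), and that the script runs as an administrator. The ListenOnInternet value is left to the manual procedure because the post does not name its registry key.

```powershell
# Added example: disable the RPC-dependent services, turn DCOM off and remove
# the TCP/IP protocol sequence, then check what still listens on port 135.
# Service short names are an assumption; verify them on your own machine.

$services = @(
    'SSDPSRV',        # SSDP Discovery Service
    'W32Time',        # Windows Time
    'RemoteRegistry', # Remote Registry
    'SENS',           # System Event Notification
    'RDSessMgr',      # Remote Desktop Help Session Manager
    'MSDTC',          # Distributed Transaction Coordinator
    'Schedule',       # Task Scheduler
    'EventSystem',    # COM+ Event System
    'COMSysApp'       # COM+ System Application
)

foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -eq $null) {
        Write-Warning "Service '$name' not found on this machine; skipping"
        continue
    }
    if ($svc.Status -eq 'Running') {
        Stop-Service -Name $name -Force
    }
    Set-Service -Name $name -StartupType Disabled
    Write-Host "$name -> Disabled"
}

# Disable DCOM (EnableDCOM is a REG_SZ holding "Y" or "N").
$ole = 'HKLM:\SOFTWARE\Microsoft\Ole'
Set-ItemProperty -Path $ole -Name 'EnableDCOM' -Value 'N'

# "DCOM Protocols" is a REG_MULTI_SZ: keep every entry except ncacn_ip_tcp
# rather than clearing the whole value.
$rpc = 'HKLM:\SOFTWARE\Microsoft\Rpc'
$protocols = (Get-ItemProperty -Path $rpc -Name 'DCOM Protocols').'DCOM Protocols'
$kept = @($protocols | Where-Object { $_ -ne 'ncacn_ip_tcp' })
Set-ItemProperty -Path $rpc -Name 'DCOM Protocols' -Value ([string[]]$kept) -Type MultiString
Write-Host ("DCOM Protocols now: {0}" -f ($kept -join ', '))

# Listeners on 135 that remain after the reboot show up here; an empty result
# means the remaining RPC endpoint mapper is the only thing left to deal with.
netstat -an | Select-String ':135 '
```

Reboot after running it and repeat the netstat line; the RPC endpoint mapper itself will still be bound to 135 at this point, which is what the patching step below the Configure RPC section addresses.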

Step 4

Patching the RPC server

Microsoft RPC cannot be configured to listen on a port other than 135. Instead it is necessary to patch the system to force it not to use the port. Patching an OS is strictly for advanced users.

The server needs to be patched using a hex editor. I have used WinHex here.

The RPC server is implemented in a file called rpcss.dll; however, this file is in constant use, so you will first have to disable it, reboot, patch it, re-enable it and reboot again.

1. Make a backup copy of the file rpcss.dll: copy \windows\system32\rpcss.dll into one of your own directories using Windows Explorer.
2. From the Start menu select Run.
3. Enter "regedt32" and click on OK.
4. Expand the tree and select the key:HKLM\System\CurrentControlSet\Services\RpcSs
5. Rename the value "ImagePath" to "xImagePath"
6. Exit regedt32 and reboot the machine. The machine may take longer than normal to start up and some functionality will no longer be available. The Start bar may no longer be visible, so it is a good idea to have a shortcut to a DOS box on the desktop. This will be re-enabled later.
7. Run your hex editor and open the file \windows\system32\rpcss.dll.
8. Search for the byte sequence "31 00 33 00 35" or the Unicode text "135".
9. Overwrite this byte sequence with "30 00 30 00 30". This changes the port from 135 to 000, which DCOM will not be able to open.
10. Save the file in the hex editor.
11. From the Start menu select Run.
12. Enter "regedt32" and click on OK.
13. Expand the tree and select the key: HKLM\System\CurrentControlSet\Services\RpcSs
14. Rename the value "xImagePath" back to "ImagePath".
15. Exit regedt32 and reboot the machine.
16. The DCOM server should no longer bind to port 135.
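Steps 8 to 10 are the risky part: a five-byte search can match somewhere other than the port string, and a hex editor will happily overwrite whatever you land on. The script below is an added example, not from the original post, that does the same edit on a copy of rpcss.dll and refuses to write unless the null-terminated UTF-16 string "135" occurs exactly once. The paths are assumptions; adjust them for your machine. It also records the SHA-1 of the untouched file so the change can be reverted and audited.

```powershell
# Added example: patch the UTF-16 "135" in a copy of rpcss.dll to "000",
# but only if the pattern is unambiguous. Paths below are assumptions.
param(
    [string]$Source = 'C:\WINDOWS\system32\rpcss.dll',
    [string]$Backup = 'C:\rpcss-backup\rpcss.dll',
    [string]$Output = 'C:\rpcss-backup\rpcss-patched.dll'
)

# "135" followed by its terminator, as UTF-16LE: 31 00 33 00 35 00 00 00.
# Searching for the terminated string is stricter than the post's 5-byte pattern
# and rules out matches such as "1350".
$needle = [System.Text.Encoding]::Unicode.GetBytes("135`0")
$patch  = [System.Text.Encoding]::Unicode.GetBytes('000')   # 6 bytes, terminator untouched

function Find-Offsets([byte[]]$Data, [byte[]]$Pattern) {
    # Return every byte offset at which $Pattern occurs in $Data.
    $hits = @()
    for ($i = 0; $i -le $Data.Length - $Pattern.Length; $i++) {
        $match = $true
        for ($j = 0; $j -lt $Pattern.Length; $j++) {
            if ($Data[$i + $j] -ne $Pattern[$j]) { $match = $false; break }
        }
        if ($match) { $hits += $i }
    }
    return ,$hits
}

$data = [System.IO.File]::ReadAllBytes($Source)
$hits = Find-Offsets $data $needle
if ($hits.Count -ne 1) {
    throw "Expected exactly one occurrence of UTF-16 '135', found $($hits.Count); not patching."
}
$offset = $hits[0]

# Keep an untouched backup and its hash before changing anything.
New-Item -ItemType Directory -Force -Path (Split-Path $Backup) | Out-Null
Copy-Item -Path $Source -Destination $Backup -Force
$sha1 = [System.Security.Cryptography.SHA1]::Create()
$hash = [BitConverter]::ToString($sha1.ComputeHash($data)) -replace '-', ''
Write-Host "Original SHA-1: $hash (backup at $Backup)"

# Overwrite the six bytes of "135" with "000" and write the patched copy.
[Array]::Copy($patch, 0, $data, $offset, $patch.Length)
[System.IO.File]::WriteAllBytes($Output, $data)
Write-Host ("Patched offset 0x{0:X} -> '000'; written to {1}" -f $offset, $Output)
```

The patched copy still has to be put in place while the service is disabled (steps 4 to 6 and 11 to 15 above); recheck the file after the final reboot, since Windows File Protection on XP can silently restore a cached copy of a modified system DLL, and a restored file means port 135 is back.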

Who needs those stupid packet-filtering tools such as firewalls when we have a beautiful technique to survive called reverse engineering?

I hope you guys will enjoy my work. Your comments are always welcome.


canvas said...

That's great, yeah ....

armageddonsaviour said...

Great article.

I would also like to know your opinion about a problem mentioned here: