#76201 - 2003-08-11 04:25 PM
Re: Deploy-KB823980.kix MS03-026: Buffer Overrun in RPC Interface May Allow Code Executio
Anonymous (Unregistered)
One more question Doc. On a couple of machines, one NT 4.0 and one Windows 2k, I got a strange bomb out on the script. Here is a before and after for the Windows 2k section.
code:
BEFORE:
CASE @ProductType='Windows 2000 Professional'
  $KBFile='Windows2000-KB823980-x86-ENU.exe'
  IF $RPCver <> "5.00.2195.6753"
    $GetLogServer = GetLogServer()
    $IServer = $GetLogServer[0]
    $LServer = $GetLogServer[1]
    SHELL '%comspec% /c \\'+$IServer+'\'+$KBPath+'\'+$KBFile+' /u /q /z'
  ENDIF

AFTER:
CASE @ProductType='Windows 2000 Professional'
  ;$KBFile='Windows2000-KB823980-x86-ENU.exe'
  IF $RPCver <> "5.00.2195.6753"
    ;$GetLogServer = GetLogServer()
    ;$IServer = $GetLogServer[0]
    ;$LServer = $GetLogServer[1]
    SHELL '%comspec% /c \\servername\netlogon\Patches\KB823980\Windows2000-KB823980-x86-ENU.exe /u /q /z'
  ENDIF
Using kix32.exe /d //path/to/login.kix I walked through the script. When it got to the "$IServer = $GetLogServer[0]" line it went fine. The next line, however, was simply "[0]". Not sure what is happening there. Of course "[0]" is not a valid KiXtart command and the script just bombed out.
By the time I got to these 2 machines, the rollout was for the most part done, so having them hit one server was no big deal. I just changed the script to hard code the path and filename. This worked fine and now that things have settled down I was just curious.
I also found out that you at least have to have SP2 for Win 2k and SP6a for NT 4.0. It is sad, but I had one of each in that state.
Any thoughts?
BTW: This is a wonderful way to roll out "High Priority" patches. I would like to use it in the future as a template. That ok Doc?
|
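The version and service-pack checks from the post above, as an added example that is not part of the thread or of NTDOC's script: it compares the Rpcrt4.dll version numerically instead of with `<>`, so a build newer than 5.00.2195.6753 is not treated as unpatched, and it applies the SP2 / SP6a prerequisites first. Host names, OS strings and every build other than 5.00.2195.6753 are constructed; the page gives no patched build for NT 4.0, so those hosts report `no-baseline`.

```python
import re

# Patched Rpcrt4.dll build per OS family; only the Windows 2000 value is on the page.
PATCHED_BUILD = {"Windows 2000": "5.00.2195.6753"}
# Minimum service pack the first poster reports the patch needs.
MIN_SP = {"Windows 2000": (2, ""), "Windows NT 4.0": (6, "a")}

# Constructed inventory: host, OS string, service pack, Rpcrt4.dll version.
# Every build except 5.00.2195.6753 is made up for illustration.
INVENTORY = [
    ("WS-01", "Windows 2000 Professional", "SP4", "5.00.2195.6753"),
    ("WS-02", "Windows 2000 Professional", "SP3", "5.00.2195.6701"),
    ("WS-03", "Windows 2000 Professional", "SP4", "5.00.2195.6802"),
    ("WS-04", "Windows 2000 Professional", "SP1", "5.00.2195.2000"),
    ("WS-05", "Windows NT 4.0 Workstation", "SP6", "4.00.1381.7000"),
    ("WS-06", "Windows NT 4.0 Workstation", "SP6a", "4.00.1381.7000"),
    ("WS-07", "Windows 2000 Professional", "SP4", ""),
]

def parse_version(text):
    """'5.00.2195.6753' -> (5, 0, 2195, 6753); ValueError if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part file version: {text!r}")
    return tuple(int(p) for p in parts)

def parse_sp(text):
    """'SP6a' -> (6, 'a'); an empty or unreadable value counts as no service pack."""
    m = re.fullmatch(r"\s*(?:SP|Service Pack)?\s*(\d+)([a-z]?)\s*", text or "0", re.I)
    return (int(m.group(1)), m.group(2).lower()) if m else (0, "")

def triage(os_name, sp, rpcrt4_version):
    family = next((f for f in MIN_SP if os_name.startswith(f)), None)
    if family is None:
        return "unsupported-os"
    if parse_sp(sp) < MIN_SP[family]:       # (6, '') < (6, 'a'): SP6 is below SP6a
        return "needs-service-pack"
    if family not in PATCHED_BUILD:
        return "no-baseline"
    try:
        installed = parse_version(rpcrt4_version)
    except ValueError:                      # e.g. the version lookup returned nothing
        return "version-unreadable"
    return "patched" if installed >= parse_version(PATCHED_BUILD[family]) else "needs-patch"

def report(inventory=INVENTORY):
    return {host: triage(os_name, sp, ver) for host, os_name, sp, ver in inventory}

if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host}: {status}")
```
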
#76203 - 2003-08-11 04:36 PM
Anonymous (Unregistered)
It is there. Here are all of the KB823980 functions in my login script.
code:
function LocalAdmin()
  $LocalAdmin=ingroup('@wksta\'+sidtoname('S-1-5-32-544'))-1+@INWIN
endfunction

Function GetCurrentIP()
  DIM $IP, $TempFile, $Line, $cf
  $TempFile = "%TEMP%\PING.TXT"
  If Exist($TempFile)
    Del $TempFile
  EndIf
  SHELL '%COMSPEC% /C PING -n 1 @WKSTA >'+$TempFile
  $IP = ""
  If Open(1, $TempFile) = 0
    $Line = ReadLine(1)
    While @ERROR = 0
      If InStr($Line,@WKSTA)
        $Line = SubStr($Line,InStr($Line,"[")+1)
        $GetCurrentIP = Substr($Line,1,InStr($Line,"]")-1)
      EndIf
      $Line = ReadLine(1)
    Loop
    $cf = Close(1)
  EndIf
  If Exist($TempFile)
    Del $TempFile
  EndIf
EndFunction

Function GetLogServer()
  DIM $InstallerArray[2],$IP,$UserDomain,$spServer,$LogServer
  $UserDomain=@DOMAIN
  $IP=GetCurrentIP
  SELECT
    CASE InStr($IP, '10.0.1.')
      $spServer='Server-1'
      $LogServer='Server-1'
      RETURN
    CASE InStr($IP, '10.0.2.')
      $spServer='Server-2'
      $LogServer='Server-2'
    CASE 1
      $spServer='Server-3'
      $LogServer='Server-3'
  ENDSELECT
  $InstallerArray[0]=$spServer
  $InstallerArray[1]=$LogServer
  $GetLogServer=$InstallerArray
EndFunction

Function GetRPCVersion()
  $GetRPCVersion = GetFileVersion('%windir%\system32\Rpcrt4.dll', 'Productversion')
endfunction
Thanks
#76205 - 2003-08-11 10:13 PM
Anonymous (Unregistered)
I am sorry if all of this smacks of a total newb! Allow me to explain further.
quote:
How many Domains do you have? How many Workstations do you have? Are they all on LAN or WAN or both?

3
200+
both
Regarding the commenting out of the commands.
code:
;$KBFile='Windows2000-KB823980-x86-ENU.exe'
IF $RPCver <> "5.00.2195.6753"
  ;$GetLogServer = GetLogServer()
  ;$IServer = $GetLogServer[0]
  ;$LServer = $GetLogServer[1]
I commented them out and hard-coded the path and filename as a test on the 2 machines having the issue. Before, they bombed. After, they ran fine. That is how I determined which script line was giving a problem.
The script in the Before: state worked great on all but the 2 machines (maybe one or 2 more) mentioned above. Just curious as to why. Not a biggie in the grand scheme of things, just passing the info along.
Thanks
#76207 - 2003-08-12 09:26 PM
Anonymous (Unregistered)
I don't know if this helps anyone or not. I'm deploying the patch with NTDOC's script; however, our users do not have local admin rights on their workstations. So I use a product called AutoIt to deploy the patch once the script determines that it is needed. If anyone would like, I will post the script for the AutoIt install. The AutoIt program is a freeware app.
#76210 - 2003-08-13 03:08 PM
NTDOC (Administrator)
Registered: 2000-07-28
Posts: 11625
Loc: CA
Cholbrook,
Are you saying you compiled Domain and/or Local Admin account information into an EXE with AutoIt?
This program in and of itself has nothing to do with granting rights to users that don't already have admin rights.
http://www.hiddensoft.com/AutoIt/
#76211 - 2003-08-14 03:30 AM
Anonymous (Unregistered)
I use the AutoIt software to launch the application using Windows Runas. I created a domain group called system_support that I add to all local admin groups on our 2k boxes. In the kix script I check the machine, but instead of launching the Microsoft patch I run the AutoIt script that calls the Microsoft patch using local admin privilege. I would like to use the su but I've had trouble with getting it set up right.
Example of my AutoIt script.
run as domain\\account \\\\server\\share\\app.exe
wait 2000
send password
exit
#76212 - 2003-08-14 03:34 PM
Anonymous (Unregistered)
One more time for me. I got some very cool poetic justice on this patch and I owe it all to the KiXtart forums (Big thanks to NTDOC for writing the script) *bows to the power of NTDOC*!
My corporate office sent an email out late last week to the branch office Network Admins saying that they are exploring options to roll out this patch. But they also said not to "worry" as they felt it wouldn't be exploited any time soon (i.e. Slammer).
With this forum's help and a few hours on a Saturday 2 weekends ago I was NOT hit at all with this virus. Yes, I had a few machines hiccup, and a couple of remote users that simply ignored the messages with instructions for them.
In the end, no infections and a handful of machines that I had to manually work on.
Thanks everybody!!
BTW...For those who don't know, there is a free utility to scan subnets for machines that have not been patched.
Click Here for the Retina DCOM Scanner
#76214 - 2003-08-14 03:55 PM
Radimus (Moderator)
Registered: 2000-01-06
Posts: 5187
Loc: Tampa, FL
I've pushed it out with Remote Execution Manager on public machines or PCs whose users are absent...