Nmap Development mailing list archives

[NSE] Interesting DCERPC/SMB modules


From: Dražen Popović <dpopovic () lss hr>
Date: Sun, 16 May 2010 15:09:17 +0200

Dangerous vulnerability checks:

1)
Names: 'Microsoft Workstation Service NetpManageIPCConnect Overflow',
CVE-2006-4691, OSVDB-30263, BID-20985, MS06-070

Description:
        This module exploits a stack buffer overflow in the NetApi32
NetpManageIPCConnect function using the Workstation service in Windows
2000 SP4 and Windows XP SP2. In order to exploit this vulnerability, you
must specify the name of a valid Windows DOMAIN. Although Windows XP
SP2 is vulnerable, Microsoft reports that Administrator credentials are
required to reach the vulnerable code. Windows XP SP1 only requires
valid user credentials. Also, testing shows that a machine already
joined to a domain is not exploitable.

2)
Names: 'Microsoft Services MS06-066 nwapi32.dll', CVE-2006-4688,
OSVDB-30260, BID-21023, MS06-066.

Description:
        This module exploits a stack buffer overflow in the svchost service,
when the netware client service is running. This specific vulnerability
is in the nwapi32.dll module.

3)
Names: 'Microsoft RRAS Service RASMAN Registry Overflow', CVE-2006-2370,
OSVDB-26437, BID-18325, MS06-025

Description:
        This module exploits a registry-based stack buffer overflow in the
Windows Routing and Remote Access Service. Since the service is hosted
inside svchost.exe, a failed exploit attempt can cause other system
services to fail as well. A valid username and password are required to
exploit this flaw on Windows 2000. When attacking XP SP1, the SMBPIPE
option needs to be set to 'SRVSVC'.

4)
Names: 'Microsoft Plug and Play Service Overflow', CVE-2005-1983,
OSVDB-18605, BID-14513, MS05-039.

Description:
        This module exploits a stack buffer overflow in the Windows Plug and
Play service. This vulnerability can be exploited on Windows 2000
without a valid user account. Since the PnP service runs inside the
services.exe process, a failed exploit attempt will cause the system to
automatically reboot.

5)
Names: 'Microsoft NetDDE Service Overflow', CVE-2004-0206, OSVDB-10689,
BID-11372, MS04-031.

Description:
        This module exploits a stack buffer overflow in the NetDDE service,
which is the precursor to the DCOM interface. This exploit affects only
operating systems released prior to Windows XP SP1 (2000 SP4, XP SP0).
Despite Microsoft's claim that this vulnerability can be exploited
without authentication, the NDDEAPI pipe is only accessible after
successful authentication.

6)
Names: 'Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow',
CVE-2003-0533, OSVDB-5248, BID-10108, MS04-011.

Description:
        This module exploits a stack buffer overflow in the LSASS
service; this vulnerability was originally found by eEye. When
re-exploiting a Windows XP system, you will need to run this module
twice. DCERPC request fragmentation can be performed by setting the
'FragSize' parameter.

7)
Names: 'Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB)',
CVE-2007-1748, OSVDB-34100, MS07-029.

Description:
        This module exploits a stack buffer overflow in the RPC
interface of the Microsoft DNS service. The vulnerability is triggered
when a long zone name parameter is supplied that contains
escaped octal strings. This module is capable of bypassing NX/DEP
protection on Windows 2003 SP1/SP2. This module exploits the
RPC service using the \\DNSSERVER pipe available via SMB. This
pipe requires a valid user account to access.
The DNS service can be reached across a named pipe using SMB and
directly over TCP.


These are some of the MSF exploit modules I've been looking at. Note
that this is not a complete list of DCERPC/SMB related stuff within MSF,
just my temporary compilation. Also, one script that is a MUST DO is an
endpoint mapper script, similar to the portmapper scripts, which is
currently being developed in NSE.


-- 
Laboratory for Systems and Signals
Department of Electronic Systems and Information Processing
Faculty of Electrical Engineering and Computing
University of Zagreb

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/