Nmap Development mailing list archives
[NSE] Interesting DCERPC/SMB modules
From: Dražen Popović <dpopovic () lss hr>
Date: Sun, 16 May 2010 15:09:17 +0200
Dangerous vulnerability checks:

1) Names: 'Microsoft Workstation Service NetpManageIPCConnect Overflow', CVE-2006-4691, OSVDB-30263, BID-20985, MS06-070
Description: This module exploits a stack buffer overflow in the NetApi32 NetpManageIPCConnect function using the Workstation service in Windows 2000 SP4 and Windows XP SP2. In order to exploit this vulnerability, you must specify the name of a valid Windows DOMAIN. Although Windows XP SP2 is vulnerable, Microsoft reports that Administrator credentials are required to reach the vulnerable code. Windows XP SP1 only requires valid user credentials. Also, testing shows that a machine already joined to a domain is not exploitable.

2) Names: 'Microsoft Services MS06-066 nwapi32.dll', CVE-2006-4688, OSVDB-30260, BID-21023, MS06-066
Description: This module exploits a stack buffer overflow in the svchost service, when the netware client service is running. This specific vulnerability is in the nwapi32.dll module.

3) Names: 'Microsoft RRAS Service RASMAN Registry Overflow', CVE-2006-2370, OSVDB-26437, BID-18325, MS06-025
Description: This module exploits a registry-based stack buffer overflow in the Windows Routing and Remote Access Service. Since the service is hosted inside svchost.exe, a failed exploit attempt can cause other system services to fail as well. A valid username and password are required to exploit this flaw on Windows 2000. When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.

4) Names: 'Microsoft Plug and Play Service Overflow', CVE-2005-1983, OSVDB-18605, BID-14513, MS05-039
Description: This module exploits a stack buffer overflow in the Windows Plug and Play service. This vulnerability can be exploited on Windows 2000 without a valid user account. Since the PnP service runs inside the service.exe process, a failed exploit attempt will cause the system to automatically reboot.

5) Names: 'Microsoft NetDDE Service Overflow', CVE-2004-0206, OSVDB-10689, BID-11372, MS04-031
Description: This module exploits a stack buffer overflow in the NetDDE service, which is the precursor to the DCOM interface. This exploit affects only operating systems released prior to Windows XP SP1 (2000 SP4, XP SP0). Despite Microsoft's claim that this vulnerability can be exploited without authentication, the NDDEAPI pipe is only accessible after successful authentication.

6) Names: 'Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow', CVE-2003-0533, OSVDB-5248, BID-10108, MS04-011
Description: This module exploits a stack buffer overflow in the LSASS service; this vulnerability was originally found by eEye. When re-exploiting a Windows XP system, you will need to run this module twice. DCERPC request fragmentation can be performed by setting the 'FragSize' parameter.

7) Names: 'Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB)', CVE-2007-1748, OSVDB-34100, MS07-029
Description: This module exploits a stack buffer overflow in the RPC interface of the Microsoft DNS service. The vulnerability is triggered when a long zone name parameter is supplied that contains escaped octal strings. This module is capable of bypassing NX/DEP protection on Windows 2003 SP1/SP2. This module exploits the RPC service using the \\DNSSERVER pipe available via SMB. This pipe requires a valid user account to access. The DNS service can be reached across a named pipe using SMB and directly over TCP.

These are some of the MSF exploit modules I've been looking at. Note that this is not a complete list of DCERPC/SMB related stuff within MSF, just my temporary compilation. Also, one script that is a MUST DO is the endpoint mapper script, similar to the portmapper scripts, that is currently being developed in NSE.
--
Laboratory for Systems and Signals
Department of Electronic Systems and Information Processing
Faculty of Electrical Engineering and Computing
University of Zagreb

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Current thread:
- [NSE] Interesting DCERPC/SMB modules Dražen Popović (May 16)