Script smb-vuln-ms07-029

Script types: hostrule
Categories: intrusive, exploit, dos, vuln

Script Summary

Detects Microsoft Windows systems with DNS Server RPC vulnerable to MS07-029.

MS07-029 targets the R_DnssrvQuery() and R_DnssrvQuery2() RPC methods, which are part of the DNS Server RPC interface, an RPC service for configuring and getting information from the DNS Server service. The DNS Server RPC service can be accessed using the "\dnsserver" SMB named pipe. The vulnerability is triggered when a long string is sent as the "zone" parameter, which causes a buffer overflow that crashes the service.

This check was previously part of smb-check-vulns.

Script Arguments

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

randomseed, smbbasic, smbport, smbsign

See the documentation for the smb library.

vulns.short, vulns.showall

See the documentation for the vulns library.

Example Usage

nmap --script smb-vuln-ms07-029.nse -p445 <host>
nmap -sU --script smb-vuln-ms07-029.nse -p U:137,T:139 <host>

Script Output

Host script results:
| smb-vuln-ms07-029:
|   Windows DNS RPC Interface Could Allow Remote Code Execution (MS07-029)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2007-1748
|           A stack-based buffer overflow in the RPC interface in the Domain Name System (DNS) Server Service in
|           Microsoft Windows 2000 Server SP 4, Server 2003 SP 1, and Server 2003 SP 2 allows remote attackers to
|           execute arbitrary code via a long zone name containing character constants represented by escape sequences.
|     Disclosure date: 2007-06-06
|     References:
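
When the script is run against many hosts, the report format shown above can be parsed to list the hosts whose State is VULNERABLE. The following Python is an added example, not part of Nmap or of this script; the sample scan text and its addresses are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in Nmap normal-output form; addresses are documentation ranges.
SAMPLE = """\
Nmap scan report for 192.0.2.10
Host script results:
| smb-vuln-ms07-029:
|   Windows DNS RPC Interface Could Allow Remote Code Execution (MS07-029)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2007-1748
|_    Disclosure date: 2007-06-06

Nmap scan report for 192.0.2.11
Host script results:
| smb-vuln-ms07-029:
|   Windows DNS RPC Interface Could Allow Remote Code Execution (MS07-029)
|_    State: NOT VULNERABLE
"""

HOST_RE = re.compile(r"^Nmap scan report for (.+)$")
SCRIPT_RE = re.compile(r"^\|[ _](\S[^:]*):\s*$")  # e.g. "| smb-vuln-ms07-029:"
FIELD_RE = re.compile(r"^\|[ _]\s+(State|IDs|Disclosure date):\s*(.+)$")

def parse_vuln_results(text, script="smb-vuln-ms07-029"):
    """Return one dict per finding that `script` reported, tagged with its host."""
    findings, host, active, prev = [], None, False, ""
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            host, active = m.group(1), False
        elif m := SCRIPT_RE.match(line):
            active = m.group(1) == script       # only read this script's block
        elif not line.startswith("|"):
            active = False                      # left the script-results block
        elif active and (m := FIELD_RE.match(line)):
            key, value = m.groups()
            if key == "State":
                # The vulnerability title is the line just above "State:".
                findings.append({"host": host, "title": prev, "state": value.strip(), "ids": []})
            elif findings and key == "IDs":
                findings[-1]["ids"] = re.findall(r"CVE-\d{4}-\d+", value)
            elif findings:
                findings[-1]["disclosed"] = value.strip()
        if line.startswith("|"):
            prev = line[2:].strip()
    return findings

def vulnerable_hosts(text):
    """Hosts whose State begins with VULNERABLE, which excludes NOT VULNERABLE."""
    return [f["host"] for f in parse_vuln_results(text) if f["state"].startswith("VULNERABLE")]
```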



  • Ron Bowes
  • Jiayi Ye
  • Paulino Calderon <calderon()>

License: Same as Nmap--See