Detects Microsoft Windows systems with Dns Server RPC vulnerable to MS07-029.
MS07-029 targets the
RPC method which isa part of DNS Server RPC interface that serves as a RPC service
for configuring and getting information from the DNS Server service.
DNS Server RPC service can be accessed using "\dnsserver" SMB named pipe.
The vulnerability is triggered when a long string is send as the "zone" parameter
which causes the buffer overflow which crashes the service.
This check was previously part of smb-check-vulns.
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusernameSee the documentation for the smbauth library.
randomseed, smbbasic, smbport, smbsignSee the documentation for the smb library.
vulns.short, vulns.showallSee the documentation for the vulns library.
nmap --script smb-vuln-ms07-029.nse -p445 <host> nmap -sU --script smb-vuln-ms07-029.nse -p U:137,T:139 <host>
Host script results: | smb-vuln-ms07-029: | VULNERABLE: | Windows DNS RPC Interface Could Allow Remote Code Execution (MS07-029) | State: VULNERABLE | IDs: CVE:CVE-2007-1748 | A stack-based buffer overflow in the RPC interface in the Domain Name System (DNS) Server Service in | Microsoft Windows 2000 Server SP 4, Server 2003 SP 1, and Server 2003 SP 2 allows remote attackers to | execute arbitrary code via a long zone name containing character constants represented by escape sequences. | | Disclosure date: 2007-06-06 | References: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1748 |_ https://technet.microsoft.com/en-us/library/security/ms07-029.aspx
License: Same as Nmap--See https://nmap.org/book/man-legal.html