Script `smb-vuln-ms07-029`

Script types: hostrule
Categories: intrusive, exploit, dos, vuln
Download: https://svn.nmap.org/nmap/scripts/smb-vuln-ms07-029.nse

Script Summary

Detects Microsoft Windows systems with Dns Server RPC vulnerable to MS07-029.

MS07-029 targets the R_DnssrvQuery() and R_DnssrvQuery2() RPC method which isa part of DNS Server RPC interface that serves as a RPC service for configuring and getting information from the DNS Server service. DNS Server RPC service can be accessed using "\dnsserver" SMB named pipe. The vulnerability is triggered when a long string is send as the "zone" parameter which causes the buffer overflow which crashes the service.

This check was previously part of smb-check-vulns.

Script Arguments

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername: See the documentation for the smbauth library.
randomseed, smbbasic, smbport, smbsign: See the documentation for the smb library.
vulns.short, vulns.showall: See the documentation for the vulns library.

Example Usage

nmap --script smb-vuln-ms07-029.nse -p445 <host>
nmap -sU --script smb-vuln-ms07-029.nse -p U:137,T:139 <host>

Script Output

Host script results:
| smb-vuln-ms07-029:
|   VULNERABLE:
|   Windows DNS RPC Interface Could Allow Remote Code Execution (MS07-029)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2007-1748
|           A stack-based buffer overflow in the RPC interface in the Domain Name System (DNS) Server Service in
|           Microsoft Windows 2000 Server SP 4, Server 2003 SP 1, and Server 2003 SP 2 allows remote attackers to
|           execute arbitrary code via a long zone name containing character constants represented by escape sequences.
|
|     Disclosure date: 2007-06-06
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1748
|_      https://technet.microsoft.com/en-us/library/security/ms07-029.aspx

Requires

Authors:

Ron Bowes
Jiayi Ye
Paulino Calderon <calderon()websec.mx>