Microsoft Windows DNSAPI.dll LLMNR Buffer Underrun DoS - Metasploit
This page contains detailed information about how to use the auxiliary/dos/windows/llmnr/ms11_030_dnsapi Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Microsoft Windows DNSAPI.dll LLMNR Buffer Underrun DoS
Module: auxiliary/dos/windows/llmnr/ms11_030_dnsapi
Source code: modules/auxiliary/dos/windows/llmnr/ms11_030_dnsapi.rb
Disclosure date: 2011-04-12
Last modification time: 2017-07-24 06:26:21 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 5355
List of CVEs: CVE-2011-0657
This module exploits a buffer underrun vulnerability in Microsoft's DNSAPI.dll as distributed with Windows Vista and later without KB2509553. By sending a specially crafted LLMNR query, containing a leading '.' character, an attacker can trigger stack exhaustion or potentially cause stack memory corruption. Although this vulnerability may lead to code execution, it has not been proven to be possible at the time of this writing. NOTE: In some circumstances, a '.' may be found before the top of the stack is reached. In these cases, this module may not be able to cause a crash.
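For detection, the description above suggests a network-side check: decode the question name of each LLMNR query seen on UDP 5355 and flag names that start with a '.' byte. The sketch below is an added example, not code from the module or from Metasploit; the function names and sample packets are constructed here, and it assumes the leading '.' appears as the first byte of the first QNAME label.

```python
import struct

LLMNR_PORT = 5355  # UDP port listed in the module overview


def first_question_labels(payload: bytes):
    """Return the raw QNAME labels of an LLMNR query, or None if the payload
    is not a well-formed query (LLMNR reuses the DNS header and name format)."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1:  # QR bit set means a response
        return None
    labels, off = [], 12
    while off < len(payload):
        length = payload[off]
        off += 1
        if length == 0:  # root label terminates the name
            # QTYPE and QCLASS (4 bytes) must follow the name
            return labels if off + 4 <= len(payload) else None
        if length & 0xC0 or off + length > len(payload):
            return None  # compression pointer or truncated label
        labels.append(payload[off:off + length])
        off += length
    return None  # ran off the end without a terminator


def classify_query(payload: bytes):
    """Return 'leading-dot', 'dot-in-label', or None for an unremarkable query."""
    labels = first_question_labels(payload)
    if not labels:
        return None
    if labels[0].startswith(b"."):
        return "leading-dot"  # the pattern named in the advisory text
    if any(b"." in label for label in labels):
        return "dot-in-label"  # literal '.' inside a label is still anomalous
    return None


# Constructed sample payloads (not captured traffic): header, name, type A / class IN
HEADER = struct.pack("!6H", 0x1234, 0, 1, 0, 0, 0)
TAIL = struct.pack("!HH", 1, 1)
SAMPLE_BENIGN = HEADER + b"\x0afileserver\x00" + TAIL
SAMPLE_LEADING_DOT = HEADER + b"\x0b.fileserver\x00" + TAIL
```

A hit from `classify_query` on a host that still lacks KB2509553 is worth correlating with crashes of the service hosting DNSAPI.dll.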
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use auxiliary/dos/windows/llmnr/ms11_030_dnsapi
msf auxiliary(ms11_030_dnsapi) > show targets
... a list of targets ...
msf auxiliary(ms11_030_dnsapi) > set TARGET target-id
msf auxiliary(ms11_030_dnsapi) > show options
... show and set options ...
msf auxiliary(ms11_030_dnsapi) > exploit
Msfconsole Usage
Here is how the dos/windows/llmnr/ms11_030_dnsapi auxiliary module looks in the msfconsole:
msf6 > use auxiliary/dos/windows/llmnr/ms11_030_dnsapi
msf6 auxiliary(dos/windows/llmnr/ms11_030_dnsapi) > show info
Name: Microsoft Windows DNSAPI.dll LLMNR Buffer Underrun DoS
Module: auxiliary/dos/windows/llmnr/ms11_030_dnsapi
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2011-04-12
Provided by:
jduck <[email protected]>
Check supported:
No
Basic options:
Name    Current Setting  Required  Description
----    ---------------  --------  -----------
RHOSTS  224.0.0.252      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT   5355             yes       The target port (UDP)
Description:
This module exploits a buffer underrun vulnerability in Microsoft's
DNSAPI.dll as distributed with Windows Vista and later without
KB2509553. By sending a specially crafted LLMNR query, containing a
leading '.' character, an attacker can trigger stack exhaustion or
potentially cause stack memory corruption. Although this
vulnerability may lead to code execution, it has not been proven to
be possible at the time of this writing. NOTE: In some
circumstances, a '.' may be found before the top of the stack is
reached. In these cases, this module may not be able to cause a
crash.
References:
https://nvd.nist.gov/vuln/detail/CVE-2011-0657
OSVDB (71780)
https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2011/MS11-030
Module Options
This is a complete list of options available in the dos/windows/llmnr/ms11_030_dnsapi auxiliary module:
msf6 auxiliary(dos/windows/llmnr/ms11_030_dnsapi) > show options
Module options (auxiliary/dos/windows/llmnr/ms11_030_dnsapi):
Name    Current Setting  Required  Description
----    ---------------  --------  -----------
RHOSTS  224.0.0.252      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT   5355             yes       The target port (UDP)
Advanced Options
Here is a complete list of advanced options supported by the dos/windows/llmnr/ms11_030_dnsapi auxiliary module:
msf6 auxiliary(dos/windows/llmnr/ms11_030_dnsapi) > show advanced
Module advanced options (auxiliary/dos/windows/llmnr/ms11_030_dnsapi):
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
CHOST                       no        The local client address
CPORT                       no        The local client port
VERBOSE    false            no        Enable detailed status messages
WORKSPACE                   no        Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the dos/windows/llmnr/ms11_030_dnsapi module can do:
msf6 auxiliary(dos/windows/llmnr/ms11_030_dnsapi) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the dos/windows/llmnr/ms11_030_dnsapi auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(dos/windows/llmnr/ms11_030_dnsapi) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Related Pull Requests
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #6812 Merged Pull Request: Resolve #6807, remove all OSVDB references.
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #6648 Merged Pull Request: Change metasploit class names
- #2525 Merged Pull Request: Change module boilerplate
- #1228 Merged Pull Request: MSFTIDY cleanup #1 - auxiliary
- #674 Merged Pull Request: Comply with msftidy
References
- CVE-2011-0657
- OSVDB (71780)
- MS11-030
See Also
Check also the following modules related to this module:
- auxiliary/scanner/llmnr/query
- auxiliary/spoof/llmnr/llmnr_response
- auxiliary/dos/windows/smb/ms11_019_electbowser
- exploit/windows/browser/ms11_003_ie_css_import
- exploit/windows/browser/ms11_050_mshtml_cobjectelement
- exploit/windows/browser/ms11_081_option
- exploit/windows/browser/ms11_093_ole32
- exploit/windows/fileformat/ms11_006_createsizeddibsection
- exploit/windows/fileformat/ms11_021_xlb_bof
- exploit/windows/local/ms11_080_afdjoinleaf
- exploit/windows/nntp/ms05_030_nntp
Authors
jduck
Version
This page has been produced using Metasploit Framework version 6.1.36-dev. For more modules, visit the Metasploit Module Library.