Metasploit mailing list archives

BETA: Samba trans2open Buffer Overflow (Solaris/SPARC)


From: hdm at metasploit.com (H D Moore)
Date: Fri, 21 Jan 2005 03:06:39 -0600

Attached is a *beta* exploit module for the trans2open() overflow affecting 
Samba versions 2.2.8 and below. If you have a Solaris/SPARC box handy and 
already run a vulnerable version of Samba (or don't mind installing it), 
I would appreciate any feedback. This version will not work on systems 
configured with non-executable stacks. This is a relatively easy fix, as 
it just requires fingerprinting the heap address where NetBIOS dialects 
are stored during negotiation...

The biggest compatibility issue is going to be the stack base address; 
this address changes a bit between OS versions and the MMU in the 
hardware. Use a TARGET value of '0' for Solaris 9 systems and a value of 
'1' for Solaris 7 and 8. If the exploit fails, please drop me an email 
(off-list) with the following information:

1) Output of uname -a
2) Version of Samba (between 2.2.0 and 2.2.8 [not 2.2.8a])
3) The stack base address, obtained via the command:
# pmap $$ | tail -2

Thanks!

-HD

PS. For those new to the Framework, you can install this module by copying 
it into the ./exploits subdirectory and preserving the original filename.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: samba_trans2open_solsparc.pm
Type: application/x-perl-module
Size: 6869 bytes
Desc: not available
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20050121/d89b1920/attachment.bin>
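The bug class the post's module exploits, as an added, constructed illustration that is not Samba's source and not the attached module: a request-controlled name copied into a fixed 1024-byte stack buffer, with the saved return address simulated as the slot immediately after that buffer, shown beside the bounded copy that rejects oversize names. The frame layout, the 32-bit return slot, the pstring-sized buffer and the values ORIGINAL_RET and FAKE_RET are assumptions made for the example; SPARC's real register-window save area and the Samba 2.2.x trans2 parameter format are not reproduced.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PSTRING_LEN 1024                    /* fixed path buffer, pstring-sized (assumption) */
#define FRAME_LEN   (PSTRING_LEN + 4)       /* buffer plus a 32-bit saved-return slot (assumption) */

#define ORIGINAL_RET 0x00401000u            /* constructed "legitimate" return address */
#define FAKE_RET     0x42424242u            /* attacker-chosen value carried in the overflow tail */

/* Constructed stand-in for a stack frame: the path buffer is followed
   immediately by the slot that holds the saved return address. One flat
   byte array keeps the simulated overflow inside a single object, so the
   program itself never performs an out-of-bounds write. */
typedef struct {
    unsigned char raw[FRAME_LEN];
} frame_t;

static uint32_t frame_ret(const frame_t *f)
{
    uint32_t r;
    memcpy(&r, f->raw + PSTRING_LEN, sizeof r);
    return r;
}

/* Vulnerable pattern: the length comes from the request and is never
   checked against the buffer, so a long name runs into the return slot. */
static int copy_name_vulnerable(frame_t *f, const unsigned char *name, size_t name_len)
{
    memcpy(f->raw, name, name_len);         /* no bound against PSTRING_LEN */
    return 0;
}

/* Hardened pattern: refuse any name that does not fit together with its NUL. */
static int copy_name_hardened(frame_t *f, const unsigned char *name, size_t name_len)
{
    if (name_len >= PSTRING_LEN)
        return -1;
    memcpy(f->raw, name, name_len);
    f->raw[name_len] = '\0';
    return 0;
}

/* Put ORIGINAL_RET in the return slot, build a request name of name_len
   bytes of 'A' whose last four bytes are FAKE_RET, run one of the two copy
   routines, and report what the return slot holds afterwards. */
uint32_t saved_ret_after_copy(size_t name_len, int hardened)
{
    frame_t f;
    unsigned char name[FRAME_LEN];
    uint32_t orig = ORIGINAL_RET, fake = FAKE_RET;

    memset(f.raw, 0, sizeof f.raw);
    memcpy(f.raw + PSTRING_LEN, &orig, sizeof orig);

    if (name_len > sizeof name)             /* keep the simulation inside its own buffer */
        name_len = sizeof name;
    memset(name, 'A', name_len);
    if (name_len >= sizeof fake)
        memcpy(name + name_len - sizeof fake, &fake, sizeof fake);

    if (hardened)
        copy_name_hardened(&f, name, name_len);
    else
        copy_name_vulnerable(&f, name, name_len);
    return frame_ret(&f);
}

/* 1 if the hardened copy accepts a name of this length, 0 if it rejects it. */
int hardened_accepts(size_t name_len)
{
    frame_t f;
    unsigned char name[FRAME_LEN];
    if (name_len > sizeof name)
        name_len = sizeof name;
    memset(name, 'A', name_len);
    return copy_name_hardened(&f, name, name_len) == 0;
}

int main(void)
{
    printf("vulnerable, %d-byte name: return slot = 0x%08x\n", FRAME_LEN,
           saved_ret_after_copy(FRAME_LEN, 0));
    printf("hardened,   %d-byte name: return slot = 0x%08x (copy %s)\n", FRAME_LEN,
           saved_ret_after_copy(FRAME_LEN, 1),
           hardened_accepts(FRAME_LEN) ? "accepted" : "rejected");
    printf("vulnerable, 64-byte name:   return slot = 0x%08x\n",
           saved_ret_after_copy(64, 0));
    return 0;
}
```

In the simulation the overflow tail is an arbitrary constant; in a real stack-smash it has to be an address that lands back in attacker-controlled stack data, which is why the post cares about the stack base address, keys the TARGET value to the Solaris release, and asks testers for the `pmap $$ | tail -2` output. The same dependence is what a non-executable stack breaks, and why the post points at a heap location (the negotiated NetBIOS dialects) as the alternative return target.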
