Metasploit mailing list archives
BETA: Samba trans2open Buffer Overflow (Solaris/SPARC)
From: hdm at metasploit.com (H D Moore)
Date: Fri, 21 Jan 2005 03:06:39 -0600
Attached is a *beta* exploit module for the trans2open() overflow affecting Samba versions 2.2.8 and below. If you have a Solaris/SPARC box handy and already run a vulnerable version of Samba (or don't mind installing it), I would appreciate any feedback.

This version will not work on systems configured with non-executable stacks. This is a relatively easy fix, as it just requires fingerprinting the heap address where NetBIOS dialects are stored during negotiation...

The biggest compatibility issue is going to be the stack base address; this address changes a bit between OS versions and the MMU in the hardware. Use a TARGET value of '0' for Solaris 9 systems and a value of '1' for Solaris 7 and 8.

If the exploit fails, please drop me an email (off-list) with the following information:

1) Output of uname -a
2) Version of Samba (between 2.2.0 and 2.2.8 [not 2.2.8a])
3) The stack base address, obtained via the command:

   # pmap $$ | tail -2

Thanks!
-HD

PS. For those new to the Framework, you can install this module by copying it into the ./exploits subdirectory and preserving the original filename.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: samba_trans2open_solsparc.pm
Type: application/x-perl-module
Size: 6869 bytes
Desc: not available
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20050121/d89b1920/attachment.bin>
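A defender-side exposure check for the issue described in the post, added here as an example; it is not part of HD Moore's message or of the attached module. It classifies a Samba version string against the affected range the post names (2.2.0 through 2.2.8, with 2.2.8a being the fixed release) and reads Solaris /etc/system text for the noexec_user_stack tunable, which is the kernel setting behind the "non-executable stack" configuration the post says this module cannot bypass. The /etc/system sample is constructed, and the function names are this example's own.

```python
import re

# Affected range as stated in the post: Samba 2.2.0 through 2.2.8.
# 2.2.8a is the fixed release and is excluded below.
AFFECTED_MIN = (2, 2, 0)
AFFECTED_MAX = (2, 2, 8)


def parse_samba_version(version):
    """Split 'X.Y.Z' or 'X.Y.Za' into ((X, Y, Z), letter_suffix)."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)([a-z]?)\s*", version)
    if not m:
        raise ValueError("unrecognised Samba version string: %r" % (version,))
    nums = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return nums, m.group(4)


def is_affected_samba(version):
    """True if the version falls inside the range the post lists as vulnerable."""
    nums, suffix = parse_samba_version(version)
    if not (AFFECTED_MIN <= nums <= AFFECTED_MAX):
        return False
    # Only 2.2.8 has a lettered fix release (2.2.8a); earlier lettered
    # releases such as 2.2.3a predate the fix and stay in the affected set.
    if nums == AFFECTED_MAX and suffix:
        return False
    return True


def noexec_stack_enabled(etc_system_text):
    """Return True if the given /etc/system contents enable the non-executable
    user stack (Solaris tunable: set noexec_user_stack=1). A '*' starts a
    comment in /etc/system; if the tunable appears more than once, the last
    setting wins, as the kernel applies the file top to bottom."""
    enabled = False
    for raw in etc_system_text.splitlines():
        line = raw.split("*", 1)[0].strip()
        m = re.fullmatch(r"set\s+noexec_user_stack\s*=\s*(\d+)", line)
        if m:
            enabled = m.group(1) != "0"
    return enabled


def assess(samba_version, etc_system_text):
    """Combine both checks into a small triage verdict for one host."""
    affected = is_affected_samba(samba_version)
    nx = noexec_stack_enabled(etc_system_text)
    if not affected:
        action = "not in the affected range for this issue"
    elif nx:
        action = "upgrade Samba; configured noexec stack blocks this stack-based variant"
    else:
        action = "upgrade Samba; user stack is executable"
    return {"samba_affected": affected, "noexec_user_stack": nx, "action": action}


# Constructed sample /etc/system, not taken from any real host.
SAMPLE_ETC_SYSTEM = """\
* /etc/system (constructed sample for this example)
set noexec_user_stack=1
set noexec_user_stack_log=1
"""

if __name__ == "__main__":
    for v in ("2.2.0", "2.2.3a", "2.2.8", "2.2.8a", "3.0.0"):
        print(v, assess(v, SAMPLE_ETC_SYSTEM))
```

The /etc/system check reports what is configured, which only takes effect after a reboot, so a host that was changed recently may still be running with the old value until it restarts.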