Nmap Development mailing list archives

Re: New Samba remote root vuln (CVE-2012-1182) script idea


From: Patrik Karlsson <patrik () cqure net>
Date: Fri, 20 Apr 2012 13:57:24 +0200

On Tue, Apr 17, 2012 at 10:20 PM, Aleksandar Nikolic <nikolic.alek () gmail com> wrote:

Hi all,

I've written a detection script for this vulnerability using the method I described earlier.
I've attached a patch for msrpc.lua to add the GetAliasMembership function used in the exploit.
If you check the source, you'll notice that I didn't do any marshalling, and I'm building the
packet myself. I'm not sure this is the right way to use the library, so any suggestion on
how to improve that part is welcome.

The script itself is very simple and is basically ZDI's PoC rewritten into Lua.
I've tested this on vulnerable Samba on Fedora and fully patched Ubuntu.
I'd welcome any comments on improving this. Also, feel free to change the
name of the script, as I'm not sure what the convention is.

Regards,
Aleksandar



Hi Aleksandar,

I just tested the script against Samba 3.5.8 on Ubuntu 11.10 and the script
fails to detect it as vulnerable.
The error returned by samr_getaliasmembership is "MSRPC call returned a
fault (packet type)".
Updating the server to "2:3.5.11~dfsg-1ubuntu2.2" returns the same message.
Any ideas on what's happening?

//Patrik

-- 
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

