Re: New Samba remote root vuln (CVE-2012-1182) script idea

[Aleksandar Nikolic <nikolic.alek () gmail com>]

Hi,


could you check the logs and see if the script actually crashed the machine?
Log should be called log.nmap , and should mention invalid free and crash
as opposed to simple error.

I'll set up a test and check myself.

Regards,
Aleksandar

On Fri, Apr 20, 2012 at 1:57 PM, Patrik Karlsson <patrik () cqure net> wrote:

> On Tue, Apr 17, 2012 at 10:20 PM, Aleksandar Nikolic <
> nikolic.alek () gmail com> wrote:
>
> > Hi all,
> >
> > I've written a detection script for this vulnerability using the method I
> > described earlier.
> > I've attached a patch for msrpc.lua to add GetAliasMembership function
> > used
> > in the exploit.
> > If you check the source, you'll notice that I didn't do any marshalling,
> > and I'm building the
> > packet myself. I'm not sure this is the right way to use the library, so
> > any suggestion on
> > how to improve that part.
> >
> > The script it self is very simple and if basically ZDI's PoC rewritten
> > into
> > Lua.
> > I've tested this on vulnerable samba on fedora and fully patched ubuntu.
> > I'd welcome any comments on improving this. Also , feel free to change the
> > name of the script, as I'm not sure what the convention is.
> >
> > Regards,
> > Aleksandar
> Hi Aleksandar,
>
> I just tested the script against Samba 3.5.8 on Ubuntu 11.10 and the
> script fails to detect it as vulnerable.
> The error returned by samr_getaliasmembership is "MSRPC call returned a
> fault (packet type)".
> Updating the server to  "2:3.5.11~dfsg-1ubuntu2.2" returns the same
> message.
> Any ideas on what's happening?
>
> //Patrik
>
> --
> Patrik Karlsson
> http://www.cqure.net
> http://twitter.com/nevdull77
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/