Metasploit mailing list archives

linux/samba/lsa_transnames_heap: "Error: EOFError: end of file reached"


From: hal at deer-run.com (Hal Pomeranz)
Date: Sat, 5 Apr 2008 18:49:36 -0700

Thanks for the response, HD.  I wish I had better news for you...

> At first glance, I would guess that your log-level in the smbd.conf is set 
> to a non-default value (this causes the exploit to fail because it 
> changes the layout of overwritten structures).

I'm using the stock smb.conf file and "log level" is not explicitly set
(nor am I setting it on the command line).  During previous attempts
I actually did try setting "log level" to values < 2 (per the exploit
info) -- no change to the result.  I've definitely killed/restarted the
server since reverting to the original smb.conf.

> In order to determine what caused the EOF error, run the following:
> 
> msf> setg LogLevel 5
> msf> save
> msf> use exploit/.../
> msf> exploit
> 
> Take a look at .msf3/logs/framework.log (at the end) and see if there is 
> any obvious stack trace (or send me a copy off-list).

I'm getting nothing in framework.log when the exploit runs.  Btw, here's
the tail of my latest run, showing the output of "set":

[*] Trying to exploit Samba with address 0xb80c3000...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0 at ncacn_np:10.66.254.244[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0 at ncacn_np:10.66.254.244[\lsarpc] ...
[*] Calling the vulnerable function...
[-] Error: EOFError: end of file reached
msf exploit(lsa_transnames_heap) > set

Global
======

  Name      Value
  ----      -----
  LogLevel  5

Module: linux/samba/lsa_transnames_heap
=======================================

  Name                             Value
  ----                             -----
  AppendExit                       false
  BruteStep                        0
  BruteWait                        0
  ConnectTimeout                   10
  DCERPC::ReadTimeout              0
  DCERPC::fake_bind_multi          false
  DCERPC::fake_bind_multi_append   0
  DCERPC::fake_bind_multi_prepend  0
  DCERPC::max_frag_size            4096
  DCERPC::smb_pipeio               rw
  EnableContextEncoding            false
  EncoderDontFallThrough           false
  LPORT                            4444
  PAYLOAD                          linux/x86/shell_bind_tcp
  PrependSetresuid                 true
  PrependSetreuid                  true
  PrependSetuid                    true
  RHOST                            10.66.254.244
  RPORT                            445
  SMB::obscure_trans_pipe_level    0
  SMB::pad_data_level              0
  SMB::pad_file_level              0
  SMB::pipe_evasion                false
  SMB::pipe_read_max_size          1024
  SMB::pipe_read_min_size          1
  SMB::pipe_write_max_size         1024
  SMB::pipe_write_min_size         1
  SMBDirect                        true
  SMBDomain                        WORKGROUP
  SMBName                          *SMBSERVER
  SMBPIPE                          LSARPC
  SMBPass                          
  SMBUser                          
  SSL                              false
  TARGET                           4
  TCP::max_send_size               0
  TCP::send_delay                  0
  WfsDelay                         0

I'm open to further suggestions...

-- 
Hal Pomeranz, Founder/CEO      Deer Run Associates      hal at deer-run.com
    Network Connectivity and Security, Systems Management, Training
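The "EOFError: end of file reached" in the run above is raised by Ruby's socket read inside the framework, and Ruby raises it only when the remote side has closed the connection. Coming right after "Calling the vulnerable function...", it therefore means smbd dropped the pipe, which is a different failure from a request that simply never gets an answer. The block below is an added example, not code from this message or from Metasploit: it stands up a local TCP server that plays the role of the DCERPC endpoint and reproduces the three outcomes a call can have (a reply, the peer closing, no answer within the timeout) so the error classes can be told apart. The server, the request bytes and the timeouts are constructed for the demonstration.

```ruby
require 'socket'
require 'timeout'

# Read up to +max+ bytes from +io+, waiting at most +secs+ seconds.
# Returns [:data, bytes], [:timeout, nil], [:eof, nil] or [:reset, nil]
# instead of raising, so a caller can tell a silent server from a dead one.
def classify_read(io, max = 4096, secs = 1.0)
  ready = IO.select([io], nil, nil, secs)
  return [:timeout, nil] if ready.nil?   # nothing arrived: peer still alive, just quiet
  [:data, io.readpartial(max)]
rescue EOFError
  # "end of file reached": the peer closed its side cleanly (FIN). Nothing
  # more will ever arrive on this socket.
  [:eof, nil]
rescue Errno::ECONNRESET
  # A process that dies with unread data in its receive buffer makes the
  # kernel send RST rather than FIN; Ruby surfaces that as ECONNRESET.
  [:reset, nil]
end

# Stand-in for a DCERPC server behind a named pipe (constructed; local TCP
# only, no real SMB). The block decides what the "server" does after it has
# consumed the client's request.
def simulate_server(&behaviour)
  srv  = TCPServer.new('127.0.0.1', 0)   # port 0: let the OS pick a free port
  port = srv.addr[1]
  server_thread = Thread.new do
    conn = srv.accept
    conn.read(8)            # drain the 8-byte "request" so close() sends FIN, not RST
    behaviour.call(conn)
    conn.close
  end
  client = TCPSocket.new('127.0.0.1', port)
  client.write('REQUEST!')  # 8 bytes, matching the server's read above
  result = classify_read(client, 4096, 1.0)
  client.close
  server_thread.join
  srv.close
  result
end

# Case 1: the call succeeds and the server answers.
def healthy_server
  simulate_server { |conn| conn.write('REPLY') }
end

# Case 2: the server closes the connection without answering, which is what
# the client sees when the service drops the pipe after the request.
def crashed_server
  simulate_server { |_conn| }   # falls straight through to conn.close
end

# Case 3: the server stays up but never answers inside the read timeout.
def silent_server
  simulate_server { |_conn| sleep 1.5 }
end

if __FILE__ == $PROGRAM_NAME
  puts "healthy: #{healthy_server.inspect}"
  puts "crashed: #{crashed_server.inspect}"
  puts "silent:  #{silent_server.inspect}"
end
```

When triaging a run like the one above, the distinction matters: a :timeout points at the request never being processed (wrong pipe, filtered port, service hung), whereas :eof or :reset says the peer actively went away after taking the request, so the next place to look is the server side, for example whether the smbd child that handled the connection is still alive and what it logged at that moment.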
