Vulnerability & Exploit Database


Samba SetInformationPolicy AuditEventsInfo Heap Overflow

This module triggers a vulnerability in the LSA RPC service of the Samba daemon caused by an error in the PIDL auto-generated marshalling code. A specially crafted SetInformationPolicy call that sets PolicyAuditEventsInformation triggers a heap overflow, which the module turns into arbitrary code execution with root privileges. To bypass NX, the module brute-forces the address of a stack pivot / ROP chain or of system() and redirects control flow there. The default start and stop addresses for the brute force were calculated empirically; the StartBrute and StopBrute options let the user configure a custom range instead.
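The description above names the root cause only as "an error in the PIDL auto-generated code" that lets a crafted PolicyAuditEventsInformation payload overflow the heap. The following C program is an added illustration, not Samba's or the module's own code: it models the unmarshalling pattern that produces such an overflow, a struct whose array is allocated from a size field on the wire but filled in a loop bounded by a separate count field, with the size/count consistency check running only after the loop. The struct and field names, the exact shape of the generated pull function and the crafted packet bytes are all assumptions for illustration; the toy heap is a pre-filled arena so the overflow can be measured without corrupting the real process heap. The brute-force stage of the exploit is not modelled.

```c
/* Added model of the NDR pull pattern behind the overflow; NOT Samba code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ARENA_BYTES 4096
#define CANARY 0xA5

/* Toy heap: bump allocator over one arena pre-filled with a canary byte, so
 * writes past an allocation can be counted afterwards instead of crashing. */
struct model_heap { uint8_t mem[ARENA_BYTES]; size_t used; };

static void heap_init(struct model_heap *h) { memset(h->mem, CANARY, sizeof h->mem); h->used = 0; }

static void *heap_alloc(struct model_heap *h, size_t n) {
    if (n > ARENA_BYTES - h->used) return NULL;
    void *p = h->mem + h->used;
    h->used += n;
    return p;
}

/* Number of bytes beyond the last allocation that no longer hold the canary. */
static size_t heap_clobbered(const struct model_heap *h) {
    size_t n = 0;
    for (size_t i = h->used; i < ARENA_BYTES; i++) if (h->mem[i] != CANARY) n++;
    return n;
}

/* Minimal NDR pull context over a wire buffer. */
struct ndr_pull { const uint8_t *data; size_t len; size_t off; };

static int pull_u32(struct ndr_pull *ndr, uint32_t *v) {
    if (ndr->len - ndr->off < 4) return -1;            /* wire exhausted */
    *v = (uint32_t)ndr->data[ndr->off] | (uint32_t)ndr->data[ndr->off + 1] << 8
       | (uint32_t)ndr->data[ndr->off + 2] << 16 | (uint32_t)ndr->data[ndr->off + 3] << 24;
    ndr->off += 4;                                     /* NDR integers are little-endian */
    return 0;
}

/* Assumed model of the audit-events payload: a count plus a conformant array. */
struct audit_events_info { uint32_t count; uint32_t *settings; };

/* Vulnerable shape: allocate from the conformant size on the wire, fill in a
 * loop bounded by count, and only compare the two after the loop. */
static int pull_audit_events_vulnerable(struct ndr_pull *ndr, struct model_heap *heap,
                                        struct audit_events_info *r) {
    uint32_t array_size;
    if (pull_u32(ndr, &r->count) || pull_u32(ndr, &array_size)) return -1;
    r->settings = heap_alloc(heap, (size_t)array_size * sizeof(uint32_t));
    if (!r->settings) return -1;
    for (uint32_t i = 0; i < r->count; i++)             /* BUG: bounded by count, not size */
        if (pull_u32(ndr, &r->settings[i])) return -1;  /* writes run past the allocation */
    if (array_size != r->count) return -2;             /* check arrives after the damage */
    return 0;
}

/* Hardened shape: reject a size/count mismatch before allocating or writing
 * anything, and bound the copy loop by the allocated size. */
static int pull_audit_events_fixed(struct ndr_pull *ndr, struct model_heap *heap,
                                   struct audit_events_info *r) {
    uint32_t array_size;
    if (pull_u32(ndr, &r->count) || pull_u32(ndr, &array_size)) return -1;
    if (array_size != r->count) return -2;             /* validated before touching the heap */
    r->settings = heap_alloc(heap, (size_t)array_size * sizeof(uint32_t));
    if (!r->settings) return -1;
    for (uint32_t i = 0; i < array_size; i++)
        if (pull_u32(ndr, &r->settings[i])) return -1;
    return 0;
}

/* Constructed packet for the demo (not a real capture): count = 8 but a
 * conformant size of 2, followed by eight 0x41414141 elements. */
static const uint8_t crafted_wire[] = {
    0x08, 0x00, 0x00, 0x00,                    /* count = 8 */
    0x02, 0x00, 0x00, 0x00,                    /* array size = 2 -> 8-byte allocation */
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
};

typedef int (*pull_fn)(struct ndr_pull *, struct model_heap *, struct audit_events_info *);

/* Parse the crafted packet with one parser; report its status and how many
 * canary bytes past the allocation were overwritten. */
static int run_parser(pull_fn fn, size_t *clobbered) {
    struct model_heap heap;
    struct ndr_pull ndr = { crafted_wire, sizeof crafted_wire, 0 };
    struct audit_events_info info = { 0, NULL };
    heap_init(&heap);
    int rc = fn(&ndr, &heap, &info);
    *clobbered = heap_clobbered(&heap);
    return rc;
}

static int demo_vulnerable(size_t *clobbered) { return run_parser(pull_audit_events_vulnerable, clobbered); }
static int demo_fixed(size_t *clobbered) { return run_parser(pull_audit_events_fixed, clobbered); }

int main(void) {
    size_t v, f;
    int rv = demo_vulnerable(&v), rf = demo_fixed(&f);
    printf("vulnerable: rc=%d, %zu bytes past the allocation overwritten\n", rv, v);
    printf("fixed:      rc=%d, %zu bytes past the allocation overwritten\n", rf, f);
    return 0;
}
```

Both parsers end up rejecting the packet with the same error code, which is the point: in the vulnerable shape the rejection comes only after six out-of-bounds elements (24 bytes) have already been written past an 8-byte allocation, which on a real heap corrupts adjacent chunk metadata or objects and gives the attacker the control-flow hijack the module then spends its brute force on. The fix is cheap: compare the wire size with the count before the allocation, and never let a loop bound come from a field other than the one that sized the buffer.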

Module Name

exploit/linux/samba/setinfopolicy_heap

Authors

  • Unknown
  • blasty
  • mephos
  • sinn3r <sinn3r [at] metasploit.com>
  • juan vazquez <juan.vazquez [at] metasploit.com>

References

Targets

  • 2:3.5.11~dfsg-1ubuntu2 on Ubuntu Server 11.10
  • 2:3.5.8~dfsg-1ubuntu2 on Ubuntu Server 11.10
  • 2:3.5.8~dfsg-1ubuntu2 on Ubuntu Server 11.04
  • 2:3.5.4~dfsg-1ubuntu8 on Ubuntu Server 10.10
  • 2:3.5.6~dfsg-3squeeze6 on Debian Squeeze
  • 3.5.10-0.107.el5 on CentOS 5

Platforms

  • linux
  • unix

Architectures

  • x86

Reliability

Development

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

    msf > use exploit/linux/samba/setinfopolicy_heap
    msf exploit(setinfopolicy_heap) > show targets
        ...targets...
    msf exploit(setinfopolicy_heap) > set TARGET <target-id>
    msf exploit(setinfopolicy_heap) > show options
        ...show and set options...
    msf exploit(setinfopolicy_heap) > exploit

Related Vulnerabilities