module
Samba SetInformationPolicy AuditEventsInfo Heap Overflow
| Disclosed | Created |
|---|---|
| 2012-04-10 | 2018-05-30 |
Disclosed
2012-04-10
Created
2018-05-30
Description
This module triggers a vulnerability in the LSA RPC service of the Samba daemon
because of an error on the PIDL auto-generated code. Making a specially crafted
call to SetInformationPolicy to set a PolicyAuditEventsInformation allows to
trigger a heap overflow and finally execute arbitrary code with root privileges.
The module uses brute force to guess the stackpivot/rop chain or the system()
address and redirect flow there in order to bypass NX. The start and stop addresses
for brute forcing have been calculated empirically. On the other hand the module
provides the StartBrute and StopBrute which allow the user to configure his own
addresses.
because of an error on the PIDL auto-generated code. Making a specially crafted
call to SetInformationPolicy to set a PolicyAuditEventsInformation allows to
trigger a heap overflow and finally execute arbitrary code with root privileges.
The module uses brute force to guess the stackpivot/rop chain or the system()
address and redirect flow there in order to bypass NX. The start and stop addresses
for brute forcing have been calculated empirically. On the other hand the module
provides the StartBrute and StopBrute which allow the user to configure his own
addresses.
Authors
Unknown
blasty
mephos
sinn3r sinn3r@metasploit.com
juan vazquez juan.vazquez@metasploit.com
blasty
mephos
sinn3r sinn3r@metasploit.com
juan vazquez juan.vazquez@metasploit.com
Platform
Linux,Unix
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.