fw: [Snort-sigs] Possible rule for samba-2.2.XX exploit

Jacob Hurley jacobh at ...1425...
Fri Apr 11 06:19:06 EDT 2003

I am still a rule-writing newbie but I would like to get better.  I have
looked at the official rule for this but I am not quite sure what that
content: is looking for since it's encoded.  I am not sure if this rule
is for a specific exploit (I heard netric's name mentioned) ... but this
exploit works.

I don't have any packet dumps to copy over right now, but I can tell you
that when I tried it I ran tcpdump and saw that most of the initial
attempts/packets (for brute forcing the ret addr) all had something
similar to "unset HISTFILE" in them.

Or maybe just create some rules to detect some of your standard command
line stuff:


If anyone is interested I will try to get some better testing setup over
here and maybe create a rule or two.


Jacob Hurley
Network Operations Center
Alexander Open Systems
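A detection sketch for the idea above, added here as an example (it is not Jacob's rule and not code from the thread): it flags SMB-bound packets whose payload carries shell-setup strings such as "unset HISTFILE", and separately flags a client that sends several trans2 requests in a row, which is what a return-address brute force against call_trans2open() looks like on the wire. The addresses, the sample traffic and the minimal SMB framing are constructed; the Snort rule in the comment is the content-match half written in Snort 2 syntax.

```python
import re
from collections import Counter, namedtuple

# Snort 2 equivalent of the content signal below (local sid range):
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"SMB request carries unset HISTFILE"; flow:to_server,established; content:"unset HISTFILE"; nocase; sid:1000001; rev:1;)
SMB_PORTS = {139, 445}
SMB_MAGIC = b"\xffSMB"        # SMB1 header magic, after the 4-byte NetBIOS/direct-TCP length field
SMB_COM_TRANSACTION2 = 0x32   # command byte of the trans2 request family (call_trans2open is reached through it)
# Strings a shell-spawning payload needs but a legitimate SMB client never sends.
SHELL_MARKERS = {
    "histfile_unset": re.compile(rb"unset\s+HISTFILE", re.IGNORECASE),
    "shell_path": re.compile(rb"/bin/(?:ba)?sh"),
}
Packet = namedtuple("Packet", "src dst_port payload")   # client address, server port, TCP payload

def smb_command(payload: bytes):
    """Return the SMB1 command byte, or None if the payload is not an SMB1 message."""
    if len(payload) < 9 or payload[4:8] != SMB_MAGIC:
        return None
    return payload[8]

def shell_markers_in(payload: bytes):
    return sorted(name for name, rx in SHELL_MARKERS.items() if rx.search(payload))

def scan(packets, burst_threshold=3):
    """Return (src, reason) alerts: shell strings inside SMB, and trans2 bursts per client."""
    alerts, trans2_per_src = [], Counter()
    for p in packets:
        cmd = smb_command(p.payload) if p.dst_port in SMB_PORTS else None
        if cmd is None:
            continue
        for name in shell_markers_in(p.payload):
            alerts.append((p.src, f"shell string in SMB request: {name}"))
        if cmd == SMB_COM_TRANSACTION2:
            trans2_per_src[p.src] += 1
            if trans2_per_src[p.src] == burst_threshold:   # fire once per client
                alerts.append((p.src, f"{burst_threshold} trans2 requests from one client"))
    return alerts

def smb_packet(cmd: int, body: bytes) -> bytes:
    """Constructed minimal SMB1 message: length field + magic + command byte + body."""
    msg = SMB_MAGIC + bytes([cmd]) + body
    return len(msg).to_bytes(4, "big") + msg

# Constructed sample traffic: three trans2 requests carrying shell strings, then two benign packets.
SAMPLE = [Packet("192.0.2.10", 139, smb_packet(SMB_COM_TRANSACTION2, b"\x00" * 31 + b"unset HISTFILE; /bin/sh"))
          for _ in range(3)]
SAMPLE += [Packet("192.0.2.20", 445, smb_packet(0x25, b"\x00" * 31 + b"\\PIPE\\srvsvc")),  # SMB_COM_TRANSACTION
           Packet("192.0.2.30", 80, b"GET / HTTP/1.0\r\n\r\n")]                             # not SMB at all
```

Running scan(SAMPLE) yields two content alerts per brute-force packet plus one burst alert once the third trans2 request from the same client arrives; the benign SMB transaction and the HTTP packet produce nothing.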

-----Original Message-----
From: noir sin [mailto:noir at ...1448...] 
Sent: Tuesday, April 08, 2003 6:01 AM
To: bugtraq at ...113...
Subject: samba 2.x call_trans2open() exploit

0day is fragile! one day it's your precious, next day it's worthless ...

anyways i put together this SAMBAExploit class in python which might be
interesting for folks since it's reusable in many other stuff ...

python cause; write once a heap, stack or fmt string exploit class and
rest is just to "cp old_exp.py new_exp.py; vi new_exp.py"

exploit bruteforces all possible stack range and dups the already
connected socket for spawning the shell

greets to: Michael Teo for pysmb, lsd-pl for linux/findsck shellcode

- noir

noir at ...1449...:/tmp/samba_exp2 > python samba_exp.py
[*]  brute forcing well known addr range ... [*]
trying; retaddr: 0xbffed404
trying; retaddr: 0xbffed504
trying; retaddr: 0xbffed604
trying; retaddr: 0xbffed704
Linux localhost 2.4.9-e.3 #1 Fri May 3 17:02:43 EDT 2002 i686 unknown
cat /etc/redhat-rel*
Red Hat Linux Advanced Server release 2.1AS (Pensacola)
uid=0(root) gid=0(root) groups=99(nobody)
*** Connection closed by remote host ***

A non-text attachment was scrubbed...
Name: samba_exp2.tar.gz
Type: application/x-gunzip
Size: 15799 bytes
Desc: samba_exp2.tar.gz
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20030411/3c51cd59/attachment.bin>
