You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
"description": "This exploits a memory corruption vulnerability present in Samba versions\n prior to 3.3.13. When handling chained response packets, Samba fails to validate\n the offset value used when building the next part. By setting this value to a\n number larger than the destination buffer size, an attacker can corrupt memory.\n Additionally, setting this value to a value smaller than 'smb_wct' (0x24) will\n cause the header of the input buffer chunk to be corrupted.\n\n After close inspection, it appears that 3.0.x versions of Samba are not\n exploitable. Since they use an \"InputBuffer\" size of 0x20441, an attacker cannot\n cause memory to be corrupted in an exploitable way. It is possible to corrupt the\n heap header of the \"InputBuffer\", but it didn't seem possible to get the chunk\n to be processed again prior to process exit.\n\n In order to gain code execution, this exploit attempts to overwrite a \"talloc\n chunk\" destructor function pointer.\n\n This particular module is capable of exploiting the flaw on x86 Linux systems\n that do not have the nx memory protection.\n\n NOTE: It is possible to make exploitation attempts indefinitely since Samba forks\n for user sessions in the default configuration.",
89707
+
"description": "This exploits a memory corruption vulnerability present in Samba versions\n prior to 3.3.13. When handling chained response packets, Samba fails to validate\n the offset value used when building the next part. By setting this value to a\n number larger than the destination buffer size, an attacker can corrupt memory.\n Additionally, setting this value to a value smaller than 'smb_wct' (0x24) will\n cause the header of the input buffer chunk to be corrupted.\n\n After close inspection, it appears that 3.0.x versions of Samba are not\n exploitable. Since they use an \"InputBuffer\" size of 0x20441, an attacker cannot\n cause memory to be corrupted in an exploitable way. It is possible to corrupt the\n heap header of the \"InputBuffer\", but it didn't seem possible to get the chunk\n to be processed again prior to process exit.\n\n In order to gain code execution, this exploit attempts to overwrite a \"talloc\n chunk\" destructor function pointer.\n\n This particular module is capable of exploiting the flaw on x86 Linux systems\n that do not have the nx memory protection.\n\n NOTE: It is possible to make exploitation attempts indefinitely since Samba forks\n for user sessions in the default configuration.",
"description": "This module triggers an arbitrary shared library load vulnerability\n in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This module\n requires valid credentials, a writeable folder in an accessible share,\n and knowledge of the server-side path of the writeable folder. In\n some cases, anonymous access combined with common filesystem locations\n can be used to automatically exploit this vulnerability.",
89761
+
"description": "This module triggers an arbitrary shared library load vulnerability\n in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This module\n requires valid credentials, a writeable folder in an accessible share,\n and knowledge of the server-side path of the writeable folder. In\n some cases, anonymous access combined with common filesystem locations\n can be used to automatically exploit this vulnerability.",
"description": "This module triggers a heap overflow in the LSA RPC service\n of the Samba daemon. This module uses the TALLOC chunk overwrite\n method (credit Ramon and Adriano), which only works with Samba\n versions 3.0.21-3.0.24. Additionally, this module will not work\n when the Samba \"log level\" parameter is higher than \"2\".",
89828
+
"description": "This module triggers a heap overflow in the LSA RPC service\n of the Samba daemon. This module uses the TALLOC chunk overwrite\n method (credit Ramon and Adriano), which only works with Samba\n versions 3.0.21-3.0.24. Additionally, this module will not work\n when the Samba \"log level\" parameter is higher than \"2\".",
"description": "This module triggers a vulnerability in the LSA RPC service of the Samba daemon\n because of an error on the PIDL auto-generated code. Making a specially crafted\n call to SetInformationPolicy to set a PolicyAuditEventsInformation allows to\n trigger a heap overflow and finally execute arbitrary code with root privileges.\n\n The module uses brute force to guess the stackpivot/rop chain or the system()\n address and redirect flow there in order to bypass NX. The start and stop addresses\n for brute forcing have been calculated empirically. On the other hand the module\n provides the StartBrute and StopBrute which allow the user to configure his own\n addresses.",
89890
+
"description": "This module triggers a vulnerability in the LSA RPC service of the Samba daemon\n because of an error on the PIDL auto-generated code. Making a specially crafted\n call to SetInformationPolicy to set a PolicyAuditEventsInformation allows to\n trigger a heap overflow and finally execute arbitrary code with root privileges.\n\n The module uses brute force to guess the stackpivot/rop chain or the system()\n address and redirect flow there in order to bypass NX. The start and stop addresses\n for brute forcing have been calculated empirically. On the other hand the module\n provides the StartBrute and StopBrute which allow the user to configure his own\n addresses.",
"description": "This exploits the buffer overflow found in Samba versions\n 2.2.0 to 2.2.8. This particular module is capable of\n exploiting the flaw on x86 Linux systems that do not\n have the noexec stack option set.\n\n NOTE: Some older versions of RedHat do not seem to be vulnerable\n since they apparently do not allow anonymous access to IPC.",
89948
+
"description": "This exploits the buffer overflow found in Samba versions\n 2.2.0 to 2.2.8. This particular module is capable of\n exploiting the flaw on x86 Linux systems that do not\n have the noexec stack option set.\n\n NOTE: Some older versions of RedHat do not seem to be vulnerable\n since they apparently do not allow anonymous access to IPC.",
0 commit comments