
Commit 0520d7c

committed
First crack at Samba CVE-2017-7494
1 parent e4ea618 commit 0520d7c

6 files changed

+505
-4
lines changed

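--- /dev/null
+++ b/elf_dll_armle_template.s
@@ -0,0 +1,92 @@
+; build with:
+; nasm elf_dll_armle_template.s -f bin -o template_armle_linux_dll.bin
+
+BITS 32
+org 0
+ehdr:
+db 0x7f, "ELF", 1, 1, 1, 0 ; e_ident
+db 0, 0, 0, 0, 0, 0, 0, 0
+dw 3 ; e_type = ET_DYN
+dw 40 ; e_machine = EM_ARMLE
+dd 1 ; e_version = EV_CURRENT
+dd _start ; e_entry = _start
+dd phdr - $$ ; e_phoff
+dd shdr - $$ ; e_shoff
+dd 0 ; e_flags
+dw ehdrsize ; e_ehsize
+dw phdrsize ; e_phentsize
+dw 2 ; e_phnum
+dw shentsize ; e_shentsize
+dw 2 ; e_shnum
+dw 1 ; e_shstrndx
+ehdrsize equ $ - ehdr
+
+phdr:
+dd 1 ; p_type = PT_LOAD
+dd 0 ; p_offset
+dd $$ ; p_vaddr
+dd $$ ; p_paddr
+dd 0xDEADBEEF ; p_filesz
+dd 0xDEADBEEF ; p_memsz
+dd 7 ; p_flags = rwx
+dd 0x1000 ; p_align
+
+phdrsize equ $ - phdr
+dd 2 ; p_type = PT_DYNAMIC
+dd 7 ; p_flags = rwx
+dd dynsection ; p_offset
+dd dynsection ; p_vaddr
+dd dynsection ; p_vaddr
+dd dynsz ; p_filesz
+dd dynsz ; p_memsz
+dd 0x1000 ; p_align
+
+shdr:
+dd 1 ; sh_name
+dd 6 ; sh_type = SHT_DYNAMIC
+dd 0 ; sh_flags
+dd dynsection ; sh_addr
+dd dynsection ; sh_offset
+dd dynsz ; sh_size
+dd 0 ; sh_link
+dd 0 ; sh_info
+dd 8 ; sh_addralign
+dd 7 ; sh_entsize
+shentsize equ $ - shdr
+dd 0 ; sh_name
+dd 3 ; sh_type = SHT_STRTAB
+dd 0 ; sh_flags
+dd strtab ; sh_addr
+dd strtab ; sh_offset
+dd strtabsz ; sh_size
+dd 0 ; sh_link
+dd 0 ; sh_info
+dd 0 ; sh_addralign
+dd 0 ; sh_entsize
+dynsection:
+; DT_INIT
+dd 0x0c
+dd _start
+; DT_STRTAB
+dd 0x05
+dd strtab
+; DT_SYMTAB
+dd 0x06
+dd strtab
+; DT_STRSZ
+dd 0x0a
+dd 0
+; DT_SYMENT
+dd 0x0b
+dd 0
+; DT_NULL
+dd 0x00
+dd 0
+dynsz equ $ - dynsection
+
+strtab:
+db 0
+db 0
+strtabsz equ $ - strtab
+global _start
+_start: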
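Review bot: The PT_DYNAMIC program header emitted after `phdrsize equ $ - phdr` does not follow the Elf32_Phdr field order that the PT_LOAD header directly above it uses (p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align): `dd 7 ; p_flags = rwx` occupies the p_offset slot, the third `dd dynsection` lands in p_filesz, and p_flags ends up holding `dynsz`. The layout looks carried over from a 64-bit header, where p_flags is the second field; p_vaddr happens to stay in the correct third slot, which is probably why the object still loads, but p_offset and p_filesz are garbage and anything that reads them (readelf, a stricter loader) will likely misreport the segment. The same block appears in the x86 template in the next file section, and in both the comment on the third `dd dynsection` line should read `; p_paddr` instead of repeating `; p_vaddr`; the `dd 7 ; sh_entsize` on the SHT_DYNAMIC section header also does not match the 8-byte Elf32_Dyn entry, though section headers are not consulted at load time.
```nasm
phdrsize equ $ - phdr
dd 2 ; p_type = PT_DYNAMIC
dd dynsection ; p_offset
dd dynsection ; p_vaddr
dd dynsection ; p_paddr
dd dynsz ; p_filesz
dd dynsz ; p_memsz
dd 7 ; p_flags = rwx
dd 0x1000 ; p_align
; … unchanged: section headers, dynsection, strtab …
```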
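--- /dev/null
+++ b/elf_dll_x86_template.s
@@ -0,0 +1,92 @@
+; build with:
+; nasm elf_dll_x86_template.s -f bin -o template_x86_linux_dll.bin
+
+BITS 32
+org 0
+ehdr:
+db 0x7f, "ELF", 1, 1, 1, 0 ; e_ident
+db 0, 0, 0, 0, 0, 0, 0, 0
+dw 3 ; e_type = ET_DYN
+dw 3 ; e_machine = EM_386
+dd 1 ; e_version = EV_CURRENT
+dd _start ; e_entry = _start
+dd phdr - $$ ; e_phoff
+dd shdr - $$ ; e_shoff
+dd 0 ; e_flags
+dw ehdrsize ; e_ehsize
+dw phdrsize ; e_phentsize
+dw 2 ; e_phnum
+dw shentsize ; e_shentsize
+dw 2 ; e_shnum
+dw 1 ; e_shstrndx
+ehdrsize equ $ - ehdr
+
+phdr:
+dd 1 ; p_type = PT_LOAD
+dd 0 ; p_offset
+dd $$ ; p_vaddr
+dd $$ ; p_paddr
+dd 0xDEADBEEF ; p_filesz
+dd 0xDEADBEEF ; p_memsz
+dd 7 ; p_flags = rwx
+dd 0x1000 ; p_align
+
+phdrsize equ $ - phdr
+dd 2 ; p_type = PT_DYNAMIC
+dd 7 ; p_flags = rwx
+dd dynsection ; p_offset
+dd dynsection ; p_vaddr
+dd dynsection ; p_vaddr
+dd dynsz ; p_filesz
+dd dynsz ; p_memsz
+dd 0x1000 ; p_align
+
+shdr:
+dd 1 ; sh_name
+dd 6 ; sh_type = SHT_DYNAMIC
+dd 0 ; sh_flags
+dd dynsection ; sh_addr
+dd dynsection ; sh_offset
+dd dynsz ; sh_size
+dd 0 ; sh_link
+dd 0 ; sh_info
+dd 8 ; sh_addralign
+dd 7 ; sh_entsize
+shentsize equ $ - shdr
+dd 0 ; sh_name
+dd 3 ; sh_type = SHT_STRTAB
+dd 0 ; sh_flags
+dd strtab ; sh_addr
+dd strtab ; sh_offset
+dd strtabsz ; sh_size
+dd 0 ; sh_link
+dd 0 ; sh_info
+dd 0 ; sh_addralign
+dd 0 ; sh_entsize
+dynsection:
+; DT_INIT
+dd 0x0c
+dd _start
+; DT_STRTAB
+dd 0x05
+dd strtab
+; DT_SYMTAB
+dd 0x06
+dd strtab
+; DT_STRSZ
+dd 0x0a
+dd 0
+; DT_SYMENT
+dd 0x0b
+dd 0
+; DT_NULL
+dd 0x00
+dd 0
+dynsz equ $ - dynsection
+
+strtab:
+db 0
+db 0
+strtabsz equ $ - strtab
+global _start
+_start: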

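--- a/lib/msf/util/exe.rb
+++ b/lib/msf/util/exe.rb
@@ -1049,7 +1049,18 @@ def self.to_linux_x64_elf(framework, code, opts = {})
 to_exe_elf(framework, opts, "template_x64_linux.bin", code)
 end
 
-# Create a 64-bit Linux ELF_DYN containing the payload provided in +code+
+# Create a 32-bit x86 Linux ELF_DYN containing the payload provided in +code+
+#
+# @param framework [Msf::Framework]
+# @param code [String]
+# @param opts [Hash]
+# @option [String] :template
+# @return [String] Returns an elf
+def self.to_linux_x86_elf_dll(framework, code, opts = {})
+to_exe_elf(framework, opts, "template_x86_linux_dll.bin", code)
+end
+
+# Create a 64-bit x86_64 Linux ELF_DYN containing the payload provided in +code+
 #
 # @param framework [Msf::Framework]
 # @param code [String]
@@ -1060,7 +1071,7 @@ def self.to_linux_x64_elf_dll(framework, code, opts = {})
 to_exe_elf(framework, opts, "template_x64_linux_dll.bin", code)
 end
 
-# self.to_linux_mipsle_elf
+# Create a 32-bit ARMLE Linux ELF containing the payload provided in +code+
 #
 # @param framework [Msf::Framework]
 # @param code [String]
@@ -1071,7 +1082,18 @@ def self.to_linux_armle_elf(framework, code, opts = {})
 to_exe_elf(framework, opts, "template_armle_linux.bin", code)
 end
 
-# self.to_linux_mipsle_elf
+# Create a 32-bit ARMLE Linux ELF_DYN containing the payload provided in +code+
+#
+# @param framework [Msf::Framework]
+# @param code [String]
+# @param opts [Hash]
+# @option [String] :template
+# @return [String] Returns an elf
+def self.to_linux_armle_elf_dll(framework, code, opts = {})
+to_exe_elf(framework, opts, "template_armle_linux_dll.bin", code)
+end
+
+# Create a 32-bit MIPSLE Linux ELF containing the payload provided in +code+
 # Little Endian
 # @param framework [Msf::Framework]
 # @param code [String]
@@ -1082,7 +1104,7 @@ def self.to_linux_mipsle_elf(framework, code, opts = {})
 to_exe_elf(framework, opts, "template_mipsle_linux.bin", code)
 end
 
-# self.to_linux_mipsbe_elf
+# Create a 32-bit MIPSBE Linux ELF containing the payload provided in +code+
 # Big Endian
 # @param framework [Msf::Framework]
 # @param code [String]
@@ -2117,8 +2139,12 @@ def self.to_executable_fmt(framework, arch, plat, code, fmt, exeopts)
 end
 if !plat || plat.index(Msf::Module::Platform::Linux)
 case arch
+when ARCH_X86
+to_linux_x86_elf_dll(framework, code, exeopts)
 when ARCH_X64
 to_linux_x64_elf_dll(framework, code, exeopts)
+when ARCH_ARMLE
+to_linux_armle_elf_dll(framework, code, exeopts)
 end
 end
 when 'macho', 'osx-app'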
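Review bot: The `case arch` in the Linux branch of `to_executable_fmt` still has no `else`, so a Linux target whose arch has an ELF builder but no ELF_DYN counterpart (MIPSLE and MIPSBE have `to_linux_*_elf` methods in this same file section, but no `_elf_dll` ones) falls out of the `case` with nil and no message. `to_executable_fmt` starts and ends outside this hunk, so whether the enclosing `case fmt` already reports a nil result cannot be confirmed here; if it does not, an explicit `else raise ArgumentError, "no ELF_DYN template for #{arch}"` (or at least a comment stating that nil means unsupported) would make the gap visible to callers. Separately, the new YARD tags `# @option [String] :template` in the `to_linux_x86_elf_dll` and `to_linux_armle_elf_dll` headers omit the hash parameter name; YARD expects `# @option opts [String] :template` to attach the option to `opts`.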
