Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: New Samba remote root vuln (CVE-2012-1182) script idea
From: Patrik Karlsson <patrik () cqure net>
Date: Fri, 20 Apr 2012 13:57:24 +0200

On Tue, Apr 17, 2012 at 10:20 PM, Aleksandar Nikolic <nikolic.alek () gmail com

Hi all,

I've written a detection script for this vulnerability using the method I
described earlier.
I've attached a patch for msrpc.lua to add GetAliasMembership function used
in the exploit.
If you check the source, you'll notice that I didn't do any marshalling,
and I'm building the
packet myself. I'm not sure this is the right way to use the library, so
any suggestion on
how to improve that part.

The script it self is very simple and if basically ZDI's PoC rewritten into
I've tested this on vulnerable samba on fedora and fully patched ubuntu.
I'd welcome any comments on improving this. Also , feel free to change the
name of the script, as I'm not sure what the convention is.


Hi Aleksandar,

I just tested the script against Samba 3.5.8 on Ubuntu 11.10 and the script
fails to detect it as vulnerable.
The error returned by samr_getaliasmembership is "MSRPC call returned a
fault (packet type)".
Updating the server to  "2:3.5.11~dfsg-1ubuntu2.2" returns the same message.
Any ideas on what's happening?


Patrik Karlsson
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]