Nmap Development mailing list archives

Re: New Samba remote root vuln (CVE-2012-1182) script idea
From: Aleksandar Nikolic <nikolic.alek () gmail com>
Date: Fri, 20 Apr 2012 14:04:41 +0200


Could you check the logs and see if the script actually crashed the machine?
The log should be called log.nmap, and it should mention an invalid free and a crash
as opposed to a simple error.

I'll set up a test and check myself.


On Fri, Apr 20, 2012 at 1:57 PM, Patrik Karlsson <patrik () cqure net> wrote:

On Tue, Apr 17, 2012 at 10:20 PM, Aleksandar Nikolic <
nikolic.alek () gmail com> wrote:

Hi all,

I've written a detection script for this vulnerability using the method I
described earlier.
I've attached a patch for msrpc.lua to add the GetAliasMembership function
used in the exploit.
If you check the source, you'll notice that I didn't do any marshalling,
and I'm building the packet myself. I'm not sure this is the right way to
use the library, so any suggestions on how to improve that part are welcome.

The script itself is very simple and is basically ZDI's PoC rewritten.
I've tested this on vulnerable Samba on Fedora and fully patched Ubuntu.
I'd welcome any comments on improving this. Also, feel free to change the
name of the script, as I'm not sure what the convention is.


Hi Aleksandar,

I just tested the script against Samba 3.5.8 on Ubuntu 11.10 and the
script fails to detect it as vulnerable.
The error returned by samr_getaliasmembership is "MSRPC call returned a
fault (packet type)".
Updating the server to "2:3.5.11~dfsg-1ubuntu2.2" returns the same.
Any ideas on what's happening?


Patrik Karlsson

Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/
