Metasploit mailing list archives

linux/samba/lsa_transnames_heap: "Error: EOFError: end of file reached"


From: hal at deer-run.com (Hal Pomeranz)
Date: Sat, 5 Apr 2008 17:59:09 -0700

I have no doubt that this is going to be some sort of ID10T error on
my part, but I've been pounding my head on this all day and need to
recruit some alternate brain cells...

I'm trying to set up a demo of the Samba LSA RPC heap overflow (the
one the RISE guys used to root the EeePC):

-- target is unpatched Samba 3.0.24 (built from source) on CentOS 5.1
running inside of VMware Server 1.0.5

-- attack is originating from another CentOS 5.1 machine (different
physical hardware, not virtualized), running Framework 3.1

-- exploits/linux/samba/lsa_transnames_heap, TARGET is 4 (Linux Heap
Brute Force (RHEL/CentOS)), PAYLOAD is linux/x86/shell_bind_tcp

Running the exploit from msfconsole generates a series of:

[*] Trying to exploit Samba with address 0xb800f000...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0 at ncacn_np:10.66.254.244[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0 at ncacn_np:10.66.254.244[\lsarpc] ...
[*] Calling the vulnerable function...
[-] Error: EOFError: end of file reached

Over on the target machine we get logs like:

[2008/04/05 12:47:29, 0] rpc_parse/parse_prs.c:prs_mem_get(559)
  prs_mem_get: reading data of size 2694881440 would overrun buffer by 2694814848 bytes.
[2008/04/05 12:47:29, 0] rpc_server/srv_lsa.c:api_lsa_lookup_sids(170)
  api_lsa_lookup_sids: failed to unmarshall LSA_Q_LOOKUP_SIDS.
[2008/04/05 12:47:29, 0] rpc_server/srv_pipe.c:api_rpcTNP(2287)
  api_rpcTNP: lsarpc: LSA_LOOKUPSIDS failed.
[2008/04/05 12:47:29, 0] lib/fault.c:fault_report(41)
  ===============================================================
[2008/04/05 12:47:29, 0] lib/fault.c:fault_report(42)
  INTERNAL ERROR: Signal 11 in pid 7206 (3.0.24)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2008/04/05 12:47:29, 0] lib/fault.c:fault_report(44)

  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2008/04/05 12:47:29, 0] lib/fault.c:fault_report(45)
  ===============================================================
[2008/04/05 12:47:29, 0] lib/util.c:smb_panic(1599)
  PANIC (pid 7206): internal error
[2008/04/05 12:47:29, 0] lib/util.c:log_stack_trace(1706)
  BACKTRACE: 15 stack frames:
   #0 /usr/local/vulnerable-samba/sbin/smbd(log_stack_trace+0x2d) [0xdb1291]
   #1 /usr/local/vulnerable-samba/sbin/smbd(smb_panic+0x78) [0xdb13bf]
   #2 /usr/local/vulnerable-samba/sbin/smbd [0xd9e12b]
   #3 [0x817420]
   #4 /usr/local/vulnerable-samba/sbin/smbd(talloc_free_children+0x4b) [0xdb78db]
   #5 /usr/local/vulnerable-samba/sbin/smbd [0xd051e8]
   #6 /usr/local/vulnerable-samba/sbin/smbd [0xd061e3]
   #7 /usr/local/vulnerable-samba/sbin/smbd(write_to_pipe+0x12d) [0xd04842]
   #8 /usr/local/vulnerable-samba/sbin/smbd(reply_pipe_write_and_X+0x1a4) [0xc2894c]
   #9 /usr/local/vulnerable-samba/sbin/smbd(reply_write_and_X+0x9a) [0xc2ff9e]
   #10 /usr/local/vulnerable-samba/sbin/smbd [0xc662b1]
   #11 /usr/local/vulnerable-samba/sbin/smbd(smbd_process+0x8de) [0xc67664]
   #12 /usr/local/vulnerable-samba/sbin/smbd(main+0x1620) [0xe4ded7]
   #13 /lib/libc.so.6(__libc_start_main+0xdc) [0x222dec]
   #14 /usr/local/vulnerable-samba/sbin/smbd [0xbfa0c1]
[2008/04/05 12:47:29, 0] lib/fault.c:dump_core(168)
  unable to change to /usr/local/vulnerable-samba/var/cores/smbdrefusing to dump core

Those of you interested in a packet trace can view a complete capture
at http://www.deer-run.com/~hal/packets.txt

Any thoughts on why this isn't happily rooting my demo box?  I feel
like it's right in front of me, but I've been staring at it too long.

-- 
Hal Pomeranz, Founder/CEO      Deer Run Associates      hal at deer-run.com
    Network Connectivity and Security, Systems Management, Training
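The smbd log excerpt in the post shows the sequence a defender would want to catch in Samba logs regardless of whether the exploit attempt succeeds: an RPC unmarshalling request whose length overruns the parse buffer (prs_mem_get), the LSA call failing, and then smbd panicking on SIGSEGV with talloc_free_children in the backtrace. Below is an added example, not code from the post, from Metasploit or from Samba, that parses the standard Samba log layout (a `[date time, level] file:function(line)` header followed by indented message lines) and extracts those indicators so they can be fed to a log monitor. The regular expressions, the `analyse` and `is_suspicious` helpers and the sample log (adapted from the post's own lines, with the backtrace shortened) are all constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Samba log entry header: "[2008/04/05 12:47:29, 0] lib/util.c:smb_panic(1599)"
HEADER_RE = re.compile(
    r'^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+):(\w+)\((\d+)\)$')
# Parse-buffer overrun reported by the RPC unmarshaller.
OVERRUN_RE = re.compile(
    r'prs_mem_get: reading data of size (\d+) would overrun buffer by (\d+) bytes')
# Failed RPC call reported by the pipe dispatcher.
FAILED_RE = re.compile(r'api_rpcTNP: (\w+): (\w+) failed')
# smbd fault handler: "INTERNAL ERROR: Signal 11 in pid 7206 (3.0.24)"
SIGNAL_RE = re.compile(r'INTERNAL ERROR: Signal (\d+) in pid (\d+) \((\S+)\)')
# One backtrace frame: "#4 /path/smbd(talloc_free_children+0x4b) [0xdb78db]"
FRAME_RE = re.compile(r'^#(\d+) (.*)$')


@dataclass
class Entry:
    """One log record: header fields plus its indented message lines."""
    timestamp: str
    level: int
    source: str
    func: str
    lines: list = field(default_factory=list)


def parse_entries(text):
    """Group raw log text into Entry records; blank lines are ignored."""
    entries, current = [], None
    for raw in text.splitlines():
        raw = raw.rstrip()
        m = HEADER_RE.match(raw)
        if m:
            current = Entry(m.group(1), int(m.group(2)), m.group(3), m.group(4))
            entries.append(current)
        elif current is not None and raw.strip():
            current.lines.append(raw.strip())
    return entries


def analyse(text):
    """Collect overruns, failed RPC calls, fault signals and backtrace frames."""
    findings = {"overruns": [], "failed_calls": [], "signals": [], "frames": []}
    for e in parse_entries(text):
        body = "\n".join(e.lines)
        if (m := OVERRUN_RE.search(body)):
            findings["overruns"].append(
                {"ts": e.timestamp, "requested": int(m.group(1)), "excess": int(m.group(2))})
        if (m := FAILED_RE.search(body)):
            findings["failed_calls"].append(f"{m.group(1)}/{m.group(2)}")
        if (m := SIGNAL_RE.search(body)):
            findings["signals"].append(
                {"ts": e.timestamp, "signal": int(m.group(1)),
                 "pid": int(m.group(2)), "version": m.group(3)})
        for ln in e.lines:
            if (fm := FRAME_RE.match(ln)):
                findings["frames"].append(fm.group(2))
    return findings


def is_suspicious(findings):
    """A parse-buffer overrun followed by smbd dying on SIGSEGV is worth an alert;
    a crash inside the talloc allocator makes heap corruption the likely cause."""
    segfault = any(s["signal"] == 11 for s in findings["signals"])
    return bool(findings["overruns"]) and segfault


def crashed_in_allocator(findings):
    return any("talloc_free" in frame for frame in findings["frames"])


# Constructed sample, adapted from the log lines in the post (backtrace shortened).
SAMPLE_LOG = """\
[2008/04/05 12:47:29, 0] rpc_parse/parse_prs.c:prs_mem_get(559)
  prs_mem_get: reading data of size 2694881440 would overrun buffer by 2694814848 bytes.
[2008/04/05 12:47:29, 0] rpc_server/srv_lsa.c:api_lsa_lookup_sids(170)
  api_lsa_lookup_sids: failed to unmarshall LSA_Q_LOOKUP_SIDS.
[2008/04/05 12:47:29, 0] rpc_server/srv_pipe.c:api_rpcTNP(2287)
  api_rpcTNP: lsarpc: LSA_LOOKUPSIDS failed.
[2008/04/05 12:47:29, 0] lib/fault.c:fault_report(42)
  INTERNAL ERROR: Signal 11 in pid 7206 (3.0.24)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2008/04/05 12:47:29, 0] lib/util.c:log_stack_trace(1706)
  BACKTRACE: 5 stack frames:
   #0 /usr/local/vulnerable-samba/sbin/smbd(log_stack_trace+0x2d) [0xdb1291]
   #1 /usr/local/vulnerable-samba/sbin/smbd(smb_panic+0x78) [0xdb13bf]
   #2 /usr/local/vulnerable-samba/sbin/smbd [0xd9e12b]
   #3 [0x817420]
   #4 /usr/local/vulnerable-samba/sbin/smbd(talloc_free_children+0x4b) [0xdb78db]
"""

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print("suspicious:", is_suspicious(result),
          "allocator crash:", crashed_in_allocator(result))
    print(result["overruns"], result["failed_calls"], result["signals"])
```

The overrun line alone is a strong signal even without the panic: a legitimate LSA client never asks the unmarshaller for 2.6 GB of SID data, so the requested size is a useful field to threshold on in a SIEM rule.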
