I am working to package winexe for Kali Linux (Debian based) and experienced odd behavior when compiling winexe-waf for 32-bit.
I followed the instructions provided for a static build. Using that method I was able to compile on 64-bit and use it without issue. Limited testing produces results that are expected.
I then tried the same process on Kali Linux 32-bit. Everything compiled appropriately, but when running the program (./winexe-static) I immediately receive the message 'Aborted'.
I moved that binary build on the 32-bit system to my 64-bit Kali Linux system and it ran perfectly, all testing produced expected results.
Thinking it may be Kali-related, I completed the process you outline on an Ubuntu 12.10 32-bit desktop. When executing the program, without any arguments/options it displays the help menu as expected. However when issuing a command (./winexe-static -U Administrator%Password //192.168.1.10 cmd.exe) it immediately core dumps.
I tried the same on a Debian 6 32-bit desktop and again a core dump resulted.
I've also tried the shared libraries approach you documented on the 32-bit systems and they also core dump.
From what I can tell everything seems to be working as expected on 64-bit systems but 32-bit systems are having issues.
Please let me know if there is additional info I can provide. (uname, gcc, python, etc)
Thanks for the bug report. Obviously this is a serious issue.
Please let me know when you have a fix and I can test. Once it is working as expected, I will package up and add to the Kali Linux repos.
I was just going to put v1.00 in the repos, but if you are working on it, I will wait to see.
Thanks,
Eric
I have been investigating this issue since I also reproduced it on my i386 Kali system when built against samba 4.0.6. In my case the problem was that winexe is compiled differently from the samba shared libraries. In particular, Samba is built with -DHAVE_IMMEDIATE_STRUCTURES on my system and winexe was not getting this flag, which changes the ABI of all functions that return NTRESULT. The pkg-config information of dcerpc had this flag however:
So I updated the waf build script to rely on pkg-config in the case of the shared build and it seems to work now. You'll find my patch attached.
Note that this solves only the case where we use Samba's shared libraries, not the case where we build from a source checkout. But at least you know what to look after, i.e. have a way to ensure that you build both the static library and the winexe binary with matching flags.
Great, I'll test it out. If we're good I'll get it packaged into Kali Linux.
Thanks,
Eric
Last edit: Thomas Hood 2013-06-30
It's already in the process of being packaged for Kali. We're testing
Samba 4 and winexe compiled against it in the kali-dev repository:
http://repo.kali.org/kali/pool/main/w/winexe/
http://repo.kali.org/kali/pool/main/s/samba/
Dope. Yeah sorry I just put together your name and Kali. Apologies.
Eric
Last edit: Thomas Hood 2013-06-30
I just applied Raphael's "use-pkgconfig" patch:
https://sourceforge.net/p/winexe/winexe-waf/ci/27dfef347f638c18252e797f878445f014c48786/
What do we need to do in order to be sure that we always build with matching flags?
Last edit: Thomas Hood 2013-06-30
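An added example, not part of the thread or of the winexe project's code: one way to check for the mismatch discussed above is to compare the -D macros the library was built with against those used to compile the program. The .pc text is a constructed sample and the function names are hypothetical; only the HAVE_IMMEDIATE_STRUCTURES and _GNU_SOURCE macros come from this thread.

```python
import shlex

# Constructed sample of a dcerpc.pc file. Only the two -D macros are taken
# from the thread; paths, version and description are illustrative.
SAMPLE_PC = """\
prefix=/usr
includedir=${prefix}/include/samba-4.0
Name: dcerpc
Description: DCE/RPC client library
Version: 0.0.1
Libs: -L${prefix}/lib -ldcerpc
Cflags: -I${includedir} -DHAVE_IMMEDIATE_STRUCTURES=1 -D_GNU_SOURCE=1
"""

def pc_cflags(pc_text):
    """Return the tokens of the Cflags: line of a pkg-config file."""
    for line in pc_text.splitlines():
        if line.startswith("Cflags:"):
            return shlex.split(line[len("Cflags:"):])
    return []

def defines(flags):
    """Map macro name -> value for every -D flag; a later -U removes a macro."""
    out = {}
    tokens = iter(flags)
    for tok in tokens:
        if tok in ("-D", "-U"):          # "-D NAME" written as two tokens
            tok += next(tokens, "")
        if tok.startswith("-D"):
            name, eq, value = tok[2:].partition("=")
            out[name] = value if eq else "1"   # -DNAME means -DNAME=1
        elif tok.startswith("-U"):
            out.pop(tok[2:], None)
    return out

def abi_mismatches(library_flags, program_flags):
    """List (macro, library_value, program_value) for each macro the library
    was compiled with that the program build lacks or sets differently."""
    lib, prog = defines(library_flags), defines(program_flags)
    return [(n, v, prog.get(n)) for n, v in sorted(lib.items()) if prog.get(n) != v]

if __name__ == "__main__":
    # Program cflags before the fix (constructed): no Samba macros at all.
    for name, want, got in abi_mismatches(pc_cflags(SAMPLE_PC), ["-pthread", "-g"]):
        print("mismatch: %s library=%s program=%s" % (name, want, got))
```

For an installed library the first argument can come from the output of `pkg-config --cflags dcerpc`; for a static build from a source checkout it has to come from the flags actually used to compile Samba.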
Raphael, thanks for the patch. Regarding static compilation, we have full control of the build process - we are building the static samba lib and winexe. Maybe it is not a guarantee of proper linking, but quite a good chance :)
Thomas, thanks for applying.
Last edit: ahajda 2013-07-01
I hate to have to request this be reopened, but the static build is still having issues. As Raphael states above, his fix was confirmed against shared libraries; however, I compiled static tonight and it again segfaulted immediately. "Note that this solves only the case where we use Samba's shared libraries, not the case where we build from a source checkout."
Target - Ubuntu Gnome 13.04 32 bit
Winexe obtained via git clone per the website instructions (v1.1)
Samba latest (4.0.9) obtained from samba.org
All dependencies obtained via apt-get per the website instructions
Python v2.7.4
Command executed -> ./waf configure --samba-dir=../../samba-4.0.9/
Config and build (./waf) completed without error
./winexe-static -U admin%password //192.168.1.100 cmd
resulted in immediate segfault just as before.
Can you please reopen and investigate? Let me know if more information is required.
Best Regards,
Eric
Please run 'ldd winexe-static' in the build directory, and post output here.
Last edit: ahajda 2013-09-01
Fresh Install Ubuntu 12.10 32 Bit
Fresh build of Winexe 1.1 (Pulled 9/1/2013)
Samba latest pulled from samba.org (4.0.9)
Python 2.7.3
Linux eric-VirtualBox 3.5.0-39-generic #60-Ubuntu SMP Tue Aug 13 18:35:04 UTC 2013 i686 i686 i686 GNU/Linux
gcc version 4.7.2 (Ubuntu/Linaro 4.7.2-2ubuntu1)
eric@eric-VirtualBox:~/Downloads/winexe/source/build$ ldd winexe-static
linux-gate.so.1 => (0xb77b8000)
libdl.so.2 => /lib/i386-linux-gnu/libdl.so.2 (0xb779e000)
libpthread.so.0 => /lib/i386-linux-gnu/libpthread.so.0 (0xb7783000)
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb75d8000)
/lib/ld-linux.so.2 (0xb77b9000)
eric@eric-VirtualBox:~/Downloads/winexe/source/build$ ./winexe-static --help
winexe version 1.1
This program may be freely redistributed under the terms of the GNU GPLv3
Usage: winexe-static [OPTION]... //HOST COMMAND
Options:
-?, --help Display help message
-V, --version Display version number
-U, --user=[DOMAIN/]USERNAME[%PASSWORD] Set the network username
-A, --authentication-file=FILE Get the credentials from a file
-N, --no-pass Don't ask for a password
-k, --kerberos=STRING Use Kerberos, -k [yes|no]
-d, --debuglevel=DEBUGLEVEL Set debug level
--uninstall Uninstall winexe service after
remote execution
--reinstall Reinstall winexe service before
remote execution
--system Use SYSTEM account
--profile Load user profile
--convert Try to convert characters
between local and remote
code-pages
--runas=[DOMAIN]USERNAME%PASSWORD Run as user (BEWARE: password is
sent in cleartext over net)
--runas-file=FILE Run as user options defined in a
file
--interactive=0|1 Desktop interaction: 0 -
disallow, 1 - allow. If you
allow use also --system switch
(Win requirement). Vista do not
support this option.
--ostype=0|1|2 OS type: 0 - 32-bit, 1 - 64-bit,
2 - winexe will decide.
Determines which version (32-bit
or 64-bit) of service will be
installed.
eric@eric-VirtualBox:~/Downloads/winexe/source/build$ ./winexe-static -U administrator%P@ssW0rd //11.11.14.163 cmd
Aborted (core dumped)
Hmm, that's weird.
Could you run:
./winexe-static -U administrator%P@ssW0rd //11.11.14.163 cmd -d99
You can also recompile it with debug info, ie. in wscript_build,
in cflags and linkflags add '-g' option:
cflags='-pthread -g',
linkflags='-pthread -g',
then recompile.
And run it with valgrind:
valgrind ./winexe-static -U administrator%P@ssW0rd //11.11.14.163 cmd -d99
Same system (Ubuntu 12.10 described above)
eric@eric-VirtualBox:~/Downloads/winexe/source/build$ ./winexe-static -U administrator%P@ssW0rd //11.11.14.163 cmd -d99
INFO: Current debug levels:
all: 99
tdb: 99
printdrivers: 99
lanman: 99
smb: 99
rpc_parse: 99
rpc_srv: 99
rpc_cli: 99
passdb: 99
sam: 99
auth: 99
winbind: 99
vfs: 99
idmap: 99
quota: 99
acls: 99
locking: 99
msdfs: 99
dmapi: 99
registry: 99
scavenger: 99
dns: 99
ldb: 99
winexe version 1.1
This program may be freely redistributed under the terms of the GNU GPLv3
added interface eth0 ip=11.11.14.182 bcast=11.11.14.255 netmask=255.255.255.0
added interface eth0 ip=11.11.14.182 bcast=11.11.14.255 netmask=255.255.255.0
Bad talloc magic value - unknown value
Aborted (core dumped)
Same system (Ubuntu 12.10 described above)
During the testing Ubuntu reported memcheck crashed...
File attached.
Please check whether adding "-DHAVE_IMMEDIATE_STRUCTURES=1 -D_GNU_SOURCE=1" to the cflags of the winexe-static target helps.
W00t! Works as expected so far!
eric@eric-VirtualBox:~/Downloads/winexe/source/build$ ./winexe-static
winexe version 1.1
This program may be freely redistributed under the terms of the GNU GPLv3
Usage: winexe-static [OPTION]... //HOST COMMAND
Options:
-?, --help Display help message
-V, --version Display version number
-U, --user=[DOMAIN/]USERNAME[%PASSWORD] Set the network username
-A, --authentication-file=FILE Get the credentials from a file
-N, --no-pass Don't ask for a password
-k, --kerberos=STRING Use Kerberos, -k [yes|no]
-d, --debuglevel=DEBUGLEVEL Set debug level
--uninstall Uninstall winexe service after
remote execution
--reinstall Reinstall winexe service before
remote execution
--system Use SYSTEM account
--profile Load user profile
--convert Try to convert characters
between local and remote
code-pages
--runas=[DOMAIN]USERNAME%PASSWORD Run as user (BEWARE: password is
sent in cleartext over net)
--runas-file=FILE Run as user options defined in a
file
--interactive=0|1 Desktop interaction: 0 -
disallow, 1 - allow. If you
allow use also --system switch
(Win requirement). Vista do not
support this option.
--ostype=0|1|2 OS type: 0 - 32-bit, 1 - 64-bit,
2 - winexe will decide.
Determines which version (32-bit
or 64-bit) of service will be
installed.
eric@eric-VirtualBox:~/Downloads/winexe/source/build$ ./winexe-static -U administrator%P@ssW0rd //11.11.14.163 cmd
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>FTW!!! ;-)
I have uploaded a proper fix (I hope) to git, please test it.
Everything seems to be working as expected. I think we can close this one...
Thanks for everything you guys have been awesome to work with!
Eric