Sever side attacks code execution

Let‘s analyze the Zenmap scan result first and search for something vulnerabilities about Samba smbd 3.x.

We find the following vulnerability and try to use it.  https://www.rapid7.com/db/modules/exploit/multi/samba/usermap_script

Samba "username map script" Command Execution

Disclosed

05/14/2007

Created

05/30/2018

Description

This module exploits a command execution vulnerability in Samba versions 3.0.20 through 3.0.25rc3 when using the non-default "username map script" configuration option. By specifying a username containing shell meta characters, attackers can execute arbitrary commands. No authentication is needed to exploit this vulnerability since this option is used to map usernames prior to authentication!

Author(s)

jduck <jduck@metasploit.com>

Platform

Unix

Architectures

cmd

Development

Source Code

History

References

CVE-2007-2447

OSVDB-34700

BID-23972

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534

http://samba.org/samba/security/CVE-2007-2447.html

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/multi/samba/usermap_script

msf exploit(usermap_script) > show targets

    ...targets...

msf exploit(usermap_script) > set TARGET < target-id >

msf exploit(usermap_script) > show options

    ...show and set options...

msf exploit(usermap_script) > exploit

Open Metasploit and set the RHOST.

Show payloads.

Set payload.

Set LHOST

Set LPORT.

Exploit the target machine sucessfully.

Ethical Hacking - GAINING ACCESS(3)的更多相关文章

  1. Ethical Hacking - GAINING ACCESS(1)

    Gaining Access Introduction Everything is a computer Two main approaches (1)Server Side Do not requi ...

  2. Ethical Hacking - GAINING ACCESS(23)

    CLIENT SIDE ATTACK - BeEF Framework Hooking targets using MITMF Tools: MITMF and BeEF Start BeEF and ...

  3. Ethical Hacking - GAINING ACCESS(6)

    Server Side Attack Analysing scan results and exploiting target system. Go to the Analysis page and ...

  4. Ethical Hacking - GAINING ACCESS(24)

    CLIENT SIDE ATTACKS - Detecting Trojan manually or using a sandbox Analyzing trojans Check the prope ...

  5. Ethical Hacking - GAINING ACCESS(22)

    CLIENT SIDE ATTACKS - BeEf Framework Browser Exploitation Framework allowing us to launch a number o ...

  6. Ethical Hacking - GAINING ACCESS(21)

    CLIENT SIDE ATTACKS - Trojan delivery method - using email spoofing Use gathered info to contract ta ...

  7. Ethical Hacking - GAINING ACCESS(20)

    CLIENT SIDE ATTACKS - Spoofing backdoor extension Change the extension of the trojan from exe to a s ...

  8. Ethical Hacking - GAINING ACCESS(19)

    Client-Side Attacks - Social Engineering Tool: The FAT RAT Just like Veil, it generates Undetectable ...

  9. Ethical Hacking - GAINING ACCESS(18)

    CLIENT SIDE ATTACKS Backdooring ANY file Combine backdoor with any file - Generic solution. Users ar ...

  10. Ethical Hacking - GAINING ACCESS(17)

    CLIENT SIDE ATTACKS - Backdooring exe' s Download an executable file first. VEIL - FRAMEWORK A backd ...

随机推荐

  1. snprintf和sprintf区别分析

    目录[-] snprintf函数的返回值 snprintf函数的字符串缓冲 今天在项目中使用snprintf时遇到一个比较迷惑的问题,追根溯源了一下,在此对sprintf和snprintf进行一下对比 ...

  2. HTTP Request Smuggling 请求走私

    参考文章 浅析HTTP走私攻击 SeeBug-协议层的攻击--HTTP请求走私 HTTP 走私漏洞分析 简单介绍 攻击者通过构造特殊结构的请求,干扰网站服务器对请求的处理,从而实现攻击目标 前提知识 ...

  3. C#数据结构与算法系列(十八):冒泡排序算法(BubbleSort)

    1.介绍 冒泡排序的基本思想就是:通过对待排序序列从前向后(从下标较小的元素开始),依次比较相邻元素的值,若发现逆序则交换,使值较大的元素逐渐从前移向后部,就像水底的气泡一样逐渐向上冒泡. 因为排序的 ...

  4. Dynamics CRM 365 不用按钮工具,直接用js脚本控制按钮的显示隐藏

    Dynamics CRM 365 不用按钮工具,直接用js脚本控制按钮的显示隐藏: try { // 转备案按钮 let transferSpecialRequestButton = parent.p ...

  5. 使用Xmanager连接linux,操作“xhost +”时出现类似“xhost: unable to open display "192.168.1.1811:1.0" ”问题的解决

    远程连接linux服务器时,有的时候需要把服务器上的图形界面投影到本地来进一步操作,比如linux下安装oracle时就需要在oracle用户下允许视图状态投影到本地,这需要使用命令: xhost + ...

  6. hive的简单操作语句

    **1.create table**1.1创建分区表create [external] table [if not exists] dcx1234(    cookieid string,    cr ...

  7. gRPC by .net core 3.x——概念、语法、编译

    什么是grpc? grpc来自大名鼎鼎的谷歌,孵化于CNCF基金会(docker.k8s同样出自这个基金会).它是一款高性能.开源.通用的rpc框架,你可以通过它来定义rpc的请求和响应.它基于htt ...

  8. Cypress与TestCafe WebUI端到端测试框架简介

    近期接触了Cypress和TestCafe,两个测试框架都基于Node.js,都不再使用Selenium+WebDriver,而且开箱即用,非常轻量级,就冲着不再使用WebDriver这一点,极大地勾 ...

  9. 5年前端经验小伙伴教你纯css3实现饼状图

    有一些网页中,有时候会碰到饼状图的需求,比如统计图表,进度指示器,定时器等,实现方式也是各种各样,现在也有不少现成的js库,可以直接拿来使用,方便很多.这里笔者为大家演示一种纯css实现饼状图效果的方 ...

  10. 带你认识网站图片img懒加载和预加载的区别

    懒加载 什么是懒加载? 懒加载也就是延迟加载.当访问一个页面的时候,先把img元素或是其他元素的背景图片路径替换成一张大小为1*1px图片的路径(这样就只需请求一次,俗称占位图),只有当图片出现在浏览 ...