Ethical Hacking - GAINING ACCESS(3)

Sever side attacks code execution

Let‘s analyze the Zenmap scan result first and search for something vulnerabilities about Samba smbd 3.x.

Ethical Hacking - GAINING ACCESS(3)_第1张图片

 

 We find the following vulnerability and try to use it.  https://www.rapid7.com/db/modules/exploit/multi/samba/usermap_script

Samba "username map script" Command Execution
Disclosed
05/14/2007
Created
05/30/2018
Description
This module exploits a command execution vulnerability in Samba versions 3.0.20 through 3.0.25rc3 when using the non-default "username map script" configuration option. By specifying a username containing shell meta characters, attackers can execute arbitrary commands. No authentication is needed to exploit this vulnerability since this option is used to map usernames prior to authentication!

Author(s)
jduck 
Platform
Unix

Architectures
cmd

Development
Source Code
History
References
CVE-2007-2447
OSVDB-34700
BID-23972
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534
http://samba.org/samba/security/CVE-2007-2447.html
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/multi/samba/usermap_script
msf exploit(usermap_script) > show targets
    ...targets...
msf exploit(usermap_script) > set TARGET < target-id >
msf exploit(usermap_script) > show options
    ...show and set options...
msf exploit(usermap_script) > exploit

Open Metasploit and set the RHOST.

Ethical Hacking - GAINING ACCESS(3)_第2张图片

 

 Show payloads.

Ethical Hacking - GAINING ACCESS(3)_第3张图片

 

 Set payload.

Ethical Hacking - GAINING ACCESS(3)_第4张图片

 

 Set LHOST

Ethical Hacking - GAINING ACCESS(3)_第5张图片

 

 Set LPORT.

Ethical Hacking - GAINING ACCESS(3)_第6张图片

 

 Exploit the target machine sucessfully.

Ethical Hacking - GAINING ACCESS(3)_第7张图片

 

你可能感兴趣的:(Ethical Hacking - GAINING ACCESS(3))