updates to docs

h00die · h00die · commit e8a34c5797cf · 2017-05-25T16:53:39.000-04:00
diff --git a/documentation/modules/exploit/linux/samba/is_known_pipename.md b/documentation/modules/exploit/linux/samba/is_known_pipename.md
@@ -10,20 +10,42 @@ for this exploit to be successful:
 
 However, in some cases anonymous access with common filesystem locations can be used to automate exploitation.
 
+A vulnerable Samba config may have a share similar to the following in `smb.conf`.  This is a setup for 'easy' exploitation
+where no SMB options are required to be set:
+
+```
+[exploitable]
+comment = CVE-2017-7494
+path = /tmp
+writable = yes
+browseable = yes
+guest ok = yes
+```
+
 Verified on:
 
 1. Synology DS412+ DSM 6.1.1-15101 Update 2 (Samba 4.4.9)
 2. Synology DS412+ DSM 6.1.1-15101 Update 3 (Samba 4.4.9)
 3. Synology DS1512+ DSM 6.1.1-15101 Update 2 (Samba 4.4.9)
 4. Synology DS1512+ DSM 6.1.1-15101 Update 3 (Samba 4.4.9)
-5. Ubuntu 16.04 (**HDM PLEASE PUT THE Samba version here**)
-6. Synology **HDM PLEASE PUT THE DSM VERSION HERE** (**HDM PLEASE PUT THE Samba version here**)
+5. Synology DS2415+ DSM 6.1-15047 (Samba 4.3.11)
+6. Ubuntu 14.04.5 x64 (Samba 4.3.9)
 7. Ubuntu 15.04 (Samba 4.1.13)
+8. Ubuntu 16.04 (Samba 4.3.11)
+9. Fedora 24 (Samba 4.4.13)
 
 Currently not working against:
 
-1. QNAP Nas Samba 4.4.9 on armv71
-2. WD NAS armv71 **@wwebb-r7 PLEASE PUT Samba VERSION HERE**
+1. QNAP NAS Samba 4.4.9 on armv71
+2. WD MyClous NAS Samba 4.0.0rc5 armv71
+
+### SELinux
+
+Fedora (and possibly Redhat) are not exploitable in their default installation.  SELinux must be adjusted to allow nmbd to use net_admin, and smbd to exec the payload.
+
+```
+echo -ne "type=AVC msg=audit(1495745298.086:334): avc:  denied  { execstack } for  pid=2365 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:smbd_t:s0 tclass=process permissive=0\ntype=AVC msg=audit(1495717997.099:267): avc:  denied  { net_admin } for  pid=959 comm="nmbd" capability=12  scontext=system_u:system_r:nmbd_t:s0 tcontext=system_u:system_r:nmbd_t:s0 tclass=capability permissive=0\ntype=AVC msg=audit(1495745002.690:308): avc:  denied  { execmem } for  pid=1830 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:smbd_t:s0 tclass=process permissive=0\ntype=AVC msg=audit(1495745183.319:331): avc:  denied  { execute } for  pid=2313 comm="smbd" path="/tmp/ucFtDpZI.so" dev="tmpfs" ino=27436 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:smbd_tmp_t:s0 tclass=file permissive=0" | audit2allow -M cve-2017-7494; semodule -X 300 -i cve-2017-7494.pp
+```
 
 ## Verification Steps
 
