Samba 3.x

Port: TCP 139, 445
Service: Samba 3.x

Vulnerability: This version of Samba has several vulnerabilities that can be exploited. The first we’ll look at is the issue with “wide links” being enabled. This feature is enabled by default on older versions of Samba. It can be exploited to gain access to file shares without authenticating through SMB.

Mitigation: Upgrade to the latest version from vendor’s website – http://www.samba.org/samba/download .

Proof of Concept
Our Nmap scan revealed TCP ports 139, and 445 open, which are running Samba version 3.0.20. We can use a tool called “smbclient” to connect to the Metasploitable box, and list the available shares without having a valid username/password. When running “smbclient” just hit enter when it asks for root’s password, and it will grant you anonymous access:

1. Open a terminal in Kali, and type in “smbclient -L ip-of-Metasploitable

samba-smbclient-list-shares

The share we will focus on is “tmp“.

2. Open a new terminal, and launch Metasploit. Once it opens, do a search for “samba”. This will list all the modules with the word “samba” in them. The one we’re going to look at is the “samba_symlink_traversal” auxiliary module.

samba-metasploit-search-samba

3. Set Metasploit to use this module, then show the available options:

samba-metasploit-show-options

4. Here are the options we want to set:

  • RHOST = ip_of_Metasploitable
  • SMBSHARE = tmp

samba-metasploit-set-options

5. Now we want to run the module. The results should look like this:

samba-metasploit-run-exploit

6. The exploit was successful, so now let’s connect again using “smbclient”, and see if we can get to “rootfs”:

samba-smbclient-login-tmp

samba-smbclient-cd-rootfs

So, you can see from this that we have access to browse the root file system. We could continue enumerating the machine, looking at various config files, etc., to see if we can find any other “holes”. Please note with this one – you don’t have full root access here, so some files/directories will not be accessible.

The next Samba exploit we’ll look at actually gives us a root shell so we can interact with the machine in a more useful manner.


Vulnerability: This vulnerability takes advantage of the “username map script” functionality of Samba. There is no filtering of user input, so an attacker could connect to an SMB session, and use shell metacharacters as input for the username, causing the commands to be executed on the remote system. This could allow the attacker to gain a remote shell to the victim machine with root access.

Mitigation: Upgrade to the latest version from vendor’s website – http://www.samba.org/samba/download .

Proof of Concept
1. In Kali, open a terminal, and launch Metasploit by typing “msfconsole” at the prompt. Once it loads, do a search for “samba”.

samba2-msf-search-samba

2. The exploit we’re going to use here is the “usermap_script”.

samba2-msf-usermapscript1

3. Set Metasploit to use this exploit, then view the options.

samba2-msf-usermapscript-options

Options you will need to configure:

  • RHOST = IP of Metasploitable 2 VM
  • Payload = cmd/unix/bind_netcat

4. Once these options are set, type “exploit” at the prompt, and if everything works correctly, you should be presented with a shell session.

samba2-msf-exploit-shell

That simple! You now have full root access to the victim machine, and can fully enumerate the rest of the box.

Leave a Reply

Your email address will not be published. Required fields are marked *