Open EmperorArthur opened 4 years ago
Hi!
This issue has been left open with no activity for a while now.
We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
This issue still exists.
The offending file is this one. The problem is in def enumerate_directories(share).
Other important commands that I had to discover were:
set SMBUser <user>
set SMBPass <password>
set SMB::AlwaysEncrypt false
set SMB::ProtocolVersion 2,3
The first three are extremely important and are not mentioned in the normal info section.
In addition, "auxiliary/scanner/smb/smb_enumshares" actually gets the information that the exploit is missing.
This means there is a fix, I am just not sure how to implement it.
@EmperorArthur Thanks for the error report; Would you mind trying this out again with the latest version of Metasploit, and attaching the output of the debug command?
msfconsole
set loglevel 3
debug
Copy everything below the `===8<=== CUT AND PASTE EVERYTHING BELOW THIS LINE ===8<===` line and make sure to REMOVE ANY SENSITIVE INFORMATION.

Thanks for reporting this @EmperorArthur. It looks like this is more an improvement than a real bug. This module is not fully compatible with RubySMB and, by extension, SMB2/3. This will require some refactor to replace #find_first by something RubySMB already supports, like it has been done here. Also, I like the idea to add an option to set a path instead of automatically detecting it.
@cdelafuente-r7 Microsoft is very actively deprecating SMB1, to the point that many new versions of Windows aren't even including it, and everything except corporate upgrades is actively uninstalling it. Unless the exploit relies on SMB1, then it seems broken, or at least needs to be explicitly mentioned as a dependency.
@adfoster-r7 Here are the results you asked for. After looking at the logs, I performed an additional check and confirmed that the problem is coming from connect(versions: [1]). I have confirmed that the server min protocol is "SMB2_02".
What's interesting to me is the logs seem to indicate it thought it could negotiate SMB1, but then failed when it actually tried to use that protocol.
setg RHOSTS <ip_address>
use exploit/linux/samba/is_known_pipename
set SMBUser <user_name>
set SMBPass <password>
set SMB_SHARE_NAME <writable_folder>
set loglevel 3
set SMB::AlwaysEncrypt false
run
Results in:
[-] :445 - Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: undefined method `[]' for nil:NilClass
[*] Exploit completed, but no session was created.
Steps to reproduce
First have a Samba server with SMB 1 disabled.
Within msfconsole:
Expected behavior
The exploit succeeds or fails.
Current behavior
System stuff
Metasploit version
Framework: 6.0.1-dev-, Console: 6.0.1-dev-
I installed Metasploit with:
OS
Ubuntu 19.10
Additional Information
The verbose log explains the problem pretty clearly. Line 128 forces use of SMB Version 1, and the server has it disabled. Replacing it with just `connect` fails because of the `stuff = self.simple.client.find_first("\\*")` line. I was able to temporarily bypass the issue by commenting out the find_first line, and everything which dealt with "stuff". The root folder of the share was writable, so it worked.
It may be worth adding an option to set the folder path within the share, and only falling back to searching if that is unset. Along with a note to that effect in the info section.
Due to my contract, I would require permission to share any code I have written during work hours with the community without explicit approval. Which means I can't actually submit a PR unless I did the work on my own time on my own computer at home.
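As an added example that is not code from this thread, Metasploit or RubySMB: a small Ruby model of the dialect negotiation behind the failure reported above (a server with min protocol SMB2_02 shares no dialect with a client that only offers SMB1), plus the folder-option fallback suggested in the comment. The SMB2/3 dialect numbers are the real NEGOTIATE values; the numeric stand-in for SMB1, the `datastore` hash, the `SMB_FOLDER` option name and the enumerator callback are assumptions.

```ruby
# Samba protocol names mapped to an orderable value. The SMB2/3 values are the
# dialect identifiers sent in an SMB2 NEGOTIATE; the SMB1 ("NT1", dialect string
# "NT LM 0.12") value is a constructed stand-in used only for ordering.
DIALECTS = {
  'NT1'     => 0x0001,
  'SMB2_02' => 0x0202,
  'SMB2_10' => 0x0210,
  'SMB3_00' => 0x0300,
  'SMB3_02' => 0x0302,
  'SMB3_11' => 0x0311,
}.freeze

# Dialects a client offers for a Metasploit-style SMB::ProtocolVersion list,
# e.g. [1] for connect(versions: [1]) or [1, 2, 3] for "set SMB::ProtocolVersion 1,2,3".
def client_dialects(versions)
  offered = []
  offered << 'NT1' if versions.include?(1)
  offered += %w[SMB2_02 SMB2_10] if versions.include?(2)
  offered += %w[SMB3_00 SMB3_02 SMB3_11] if versions.include?(3)
  offered
end

# Dialects a Samba server accepts between "server min protocol" and "server max protocol".
def server_dialects(min: 'NT1', max: 'SMB3_11')
  DIALECTS.keys.select { |d| DIALECTS[d].between?(DIALECTS[min], DIALECTS[max]) }
end

# Negotiation settles on the highest dialect both sides support; nil means the
# connection cannot be established, which is what an SMB1-only client sees
# against a server whose min protocol is SMB2_02.
def negotiate(versions, server_min: 'NT1', server_max: 'SMB3_11')
  common = client_dialects(versions) & server_dialects(min: server_min, max: server_max)
  common.max_by { |d| DIALECTS[d] }
end

# The fallback proposed in the thread: honour an explicit folder option and only
# enumerate the share (the part that needs #find_first) when it is unset.
# `datastore` and `enumerate` are hypothetical stand-ins, not the module's API.
def target_folder(datastore, enumerate)
  path = datastore['SMB_FOLDER']
  return path unless path.nil? || path.empty?
  enumerate.call
end

if __FILE__ == $0
  p negotiate([1], server_min: 'SMB2_02')        # nil: the failure in this issue
  p negotiate([1, 2, 3], server_min: 'SMB2_02')  # "SMB3_11"
end
```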