An attacker might take use of Samba's arbitrary module loading flaw to upload a shared library to a writable share, causing the server to load and execute malicious code.
Checks if target machines are vulnerable to the arbitrary shared library load vulnerability CVE-2017-7494. Unpatched versions of Samba from 3.5.0 to 4.4.13, and versions prior to 4.5.10 and 4.6.4 are affected by a vulnerability that allows remote code execution, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it. The script does not scan the version numbers by default as the patches released for the mainstream Linux distributions do not change the version numbers. The script checks the preconditions for the exploit to happen:
1) If the argument check-version is applied, the script will ONLY check services running potentially vulnerable versions of Samba, and run the exploit against those services. This is useful if you wish to scan a group of hosts quickly for the vulnerability based on the version number. However, because of their version number, some patched versions may still show up as likely vulnerable. Here, we use smb.get_os(host) to do versioning of the Samba version and compare it to see if it is a known vulnerable version of Samba. Note that this check is not conclusive: See 2,3,4
2) Whether there exist writable shares for the execution of the script. We must be able to write to a file to the share for the exploit to take place. We hence enumerate the shares using smb.share_find_writable(host) which returns the main_name, main_path and a list of writable shares.
3) Whether the workaround (disabling of named pipes) was applied. When "nt pipe support = no" is configured on the host, the service would not be exploitable. Hence, we check whether this is configured on the host using smb.share_get_details(host, 'IPC$'). The error returned would be "NT_STATUS_ACCESS_DENIED" if the workaround is applied.
4) Whether we can invoke the payloads from the shares. Using payloads from Metasploit, we upload the library files to the writable share obtained from 2). We then make a named pipe request using NT_CREATE_ANDX_REQUEST to the actual local filepath and if the payload executes, the status return will be false. Note that only Linux_x86 and Linux_x64 payloads are tested in this script.
This script is based on the metasploit module written by hdm.
The latest versions of Samba, 4.6.4, 4.5.10, and 4.4.14, have been patched to address the vulnerability. Samba maintainers have also provided patches for earlier and unsupported versions of Samba, which may be found here.