Metasploit Penetration Testing Framework
Samba Symlink Directory Traversal
This module exploits a directory traversal flaw in the Samba CIFS server. To exploit this flaw, a writeable share must be specified. The newly created directory will link to the root filesystem.
Rank
- Normal
Authors
- kcope < >
- hdm < hdm [at] metasploit.com >
References
Development
Similar Modules
Usage Information
$ msfconsole
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use auxiliary/admin/smb/samba_symlink_traversal
msf auxiliary(samba_symlink_traversal) > set RHOST [TARGET IP]
msf auxiliary(samba_symlink_traversal) > set SMBSHARE [STRING]
msf auxiliary(samba_symlink_traversal) > run
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use auxiliary/admin/smb/samba_symlink_traversal
msf auxiliary(samba_symlink_traversal) > set RHOST [TARGET IP]
msf auxiliary(samba_symlink_traversal) > set SMBSHARE [STRING]
msf auxiliary(samba_symlink_traversal) > run
Module Options
| RHOST | The target address |
| RPORT | Set the SMB service port (default: 445) |
| SMBSHARE | The name of a writeable share on the server |
| SMBTARGET | The name of the directory that should point to the root filesystem (default: rootfs) |
| CHOST | The local client address |
| CPORT | The local client port |
| ConnectTimeout | Maximum number of seconds to establish a TCP connection |
| Proxies | Use a proxy chain |
| SMBDirect | The target port is a raw SMB service (not NetBIOS) |
| SMBDomain | The Windows domain to use for authentication |
| SMBName | The NetBIOS hostname (required for port 139 connections) |
| SMBPass | The password for the specified username |
| SMBUser | The username to authenticate as |
| SSL | Negotiate SSL for outgoing connections |
| SSLVersion | Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) |
| WORKSPACE | Specify the workspace for this module |
| SMB::obscure_trans_pipe_level | Obscure PIPE string in TransNamedPipe (level 0-3) |
| SMB::pad_data_level | Place extra padding between headers and data (level 0-3) |
| SMB::pad_file_level | Obscure path names used in open/create (level 0-3) |
| SMB::pipe_evasion | Enable segmented read/writes for SMB Pipes |
| SMB::pipe_read_max_size | Maximum buffer size for pipe reads |
| SMB::pipe_read_min_size | Minimum buffer size for pipe reads |
| SMB::pipe_write_max_size | Maximum buffer size for pipe writes |
| SMB::pipe_write_min_size | Minimum buffer size for pipe writes |
| TCP::max_send_size | Maxiumum tcp segment size. (0 = disable) |
| TCP::send_delay | Delays inserted before every send. (0 = disable) |
Metasploit Framework
Copyright © 2003-2010 Rapid7 LLC
Rapid7 Privacy Statement
Rapid7 Privacy Statement