INTRODUCING BADSAMBA
After seeing a similar scenario wherein a script was being run from a remote SMB share, this got me thinking:
would it be possible to spoof the SMB server? If the client asks for startup.vbs, could I then send it an evil.vbs of my
choosing? Could I then go further and accept any form of authentication in order to trick the Windows system?
From this idea the concept of BadSamba was born, a simple malicious proof-of-concept SMB server that is built
to exploit this very scenario in order to gain remote command execution as SYSTEM.
BadSamba has the following two requirements:
Accept any form of authentication - anonymous, domain, blank password, non-existent accounts. It will allow any
user to connect to the SMB server and access any share.
File spoofing - serve the same file regardless of what file was originally requested, and regardless of which SMB
share the client is connected to. If the user requests foo.vbs we will send them evil.vbs instead.
With these requirements, I have created an auxiliary Metasploit module to demonstrate this proof-of-concept that
allows for any authentication, connection to arbitrary SMB shares, and reading files from the SMB server.
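The client-side precondition BadSamba relies on is a startup or logon script referenced by UNC path, so a defender's first check is to find such references. The following is an added example, not code from the original post or the BadSamba project; the entries, the trusted host list and the Finding type are constructed for illustration:

```python
import re
from dataclasses import dataclass

# UNC reference inside a command line: \\host\share\optional\path
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)\\([^\\\s\"']+)((?:\\[^\\\s\"']+)*)")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
SCRIPT_EXTS = (".vbs", ".bat", ".cmd", ".ps1", ".js")  # the post notes the extension matters to the client

@dataclass(frozen=True)
class Finding:
    source: str      # where the entry came from (run key, GPO, task, ...)
    host: str        # SMB server the client would connect to
    path: str        # full UNC path of the referenced file
    reasons: tuple   # why this reference is worth reviewing

def find_remote_script_includes(entries, trusted_hosts):
    """entries: iterable of (source, command_line). Flags every UNC reference
    that points at a host outside trusted_hosts or at an executable script."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for source, cmdline in entries:
        for m in UNC_RE.finditer(cmdline):
            host, share, rest = m.groups()
            path = f"\\\\{host}\\{share}{rest}"
            reasons = []
            if host.lower() not in trusted:
                reasons.append("untrusted host")   # whatever answers on that name serves the file
            if IPV4_RE.fullmatch(host):
                reasons.append("IP literal")       # bare IPs typically fall back to NTLM, not Kerberos
            if path.lower().endswith(SCRIPT_EXTS):
                reasons.append("executable script")
            if reasons:
                findings.append(Finding(source, host, path, tuple(reasons)))
    return findings

# Constructed sample entries modelled on the lab in the post (10.20.0.103 is the rogue server there)
SAMPLE_ENTRIES = [
    ("HKLM Run key", "wscript.exe \\\\10.20.0.103\\scripts\\startup.vbs"),
    ("GPO startup script", "\\\\fileserver01\\netlogon\\startup.vbs"),
    ("Scheduled task", "C:\\Windows\\System32\\notepad.exe"),
    ("Service ImagePath", "cmd.exe /c \\\\build-share\\tools\\deploy.bat"),
]
TRUSTED_HOSTS = ["fileserver01", "dc01"]  # constructed allowlist of approved file servers

def review_sample():
    return find_remote_script_includes(SAMPLE_ENTRIES, TRUSTED_HOSTS)

if __name__ == "__main__":
    for f in review_sample():
        print(f"{f.source}: {f.path} [{', '.join(f.reasons)}]")
```

In practice the entries would be fed from an autoruns export, GPO report or scheduled task dump; a script on a trusted host is still listed so that share permissions can be reviewed too.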
DEMONSTRATION
Within the Windows 7 system (10.20.0.101), we have already identified that the startup.vbs script will execute
from the remote SMB share when the operating system starts up.
Start Metasploit on Kali (10.20.0.103) and load the BadSamba server, setting the FILE to notepad.vbs. This file
simply executes notepad.exe in order to demonstrate that the commands being executed are in fact being run in
the context of NT AUTHORITY\SYSTEM.
notepad.vbs file:
Dim oShell
Set oShell = WScript.CreateObject("WScript.Shell")
' Launch notepad.exe; the account owning the new process shows the context the script runs in
oShell.Run "C:\windows\system32\notepad.exe"
After running the module, once the Windows 7 machine is restarted it successfully authenticates and
connects to the malicious SMB share. A request for startup.vbs is then made, and we serve up our notepad.vbs.
This is downloaded and executed by the target machine under the NT AUTHORITY\SYSTEM account as can be
seen by inspecting the running tasks within the operating system.
Now that we have verified the module works, and that we can execute privileged commands, let's create another
VBScript file that adds a user account and puts it in the Administrators group.
evil-user-add.vbs file:
Dim oShell
Set oShell = WScript.CreateObject("WScript.Shell")
' Chain both commands through cmd.exe so a single Run call creates the user and adds it to Administrators
oShell.Run "cmd.exe /c net user hacker Password123 /ADD && net localgroup Administrators hacker /ADD"
Again we set the FILE setting to our malicious script, run the exploit server and restart the Windows 7 system.
As we can see the file was successfully downloaded by the target machine. Now to verify it executed
successfully:
The hacker account has been created and added to the Administrators group!
LIMITATIONS
BadSamba has been tested using .bat and .vbs remote script includes. The file extension does seem to matter,
so if the client is requesting a .bat, serve up a .bat.
In the lab environment, testing has been against Windows 7 SP1 (English) for the proof-of-concept. Different
versions of Windows may react differently, but the principal concepts should remain the same.
It's not currently possible to browse the files within the SMB share. This is due to the complexity of the SMB
protocol, and adding this functionality would greatly increase the complexity of the module.
The protocol is quite noisy, and so it can be difficult to determine if the file was merely downloaded or if it
was downloaded and executed.
Currently there is no exclusive lock on files being requested, and this allows for the file to be downloaded multiple
times. In my experience, it only gets executed once, but it does make for noisy output within the module.
The SMB protocol is one of the noisiest protocols I've ever looked at. The number of requests required just to
establish a connection to a share and download a file is much higher than I would have ever anticipated! This
module requires 9 distinct request/response pairs, granted some of those are very simple, such as an SMB ping.
When running multiple commands in VBScript, the most consistent way I have found is to execute cmd.exe and
use the && operator instead of multiple .Run calls.
When setting up an SMB server, pay special attention to the capabilities bits that are sent during the negotiation
phase. For similar modules, I recommend:
0x0080000d # UNIX extensions; large files; unicode; raw mode
When working with SMB, use the Wireshark dissector to determine accurately what is being parsed. I've included
resources for the protocol below, but Wireshark was essential to building this module.
Every version of Windows, and different tools or commands, use the SMB protocol differently. When testing with
Windows XP and Windows 7, even running the type command against a file on a remote share produced different
traffic from using the Windows Run dialog, which in turn differed from the Windows Explorer address bar. Keep
this in mind when playing with Windows SMB, as you have to target specific environments and functionality.
This almost goes without saying, but do try your scripts out in the local test environment before attempting to
execute them remotely. VBScript and Batch don't necessarily have the most intuitive syntax.
SOURCE CODE
GitHub - https://github.com/GDSSecurity/BadSamba