Unauthenticated RCE in Samba WINS 'wins hook'
CVE-2025-10230 is a critical OS command injection vulnerability in Samba’s WINS front-end hook handling. When Samba is deployed as an Active Directory Domain Controller with WINS support enabled and a non-empty 'wins hook' configured, NetBIOS names from WINS registration packets are passed into a shell command without proper validation or escaping. A remote attacker can send a crafted WINS registration request to UDP port 137 containing shell metacharacters in the NetBIOS name field, causing Samba to execute attacker-controlled shell input via the wins hook mechanism. The issue affects Samba versions 4.0 through 4.21.8, 4.22.0 through 4.22.4, and 4.23.0 through 4.23.1. Exploitation is constrained by the NetBIOS name length limit of 15 user-controlled characters, but the available information indicates that concise payloads and multi-stage command execution remain feasible.
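The description above turns on one detail: the NetBIOS name inside a WINS (NBNS, UDP/137) registration request is 15 user-controlled bytes, and the vulnerable path hands it to a shell. A network sensor can therefore catch attempts by decoding that name and checking it against an allow-list before anything reaches the WINS server. The following detector is an added example, not Samba code or any of the exploit repositories listed on this page; it builds constructed NBNS registration packets for its own test input, and the "safe character" allow-list (letters, digits, '-', '_', '.') is this example's own choice, not a Samba rule.

```python
"""
Constructed example: decode the NetBIOS name carried in an NBNS (UDP/137)
Name Registration Request and flag names containing shell metacharacters.
Not Samba's code; the SAFE_CHARS allow-list is an assumption of this example.
"""
import struct

# RFC 1002 opcodes that register or refresh a name at a WINS server:
# 5 = registration, 8/9 = refresh, 0xF = multihomed registration.
REGISTRATION_OPCODES = {0x5, 0x8, 0x9, 0xF}

# Characters a hostname-style NetBIOS name is allowed to contain (example's choice).
# Everything else (';', '|', '&', '$', '`', quotes, spaces, control bytes, ...)
# is treated as suspicious, because the vulnerable code path passes the name to a shell.
SAFE_CHARS = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_."
)


def encode_netbios_name(name: str, suffix: int = 0x20) -> bytes:
    """RFC 1001 first-level encoding: pad the name to 15 bytes, append the
    suffix byte, then map each nibble to a letter 'A'..'P'. Used only to build
    the constructed test packets below."""
    raw = name.encode("latin-1").ljust(15, b" ")[:15] + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append((b >> 4) + 0x41)
        out.append((b & 0x0F) + 0x41)
    return bytes(out)


def decode_netbios_name(encoded: bytes) -> tuple[str, int]:
    """Reverse the first-level encoding. Returns (name without padding, suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    raw = bytearray()
    for i in range(0, 32, 2):
        hi, lo = encoded[i] - 0x41, encoded[i + 1] - 0x41
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError("invalid first-level encoding")
        raw.append((hi << 4) | lo)
    return raw[:15].decode("latin-1").rstrip(" "), raw[15]


def build_registration_request(name: str, suffix: int = 0x20, txid: int = 0x1234) -> bytes:
    """Constructed NBNS Name Registration Request: header with opcode 5 and the
    RD+B flags (0x2910), one question, and one additional record carrying a
    constructed address (192.0.2.10). Sample input for the detector only."""
    header = struct.pack(">HHHHHH", txid, 0x2910, 1, 0, 0, 1)
    question = (
        b"\x20" + encode_netbios_name(name, suffix) + b"\x00"
        + struct.pack(">HH", 0x0020, 0x0001)          # QTYPE NB, QCLASS IN
    )
    # Additional RR: pointer to the question name, type NB, class IN, TTL,
    # RDLENGTH 6, NB_FLAGS, then the IPv4 address being registered.
    additional = (
        struct.pack(">HHHIH", 0xC00C, 0x0020, 0x0001, 300000, 6)
        + b"\x00\x00" + bytes([192, 0, 2, 10])
    )
    return header + question + additional


def inspect_nbns_packet(pkt: bytes) -> dict:
    """Parse the NBNS header and first question; return a verdict.
    'alert' is True only for registration-type opcodes whose decoded name
    contains characters outside SAFE_CHARS."""
    if len(pkt) < 12:
        raise ValueError("truncated NBNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    opcode = (flags >> 11) & 0xF
    # Expect a single 32-byte encoded label (length byte 0x20) plus terminator.
    if qdcount < 1 or len(pkt) < 46 or pkt[12] != 0x20:
        raise ValueError("unsupported or truncated question section")
    name, suffix = decode_netbios_name(pkt[13:45])
    suspicious = sorted({c for c in name if c not in SAFE_CHARS})
    is_registration = opcode in REGISTRATION_OPCODES
    return {
        "txid": txid,
        "opcode": opcode,
        "is_registration": is_registration,
        "name": name,
        "suffix": suffix,
        "suspicious_chars": suspicious,
        "alert": is_registration and bool(suspicious),
    }


if __name__ == "__main__":
    # Constructed samples: a normal host registration and one carrying metacharacters.
    for label, pkt in [
        ("benign", build_registration_request("FILESRV01")),
        ("suspicious", build_registration_request("SRV;id $(x)")),
    ]:
        print(label, inspect_nbns_packet(pkt))
```

The detector alerts only on registration-type opcodes, since a plain name query (opcode 0) never reaches the wins hook; a real sensor would feed `inspect_nbns_packet` the UDP payload of each port-137 datagram and log the decoded name, suffix and source address on every alert. Because the name is decoded from the wire encoding rather than matched as raw bytes, the check is not fooled by the letter-only appearance of the first-level encoding.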
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
5 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
This repository contains a proof-of-concept (PoC) exploit for CVE-2025-10230, a critical unauthenticated remote code execution vulnerability in Samba's WINS hook functionality when running as an Active Directory Domain Controller (AD DC) with WINS support and a hook script enabled. The exploit is implemented in a single Python script (CVE-2025-10230.py) that uses the Scapy library to craft and send a malicious WINS Name Registration packet to the target's UDP port 42. The vulnerability arises from unsanitized NetBIOS names being passed directly to a shell in the WINS hook script, allowing command injection. The script allows the attacker to specify a custom payload (shell command), with the default writing the output of 'id' to /tmp/injected_by_cve.txt on the target. The README.md provides an extensive technical and contextual overview of the vulnerability, affected configurations, impact, and mitigation steps. The exploit is a functional PoC and not weaponized, requiring the attacker to have root privileges locally to send raw packets. No hardcoded IPs or domains are present; the target is specified at runtime. The main attack vector is network-based, targeting exposed Samba AD DCs with vulnerable WINS configurations.
This repository contains a proof-of-concept (PoC) exploit for CVE-2025-10230, a critical unauthenticated remote code execution vulnerability in Samba's WINS hook handling. The exploit is implemented in a single Python script (CVE-2025-10230.py) that crafts and sends a malicious WINS Name Registration packet to a target Samba AD Domain Controller with WINS and a 'wins hook' script enabled. The vulnerability arises from unsanitized NetBIOS names being passed directly to the hook script, allowing command injection. The script uses Scapy to construct and send the packet, with a customizable payload (default: '; id > /tmp/injected_by_cve.txt 2>&1'). The README.md provides an extensive technical and contextual overview, including affected versions, impact, and mitigation advice. The exploit requires root privileges to send raw packets and targets UDP port 42 on the victim. If successful, arbitrary shell commands are executed on the Samba server, potentially leading to full system compromise. The repository is well-structured, with clear documentation and a single, focused exploit script.
This repository provides a proof-of-concept (PoC) exploit for CVE-2025-10230, a command injection vulnerability in Samba's WINS hook mechanism. The exploit is implemented in a single Python script (poc/cve-2025-10230.py) that crafts and sends a NetBIOS Name Service (NBNS) registration packet to a target Samba server's UDP port 137. The exploit leverages improper sanitization of the NetBIOS name field, which is directly inserted into a shell command defined by the 'wins hook' parameter in smb.conf. If the Samba server is configured as an Active Directory Domain Controller with 'wins support = yes' and a non-empty 'wins hook', arbitrary shell commands (up to 15 characters, subject to NetBIOS name restrictions) can be executed with the privileges of the Samba process (often root). The repository includes a sample vulnerable smb.conf, logs demonstrating exploitation, and a detailed README explaining the vulnerability, exploitation steps, and mitigation. No hardcoded IPs or domains are present; the exploit is generic and targets any vulnerable Samba server configured as described.
This repository contains a proof-of-concept (PoC) exploit for CVE-2025-10230, a critical unauthenticated remote code execution vulnerability in Samba's WINS hook handling. The exploit is implemented in a single Python script (CVE-2025-10230.py) that uses Scapy to craft and send a malicious WINS Name Registration packet to a target Samba AD Domain Controller with WINS support and a hook script enabled. The vulnerability arises from unsanitized NetBIOS names being passed directly to a shell in the hook script, allowing command injection. The script allows the user to specify a target IP, a custom shell payload, and a spoofed source IP. By default, it attempts to execute the 'id' command on the target and write the output to /tmp/injected_by_cve.txt. The README.md provides an extensive technical and contextual overview of the vulnerability, affected configurations, impact, and mitigation steps. No hardcoded IPs or domains are present; the exploit targets any user-supplied IP running a vulnerable Samba configuration. The attack vector is network-based, requiring only access to UDP port 42 on the target. The repository is well-structured, with clear documentation and a single, focused exploit script.
This repository provides a proof-of-concept (PoC) exploit for CVE-2025-10230, a command injection vulnerability in Samba's WINS hook functionality. The main exploit script (CVE-2025-10230.py) is written in Python and crafts a NetBIOS Name Registration packet, which is sent to a user-specified WINS server IP and port. The exploit targets Samba versions prior to 4.23.2, 4.22.5, and 4.21.9, but only if WINS support is enabled and a 'wins hook' is configured. The payload is limited to a NetBIOS name (max 15 characters, restricted charset), which severely limits the potential for arbitrary command injection. The repository also includes a Docker environment for building and running a vulnerable Samba instance, complete with a custom WINS hook script and logging for demonstration purposes. The exploit demonstrates the vulnerable code path but does not provide a weaponized payload due to the inherent input restrictions. The overall structure is clear, with the main PoC in Python, supporting Docker files for testing, and a concise README.
Recent activity
35 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Samba vulnerability involving NetBIOS Name Registration Request parsing that can enable remote command execution via a crafted payload in the NetBIOS name field, subject to protocol length limits and character filtering.
A critical OS command injection vulnerability in Samba's WINS server implementation that can allow unauthenticated remote code execution on Samba Active Directory Domain Controllers when WINS support and a non-empty wins hook are configured.
A critical command injection leading to remote code execution in Samba when running as an AD domain controller with WINS support enabled and the wins hook parameter set; attackers can inject commands via a crafted host name in WINS registration messages.