Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference --------------------------------------------------------------------- Exploited by Piotr Bania // www.piotrbania.com Exploit for Vista SP2/SP1 only, should be reliable! Tested on: Vista sp2 (6.0.6002.18005) Vista sp1 ultimate (6.0.6001.18000) Kudos for: Stephen, HDM, Laurent Gaffie(bug) and all the mates i know, peace. Special kudos for prdelka for testing this shit and all the hosters. Sample usage ------------ > smb2_exploit.exe 192.167.0.5 45 0 > telnet 192.167.0.5 28876 Microsoft Windows [Version 6.0.6001] Copyright (c) 2006 Microsoft Corporation. All rights reserved. C:\Windows\system32>whoami whoami nt authority\system C:\Windows\system32> When all is done it should spawn a port TARGET_IP:28876 RELEASE UPDATE 08/2010: ---------------------- This exploit was created almost a year ago and wasnt modified from that time whatsoever. The vulnerability itself is patched for a long time already so i have decided to release this little exploit. You use it for your own responsibility and im not responsible for any potential damage this thing can cause. Finally i don't care whether it worked for you or not. P.S the technique itself is described here: http://blog.metasploit.com/2009/10/smb2-351-packets-from-trampoline.html =========================================================================== Download: http://www.exploit-db.com/sploits/smb2_exploit_release.zip