Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference (MS09-050)

2010-08-19 / 2010-08-20
Credit: Piotr Bania
Risk: High
Local: No
Remote: Yes
CWE: CWE-399


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
---------------------------------------------------------------------

Exploited by Piotr Bania // www.piotrbania.com

Exploit for Vista SP2/SP1 only, should be reliable!

Tested on:
  Vista SP2 (6.0.6002.18005)
  Vista SP1 Ultimate (6.0.6001.18000)

Kudos for: Stephen, HDM, Laurent Gaffie (bug) and all the mates I know, peace.
Special kudos for prdelka for testing this shit and all the hosters.

Sample usage
------------

> smb2_exploit.exe 192.167.0.5 45 0
> telnet 192.167.0.5 28876

Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>

When all is done it should spawn a port TARGET_IP:28876

RELEASE UPDATE 08/2010:
----------------------

This exploit was created almost a year ago and wasn't modified from that time whatsoever. The vulnerability itself has been patched for a long time already, so I have decided to release this little exploit. You use it at your own responsibility and I'm not responsible for any potential damage this thing can cause. Finally, I don't care whether it worked for you or not.

P.S. The technique itself is described here:
http://blog.metasploit.com/2009/10/smb2-351-packets-from-trampoline.html

===========================================================================

Download: http://www.exploit-db.com/sploits/smb2_exploit_release.zip
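
Added example, not part of this advisory and not code from Piotr Bania's exploit: a C routine that parses the SMB1 header of a Negotiate Protocol Request on port 445 and flags the trigger condition behind this bug, a non-zero Process ID High field. Legitimate clients send PIDHigh as zero in the Negotiate, and the public proof of concept listed in the references sets it to a non-zero value, which is what srv2.sys then used as an index into a function table. The check is a detection heuristic for an IDS, proxy or packet-capture triage script, not a substitute for the MS09-050 patch. The packet builder, the sample packets, the 0x2600 test value and the Flags/Flags2 bytes are constructed here for the demonstration.

```c
/* Inspect an SMB-over-TCP payload (NetBIOS session header + SMB1 message) and
 * flag a Negotiate Protocol Request whose Process ID High field is non-zero,
 * the MS09-050 trigger condition.  Assumption: well-behaved clients send
 * PIDHigh == 0 in Negotiate, so any other value is worth alerting on. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NBSS_HDR_LEN      4     /* NetBIOS session service header */
#define SMB1_HDR_LEN      32    /* fixed SMB1 header */
#define SMB_COM_NEGOTIATE 0x72
#define SMB_FLAGS_REPLY   0x80

enum smb_verdict {
    SMB_NOT_SMB1 = 0,      /* not an SMB1 message, or truncated */
    SMB_OTHER_COMMAND,     /* SMB1, but not a Negotiate request */
    SMB_NEGOTIATE_OK,      /* Negotiate request with PIDHigh == 0 */
    SMB_NEGOTIATE_SUSPECT  /* Negotiate request with PIDHigh != 0 */
};

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Returns a verdict for one TCP payload; for Negotiate requests the PIDHigh
 * value is also stored in *pid_high (0 otherwise). */
enum smb_verdict inspect_smb_negotiate(const uint8_t *buf, size_t len, uint16_t *pid_high)
{
    if (pid_high) *pid_high = 0;
    if (len < NBSS_HDR_LEN + SMB1_HDR_LEN) return SMB_NOT_SMB1;

    /* NetBIOS session message: type 0x00, then a 24-bit big-endian length */
    if (buf[0] != 0x00) return SMB_NOT_SMB1;
    uint32_t nb_len = ((uint32_t)buf[1] << 16) | ((uint32_t)buf[2] << 8) | buf[3];
    if (nb_len < SMB1_HDR_LEN || nb_len > len - NBSS_HDR_LEN) return SMB_NOT_SMB1;

    const uint8_t *h = buf + NBSS_HDR_LEN;
    if (memcmp(h, "\xffSMB", 4) != 0) return SMB_NOT_SMB1;   /* SMB2 starts with 0xFE 'S' 'M' 'B' */

    if (h[4] != SMB_COM_NEGOTIATE) return SMB_OTHER_COMMAND;  /* Command byte */
    if (h[9] & SMB_FLAGS_REPLY) return SMB_OTHER_COMMAND;     /* a server response, not a request */

    uint16_t ph = rd16le(h + 12);   /* PIDHigh sits at header offset 12, little-endian */
    if (pid_high) *pid_high = ph;
    return ph == 0 ? SMB_NEGOTIATE_OK : SMB_NEGOTIATE_SUSPECT;
}

/* Build a minimal SMB1 Negotiate Protocol Request (constructed sample, not a
 * capture) offering the "NT LM 0.12" dialect, with the given PIDHigh value.
 * Returns the total bytes written, or 0 if the buffer is too small. */
size_t build_negotiate(uint8_t *out, size_t cap, uint16_t pid_high)
{
    static const char dialect[] = "NT LM 0.12";
    const size_t dialect_len = 1 + sizeof(dialect);              /* 0x02 marker + string + NUL */
    const size_t smb_len = SMB1_HDR_LEN + 1 + 2 + dialect_len;   /* header, WordCount, ByteCount, dialects */
    const size_t total = NBSS_HDR_LEN + smb_len;
    if (cap < total) return 0;
    memset(out, 0, total);

    out[0] = 0x00;                                /* session message */
    out[1] = (uint8_t)(smb_len >> 16);
    out[2] = (uint8_t)(smb_len >> 8);
    out[3] = (uint8_t)smb_len;

    uint8_t *h = out + NBSS_HDR_LEN;
    memcpy(h, "\xffSMB", 4);
    h[4]  = SMB_COM_NEGOTIATE;
    h[9]  = 0x18;                                 /* Flags (assumed typical client value) */
    h[10] = 0x53; h[11] = 0xc8;                   /* Flags2 (assumed typical client value) */
    h[12] = (uint8_t)(pid_high & 0xff);           /* PIDHigh, little-endian */
    h[13] = (uint8_t)(pid_high >> 8);
    /* Signature, TID, PIDLow, UID and MID stay zero in this sample */

    uint8_t *body = h + SMB1_HDR_LEN;
    body[0] = 0;                                  /* WordCount */
    body[1] = (uint8_t)(dialect_len & 0xff);      /* ByteCount, little-endian */
    body[2] = (uint8_t)(dialect_len >> 8);
    body[3] = 0x02;                               /* dialect buffer format */
    memcpy(body + 4, dialect, sizeof(dialect));   /* string including its NUL */
    return total;
}

int main(void)
{
    uint8_t pkt[64];
    uint16_t ph;
    size_t n = build_negotiate(pkt, sizeof pkt, 0);
    printf("benign negotiate: verdict %d, PIDHigh 0x%04x\n", inspect_smb_negotiate(pkt, n, &ph), ph);
    n = build_negotiate(pkt, sizeof pkt, 0x2600);   /* non-zero PIDHigh: constructed trigger */
    printf("crafted negotiate: verdict %d, PIDHigh 0x%04x\n", inspect_smb_negotiate(pkt, n, &ph), ph);
    return 0;
}
```

Feed `inspect_smb_negotiate` the TCP payload of each client-to-server segment on port 445; a verdict of SMB_NEGOTIATE_SUSPECT on an unpatched Vista or Server 2008 host is the event to alert on, and on a patched host it is still a sign that someone is probing for this bug.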

References:

http://www.us-cert.gov/cas/techalerts/TA09-286A.html
http://www.kb.cert.org/vuls/id/135940
http://xforce.iss.net/xforce/xfdb/53090
http://www.securitytracker.com/id?1022848
http://www.securityfocus.com/bid/36299
http://www.securityfocus.com/archive/1/archive/1/506327/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/506300/100/0/threaded
http://www.reversemode.com/index.php?option=com_content&task=view&id=64&Itemid=1
http://www.milw0rm.com/exploits/9594
http://www.microsoft.com/technet/security/Bulletin/MS09-050.mspx
http://www.microsoft.com/technet/security/advisory/975497.mspx
http://secunia.com/advisories/36623
http://osvdb.org/57799
http://isc.sans.org/diary.html?storyid=7093
http://g-laurent.blogspot.com/2009/09/windows-vista7-smb20-negotiate-protocol.html
http://blog.48bits.com/?p=510
http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0090.html


Copyright 2024, cxsecurity.com
