Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference (MS09-050)

2010-08-19 / 2010-08-20
Credit: Piotr Bania
Risk: High
Local: No
Remote: Yes
CWE: CWE-399

CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference --------------------------------------------------------------------- Exploited by Piotr Bania // Exploit for Vista SP2/SP1 only, should be reliable! Tested on: Vista sp2 (6.0.6002.18005) Vista sp1 ultimate (6.0.6001.18000) Kudos for: Stephen, HDM, Laurent Gaffie(bug) and all the mates i know, peace. Special kudos for prdelka for testing this shit and all the hosters. Sample usage ------------ > smb2_exploit.exe 45 0 > telnet 28876 Microsoft Windows [Version 6.0.6001] Copyright (c) 2006 Microsoft Corporation. All rights reserved. C:\Windows\system32>whoami whoami nt authority\system C:\Windows\system32> When all is done it should spawn a port TARGET_IP:28876 RELEASE UPDATE 08/2010: ---------------------- This exploit was created almost a year ago and wasnt modified from that time whatsoever. The vulnerability itself is patched for a long time already so i have decided to release this little exploit. You use it for your own responsibility and im not responsible for any potential damage this thing can cause. Finally i don't care whether it worked for you or not. P.S the technique itself is described here: =========================================================================== Download:


Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024,


Back to Top