Home
Latest images
Search
Register
Log inWindows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D. Exploit
Page 1 of 1
Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D. Exploit
andry Fri Oct 29, 2010 7:14 am
An attacker can remotly crash any Vista/Windows 7 machine with SMB enable
BACKGROUND
-------------------------
Windows vista and newer Windows comes with a new SMB version named SMB2.
See: http://en.wikipedia.org/wiki/Windows_Vista_networking_technologies#Server_Message_Block_2.0
for more details.
DESCRIPTION
-------------------------
SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST functionnality.
The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client send to a SMB server, and it's used to identify the SMB dialect that will be used for futher communication.
PROOF OF CONCEPT
Update:
Added to Metasploit thx HD Moore
Check also: Regarding Microsoft srv2.sys SMB2.0 NEGOTIATE BSOD
This vulnerability is not only a BSOD flaw. It allows remote code
execution. The execution of code is far from being reliable though (at
the momment).
The flaw is a out-of-bounds indexing. We can fully control the 16 bit
value used as index within the function table.
BACKGROUND
-------------------------
Windows vista and newer Windows comes with a new SMB version named SMB2.
See: http://en.wikipedia.org/wiki/Windows_Vista_networking_technologies#Server_Message_Block_2.0
for more details.
DESCRIPTION
-------------------------
SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST functionnality.
The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client send to a SMB server, and it's used to identify the SMB dialect that will be used for futher communication.
PROOF OF CONCEPT
Update:
Added to Metasploit thx HD Moore
Check also: Regarding Microsoft srv2.sys SMB2.0 NEGOTIATE BSOD
This vulnerability is not only a BSOD flaw. It allows remote code
execution. The execution of code is far from being reliable though (at
the momment).
The flaw is a out-of-bounds indexing. We can fully control the 16 bit
value used as index within the function table.
andry- Moderator
- Posts : 467
Join date : 2010-05-07
Similar topics» Crack Windows XP And Vista Passwords In a few Seconds
» Edit the Windows Vista Boot Menu Options - BCDEDIT
» Safari for Windows 3.2.1 Remote http: URI handler DoS
» Windows 7 / Server 2008R2 Remote Kernel Crash
» Windows live Messenger malformed file overflow DoS remote exploitation.
» Edit the Windows Vista Boot Menu Options - BCDEDIT
» Safari for Windows 3.2.1 Remote http: URI handler DoS
» Windows 7 / Server 2008R2 Remote Kernel Crash
» Windows live Messenger malformed file overflow DoS remote exploitation.
Page 1 of 1
Permissions in this forum:
You cannot reply to topics in this forum|
|
|