Close Panel

20

Aug

2010

Remote SMB Exploit for Vista SP1/SP2

By IPSECS Admin. Posted in Exploitation, News | No Comments »

It has been while story about SMB version 2 vulnerability since this post. Finally public exploit to take over control windows vista SP1 and SP2 are out! You can catch the exploit at exploit-db.

Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
---------------------------------------------------------------------

Exploited by Piotr Bania // www.piotrbania.com
Exploit for Vista SP2/SP1 only, should be reliable!

Tested on:
Vista sp2 (6.0.6002.18005)
Vista sp1 ultimate (6.0.6001.18000)

Kudos for:
Stephen, HDM, Laurent Gaffie(bug) and all the mates i know, peace.
Special kudos for prdelka for testing this shit and all the hosters.

Sample usage
------------

> smb2_exploit.exe 192.167.0.5 45 0
> telnet 192.167.0.5 28876

Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>

When all is done it should spawn a port TARGET_IP:28876

RELEASE UPDATE 08/2010:
----------------------
This exploit was created almost a year ago and wasnt modified from that time
whatsoever. The vulnerability itself is patched for a long time already so
i have decided to release this little exploit. You use it for your own
responsibility and im not responsible for any potential damage this thing
can cause. Finally i don't care whether it worked for you or not.

P.S the technique itself is described here:

http://blog.metasploit.com/2009/10/smb2-351-packets-from-trampoline.html

===========================================================================
Download:

http://www.exploit-db.com/sploits/smb2_exploit_release.zip

For your information, two days later at 19th August 2010, Kingcope released root exploit for FreeBSD 8.x and 7.x by poisoning mbufs() function. You may download Kingcope’s exploit here. Now happy exploiting while waiting “SAHUR” guys!

 

An independent security consultant publicized this week the details to a critical flaw in the server message block version 2 (SMB2) component of Microsoft’s Windows Vista, Windows Server 2008, and the release candidate for Windows 7.

The researcher, Laurent Gaffié, claimed in his advisory that the vulnerability causes a Blue Screen of Death, a pernicious crash on Windows system, but other researchers have subsequently concluded that the flaw is actually remotely exploitable, a more serious issue.

Microsoft acknowledged the flaw on Tuesday in an advisory. The flaw does not affect the latest version of Windows 7, Windows Server 2008 R2, nor Windows XP, the company stated. Microsoft took the researcher to task for disclosing the information before it fixed the security issue.

Yet, Gaffié argued that the disclosure was fair. The software company should have done more software quality assurance (SQA) on the networking components, he said in an e-mail interview with SecurityFocus. If they did, they would have easily found the issue — it took his fuzzer only 15 packets to crash the component, he said.

“So I personally think the one who has been irresponsible is Microsoft for shipping this driver on any Server 2008, Vista, and Windows 7 (system) without doing any SQA and security review,” he responded.

Gaffié said he notified the company, but had a typo in the e-mail address.

The flaw was disclosed on Monday, the day before Microsoft’s regularly scheduled patch day. The software giant issued five patches for eight vulnerabilities, including three flaws in the company’s TCP/IP networking stack. Other flaws affected Windows’ Javascript engine and its Windows Media components.

While Microsoft has not released a fix for the issue, the software giant recommended that administrators disable SMB version 2 or block the specific TCP ports (139 and 445) used by the file-sharing feature.

Source : http://www.securityfocus.com/brief/1009