This bug was discovered back in december 2009, and patched by microsoft in April 2010.
This issue is a basic stack overflow affecting only windows 7/2008R2 smb1 implementation.
It's actually a nice bug as the affected function is not protected by a canary, and allow us to redirect the flow anywhere we want to.
You can find the full advisory about this bug here : http://seclists.org/fulldisclosure/2010/Apr/201
Have phun !
PoC url : http://pastebin.com/h3jSyJTN
Saturday, April 17, 2010
Thursday, April 15, 2010
Turning SMB client bug to server side
This blog post is about a technic to automate with no user interaction at all SMB client side bug exploitation targeting the Domain Master Browser (DMB) or PDC (only the PDC can be a DMB)which is basicaly the perfect target in a pentest. Targeting the DMB is perfect, simply because if you control that box, you'll control all computer joined to this box tree.
Since the SRD is once again downplaying SMB client side bug i think it's important to share this kind of tricks.
It's also important to mention that Browser and NBNS abusing is well known since a long time, as theses protocols wasn't developed with security in mind, this blog post is a simple real case example.
There's two way to automate SMB client side bug;
The basic goal of this attack is to hijack the Local Master Browser (LMB), and there's various way to do so;
Simple, the Backup browser will sync via SMB (NetServerEnum2) on the LMB every 15 mn.
We don't care that much about the Backup Browser, what we want it's the DMB, and guess what, he's also syncing on the LMB as soon you send him a Browser MasterAnnouncement :]
In this case, i will wait for a HostAnnouncement, a LocalMasterAnnouncement or an ElectionResquest, then I will send two LMB ResetBrowserState;
- one Reset_state clear_all
- one Reset_state stop_master
Which will directly kill the LMB (at least on Windows implementation).
Then you can launch an election that you're sure to win (as mentionned before),
make a Local Master Browser Announcement, and finally a MasterAnnouncement, then the DMB will connect direclty to your fake server and get pwned (or not).
Here's a quickly made proof of concept which work pretty well , it also have a NBNS spoofer just in case an admin try to access a share:]
I included a proof of concept for a previously discovered bug patched in february (MS10-006), you can find the full advisory here: http://seclists.org/fulldisclosure/2010/Feb/168
Note: Make sure your SMB server/exploit listen on 139 and 445, and can handle NBSS session request, if not, you wont get any candy.
Since Blogger is not python friendly: http://pastebin.com/YBtzs9yr
A bug like MS10-006 can be easily wormable if exploited with this kind of approach.
Since the SRD is once again downplaying SMB client side bug i think it's important to share this kind of tricks.
It's also important to mention that Browser and NBNS abusing is well known since a long time, as theses protocols wasn't developed with security in mind, this blog post is a simple real case example.
There's two way to automate SMB client side bug;
- NBNS Spoofing (require some "kind" of user interaction in some way, anyways in a corporate network it works pretty well)
- Browser Protocol Abusing (the funny one)
The basic goal of this attack is to hijack the Local Master Browser (LMB), and there's various way to do so;
- Register via NBNS on the Workgroup or domain, and launch an election (zero filled election packet), the winning criteria is first the browser version, and then the box capabilities, which is controlled by us.
- Create a NBNS name/ip conflict with the LMB and after 3 shot send a "Name Overwrite Demand" packet
- Reset the LMB
Simple, the Backup browser will sync via SMB (NetServerEnum2) on the LMB every 15 mn.
We don't care that much about the Backup Browser, what we want it's the DMB, and guess what, he's also syncing on the LMB as soon you send him a Browser MasterAnnouncement :]
In this case, i will wait for a HostAnnouncement, a LocalMasterAnnouncement or an ElectionResquest, then I will send two LMB ResetBrowserState;
- one Reset_state clear_all
- one Reset_state stop_master
Which will directly kill the LMB (at least on Windows implementation).
Then you can launch an election that you're sure to win (as mentionned before),
make a Local Master Browser Announcement, and finally a MasterAnnouncement, then the DMB will connect direclty to your fake server and get pwned (or not).
Here's a quickly made proof of concept which work pretty well , it also have a NBNS spoofer just in case an admin try to access a share:]
I included a proof of concept for a previously discovered bug patched in february (MS10-006), you can find the full advisory here: http://seclists.org/fulldisclosure/2010/Feb/168
Note: Make sure your SMB server/exploit listen on 139 and 445, and can handle NBSS session request, if not, you wont get any candy.
Since Blogger is not python friendly: http://pastebin.com/YBtzs9yr
A bug like MS10-006 can be easily wormable if exploited with this kind of approach.
Subscribe to:
Posts (Atom)