Windows SMB2 client side crash exploit

=== EDIT - this exploit appears to be exactly the same as one which was already found, fixed and reported by Laurent Gaffié. I did not know this, but his blog post can be found here. Thanks to the guy who anonymously commented to notify us about this. ===

While coding my SMB server to further expose cool tricks with MySQL injections I ran into a very nice bug in the SMB2 protocol which can make the box on the other side crash instantly while it is trying to connect to you.

Here is an overview of how the exploit takes place:

Victim:
Negotiate Protocol Request, hoping to get a Negotiate Protocol Response back.

You:
NetBIOS session service packet with the message type set to "session message" (0x00) and the length field set to 0x000001 (meaning the rest of the packet should be 1 byte).

You:
Close the connection (FIN, ACK).

Victim:
ACKs back and crashes.

The exploit code can be found here.
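The exchange above comes down to a transport header that announces a 1-byte SMB message where at least a 64-byte SMB2 header is expected. As an added example (not code from the original post), here is a check that a client or a network sensor can run on the reply before handing it to an SMB2 parser: it reads the 4-byte NetBIOS session service header (1-byte message type, 3-byte big-endian length) and rejects frames whose declared length cannot hold an SMB2 header, frames that arrive shorter than declared, and frames whose payload does not start with the SMB2 protocol id. The sample frames are constructed here, not captured from the post.

```python
import struct

# NetBIOS Session Service / direct-TCP transport header: 1-byte message type
# followed by a 3-byte big-endian length of the SMB payload that follows.
NBSS_HEADER_LEN = 4
NBSS_SESSION_MESSAGE = 0x00
SMB2_PROTOCOL_ID = b"\xfeSMB"   # first four bytes of every SMB2 header
SMB2_HEADER_LEN = 64            # fixed SMB2 header size


def parse_nbss_header(data: bytes):
    """Return (message_type, declared_length) from the first four bytes."""
    if len(data) < NBSS_HEADER_LEN:
        raise ValueError("fewer than 4 bytes: no transport header")
    return data[0], int.from_bytes(data[1:4], "big")


def check_smb2_response(data: bytes) -> str:
    """Classify one transport frame received in reply to a Negotiate request.

    Returns "ok" when the frame can at least carry a full SMB2 header,
    otherwise a short reason why a client (or a sensor) should reject it.
    """
    msg_type, declared = parse_nbss_header(data)
    if msg_type != NBSS_SESSION_MESSAGE:
        return f"unexpected transport message type 0x{msg_type:02x}"
    if declared < SMB2_HEADER_LEN:
        # The case from the post: length 0x000001 announces a 1-byte SMB
        # message, far too short for the 64-byte SMB2 header.
        return (f"declared length {declared} is shorter than an SMB2 header "
                f"({SMB2_HEADER_LEN} bytes)")
    payload = data[NBSS_HEADER_LEN:NBSS_HEADER_LEN + declared]
    if len(payload) < declared:
        return f"truncated frame: declared {declared} bytes, received {len(payload)}"
    if payload[:4] != SMB2_PROTOCOL_ID:
        return "payload does not start with the SMB2 protocol id"
    return "ok"


def nbss_frame(payload: bytes) -> bytes:
    """Prefix a payload with a well-formed session-message header (used for samples)."""
    return bytes([NBSS_SESSION_MESSAGE]) + len(payload).to_bytes(3, "big") + payload


# Constructed samples, not captures from the post:
# 1. the malformed reply the post describes: type 0x00, length 0x000001, one body byte
CRAFTED_RESPONSE = b"\x00\x00\x00\x01\x00"
# 2. a minimal well-formed frame: 64-byte SMB2 header (StructureSize 64) followed
#    by the 2-byte StructureSize (65) that opens a Negotiate response body
GOOD_RESPONSE = nbss_frame(
    SMB2_PROTOCOL_ID + struct.pack("<H", SMB2_HEADER_LEN) + bytes(58) + struct.pack("<H", 65)
)
# 3. header announces 80 bytes but only the protocol id arrives
TRUNCATED_RESPONSE = b"\x00\x00\x00\x50" + SMB2_PROTOCOL_ID

if __name__ == "__main__":
    samples = [("crafted", CRAFTED_RESPONSE), ("good", GOOD_RESPONSE),
               ("truncated", TRUNCATED_RESPONSE)]
    for name, frame in samples:
        print(f"{name:9s} -> {check_smb2_response(frame)}")
```

The length check is deliberately done before any SMB2 field is read: a parser that trusts the declared length and starts waiting for, or reading, the "missing" bytes is exactly the kind of code that hangs on this frame. Rejecting the frame and closing the connection is the safe response.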

I tried this on a Windows 7 build 7600 box, but when I later tried it against a friend's fully updated Windows 7 machine it unfortunately didn't work.

Windows Vista and Windows Server 2008 are untested since I don't have any of those here, but I suppose they are vulnerable too.

Still, I think it's a cool trick to have in your pocket, and I suppose it was patched some updates ago (or his firewall blocked me and it still works).

You may have noticed I was talking about SMB, MySQL injections and cool tricks; well, the way I found it was like this:

I have XAMPP running on the Windows 7 box and coded a tiny vulnerable PHP/MySQL program which allows me to do MySQL injections. As told in an earlier post, I am working on remote ways of exploiting the SMB client with which MySQL will try to connect to your box, and on ways of speeding up blind SQL injections and black box injections. The way I found this exploit was like this:
http://server/index.php?id=1 AND load_file("\\\\homebrew_smb_server\\filename")
The server will then try to connect over SMB to my home brew SMB server and die if you have the exploit running on that box.
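The request above leaves a clear trace in the web server's access log: a query parameter carrying load_file() with a UNC path. As an added example (not code from the original post), here is a small scanner for Apache/XAMPP-style access log lines that decodes each query string, checks every parameter for load_file() pointed at a UNC path, and reports the line, the client address and the parameter names. Besides the double-backslash form on the page it also matches the forward-slash spelling, so that a simple rewrite of the path does not escape the rule. The log lines are constructed for this example; the client addresses and the 203.0.113.7 host are placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# load_file( , optional quote, then a UNC prefix: two backslashes or two
# forward slashes. Local paths such as '/etc/passwd' are deliberately not matched.
LOAD_FILE_UNC = re.compile(r'''load_file\s*\(\s*['"]?\s*(\\\\|//)''', re.IGNORECASE)

# Minimal combined-log pattern: client, identity, user, [time], "METHOD URI PROTO", status
ACCESS_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def suspicious_params(request_uri: str):
    """Names of query parameters whose decoded value calls load_file() on a UNC path."""
    query = urlsplit(request_uri).query
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if LOAD_FILE_UNC.search(value)]


def scan_access_log(lines):
    """Return (line_number, client, [param names]) for every line that matches."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = ACCESS_LINE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        client, _method, uri, _status = m.groups()
        params = suspicious_params(uri)
        if params:
            hits.append((lineno, client, params))
    return hits


# Constructed sample log (clients and hosts are placeholders). Browsers and
# tools percent-encode the request, so the payload appears encoded here.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2010:12:00:00 +0100] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2010:12:00:01 +0100] "GET /index.php?id=1%20AND%20load_file('
    '%22%5C%5C%5C%5Chomebrew_smb_server%5Cfilename%22) HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2010:12:00:02 +0100] "GET /index.php?id=1%20AND%20load_file('
    '%27//203.0.113.7/share/x%27) HTTP/1.1" 500 0 "-" "curl/7.19"',
    '10.0.0.3 - - [01/Jan/2010:12:00:03 +0100] "GET /index.php?id=1%20AND%20load_file('
    '%27/etc/passwd%27) HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    for lineno, client, params in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: {client} sent load_file() with a UNC path in {params}")
```

Only lines 2 and 3 are reported: the fourth line uses load_file() on a local path, which is a different finding. On the database side the same class of request is stopped outright by running mysqld with FILE privileges withheld from the web application's account, which is the fix the log rule only detects.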

There will be more posts from me on this out-of-band MySQL injection exploitation subject, and a program which has already proven for me to be a much faster way of exploiting MySQL injections in general will be published soon on this blog.

Hello, I am Jelmer, born in 1991, and I live in Holland. I met Fredrik and Mathias through the internet. You can contact me via email at jelmerdehen [ at ] hotmail [d0t] com, or you can chat with me on IRC.

7 Comments

  1. Tweets that mention New Post: Windows SMB2 client side crash exploit ( ): While coding my SMB server to... -- Topsy.com says:

    [...] This post was mentioned on Twitter by AckAck. AckAck said: New Post: Windows SMB2 client side crash exploit ( http://cli.gs/gYWMP ): While coding my SMB server to... [...]

  2. Choosing Ideal Hosting Solution For Your Business | Host Rage says:

    [...] Windows SMB2 client side crash exploit [...]

  3. lol says:

    This bug is EXACTLY the same as this one ....
    http://g-laurent.blogspot.com/2009/11/windows-7-server-2008r2-remote-kernel.html

    Kernel goes in infinite loop because it is expecting bytes ...
    This has been patched in April patch tuesday and it's under CVE-2009-3676.
    From MS10-020:
    "A denial of service vulnerability exists in the way that the Microsoft Server Message Block (SMB) client implementation handles specially crafted SMB responses. An attempt to exploit the vulnerability would not require authentication, allowing an attacker to exploit the vulnerability by sending a specially crafted SMB response to a client-initiated SMB request. An attacker who successfully exploited this vulnerability could cause the computer to stop responding until restarted."

    Regards,

  4. Jelmer de Hen says:

    I suppose it's time to update my Windows 7 :/ Thanks anyway, because I actually found this exploit without any idea that it was published. I thought it was a pretty cool way to make a machine crash and I fuzzed around with it for quite a few hours till I tracked down where it came from. As noted, I was making an SMB server; I got that thing finished now and I will release a PoC of a cool way to do MySQL injections this evening; got half of that post ready already. Anyway, I changed the post to let full credit flow to Laurent's post.

  5. veterinary technician says:

    I’ve recently started a blog, the information you provide on this site has helped me tremendously. Thank you for all of your time & work.

  6. My Lego Mario Creations Part 3 | Hot Legos says:

    [...] Windows SMB2 client side crash exploit [...]

  7. Robin Ginolfi says:

    Superb write-up, well written I have to admit.
