Last week Laurent Gaffie posted a POC for a Windows 7 (beta through RC) and Windows Server 2008 R2 SMB denial of service. He provided the POC as a Python payload harness that sets up the listener and delivers the SMB packet.
The code works fresh out of the box; however, pay attention to Python's indentation sensitivity (the original uses tabs):

    import SocketServer

    # 'packet' is the crafted SMB negotiate response from Laurent's original source;
    # it is not reproduced here and must be defined before this handler is used.

    class SMB2(SocketServer.BaseRequestHandler):
        def handle(self):
            print "Who:", self.client_address
            print "THANKS SDL"
            # Read the client's SMB negotiate request, then answer with the packet.
            input = self.request.recv(1024)
            self.request.send(packet)
            self.request.close()

    # Listen on all interfaces, TCP/445 (requires privileges to bind a low port).
    launch = SocketServer.TCPServer(('', 445), SMB2)
    launch.serve_forever()
There really is nothing special that is required to make this work. Executing the Python script will open a socket listening on TCP/445. When the target attempts to access SMB services on the attacker, the target will hang.
I was not able to produce a BSOD, and in some test cases the target recovered once the SMB session was terminated. NOTE: any SMB session connection will do; however, as Laurent pointed out, the 'dir' method is the easiest.
Just for grins, I captured the errant packet as it flew across the wire. This is the packet re-encoded from Laurent's source, captured in PCAP format and decoded in Wireshark.
Why do we care? How many organizations or even home users block egress SMB? Not many, I'm certain.
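Since the trigger is the victim connecting out to a hostile SMB server, the defensive question is whether egress SMB from your hosts ever shows up in your logs. The following is an added example (not code from the original post or from Laurent's source) that scans constructed connection-log lines for TCP/445 and TCP/139 sessions leaving RFC 1918 space; the log format, the sample lines and the RFC 5737 documentation addresses used as external destinations are all assumptions.

```python
import ipaddress
import re

# Constructed sample connection log (not real traffic).
# Assumed format: "<time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_LOG = """\
2009-09-14T10:01:02 10.0.0.15:49152 -> 10.0.0.20:445 tcp
2009-09-14T10:01:05 10.0.0.15:49153 -> 203.0.113.7:445 tcp
2009-09-14T10:01:09 10.0.0.22:49200 -> 203.0.113.7:80 tcp
2009-09-14T10:01:11 10.0.0.31:49300 -> 198.51.100.9:139 tcp
2009-09-14T10:01:15 10.0.0.31:49301 -> 192.168.5.5:445 tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

# SMB over TCP (445) and NetBIOS session service (139), which also carries SMB.
SMB_PORTS = {445, 139}

# Address space treated as "inside" the perimeter: RFC 1918, loopback, link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def egress_smb_events(log_text):
    """Return (timestamp, src, dst, dport) for TCP sessions from an internal
    host to an external destination on an SMB port. Internal-to-internal SMB
    is ordinary file sharing and is deliberately not reported."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("proto") != "tcp":
            continue  # malformed line or non-TCP record
        dport = int(m.group("dport"))
        if dport not in SMB_PORTS:
            continue
        src = ipaddress.ip_address(m.group("src"))
        dst = ipaddress.ip_address(m.group("dst"))
        if is_internal(src) and not is_internal(dst):
            events.append((m.group("ts"), str(src), str(dst), dport))
    return events


if __name__ == "__main__":
    for ts, src, dst, dport in egress_smb_events(SAMPLE_LOG):
        print("egress SMB: %s %s -> %s:%d" % (ts, src, dst, dport))
```

A non-empty result on real logs means a host reached an outside SMB server, which is exactly the path this POC relies on and which a perimeter egress rule for TCP/445 and TCP/139 would close.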