Binary Abstractions » Exploits http://www.binaryabstractions.com Research and Other Diatribes Thu, 04 Nov 2010 22:25:28 +0000 en hourly 1 http://wordpress.org/?v= Windows 7 and Server 2008 R2 SMB DoS http://www.binaryabstractions.com/2009/11/16/windows-7-and-server-2008-r2-smb-dos/ http://www.binaryabstractions.com/2009/11/16/windows-7-and-server-2008-r2-smb-dos/#comments Mon, 16 Nov 2009 13:54:00 +0000 SigmaApex http://www.binaryabstractions.org/2009/11/16/windows-7-and-server-2008-r2-smb-dos/ Last week Laurent Gaffie posted a POC for a Windows 7 (beta through RC) and Windows Server 2008 R2 SMB denial of service.  He provided a POC in a Python payload harness to setup the listener and deliver the SMB packet.

The code works fresh from the box however, pay attention to Python’s preference for tabs:

class SMB2(SocketServer.BaseRequestHandler):
 def handle(self):
   print "Who:", self.client_address
   print "THANKS SDL"
   input = self.request.recv(1024)
   self.request.send(packet)
   self.request.close()

launch = SocketServer.TCPServer(('', 445),SMB2)
launch.serve_forever()

There really is nothing special that is required to make this work.  Executing the Python script will open a socket listening on TCP/445.  When the target attempts to access SMB services on the attacker, the target will hang.

I was not able to produce a BSOD and in some test cases the target was recovered once the SMB session was terminated.  NOTE: any SMB session connection will do, however as Laurent pointed out the ‘dir’ method is the easiest.

Just for grins, I captured the errant packet as it flew across the wire.  This is the encoded back from Laurent’s source in PCAP format decoded in Wireshark.

smb-Win7-DoS capture

Why do we care?  How many organizations or even home users block egress SMB ?  Not many I’m certain.

]]> http://www.binaryabstractions.com/2009/11/16/windows-7-and-server-2008-r2-smb-dos/feed/ 0