首页
社区
课程
招聘
[转帖]Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference (MS09-050)
发表于: 2010-8-18 06:05 3545

[转帖]Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference (MS09-050)

2010-8-18 06:05
3545
Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference  

---------------------------------------------------------------------  

   

Exploited by Piotr Bania // www.piotrbania.com  

Exploit for Vista SP2/SP1 only, should be reliable!  

   

Tested on:  

Vista sp2 (6.0.6002.18005)  

Vista sp1 ultimate (6.0.6001.18000)  

   

Kudos for:  

Stephen, HDM, Laurent Gaffie(bug) and all the mates i know, peace.  

Special kudos for prdelka for testing this shit and all the hosters.  

   

   

Sample usage  

------------  

   

> smb2_exploit.exe 192.167.0.5 45 0  

> telnet 192.167.0.5 28876  

   

Microsoft Windows [Version 6.0.6001]  

Copyright (c) 2006 Microsoft Corporation.  All rights reserved.  

   

C:\Windows\system32>whoami  

whoami  

nt authority\system  

C:\Windows\system32>  

   

When all is done it should spawn a port TARGET_IP:28876  

   

   

RELEASE UPDATE 08/2010:  

----------------------  

This exploit was created almost a year ago and wasnt modified from that time  

whatsoever. The vulnerability itself is patched for a long time already so  

i have decided to release this little exploit. You use it for your own  

responsibility and im not responsible for any potential damage this thing  

can cause. Finally i don't care whether it worked for you or not.  

   

P.S the technique itself is described here:  

http://blog.metasploit.com/2009/10/smb2-351-packets-from-trampoline.html  

   

===========================================================================  

Download:  

http://www.exploit-db.com/sploits/smb2_exploit_release.zip

[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

收藏
免费 0
支持
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回
//