首页
社区
课程
招聘
[转帖]Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference (MS09-050)
发表于: 2010-8-19 03:56 4634

[转帖]Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference (MS09-050)

2010-8-19 03:56
4634
Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference  

---------------------------------------------------------------------  

   

Exploited by Piotr Bania // www.piotrbania.com  

Exploit for Vista SP2/SP1 only, should be reliable!  

   

Tested on:  

Vista sp2 (6.0.6002.18005)  

Vista sp1 ultimate (6.0.6001.18000)  

   

Kudos for:  

Stephen, HDM, Laurent Gaffie(bug) and all the mates i know, peace.  

Special kudos for prdelka for testing this shit and all the hosters.  

   

   

Sample usage  

------------  

   

> smb2_exploit.exe 192.167.0.5 45 0  

> telnet 192.167.0.5 28876  

   

Microsoft Windows [Version 6.0.6001]  

Copyright (c) 2006 Microsoft Corporation.  All rights reserved.  

   

C:\Windows\system32>whoami  

whoami  

nt authority\system  

C:\Windows\system32>  

   

When all is done it should spawn a port TARGET_IP:28876  

   

   

RELEASE UPDATE 08/2010:  

----------------------  

This exploit was created almost a year ago and wasnt modified from that time  

whatsoever. The vulnerability itself is patched for a long time already so  

i have decided to release this little exploit. You use it for your own  

responsibility and im not responsible for any potential damage this thing  

can cause. Finally i don't care whether it worked for you or not.  

   

P.S the technique itself is described here:  

http://blog.metasploit.com/2009/10/smb2-351-packets-from-trampoline.html  

   

===========================================================================

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

上传的附件:
收藏
免费 0
支持
分享
最新回复 (1)
雪    币: 200
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
2
强大,拜谢中:)
2011-5-31 08:18
0
游客
登录 | 注册 方可回帖
返回
//