
0-day SMB remote exploit in Windows 7 and Windows Server 2008 R2

November 13th, 2009 Posted in Uncategorized

There is a new 0-day remote exploit available for Windows 7 and Windows Server 2008 R2.
On the server side it only affects the R2 release of Windows Server, but it works even with all the latest patches applied.

Triggering the vulnerability crashes the system. This is done by sending a NetBIOS header whose length field declares the SMB packet to be 1, 2 or 4 bytes larger or smaller than it actually is.

When the system crashes there is no BSOD; the system simply freezes. And there are no traces in the event logs (after reboot).

When the system receives the packet, it goes into an infinite loop.

The crash itself happens in KeAccumulateTicks() due to an NT_ASSERT()/DbgRaiseAssertionFailure(), which is triggered by the infinite loop.
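The malformation described above is a disagreement between the 4-byte NetBIOS session header and the SMB payload that follows it. As an added example (not code from the post or the PoC it links), here is a small Python check a defender could run over reassembled port-445 frames to flag any session message whose declared length does not match the bytes actually carried; the sample frames are constructed inline and never touch a network.

```python
# SMB header magic: 0xFF 'S' 'M' 'B' for SMBv1, 0xFE 'S' 'M' 'B' for SMBv2.
SMB_MAGICS = (b"\xffSMB", b"\xfeSMB")


def parse_nbss(frame: bytes):
    """Split a direct-TCP (port 445) frame into its NetBIOS session header fields.

    The header is 4 bytes: one message-type byte (0x00 = session message)
    followed by a 24-bit big-endian payload length. Assumes `frame` is one
    complete frame as delivered by TCP stream reassembly.
    Returns (msg_type, declared_len, payload).
    """
    if len(frame) < 4:
        raise ValueError("frame shorter than NetBIOS session header")
    msg_type = frame[0]
    declared_len = int.from_bytes(frame[1:4], "big")
    return msg_type, declared_len, frame[4:]


def nbss_length_delta(frame: bytes) -> int:
    """Return declared_len minus the actual payload length (0 for a consistent frame)."""
    _, declared_len, payload = parse_nbss(frame)
    return declared_len - len(payload)


def is_suspicious(frame: bytes) -> bool:
    """Flag a session message carrying SMB whose declared length disagrees with
    the payload. The post describes a declared length 1, 2 or 4 bytes off;
    any nonzero delta is worth alerting on, so the check is not limited to those."""
    msg_type, _, payload = parse_nbss(frame)
    if msg_type != 0x00 or not payload.startswith(SMB_MAGICS):
        return False  # keep-alive or non-SMB traffic: out of scope for this check
    return nbss_length_delta(frame) != 0


def frame_for_test(payload: bytes, delta: int = 0) -> bytes:
    """Constructed fixture: wrap `payload` in a session header whose length
    field is off by `delta` bytes, so the detector can be exercised offline."""
    return bytes([0x00]) + (len(payload) + delta).to_bytes(3, "big") + payload


# Constructed sample payload: SMBv1 magic, one command byte, 27 filler bytes.
SAMPLE_SMB = b"\xffSMB" + b"\x72" + b"\x00" * 27

if __name__ == "__main__":
    for d in (0, 1, -1, 2, -2, 4, -4):
        f = frame_for_test(SAMPLE_SMB, d)
        print(f"delta={d:+d} suspicious={is_suspicious(f)}")
```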

The vulnerability could possibly be exploited through IE.

And the proof of concept works by:

1. Running the Python code on a *nix box and ensuring port 445 is open.
2. Connecting through SMB to the *nix box.

Read more:
http://isc.sans.org/diary.html?storyid=7573
http://blog.trendmicro.com/new-smb-zero-day-exploit/
http://praetorianprefect.com/archives/2009/11/how-to-crash-windows-7-and-server-2008/
http://g-laurent.blogspot.com/2009/11/windows-7-server-2008r2-remote-kernel.html
