Microsoft Windows 7 / Server 2008 R2 SMB Client Infinite Loop
This module exploits a denial of service flaw in the Microsoft Windows SMB client on Windows 7 and Windows Server 2008 R2. To trigger this bug, run this module as a service and forces a vulnerabile client to access the IP of this system as an SMB server. This can be accomplished by embedding a UNC path (\HOST\share\something) into a web page if the target is using Internet Explorer, or a Word document otherwise.
Rank
- Normal
Authors
- Laurent Gaffie < laurent.gaffie [at] gmail.com >
- hdm < hdm [at] metasploit.com >
Vulnerability References
- CVE-2010-0017
- OSVDB-62244
- MSB-MS10-006
- http://g-laurent.blogspot.com/2009/11/windows-7-server-2008r2-remote-kernel.html
Development
Similar Modules
- auxiliary/dos/windows/smb/ms05_047_pnp
- auxiliary/dos/windows/smb/ms06_035_mailslot
- auxiliary/dos/windows/smb/ms06_063_trans
- auxiliary/dos/windows/smb/ms09_001_write
- auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh
- auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff
- auxiliary/dos/windows/smb/ms10_054_queryfs_pool_overflow
- auxiliary/dos/windows/smb/ms11_019_electbowser
- auxiliary/dos/windows/smb/rras_vls_null_deref
- auxiliary/dos/windows/smb/vista_negotiate_stop
Usage Information
$ msfconsole
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop
msf auxiliary(ms10_006_negotiate_response_loop) > run
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop
msf auxiliary(ms10_006_negotiate_response_loop) > run
Module Options
| SRVHOST | The local host to listen on. This must be an address on the local machine or 0.0.0.0 (default: 0.0.0.0) |
| SRVPORT | The SMB port to listen on (default: 445) |
| SSL | Negotiate SSL for incoming connections |
| SSLCert | Path to a custom SSL certificate (default is randomly generated) |
| SSLVersion | Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) (default: SSL3) |
| ListenerComm | The specific communication channel to use for this service |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |
| TCP::max_send_size | Maximum tcp segment size. (0 = disable) |
| TCP::send_delay | Delays inserted before every send. (0 = disable) |