Microsoft Windows Browser Pool DoS

This module exploits a denial of service flaw in the Microsoft Windows SMB service on versions of Windows Server 2003 that have been configured as a domain controller. By sending a specially crafted election request, an attacker can cause a pool overflow. The vulnerability appears to be due to an error handling a length value while calculating the amount of memory to copy to a buffer. When there are zero bytes left in the buffer, the length value is improperly decremented and an integer underflow occurs. The resulting value is used in several calculations and is then passed as the length value to an inline memcpy operation. Unfortunately, the length value appears to be fixed at -2 (0xfffffffe) and causes considerable damage to kernel heap memory. While theoretically possible, it does not appear to be trivial to turn this vulnerability into remote (or even local) code execution.

Search Other Modules

Rank

• Manual

Authors

• Cupidon-3005 < >
• jduck < jduck [at] metasploit.com >

Vulnerability References

• CVE-2011-0654
• BID-46360
• OSVDB-70881
• MSB-MS11-019
• EDB-16166
• http://seclists.org/fulldisclosure/2011/Feb/285

Development

• Source Code
• History

Similar Modules

• auxiliary/dos/windows/smb/ms05_047_pnp
• auxiliary/dos/windows/smb/ms06_035_mailslot
• auxiliary/dos/windows/smb/ms06_063_trans
• auxiliary/dos/windows/smb/ms09_001_write
• auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh
• auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff
• auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop
• auxiliary/dos/windows/smb/ms10_054_queryfs_pool_overflow
• auxiliary/dos/windows/smb/rras_vls_null_deref
• auxiliary/dos/windows/smb/vista_negotiate_stop

Usage Information

Module Options