SANS Internet Storm Center (ISC) Diary
Windows 7 / Windows Server 2008 Remote SMB Exploit

Mikael wrote us yesterday to tell us about a site claiming to have a zero day for SMB on both Windows 7 and Windows Server 2008 R2. Thanks for the pointer, Mikael. Laurent Gaffié is the original author of this bit of code.

However, on a first try we found that the code didn't run as posted. Nothing major: one required line of code was missing, and there were some formatting issues. Given what this code does, these omissions might have been intentional, to give Microsoft a chance to get a fix in before the code disseminates. With those fixed, the code does in fact work. The sequence to see the exploit is:

1/ On a Linux machine, make sure TCP port 445 is reachable (open it in the host firewall or turn the firewall off), and make sure the target Windows host and the Linux host have connectivity (a quick ping does the trick here).

2/ On that Linux box, run the resulting code: "sudo python". Note that you need root (sudo) because the script binds TCP port 445, a privileged port. We're using a Linux box because port 445 is of course already in use on most Windows hosts.

3/ On the target Windows box, run "net use \\x.x.x.x\share", where x.x.x.x is the IP address of the Linux box. The share name does not matter: the Python script never serves one, and the host locks up before a share is ever accessed.

You'll see that the Windows host is frozen: no mouse, no keyboard, and completely unresponsive on the network as well (expect to power-cycle the test machine). This works on both Windows 7 and Windows Server 2008 R2, with the very latest patches applied; a reader reports in the comments below that Windows Server 2008 SP2, the non-R2 release, is not affected by the published code. As the author states, disabling SMBv2 does not give even temporary protection. Until a fix ships, the practical mitigation is the usual one for client-side SMB bugs: the victim has to initiate the connection to the hostile server, so blocking outbound TCP 445 at the perimeter keeps workstations from reaching rogue SMB servers on the Internet, though it does nothing against an attacker already on the LAN. Here's hoping Microsoft scrambles the troops to get this patched before it's out in the wild.
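As an added example (not the exploit code, and not from the original post or Laurent Gaffié's site), the following Python script shows the other half of step 2: what the Linux box listening on port 445 receives when the Windows host runs net use, namely a NetBIOS session message carrying the client's SMB NEGOTIATE request, and how to decode it. It binds port 445 like the hostile server does but never sends a malformed response, so it is safe to point a client at. The `serve()` and `parse_negotiate()` helpers are mine, the field layouts are the published [MS-CIFS] and [MS-SMB2] ones, and the sample requests and the Windows 7 dialect list are constructed here for an offline test run.

```python
"""Listener that decodes the SMB NEGOTIATE a Windows client sends to port 445.

Added example for this diary; not Laurent Gaffie's exploit and not code from
the original post.  It only parses what "net use" sends first, logs it and
closes the connection; it never answers, so it will not freeze the client.
"""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB1_COM_NEGOTIATE = 0x72
SMB2_NEGOTIATE = 0x0000

# Dialect list a Windows 7 / Server 2008 R2 client typically offers in its
# SMB1 NEGOTIATE; constructed here for the offline test.
WIN7_DIALECTS = ["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "Windows for Workgroups 3.1a",
                 "LM1.2X002", "LANMAN2.1", "NT LM 0.12", "SMB 2.002", "SMB 2.???"]


def netbios(smb):
    """Wrap an SMB message in a NetBIOS session message (type 0, 3-byte big-endian length)."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def build_smb1_negotiate(dialects):
    """Constructed SMB1 NEGOTIATE request: 32-byte header, WordCount 0, dialect strings."""
    hdr = SMB1_MAGIC + struct.pack("<BIBH", SMB1_COM_NEGOTIATE, 0, 0x18, 0xC853)
    hdr += struct.pack("<H8sHHHHH", 0, b"\0" * 8, 0, 0, 0xFEFF, 0, 0)
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return netbios(hdr + struct.pack("<BH", 0, len(data)) + data)


def build_smb2_negotiate(dialect_codes):
    """Constructed SMB2 NEGOTIATE request: 64-byte header, 36-byte body, 2-byte dialect codes."""
    hdr = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, SMB2_NEGOTIATE,
                                   0, 0, 0, 0, 0, 0, 0, b"\0" * 16)
    body = struct.pack("<HHHHI16sQ", 36, len(dialect_codes), 1, 0, 0, b"\0" * 16, 0)
    return netbios(hdr + body + struct.pack("<%dH" % len(dialect_codes), *dialect_codes))


def parse_negotiate(msg):
    """Decode one NetBIOS session message carrying an SMB1 or SMB2 NEGOTIATE.

    Returns the SMB version, the dialects offered and whether the client will
    speak SMB2; raises ValueError on anything else.  The NetBIOS length is
    checked against the bytes actually received: a mismatch there is exactly
    the kind of malformed framing a hostile peer sends.
    """
    if len(msg) < 4 or msg[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(msg[1:4], "big")
    if length != len(msg) - 4:
        raise ValueError("NetBIOS length %d != payload %d" % (length, len(msg) - 4))
    smb = msg[4:]
    if smb[:4] == SMB1_MAGIC:
        if len(smb) < 35:
            raise ValueError("truncated SMB1 header")
        if smb[4] != SMB1_COM_NEGOTIATE:
            raise ValueError("SMB1 command 0x%02x is not NEGOTIATE" % smb[4])
        flags2 = struct.unpack_from("<H", smb, 10)[0]
        word_count = smb[32]                       # parameter words after the header
        byte_count = struct.unpack_from("<H", smb, 33 + 2 * word_count)[0]
        start = 35 + 2 * word_count
        data = smb[start:start + byte_count]
        dialects = [d[1:].decode("ascii", "replace")
                    for d in data.split(b"\x00") if d.startswith(b"\x02")]
        return {"version": 1, "flags2": flags2, "dialects": dialects,
                "offers_smb2": any(d.startswith("SMB 2") for d in dialects)}
    if smb[:4] == SMB2_MAGIC:
        if len(smb) < 64 + 36:
            raise ValueError("truncated SMB2 NEGOTIATE")
        command = struct.unpack_from("<H", smb, 12)[0]
        if command != SMB2_NEGOTIATE:
            raise ValueError("SMB2 command 0x%04x is not NEGOTIATE" % command)
        count = struct.unpack_from("<H", smb, 66)[0]           # DialectCount
        codes = struct.unpack_from("<%dH" % count, smb, 100)   # Dialects[] after the body
        return {"version": 2, "dialects": ["0x%04x" % c for c in codes], "offers_smb2": True}
    raise ValueError("unknown protocol id %r" % smb[:4])


def serve(bind="0.0.0.0", port=445):
    """Accept one client, decode its first message, print the result and close.

    Binding port 445 needs root on Linux, which is why the diary's step 2 uses sudo.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(1)
        conn, peer = srv.accept()
        with conn:
            first = conn.recv(4096)
            try:
                print(peer, parse_negotiate(first))
            except (ValueError, struct.error) as err:
                print(peer, "rejected:", err)


if __name__ == "__main__":
    serve()
```

Run it with sudo on the Linux box, then do the net use from the Windows host: the printed dialect list tells you whether the client offered SMB2, which is the same negotiation the hostile server abuses. A Windows 7 client that has SMBv2 disabled still sends the SMB1 NEGOTIATE shown here, which is consistent with the author's note that disabling SMBv2 does not help.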



Rob VandenBrink

579 Posts
ISC Handler
Nov 12th 2009
The exploit is listed as working on Windows 7 and Windows Server 2008 R2. The R2 is important because that's the server equivalent to Windows 7 (including SMB v2.1 instead of SMB v2). Did you verify that it works against Windows Server 2008 (non-R2 version)? I haven't had the chance to test it myself.

You want to give kudos to this sort of guy?

November 8th, 2009: MSRC contacted
November 8th, 2009: MSRC acknowledged the vuln
November 11th, 2009: MSRC tried to convince me that a multi-vendor IPv6 bug shouldn't appear in a security bulletin.
November 11th, 2009: Win 7 remote kernel smash released

I pulled the word "kudos" out - honestly I spent more time on the code than in reading the text in his blog.
Rob VandenBrink
ISC Handler
I was able to verify that Windows 2008 SP2 was not affected by the posted vulnerability, using the published code.
Thanks for the clarification, BDJ. I'll add "R2" to the post and test on the original Win2k8 tomorrow (as you say, I expect that the original Win2k8 will be fine).
Rob VandenBrink
ISC Handler
Too bad that older versions of Windows are not vulnerable. This exploit would have a great place on a tarpit or system that detects scans and exploit attempts from the Internet. Causing the scanner/infected machine to seize up should help in a) reducing scanning/propagation traffic and b) perhaps cause the user of the infected machine to investigate and clean the system. :)
