Testing Windows 7 SMB 2.0 BSOD Exploit!
Friend and colleague Cedric told me about an exploit uncovered a week or so back (read about it here) that allows remote users on a network to blue screen a machine running Vista, Windows 7 or Server 2008.
This is because these OS versions run SMB 2.0 and are susceptible to a malformed packet that causes a PAGE_FAULT_IN_NONPAGED_AREA blue screen of death.
Apparently this is fixed in Windows 7 build 7100, at least with the update I'm currently running.
First, Cedric found a working Python install on the lab unix cluster, so the script was edited to include my IP address and run from there.
At first it was thought that perhaps SMB was blocked from the lab to the user network, but it works fine, as you can see with these packets:
Ping from unix cluster in lab:
757 2009-09-15 10:46:30.618160 UNIX(IP-Removed) Win7(IP-Removed) ICMP Echo (ping) request
Here are a couple of microsoft-ds packets coming in from the Python script on the unix cluster:
49 2009-09-15 10:45:56.127200 UNIX(IP-Removed) Win7(IP-Removed) TCP 49065 > microsoft-ds [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0
71 2009-09-15 10:45:59.504096 UNIX(IP-Removed) Win7(IP-Removed) TCP 49065 > microsoft-ds [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0
And a reset from my machine:
85 2009-09-15 10:46:04.018977 UNIX(IP-Removed) Win7(IP-Removed) TCP 49065 > microsoft-ds [RST] Seq=1 Win=49640 Len=0
So it would appear the exploit is fixed in the evaluation build, 7100, of Windows 7. No BSOD.
Interesting experiment! Would be nice to get this working on a Vista machine. There's a laptop around here running it, I should find it and try.
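As an added example (not the post's script, and unrelated to triggering the crash), here is a small Python check that reads Wireshark-style packet-list lines like the ones above and answers the same question the post answers by eye: did SYNs to microsoft-ds actually reach the capturing host, and was the flow ever completed or reset? The sample lines are the ones quoted in the post; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the summary lines quoted in the post (Wireshark packet-list style).
SAMPLE_CAPTURE = """\
757 2009-09-15 10:46:30.618160 UNIX(IP-Removed) Win7(IP-Removed) ICMP Echo (ping) request
49 2009-09-15 10:45:56.127200 UNIX(IP-Removed) Win7(IP-Removed) TCP 49065 > microsoft-ds [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0
71 2009-09-15 10:45:59.504096 UNIX(IP-Removed) Win7(IP-Removed) TCP 49065 > microsoft-ds [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0
85 2009-09-15 10:46:04.018977 UNIX(IP-Removed) Win7(IP-Removed) TCP 49065 > microsoft-ds [RST] Seq=1 Win=49640 Len=0
"""
# frame number, date, time, source, destination, protocol, rest of the Info column
LINE_RE = re.compile(r"^(\d+)\s+(\S+ \S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+(?P<info>.*)$")
# TCP Info column: "<sport> > <dport> [FLAGS] ..."
TCP_RE = re.compile(r"^(?P<sport>\S+) > (?P<dport>\S+) \[(?P<flags>[A-Z, ]+)\]")

def parse_line(line):
    """One summary line -> dict; TCP lines also carry ports and a set of flags."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    if pkt["proto"] == "TCP" and (t := TCP_RE.match(pkt["info"])):
        pkt["sport"], pkt["dport"] = t["sport"], t["dport"]
        pkt["flags"] = {f.strip() for f in t["flags"].split(",")}
    return pkt

def smb_flow_summary(text, smb_port="microsoft-ds"):
    """Per client flow to/from the SMB port: SYNs seen, SYN/ACKs seen, RSTs seen."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "rst": 0})
    for line in text.splitlines():
        pkt = parse_line(line)
        if not pkt or "flags" not in pkt:
            continue                      # not a parseable TCP line
        if pkt["dport"] == smb_port:      # client -> server
            key = (pkt["src"], pkt["sport"], pkt["dst"])
        elif pkt["sport"] == smb_port:    # server -> client
            key = (pkt["dst"], pkt["dport"], pkt["src"])
        else:
            continue
        f = pkt["flags"]
        if "SYN" in f:
            flows[key]["synack" if "ACK" in f else "syn"] += 1
        if "RST" in f:
            flows[key]["rst"] += 1
    return dict(flows)

def smb_reached_host(text):
    """True if any SYN to the SMB port was captured, i.e. the traffic was not filtered upstream."""
    return any(v["syn"] > 0 for v in smb_flow_summary(text).values())
```

On the post's lines this reports one flow with two SYNs, no SYN/ACK and one RST, so port 445 traffic clearly reached the Windows 7 box and the filtering hypothesis is ruled out.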