Menu

Search for hundreds of thousands of exploits

"Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)"

Author

Exploit author

"Juan Sacco"

Platform

Exploit platform

windows_x86-64

Release date

Exploit published date

2017-05-10

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
# Exploit Author: Juan Sacco <juan.sacco@kpn.com> at KPN Red Team - http://www.kpn.com  
# Date and time of release: May, 9 2017 - 13:00PM 
# Found this and more exploits on my open source security project: http://www.exploitpack.com 
#
# MS17-010 - https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
# Tested on: Microsoft Windows Server 2008 x64 SP1 R2 Standard 
#
# Description: SMBv1 SrvOs2FeaToNt OOB is prone to a remote code execution
# vulnerability because the application fails to perform adequate
# boundary-checks on user-supplied input. Srv.sys process SrvOs2FeaListSizeToNt 
# and when the logic is not correct it leads to a cross-border copy. The vulnerability trigger point is as follows:
#
# Vulnerable code:
# unsigned int __fastcall SrvOs2FeaToNt(int a1, int a2)
# {
#   int v4; // edi@1
#   _BYTE *v5; // edi@1
#   unsigned int result; // eax@1
# 
#   v4 = a1 + 8;
#   *(_BYTE *)(a1 + 4) = *(_BYTE *)a2;
#   *(_BYTE *)(a1 + 5) = *(_BYTE *)(a2 + 1);
#   *(_WORD *)(a1 + 6) = *(_WORD *)(a2 + 2);
#   _memmove((void *)(a1 + 8), (const void *)(a2 + 4), *(_BYTE *)(a2 + 1));
#   v5 = (_BYTE *)(*(_BYTE *)(a1 + 5) + v4);
#   *v5++ = 0;
#   _memmove(v5, (const void *)(a2 + 5 + *(_BYTE *)(a1 + 5)), *(_WORD *)(a1 + 6));
#   result = (unsigned int)&v5[*(_WORD *)(a1 + 6) + 3] & 0xFFFFFFFC;
#   *(_DWORD *)a1 = result - a1;
#   return result;
# }
#
# Impact: An attacker could exploit this vulnerability to execute arbitrary code in the
# context of the application. Failed exploit attempts could result in a
# denial-of-service condition.
#
# Timeline:
# 04/05/2017 - Research started
# 04/05/2017 - First PoC using original code
# 05/05/2017 - Kernel debugging on Windows 2008
# 05/05/2017 - Exploit code first draft
# 06/05/2017 - Functional PoC
# 07/05/2017 - Added support for Zerosum0x0 shellcode
# 08/05/2017 - Code revisited and bugs fixed
# 09/05/2017 - First successful shell
# 09/05/2017 - Exploit tested in QA Laba
# 09/05/2017 - Exploit code final review
# 09/05/2017 - Publish
#
# Vendor homepage: http://www.microsoft.com
# This exploit is a port from the amazing work made by Risksense. Checkout the original project at: https://github.com/RiskSense-Ops/MS17-010
# Credits: @EquationGroup @ShadowBrokers @progmboy @zerosum0x0 @juansacco 
#
# How to run: python3 ms17010.py ipaddress
#
import sys
import socket
import time
import ast
import binascii
import os

def mod_replay():
    # Download attachment for more information

if __name__ == "__main__":
    print("[*] MS17-010 Exploit - SMBv1 SrvOs2FeaToNt OOB")
    print("[*] Exploit running.. Please wait")
    main(sys.argv[1])
Release Date Title Type Platform Author
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-01-07 "Microsoft Windows 10 (19H1 1901 x64) - 'ws2ifsl.sys' Use After Free Local Privilege Escalation (kASLR kCFG SMEP)" local windows_x86-64 bluefrostsec
2019-12-07 "Mozilla FireFox (Windows 10 x64) - Full Chain Client Side Attack" local windows_x86-64 "Axel Souchet"
2019-11-03 "DOUBLEPULSAR (x64) - Hooking 'srv!SrvTransactionNotImplemented' in 'srv!SrvTransaction2DispatchTable'" local windows_x86-64 Mumbai
2019-10-07 "ASX to MP3 converter 3.1.3.7 - '.asx' Local Stack Overflow (DEP)" local windows_x86-64 max7253
2019-08-16 "GetGo Download Manager 6.2.2.3300 - Denial of Service" dos windows_x86-64 "Malav Vyas"
2019-01-28 "CloudMe Sync 1.11.2 Buffer Overflow - WoW64 - (DEP Bypass)" remote windows_x86-64 "Matteo Malvica"
2019-01-02 "NBMonitor Network Bandwidth Monitor 1.6.5.0 - 'Name' Denial of Service (PoC)" dos windows_x86-64 "Luis Martínez"
2019-01-02 "EZ CD Audio Converter 8.0.7 - Denial of Service (PoC)" dos windows_x86-64 Achilles
2019-01-02 "NetworkSleuth 3.0.0.0 - 'Key' Denial of Service (PoC)" dos windows_x86-64 "Luis Martínez"
2018-11-16 "Mumsoft Easy Software 2.0 - Denial of Service (PoC)" dos windows_x86-64 "Ihsan Sencan"
Release Date Title Type Platform Author
2019-06-17 "Netperf 2.6.0 - Stack-Based Buffer Overflow" dos linux "Juan Sacco"
2018-08-29 "SIPP 3.3 - Stack-Based Buffer Overflow" local linux "Juan Sacco"
2018-05-16 "WhatsApp 2.18.31 - Memory Corruption" dos ios "Juan Sacco"
2018-04-24 "Kaspersky KSN for Linux 5.2 - Memory Corruption" dos linux "Juan Sacco"
2018-04-09 "PMS 0.42 - Local Stack-Based Overflow (ROP)" local linux "Juan Sacco"
2018-03-23 "Crashmail 1.6 - Stack-Based Buffer Overflow (ROP)" local linux "Juan Sacco"
2018-03-12 "SC 7.16 - Stack-Based Buffer Overflow" local linux "Juan Sacco"
2018-02-21 "EChat Server 3.1 - 'CHAT.ghp' Buffer Overflow" remote windows "Juan Sacco"
2018-02-07 "Asterisk 13.17.2 - 'chan_skinny' Remote Memory Corruption" dos multiple "Juan Sacco"
2018-02-05 "BOCHS 2.6-5 - Local Buffer Overflow" local linux "Juan Sacco"
2017-11-01 "WhatsApp 2.17.52 - Memory Corruption" dos ios "Juan Sacco"
2017-07-24 "MAWK 1.3.3-17 - Local Buffer Overflow" local linux "Juan Sacco"
2017-06-28 "Flat Assembler 1.7.21 - Local Buffer Overflow" local linux "Juan Sacco"
2017-06-26 "JAD Java Decompiler 1.5.8e - Local Buffer Overflow (NX Enabled)" local linux "Juan Sacco"
2017-06-09 "Mapscrn 2.03 - Local Buffer Overflow (PoC)" dos linux "Juan Sacco"
2017-05-30 "TiEmu 2.08 - Local Buffer Overflow" local windows "Juan Sacco"
2017-05-26 "JAD Java Decompiler 1.5.8e - Local Buffer Overflow" local linux "Juan Sacco"
2017-05-10 "Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)" remote windows_x86-64 "Juan Sacco"
2017-01-16 "iSelect v1.4 - Local Buffer Overflow" local linux "Juan Sacco"
2016-10-27 "GNU GTypist 2.9.5-2 - Local Buffer Overflow" local linux "Juan Sacco"
2016-09-19 "EKG Gadu 1.9~pre+r2855-3+b1 - Local Buffer Overflow" local linux "Juan Sacco"
2016-08-05 "zFTP Client 20061220 - 'Connection Name' Local Buffer Overflow" local linux "Juan Sacco"
2016-06-27 "PInfo 0.6.9-5.1 - Local Buffer Overflow" local linux "Juan Sacco"
2016-06-27 "HNB 1.9.18-10 - Local Buffer Overflow" local linux "Juan Sacco"
2016-05-13 "NRSS Reader 0.3.9 - Local Stack Overflow" local linux "Juan Sacco"
2016-05-04 "TRN Threaded USENET News Reader 3.6-23 - Local Stack Overflow" local linux "Juan Sacco"
2016-04-26 "Yasr Screen Reader 0.6.9 - Local Buffer Overflow" local linux "Juan Sacco"
2016-04-13 "Texas Instrument Emulator 3.03 - Local Buffer Overflow" local linux "Juan Sacco"
2016-04-07 "Mess Emulator 0.154-3.1 - Local Buffer Overflow" local linux "Juan Sacco"
2016-02-03 "yTree 1.94-1.1 - Local Buffer Overflow (PoC)" dos linux "Juan Sacco" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected