Tuesday, October 13, 2009

Crash Windows Vista and Later Remotely With Non-authenticated User

Last month, I was looking into the reports of this flaw and I had written up a proof of concept in C/C++ on Windows. It seems pretty straightforward and I was able to crash Windows 7 Beta and RC. Due to the lateness of the exploit's discovery, I would not be surprised if the exploit works on the Windows 7 RTM bits, or the next Windows Server bits. I don't have much time to explain the defect in detail, but suffice it to say that it relies on poor or just plain unvalidated SMB negotiation data in the srv2.sys driver. As most Windows driver authors know, a crash in kernel mode equals a BSOD.

For more information, see the following links:
For convenience (for most people), today I took the time to wrap the source code proof of concept in a VS 2008 project to make building the binary much easier. For people using some other build system, the only "non-default" lib you have to link is Ws2_32.lib, the Windows Sockets lib. For folks using GCC on Linux, sorry, I did not have time to make this cross-platform or portable. It shouldn't be too hard for you to strip out the WSA* Windows-specific sockets stuff and just use standard BSD-style sockets calls. There is also some address-resolution code that is probably MS-specific. In any event, the code is below. It's really just a single source file (though Visual Studio is good at adding a lot of crap to the project, I have tried to minimize it by not using PCH, etc.).
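The project itself is not reproduced on this page. As an added example (not the original tool's code, and not the crash trigger), here is a portable C sketch of the two halves the post touches on: building an SMB_COM_NEGOTIATE request over BSD-style sockets, with getaddrinfo standing in for the MS-specific resolver code and no WSA* calls, and a server-side parser that checks every length field of such a request against what was actually received, which is the kind of validation the post says srv2.sys skips. The framing (NetBIOS session header, 32-byte SMB header, WordCount/ByteCount, 0x02-prefixed dialect strings) follows the documented SMB1 negotiate layout; the dialect list, flag values and error codes are my own choices.

```c
/* Added example: portable SMB_COM_NEGOTIATE builder + bounds-checked parser.
 * Not the original project's code; POSIX sockets instead of Winsock. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netdb.h>

#define SMB_COM_NEGOTIATE 0x72
#define SMB_HDR_LEN 32   /* fixed SMB1 header, begins 0xFF 'S' 'M' 'B' */
#define NB_HDR_LEN  4    /* NetBIOS session header: type byte + 24-bit length */

/* Dialects offered; "SMB 2.002" is how an SMB1 negotiate asks for SMB2. */
static const char *const kDialects[] = { "NT LM 0.12", "SMB 2.002" };
#define NDIALECTS (sizeof kDialects / sizeof kDialects[0])

/* Build NetBIOS header + SMB header + negotiate body. Returns total length, 0 if cap too small. */
size_t build_negotiate(uint8_t *out, size_t cap)
{
    size_t bc = 0;                                   /* ByteCount: size of dialect block */
    for (size_t i = 0; i < NDIALECTS; i++)
        bc += 1 + strlen(kDialects[i]) + 1;          /* 0x02 prefix + string + NUL */
    size_t smb_len = SMB_HDR_LEN + 1 + 2 + bc;       /* header + WordCount + ByteCount + data */
    size_t total = NB_HDR_LEN + smb_len;
    if (cap < total || smb_len > 0xFFFFFF) return 0;
    memset(out, 0, total);
    out[0] = 0x00;                                   /* session message */
    out[1] = (uint8_t)(smb_len >> 16);               /* big-endian 24-bit length */
    out[2] = (uint8_t)(smb_len >> 8);
    out[3] = (uint8_t)smb_len;
    uint8_t *smb = out + NB_HDR_LEN;
    smb[0] = 0xFF; smb[1] = 'S'; smb[2] = 'M'; smb[3] = 'B';
    smb[4] = SMB_COM_NEGOTIATE;
    smb[9] = 0x18;                                   /* Flags: canonical paths, case-insensitive */
    smb[10] = 0x01; smb[11] = 0xC8;                  /* Flags2 LE: long names, ext. security, NT status, Unicode */
    /* offsets 12..31 (PIDHigh, SecurityFeatures, Reserved, TID, PIDLow, UID, MID) stay zero */
    uint8_t *p = smb + SMB_HDR_LEN;
    *p++ = 0;                                        /* WordCount = 0 */
    *p++ = (uint8_t)bc; *p++ = (uint8_t)(bc >> 8);   /* ByteCount, little-endian */
    for (size_t i = 0; i < NDIALECTS; i++) {
        *p++ = 0x02;
        size_t n = strlen(kDialects[i]) + 1;
        memcpy(p, kDialects[i], n);
        p += n;
    }
    return total;
}

/* Server-side check: every length field is tested against bytes actually received
 * before being used. Returns 0 and the dialect count if well formed, else < 0. */
int parse_negotiate(const uint8_t *buf, size_t len, size_t *ndialects)
{
    if (len < NB_HDR_LEN) return -1;
    if (buf[0] != 0x00) return -2;                               /* not a session message */
    size_t smb_len = ((size_t)buf[1] << 16) | ((size_t)buf[2] << 8) | buf[3];
    if (smb_len > len - NB_HDR_LEN) return -3;                   /* claims more than received */
    const uint8_t *smb = buf + NB_HDR_LEN;
    if (smb_len < SMB_HDR_LEN + 1) return -4;                    /* need header + WordCount */
    if (memcmp(smb, "\xFFSMB", 4) != 0) return -5;
    if (smb[4] != SMB_COM_NEGOTIATE) return -6;
    size_t wc = smb[SMB_HDR_LEN];
    size_t off = SMB_HDR_LEN + 1 + wc * 2;                       /* skip Words, land on ByteCount */
    if (off + 2 > smb_len) return -7;
    size_t bc = smb[off] | ((size_t)smb[off + 1] << 8);
    off += 2;
    if (bc > smb_len - off) return -8;                           /* ByteCount overruns the frame */
    const uint8_t *end = smb + off + bc;
    size_t count = 0;
    for (const uint8_t *p = smb + off; p < end; count++) {
        if (*p++ != 0x02) return -9;                             /* not a dialect entry */
        const uint8_t *nul = memchr(p, 0, (size_t)(end - p));
        if (!nul) return -10;                                    /* unterminated string */
        p = nul + 1;
    }
    if (count == 0) return -11;
    if (ndialects) *ndialects = count;
    return 0;
}

/* Usage: ./negotiate [host]. Without a host it only self-checks the builder/parser. */
int main(int argc, char **argv)
{
    uint8_t frame[128], reply[512];
    size_t n = build_negotiate(frame, sizeof frame), nd = 0;
    printf("built %zu bytes, parse=%d, dialects=%zu\n", n, parse_negotiate(frame, n, &nd), nd);
    if (argc < 2) return 0;
    struct addrinfo hints = {0}, *res;
    hints.ai_socktype = SOCK_STREAM;                 /* getaddrinfo replaces the MS-specific resolver */
    if (getaddrinfo(argv[1], "445", &hints, &res) != 0) return 1;
    int fd = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
    if (fd < 0 || connect(fd, res->ai_addr, res->ai_addrlen) < 0) { perror("connect"); return 1; }
    freeaddrinfo(res);
    if (send(fd, frame, n, 0) != (ssize_t)n) { perror("send"); return 1; }
    printf("received %zd bytes\n", recv(fd, reply, sizeof reply, 0));
    close(fd);
    return 0;
}
```

The parser's ordering is the point: the NetBIOS length is compared with the bytes in hand before the SMB header is touched, WordCount is applied before ByteCount is read, and ByteCount is compared with what is left before the dialect strings are walked, so a frame that lies about any of those sizes is rejected instead of read past its end.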

Here is a link to the project (includes binaries).

Notes
  • DO NOT use this tool against someone else's computer! This may be a violation of the law in your jurisdiction. Please use this for academic purposes only, for rebooting your own machines, for generating crash dumps for novice investigation, or for generating crash dumps when debugging other drivers or system apps when you don't have an alternative method.
  • The usage is pretty simple. From a command prompt just run "crash_remotely 69.69.69.69" where 69.69.69.69 is the remote machine address.
  • The project builds, as configured, to use the MSVCRT. If you are not using VC 2008, you will need the MSVCRT 9 runtime.
  • The target machine must be Windows Vista or later running the srv2.sys SMB2 server driver, and have at least one active share (basically the driver must be loaded and processing connection requests). You do not need credentials or access to any share, which indicates the severity and exploitability of this bug.
  • It is not clear when/if this bug will be addressed by Microsoft. If the tool does not work for you, tough luck.