Dailydave mailing list archives

SMBv2 Remote Exploit Improvements


From: Kostya Kortchinsky <kostya () immunityinc com>
Date: Thu, 17 Sep 2009 16:52:08 -0400


Immunity, Inc. (mostly Nicolas Pouvesle and Skylar Rampersaud - who are
awesome by the way) has improved the initial exploit for the SMBv2
vulnerability. CANVAS Early Update customers can grab the latest version
here:

http://www.immunityinc.com/ceu-index.shtml

It will now get you a SYSTEM shell on Vista and 2008 Server, SP1 or SP2,
up-to-date or not, as long as it's x86. SP0 is in the works, and x64 too.
The latest might turn out to be the hardest.

One of the funny tricks we used in the early versions (involving some
RDTSC remote black magic) is now gone, making it more reliable. Add to
that the fact that Windows is handing out the Service Pack version in
the NativeOS SMB field, and you get a vulnerability that is decently
wormable on x86 platforms.

I have to admit that the exploitation path we chose makes it the most
interesting exploit to write of 2009!

Dave's awesome Windows Video, pretty and commented:
http://immunityinc.com/documentation/smbv2.html
(against a 2008 SP1 English and a Vista SP2 French)

Xvidcap on Ubuntu dropping my frames like crazy video:
http://immunityinc.com/documentation/smb2.html
(against a Vista SP2 English)

Cheers,

Kostya

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave