SMB2: 351 Packets from the Trampoline released!

Posted On // 5 comments
Kudos for HDM:
SMB2: 351 Packets from the Trampoline

Enjoy!

P.S Some small "exploitation" parts were skipped intentionally.

P.S2 Im not going to release the exploit, so dont ask about it!!! Thank you!

Drank up all kool-aid, left glasses in my kitchen
Food for thought, my nigga you do the dishes!.

5 komentarze:

Mads said...

Piotr,

I really enjoyed reading your guest post on the Metasploit blog, congrats on the reliable exploit!

I know you won't share the exploit code, honestly I'm a novice and I'm not sure it would make too much sense to me. But I am learning, and I thought if you could share the bit of code you wrote to enumerate the memory regions in SRV2.SYS that can be reached with the vulnerable function it would be pretty informative. If not I understand, but it might make a(nother) good blog post :-).

Regards,

--Mike

Rolf Rolles said...

Good work, Piotr :-)

Piotr Bania said...

@Rolf: Thanks man! :-)

@mish: Im glad u liked it. I don't think the "dump-proggie" is worth publishing and moreover i never thought someone would like to see it. It's one of the tools you write in 5 mins just to proceed with another research step. Anyway im attaching a little code fragment perhaps it can help you a little. This one uses libdasm but any diassembler library will be fine. Of course it reads from the already dumped srv2.sys file (you can dump the memory contents in few different ways in example: by writing a windbg plugin and using ReadMemory, writing a windows device driver etc.). The addresses are hardcoded for SP2 AFAIR, and finally the code is ugly and shouldn't be viewed by anyone :-)

http://piotrbania.com/all/smb_just_snap.c

Mads said...

Thank you for posting it, Piotr! I didn't see it earlier, hence the late gratitude :-).

--Mish

Piotr Bania said...

@mish: no problem :-)