Witam
na pewno slyszeliscie conieco o dziurze w smb 2.0
w internecie mozna znalezc exploit bsod na to ktory powoduje blue screen
przeczytalem ze jest mozliwosc jednak wykonania wlasnego kodu nalezy tylko ale za to az tylko przekierowac wskaznik w inne miejsce by wskazywal na co innego, chodzi o dyreferencje wskaznika
moje pytanie "Jak to zrobic, w jakis posob nadpiasac bufor bo nie mam kompletnie zielonego pojecia?"

tutaj daje fragment zrodla :
Code (asm)

; int __stdcall Smb2ValidateProviderCallback(PVOID DestinationBuffer)
[email protected] proc near


.text:000156B3 loc_156B3: ; CODE XREF: Smb2ValidateProviderCallback(x)+4D5j
.text:000156B3 ; Smb2ValidateProviderCallback(x)+4DEj
.text:000156B3 movzx eax, word ptr [esi+0Ch]; packet->SBM_Header->Process_ID_High
.text:000156B7 mov eax, _ValidateRoutines[eax*4]; BUG - out-of-bounds dereference.
.text:000156BE test eax, eax
.text:000156C0 jnz short loc_156C9
.text:000156C2 mov eax, 0C0000002h
.text:000156C7 jmp short loc_156CC
.text:000156C9 ; —————————————————————————
.text:000156C9
.text:000156C9 loc_156C9: ; CODE XREF: Smb2ValidateProviderCallback(x)+4F3j
.text:000156C9 push ebx
.text:000156CA call eax ; Smb2ValidateNegotiate(x) ; Smb2ValidateNegotiate(x) - KABOOOM!!
As you can see,[ ESI+0xC ] points to our packet, exactly to the ProcessIDHigh header field whose size is 16 bits. We can fully control this value. Later on this value is used as index to a Function Pointer within the function table _ValidateRoutines. Classic Bug, an out-of-bounds dereference since the code is not checking the size of the table before dereferencing the function pointer. This is the reason why this vulnerability is a Remote Code Execution and not only a DoS. And this is the reason why the exploit provided may or may not crash a machine. If the page pointed by the index is invalid the system will BSOD otherwise it might crash on another point or simply not to crash.

How to exploit it?

We see that ESI points to our packet, in addition this function table is located at .data which is located before .PAGE addresses so we can dereference a pointer in that area as well. We "only" need to find a suitable pointer to control the execution.

Vulnerable systems:
Vista, 7 RC and < 2008 Server R2 according to Microsoft.