Description: Good evening ladies and gentlemen.
Tonight I'm going to demonstrate an unpatched DoS attack on a fully patched Windows Server 2003 R2 server.
The exploit is currently in the wild and can be found here, http://www.exploit-db.com/exploits/16... and is covered by vulnerability reference 2011-0654, which describes the vulnerability as a "Heap-based buffer overflow in Mrxsmb.sys in Microsoft Windows Server 2003 Active Directory allows remote attackers to execute arbitrary code via a crafted BROWSER ELECTION request."
As mentioned previously my target is a fully patched Windows 2003 R2 box (10.50.60.216) being used as a domain controller on the domain d3m0n35.local - all I have done is run dcpromo and set up the primary domain, then installed all the latest patches.
There is a Metasploit module for this exploit which I have yet to be successful with; that module and the above script have port 138 set by default as the SMB port, and I have had to modify that to port 139 to get the overflow to work in my lab.
As there is no patch for this vulnerability, you or your admins might want to tighten up your firewall scope to limit access on ports 138, 139 and 445.
Also please excuse tonight's setup; normally I would show the effects of vulnerabilities via a Remote Desktop or NX session to the target, but as this one completely takes the target offline, I've had to show you through the console of my vSphere client, that's why the mouse is a little out of sync :/
d3m0n35
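One way to apply the firewall scoping the description recommends, as an added example that is not part of the original video or post: on Windows Server 2003 SP1/R2 the built-in Windows Firewall is driven with the `netsh firewall` context (the `advfirewall` context only exists from Server 2008 onward). The subnet 10.50.60.0/24 is assumed from the lab address given above; substitute your own domain-member and management ranges. It also assumes you are willing to run Windows Firewall on the domain controller, which is off by default on Server 2003.

```batch
@echo off
rem Added example (not from the video): restrict the SMB/NetBIOS listeners
rem (UDP 137/138, TCP 139/445) on a Windows Server 2003 SP1/R2 domain controller
rem to the trusted subnet so untrusted networks cannot reach the Browser service.
rem 10.50.60.0/24 is assumed from the lab address in the description.

rem Turn the firewall on for the domain profile (disabled by default on 2003).
netsh firewall set opmode mode=ENABLE profile=DOMAIN

rem "File and Printer Sharing" is the built-in exception that covers all four
rem ports. Re-enable it with a CUSTOM scope instead of the default ALL so only
rem the listed addresses (plus the local subnet) can reach the SMB listeners.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=CUSTOM addresses=10.50.60.0/24,LocalSubnet profile=DOMAIN

rem Verify: the File and Printer Sharing ports should now show the custom
rem scope rather than "Any".
netsh firewall show service
netsh firewall show portopening
```

Two caveats a practitioner would want: scoping only shrinks the set of hosts that can reach the vulnerable code path, it does not remove the bug, so a compromised machine inside the allowed range can still trigger it; and a domain controller also needs the DNS, LDAP, Kerberos and RPC exceptions opened before the firewall is enabled, or domain members will lose the DC along with the attacker.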
Tags: CVE-2011-0654, samba, unpatched, denial of service, Windows 2003 R2
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
Nice....just nice. Thanks for the video. We do appreciate it (I hope I don't offend others in saying we).
In the future would you mind providing direct links to the exploit in the description...I got it, but some others might not have.
Hi Andrew - thanks for the thanks; the description was pasted from the YouTube description, so I guess the URL got messed up along the way :/ - Love your Ruby for Hackers videos btw - plan to watch them as soon as I get some time away from my day job :-S.
I see it in the description now...maybe I missed it earlier. Thanks again.
Your link points to an exploit from 2003!?
The URL has been cut.
The real exploit URL is http://www.exploit-db.com/exploits/16166/