Detects Microsoft Windows systems vulnerable to denial of service (CVE-2009-3103). This script will crash the service if it is vulnerable.
The script performs a denial-of-service against the vulnerability disclosed in CVE-2009-3103. This works against Windows Vista and some versions of Windows 7, and causes a bluescreen if successful. The proof-of-concept code at http://seclists.org/fulldisclosure/2009/Sep/39 was used, with one small change.
This check was previously part of smb-check-vulns.
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
- randomseed, smbbasic, smbport, smbsign
See the documentation for the smb library.
- vulns.short, vulns.showall
See the documentation for the vulns library.
nmap --script smb-vuln-cve2009-3103.nse -p445 <host> nmap -sU --script smb-vuln-cve2009-3103.nse -p U:137,T:139 <host>
Host script results: | smb-vuln-cve2009-3103: | VULNERABLE: | SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497) | State: VULNERABLE | IDs: CVE:CVE-2009-3103 | Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2, | Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a | denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE | PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location, | aka "SMBv2 Negotiation Vulnerability." NOTE: some of these details are obtained from third party information. | | Disclosure date: 2009-09-08 | References: | http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103 |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
License: Same as Nmap--See https://nmap.org/book/man-legal.html