Computer Academic Underground
http://www.caughq.org
Exploit Code

===============/========================================================
Exploit ID:     CAU-EX-2009-0002
Release Date:   2009.09.11
Title:          smb2_negotiate.sh
Description:    SMBv2 Negotiate Protocol Request DoS
Tested:         Internetz
Attributes:     Remote, PreAuth, DoS, BugCheck
Advisory URL:   http://www.caughq.org/exploits/CAU-EX-2009-0002.txt
Exploit URL:    http://www.caughq.org/exploits/2009/smb2_negotiate.sh
Author/Email:   I)ruid
===============/========================================================

Description
===========

This exploit targets a vulnerability in SMBv2, introduced by the patch
for MS07-063, in which SRV2.SYS fails to handle malformed SMB headers in
a NEGOTIATE PROTOCOL REQUEST. The vulnerability is pre-auth because the
NEGOTIATE PROTOCOL REQUEST is the first SMB query a client sends to an
SMB server.

This exploit is based on the original proof-of-concept released by
Laurent Gaffié on September 7th, 2009.

Example
=======

./smb2_negotiate.sh

Credits
=======

Original vulnerability and proof-of-concept by Laurent Gaffié.

References
==========

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
http://www.securityfocus.com/bid/36299
http://g-laurent.blogspot.com/2009/09/windows-vista7-smb20-negotiate-protocol.html

Exploit
=======

http://www.caughq.org/exploits/2009/smb2_negotiate.sh