Friday, April 16, 2010

Proof of Concept for MS10-006 SMB Client-Side Bug

This is a technic to automate with no user interaction at all SMB client side bug exploitation targeting the Domain Master Browser (DMB) or PDC  (only the PDC can be a DMB)which is basicaly the perfect target in a pentest. Targeting the DMB is perfect, simply because if you control that box, you'll control all computer joined to this box tree.

Since the SRD is once again downplaying SMB client side bug i think it's important to share this kind of tricks.

It's also important to mention that Browser and NBNS abusing is well known since a long time, as theses protocols wasn't developed with security in mind, this blog post is a simple real case example.

There's two way to automate SMB client side bug;

  • NBNS Spoofing (require some "kind" of user interaction in some way,   anyways  in a corporate network it works pretty well)
  • Browser Protocol Abusing (the funny one)
In this case I will cover a form of Browser Protocol Abusing.

To see more details:
http://g-laurent.blogspot.com/2010/04/turning-smb-client-bug-to-server-side.html

No comments: