Microsoft Windows Browser Pool DoS
| Disclosed | Created |
|---|---|
| N/A | May 30, 2018 |
Description
This module exploits a denial of service flaw in the Microsoft
Windows SMB service on versions of Windows Server 2003 that have been
configured as a domain controller. By sending a specially crafted election
request, an attacker can cause a pool overflow.
The vulnerability appears to be due to an error handling a length value
while calculating the amount of memory to copy to a buffer. When there are
zero bytes left in the buffer, the length value is improperly decremented
and an integer underflow occurs. The resulting value is used in several
calculations and is then passed as the length value to an inline memcpy
operation.
Unfortunately, the length value appears to be fixed at -2 (0xfffffffe) and
causes considerable damage to kernel heap memory. While theoretically possible,
it does not appear to be trivial to turn this vulnerability into remote (or
even local) code execution.
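The length arithmetic described above, as an added C illustration (not the Windows driver's code and not part of the Metasploit module): an unsigned length decremented past zero wraps to 0xfffffffe, shown next to a checked version. `FIELD_OVERHEAD`, the function names and the sample buffers are hypothetical, and the decrement of 2 is an assumption chosen only to match the -2 value stated above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical constant: bytes the parser subtracts from the remaining
 * length. Chosen as 2 only so that 0 wraps to the 0xfffffffe on the page. */
#define FIELD_OVERHEAD 2u

/* Flawed pattern: unsigned subtraction with no check wraps below zero. */
uint32_t unchecked_copy_len(uint32_t remaining)
{
    return remaining - FIELD_OVERHEAD;
}

/* Hardened pattern: refuse to subtract when too few bytes remain. */
int checked_copy_len(uint32_t remaining, uint32_t *out_len)
{
    if (remaining < FIELD_OVERHEAD)
        return -1;
    *out_len = remaining - FIELD_OVERHEAD;
    return 0;
}

/* Copy helper that also validates the computed length against the destination. */
int bounded_copy(uint8_t *dst, size_t dst_size,
                 const uint8_t *src, uint32_t remaining)
{
    uint32_t len;
    if (checked_copy_len(remaining, &len) != 0)
        return -1;              /* would have underflowed */
    if (len > dst_size)
        return -1;              /* would overflow the destination */
    memcpy(dst, src + FIELD_OVERHEAD, len);
    return (int)len;
}

int main(void)
{
    uint8_t src[8] = { 0, 0, 'a', 'b', 'c', 'd', 'e', 'f' }; /* constructed sample */
    uint8_t dst[4];
    printf("unchecked(0) = 0x%08x\n", (unsigned)unchecked_copy_len(0));
    printf("bounded_copy(remaining=0) = %d\n", bounded_copy(dst, sizeof dst, src, 0));
    printf("bounded_copy(remaining=6) = %d\n", bounded_copy(dst, sizeof dst, src, 6));
    printf("bounded_copy(remaining=8) = %d\n", bounded_copy(dst, sizeof dst, src, 8));
    return 0;
}
```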
Authors
Cupidon-3005
jduck [email protected]
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':