Microsoft Windows Browser Pool DoS
Description
This module exploits a denial of service flaw in the Microsoft Windows SMB service on versions of Windows Server 2003 that have been configured as a domain controller. By sending a specially crafted election request, an attacker can cause a pool overflow. The vulnerability appears to be due to an error handling a length value while calculating the amount of memory to copy to a buffer. When there are zero bytes left in the buffer, the length value is improperly decremented and an integer underflow occurs. The resulting value is used in several calculations and is then passed as the length value to an inline memcpy operation. Unfortunately, the length value appears to be fixed at -2 (0xfffffffe) and causes considerable damage to kernel heap memory. While theoretically possible, it does not appear to be trivial to turn this vulnerability into remote (or even local) code execution.
Author(s)
- Cupidon-3005
- jduck <jduck@metasploit.com>
Development
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use auxiliary/dos/windows/smb/ms11_019_electbowser
msf auxiliary(ms11_019_electbowser) > show actions
...actions...
msf auxiliary(ms11_019_electbowser) > set ACTION < action-name >
msf auxiliary(ms11_019_electbowser) > show options
...show and set options...
msf auxiliary(ms11_019_electbowser) > run 
- Collect and share all the information you need to conduct a successful and efficient penetration test
- Simulate complex attacks against your systems and users
- Test your defenses to make sure they’re ready
- Automate Every Step of Your Penetration Test
Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.
– Jim O’Gorman | President, Offensive Security