Published on Feb 19, 2011
Good evening ladies and gentlemen.
Tonight I'm going to demonstrate an unpatched DoS attack on a fully patched Windows Server 2003 R2 server.
The exploit is currently in the wild and can be found here, http://www.exploit-db.com/exploits/16... and is covered by vulnerability reference 2011-0654 which described the vulnerability as a "Heap-based buffer overflow in Mrxsmb.sys in Microsoft Windows Server 2003 Active Directory allows remote attackers to execute arbitrary code via a crafted BROWSER ELECTION request."
As mentioned previously my target is a fully patched Windows 2003 R2 box (10.50.60.216) being used as a domain controller on the domain d3m0n35.local - all I have done is run dcpromo and set up the primary domain, then installed all the latest patches.
There is a Metasploit module for this exploit which I have yet to be successful with. That module and the above script have port 138 set by default as the SMB port; I have had to modify that to port 139 to get the overflow to work in my lab.
As there is no patch for this vulnerability, you or your admins might want to tighten up your firewall scope to limit access on ports 138, 139 and 445.
Also please excuse tonight's setup. Normally I would show the effects of vulnerabilities via a Remote Desktop or NX session to the target, but as this one completely takes the target offline, I've had to show you through the console of my vSphere client; that's why the mouse is a little out of sync :/