More details on MS10-006

An advisory has been released by Microsoft patching MS10-006.
This vulnerability was found back in November while testing some client-side vulnerabilities on SMB.
A full advisory regarding the details of this issue is located here

Regarding the SRD statement on possible SMB client exploitation, I'd like to add and post a small tool abusing NetBIOS Name Service functionality.
Ronald Bowes did some great work with nbtool for this purpose.

You can find a small version in Python here:

Basically, anyone on the segment using:
net use \\blabla\share
net view \\blabla\share
dir \\blabla\share
etc
On Vista/7/Server 2008|R2 it's also possible to use Start -> search box -> \\existing_machine\share

Any of these commands results in an NBNS query asking which IP is using this NetBIOS name.
Then this small utility will answer that it's at "attacker_IP".
Once the IP is resolved, the machine will initiate an SMB connection to that IP.
You can also abuse the BROWSER service for the same kind of purpose; I will post a full entry when I get some free time …
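For the defensive side of the name-resolution step described above, here is an added example (not the tool from this post) that parses captured NBNS positive name query responses and flags any host that answers for a canary name. It assumes the defender periodically queries a NetBIOS name known not to exist on the segment; the canary name, the addresses and the sample packets are constructed for illustration.

```python
import socket
import struct

def encode_nb_name(name, suffix=0x20):
    """First-level encode a NetBIOS name (used only to build the constructed samples)."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    enc = bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))
    return b"\x20" + enc + b"\x00"

def decode_nb_name(field):
    """Reverse the encoding: 32 letters 'A'..'P' -> (15-char name, suffix byte), or None."""
    ok = len(field) == 34 and field[0] == 0x20 and field[33] == 0
    if not ok or any(not 0x41 <= b <= 0x50 for b in field[1:33]):
        return None
    raw = bytes(((field[i] - 0x41) << 4) | (field[i + 1] - 0x41) for i in range(1, 33, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15]

def parse_positive_response(payload):
    """Return (name, suffix, answered_ip) for a positive name query response, else None."""
    if len(payload) < 62:  # 12 header + 34 name + 10 RR fixed fields + 6 RDATA
        return None
    _tid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", payload[:12])
    # Require R bit set, opcode 0 (query), rcode 0 and at least one answer.
    if not flags & 0x8000 or flags & 0x7800 or flags & 0x000F or ancount < 1:
        return None
    decoded = decode_nb_name(payload[12:46])
    rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", payload[46:56])
    if decoded is None or rtype != 0x0020 or rclass != 0x0001 or rdlen < 6:
        return None
    return decoded[0], decoded[1], socket.inet_ntoa(payload[58:62])  # skip NB_FLAGS

def find_spoofers(packets, canary_names):
    """packets: iterable of (source_ip, udp_payload). Flag anyone answering a canary."""
    alerts = []
    for src, payload in packets:
        parsed = parse_positive_response(payload)
        if parsed and parsed[0] in canary_names:
            alerts.append((src, parsed[0], parsed[2]))
    return alerts

def build_response(tid, name, ip):
    """Constructed sample: bytes of a positive name query response for name -> ip."""
    rr = encode_nb_name(name) + struct.pack("!HHIH", 0x0020, 1, 60, 6) + b"\x00\x00" + socket.inet_aton(ip)
    return struct.pack("!6H", tid, 0x8500, 0, 1, 0, 0) + rr

SAMPLES = [  # constructed UDP/137 payloads, documentation addresses
    ("192.0.2.10", build_response(1, "FILESRV01", "192.0.2.10")),
    ("192.0.2.66", build_response(2, "ZZCANARY7Q", "192.0.2.66")),
]
```

Calling `find_spoofers(SAMPLES, {"ZZCANARY7Q"})` reports only the second responder, since no legitimate host owns the canary name.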

