CVE-2009-2532
Published: 2009-10-14
Priority: P279 critical
CVSS 2.0: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 62.17% (99.1th percentile)
Microsoft Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold and SP2, and Windows 7 RC do not properly process the command value in an SMB Multi-Protocol Negotiate Request packet, which allows remote attackers to execute arbitrary code via a crafted SMBv2 packet to the Server service, aka "SMBv2 Command Value Vulnerability."
Detection & IOCs (extracted from sources)
Byte patterns:
- \x00\x00\x03\x9e\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x18\x53\xc8
- \x00\x02\x53\x4d\x42\x20\x32\x2e\x30\x30\x32\x00
- \x04\x0d\xdf\xff
- \xb4\xff\xff\x3f
- \x09\x0d\xd0\xff
Detection guidance:
- Detect SMBv2 Negotiate Request packets with a crafted/malformed command value field targeting port 445 on Windows Vista/Server 2008/Windows 7 RC systems; the exploit packet begins with the byte sequence \x00\x00\x03\x9e\xff\x53\x4d\x42\x72 (NetBIOS session + SMB header with command 0x72).
- The exploit packet contains the SMBv2 dialect string '\x00\x02SMB 2.002\x00' embedded in the negotiate request; inspect SMB negotiate packets for this dialect string combined with oversized or malformed payloads.
- The exploit repeats the 4-byte pattern \x04\x0d\xdf\xff 25 times within the SMB negotiate packet as a heap spray/padding technique; this repetition is a strong network-level signature.
- After sending the malicious SMBv2 packet, the exploit triggers code execution via an SMB authentication event (rpcclient login); monitor for unauthenticated or failed SMB authentication immediately following anomalous SMBv2 negotiate traffic.
- Successful exploitation spawns a bind shell on TCP port 28876 on the target; monitor for unexpected listening services on this port on Windows Vista/Server 2008 hosts.
- The vulnerability resides in srv2.sys (SMBv2 kernel driver); monitor for unexpected crashes, restarts, or anomalous activity in this driver on affected Windows systems.
- The exploit uses a sysenter hook stager (stager_sysenter_hook from Metasploit) prepended before the shellcode; the stager begins with \xfc\xfa\xeb\x1e\x5e and can be used as a payload-level byte signature.
Notes:
- The Python exploit (EDB-40280) hardcodes a Meterpreter reverse_tcp shellcode connecting back to 192.168.30.77:443; this LHOST/LPORT is specific to the exploit author's lab environment and must be replaced in real-world attacks — do not treat these as universal IOCs.
- The binary exploit (EDB-14674) was tested only against Vista SP1 and SP2; reliability against other affected targets (Server 2008, Windows 7 RC) is not confirmed by the exploit author.
- The Python exploit depends on the Linux 'smbclient'/'rpcclient' command-line tools to trigger the authentication event; the exploit author notes no Python SMB login library was available, so the trigger mechanism is OS-dependent.
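The detection notes above reduce to a handful of byte-level indicators on TCP/445 traffic. The following is an added example (not code from any of the sources this page aggregates) that turns them into a small matcher a SOC could run over captured negotiate payloads. It uses only the byte patterns listed above; the constant names, the `analyze_smb_negotiate` function, the alert rule (header prefix plus either the 25-fold padding pattern or the stager prefix) and the sample payloads are my own assumptions. The sample payloads are constructed fragments for testing the matcher, not a reconstruction of the exploit packet.

```python
from typing import Dict, List

# Indicators copied from the detection/IOC list above; the names are mine.
SMB_NEG_HEADER = b"\x00\x00\x03\x9e\xff\x53\x4d\x42\x72"   # NetBIOS len 0x39e + "\xffSMB" + command 0x72
SMB2_DIALECT = b"\x00\x02\x53\x4d\x42\x20\x32\x2e\x30\x30\x32\x00"   # "\x00\x02SMB 2.002\x00"
PAD_PATTERN = b"\x04\x0d\xdf\xff"                            # repeated 25x in the exploit packet
STAGER_PREFIX = b"\xfc\xfa\xeb\x1e\x5e"                     # start of the sysenter-hook stager
PAD_REPEAT_THRESHOLD = 25                                   # assumption: alert at the documented count


def analyze_smb_negotiate(payload: bytes) -> Dict[str, object]:
    """Match one TCP/445 payload against the IOCs and return the findings.

    The SMB2 dialect string by itself is normal in any SMB1 Negotiate sent by an
    SMB2-capable client, so it is reported but does not raise the alert on its
    own; the alert needs the exact header prefix plus a strong indicator.
    """
    header_hit = payload.startswith(SMB_NEG_HEADER)
    dialect_hit = SMB2_DIALECT in payload
    pad_repeats = payload.count(PAD_PATTERN)   # non-overlapping occurrences anywhere in the payload
    stager_hit = STAGER_PREFIX in payload
    alert = header_hit and (pad_repeats >= PAD_REPEAT_THRESHOLD or stager_hit)
    return {
        "header_hit": header_hit,
        "dialect_hit": dialect_hit,
        "pad_repeats": pad_repeats,
        "stager_hit": stager_hit,
        "alert": alert,
    }


def scan_payloads(payloads: List[bytes]) -> List[int]:
    """Return the indices of payloads that raise the alert (e.g. packets from a capture)."""
    return [i for i, p in enumerate(payloads) if analyze_smb_negotiate(p)["alert"]]


# Constructed test payloads (not real captures):
# 1) a fragment carrying the documented header, the rest of the 16-byte IOC,
#    the SMB2 dialect string and the padding pattern 25 times;
SUSPICIOUS_PAYLOAD = (
    SMB_NEG_HEADER
    + b"\x00\x00\x00\x00\x18\x53\xc8"   # remainder of the first IOC byte string above
    + b"\x00" * 16
    + SMB2_DIALECT
    + PAD_PATTERN * PAD_REPEAT_THRESHOLD
)
# 2) an ordinary-looking SMB1 Negotiate (different NetBIOS length) offering
#    two dialects, which must not alert even though it contains "SMB 2.002".
BENIGN_PAYLOAD = (
    b"\x00\x00\x00\x54\xff\x53\x4d\x42\x72"
    + b"\x00" * 23
    + b"\x00\x02NT LM 0.12\x00"
    + SMB2_DIALECT
)

if __name__ == "__main__":
    for name, p in (("suspicious", SUSPICIOUS_PAYLOAD), ("benign", BENIGN_PAYLOAD)):
        print(name, analyze_smb_negotiate(p))
    print("alerting indices:", scan_payloads([BENIGN_PAYLOAD, SUSPICIOUS_PAYLOAD]))
```

Feeding real traffic means extracting the TCP payload of each port-445 segment (for example from a pcap) and passing it to `scan_payloads`; the function deliberately counts the padding pattern across the whole payload rather than requiring it to be contiguous, because the note above only states the repeat count, not its layout.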
CVSS provenance
- nvd: v2.0 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)
- vulncheck: 10.0 CRITICAL
- vendor_redhat: 7.2 HIGH
GHSA
GHSA-mvjv-f233-94jq (ghsa_unreviewed, 2022-05-02): CVE-2009-2532 [HIGH] CWE-94
Description as above ("SMBv2 Command Value Vulnerability").
VulnCheck
Microsoft Windows Improper Control of Generation of Code ('Code Injection') (vulncheck, 2009, CVSS 10.0): CVE-2009-2532 [CRITICAL]
Description as above ("SMBv2 Command Value Vulnerability").
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=a9c54f79-d780-437b-a7f5-a74960e299d5&CommunityKey=8af7f28
Red Hat
gnome-power-manager: Screen not locked on resume from hibernate / suspend (vendor_redhat, 2009-09-11, CVSS 7.2): CVE-2009-4997 [HIGH]
gnome-power-manager 2.27.92 does not properly implement the lock_on_suspend and lock_on_hibernate settings for locking the screen when the suspend or hibernate button is pressed, which might make it easier for physically proximate attackers to access an unattended laptop via a resume action, a related issue to CVE-2010-2532. NOTE: this issue exists because of a regression that followed a gnome-power-manager fix a few years earlier.
Package: gnome-power-manager (Red Hat Enterprise Linux 5) - Affected
No detection rules found.
Exploit-DB
Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050) (exploitdb, 2016-02-26): CVE-2009-3103
---
# EDB-Note: Source ~ https://raw.githubusercontent.com/ohnozzy/Exploit/master/MS09_050.py
#!/usr/bin/python
#This module depends on the linux command line program smbclient.
#I can't find a python smb library for smb login. If you can find one, you can replace that part of the code with the smb login function in python.
#The idea is that after the evil payload is injected by the first packet, it need to be trigger by an authentication event. Whether the authentication successes or not does not matter.
import tempfile
import sys
import subprocess
from socket import socket
from time import sleep
from smb.SMBConnection import SMBConnection
try:
target = sys.argv[1]
except IndexError:
print '\nUsage: %s \n' % sys.a
Exploit-DB
Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050) (exploitdb, 2010-08-17): CVE-2009-3103
---
Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
Exploited by Piotr Bania // www.piotrbania.com
Exploit for Vista SP2/SP1 only, should be reliable!
Tested on:
Vista sp2 (6.0.6002.18005)
Vista sp1 ultimate (6.0.6001.18000)
Kudos for:
Stephen, HDM, Laurent Gaffie(bug) and all the mates i know, peace.
Special kudos for prdelka for testing this shit and all the hosters.
Sample usage
> smb2_exploit.exe 192.167.0.5 45 0
> telnet 192.167.0.5 28876
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>
When all is done it should spawn a port TARGET_IP:2
References
- http://www.us-cert.gov/cas/techalerts/TA09-286A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-050
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6336