* Posts by mjpinvestor

1 publicly visible post • joined 12 Nov 2009

Win 7 remote kernel crasher code released

mjpinvestor

Some incorrect comments here.

First, to Annihilator, your ingress firewall rules do not matter. The victim machine makes the connection. If someone were to host a website with a hidden redirect to a server running Gaffie's code, the victim would attempt to connect to port 445 and crash. That said, if you have EGRESS filters on your router/firewall, meaning you don't let 445 OUTBOUND, then you are safe.

Second, to Dustin 1, about NetBIOS being non-routable. We are talking about SMB. I can be on any network in the world, and if you have a machine listening on 445, I can attempt a connection with dir \\ip-address\share and that will route to where the ip-address is (assuming it is public and not RFC 1918). As mentioned in my first comment, if you block 445 outbound, not an issue. If you are talking about NBNS broadcasts, then yes, those are not routable and must be on the same network.

There are two concerns with this whole thing. 1- How can MS let something so trivial as changing the assumed packet size in the header cause such a freeze? 2- This can become a DoS issue if people with ill intentions start serving up this code on the internet, then use phishing or hack known sites and add hidden redirects and send users to the code.

I tested the code on both Win7 and 2008 and it did indeed freeze with no trace of why.

http://praetorianprefect.com/archives/2009/11/how-to-crash-windows-7-and-server-2008/
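As an added illustration of the header-length mismatch the post describes (example code written for this page, not from the post or the linked article), this Python check compares the length declared in the 4-byte NetBIOS session header that prefixes every SMB message on TCP/445 with the number of bytes actually received, the kind of sanity check an IDS rule or a hardened SMB parser applies before trusting the header; the two frames are constructed samples, and the inflated length value is arbitrary.

```python
# Consistency check for the NetBIOS Session Service header used by SMB over TCP/445.
# Header layout (RFC 1002): 1 type byte, then a 3-byte big-endian length of the
# SMB message that follows. A receiver that trusts the declared length instead of
# the bytes on the wire is exactly the failure mode the post is talking about.

NBSS_SESSION_MESSAGE = 0x00          # the only type used on direct-hosted port 445
SMB1_MAGIC = b"\xffSMB"              # SMB1 protocol id
SMB2_MAGIC = b"\xfeSMB"              # SMB2 protocol id


def check_nbss_frame(frame: bytes) -> dict:
    """Return a verdict dict: ok, reason, declared (header) and actual (wire) length."""
    result = {"ok": False, "reason": "", "declared": None, "actual": None}
    if len(frame) < 4:
        result["reason"] = "truncated: no session header"
        return result
    msg_type = frame[0]
    declared = int.from_bytes(frame[1:4], "big")   # length the sender claims
    actual = len(frame) - 4                        # length we actually received
    result.update(declared=declared, actual=actual)
    if msg_type != NBSS_SESSION_MESSAGE:
        result["reason"] = f"unexpected session message type 0x{msg_type:02x}"
        return result
    if declared != actual:
        # This is the condition to drop or alert on: never allocate or copy
        # based on 'declared' when it disagrees with the bytes on the wire.
        result["reason"] = f"length mismatch: header says {declared}, wire carries {actual}"
        return result
    if frame[4:8] not in (SMB1_MAGIC, SMB2_MAGIC):
        result["reason"] = "payload is not SMB"
        return result
    result["ok"] = True
    result["reason"] = "header length consistent with payload"
    return result


# Constructed samples (not real captures): a 32-byte SMB1 body, once framed
# correctly and once with an inflated, arbitrary length value in the header.
SMB_BODY = SMB1_MAGIC + b"\x72" + bytes(27)                    # 32 bytes
GOOD_FRAME = bytes([NBSS_SESSION_MESSAGE]) + len(SMB_BODY).to_bytes(3, "big") + SMB_BODY
BAD_FRAME = bytes([NBSS_SESSION_MESSAGE]) + (4096).to_bytes(3, "big") + SMB_BODY

if __name__ == "__main__":
    for name, frame in (("good", GOOD_FRAME), ("bad", BAD_FRAME)):
        print(name, check_nbss_frame(frame))
```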