Technology Information: SMBv2 Nuke Crashes Windows Vista, 7 and Server 2008 with BlueScreen of Death

About 15 years ago, in the Windows 95 era, there were a lot of “winnukes” that could cause Windows to blue screen. Microsoft did release patches to fix those bugs, but at that time the Internet was still very new and not many people knew that there were updates to fix those problems. There was no Windows Update to scan for what your system needed. Then came Windows 98 and most of the winnukes were patched. However, I still remember that a team called X-Coders came up with IGMP nukes which could also crash Windows 98.

Finally XP came, and it is considered to be one of the most stable versions of Windows that Microsoft ever released! As stable as it is, hackers were still able to find flaws in the system. At that time there was another nuker called SMBDie, which crashed Windows XP computers by sending a specially crafted SMB request.

It definitely worked, because I was pretty much “abusing” it with my childish teenage mindset. I didn’t crash just anyone, only a particular guy who was downloading a lot with Limewire and hogging the Internet connection until none of the housemates could use the Internet. If I am not wrong, that bug was patched in SP1.

Just when we thought the latest Windows Vista and 7 were safe, Laurent Gaffié discovered an exploit that can cause a remote computer to get a blue screen of death, and released a proof of concept on 9th September. I only got to know about it a few days ago because on the day the exploit was released I was busy packing my bags and getting ready for my honeymoon.

I found 2 compiled versions of the exploit, and this is how they look. This one has an interface for you to enter the victim’s IP address; clicking the OK button sends a specially crafted packet to the remote computer.

The second one is a command line application. Just enter the IP address after the program name to launch the attack.

I tried to attack my own computer running Windows Vista SP1, and the computer showed a blue screen and auto rebooted. When Windows booted up, I got a notification window that said “Windows has recovered from an unexpected shutdown” with the problem event name “BlueScreen”.

The good news is that Windows Firewall is able to block this attack. Thank God that Windows Firewall is turned on by default, or else a lot of people would get nuked by another wave of SMBDie. Looks like Windows Firewall is not so useless after all… Windows XP and 2000 are NOT affected, as they don’t have the SMB 2.0 driver. You can also update Windows to be patched against this exploit. If you take a look at this video, Immunity Inc has made a working exploit of SMBv2 that can run commands on the remote system!
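As an added defender-side check (not part of the original post or of Gaffié’s proof of concept), the PowerShell below reports whether a Vista/7/2008 host is exposed to this nuke: it assumes that srv2 is the service name of the SMB 2.0 server driver and that the LanmanServer Smb2 registry DWORD (0 = disabled) is the Microsoft-documented switch for turning SMB2 off; the firewall checks use the same Windows Firewall the post found blocks the attack.

```powershell
# Added exposure check for the SMBv2 nuke (not from the original post).
# Assumptions: 'srv2' = SMB 2.0 server driver service; LanmanServer 'Smb2'
# DWORD 0 disables SMB2 (Microsoft-documented workaround). Run elevated.

$findings = @()

# 1. SMB 2.0 server driver present and running? (XP/2000 have no srv2.)
$srv2 = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='srv2'"
if ($srv2 -eq $null) {
    $findings += "srv2 (SMB 2.0) driver not present: not affected by this bug"
} else {
    $findings += "srv2 (SMB 2.0) driver state: $($srv2.State)"
}

# 2. SMB2 disabled through the LanmanServer registry workaround?
$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb2 = (Get-ItemProperty -Path $paramKey -ErrorAction SilentlyContinue).Smb2
if ($smb2 -eq 0) {
    $findings += "Smb2 registry value is 0: SMB2 disabled"
} else {
    $findings += "Smb2 registry value absent or non-zero: SMB2 enabled"
}

# 3. Windows Firewall on for every profile? netsh prints one "State ON/OFF"
#    line per profile (Domain, Private, Public).
$states = netsh advfirewall show allprofiles state | Select-String '^State'
$off = $states | Where-Object { $_ -match 'OFF' }
if ($off) {
    $findings += "Windows Firewall OFF for at least one profile: TCP 445 reachable"
} else {
    $findings += "Windows Firewall ON for all profiles"
}

# 4. Optional hardening: an explicit inbound block for SMB (TCP 445) keeps the
#    host covered even if a profile is later switched off. Uncomment to apply.
# netsh advfirewall firewall add rule name="Block inbound SMB 445" dir=in action=block protocol=TCP localport=445

$findings | ForEach-Object { Write-Output $_ }
```

Installing the vendor update remains the real fix; the registry and firewall items above only reduce exposure until it is applied.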
