cve/2009/CVE-2009-3103.md

### [CVE-2009-3103](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103)
![](https://img.shields.io/static/v1?label=Product&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)

### Description

Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location, aka "SMBv2 Negotiation Vulnerability." NOTE: some of these details are obtained from third party information.

### POC

#### Reference
- http://g-laurent.blogspot.com/2009/09/windows-vista7-smb20-negotiate-protocol.html
- http://isc.sans.org/diary.html?storyid=7093
- http://www.exploit-db.com/exploits/9594
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-050

#### Github
- https://github.com/ARPSyndicate/cvemon
- https://github.com/Abdibimantara/Vulnerability-Asessment-Kioptrix-Level-1-Vulnhub
- https://github.com/CVEDB/PoC-List
- https://github.com/CVEDB/awesome-cve-repo
- https://github.com/EricwentwithCyber/Vulnerability-Scan-Lab
- https://github.com/Sic4rio/CVE-2009-3103---srv2.sys-SMB-Code-Execution-Python-MS09-050-
- https://github.com/amtzespinosa/kioptrix-walkthrough
- https://github.com/amtzespinosa/kioptrix1-walkthrough
- https://github.com/ankh2054/python-exploits
- https://github.com/n3masyst/n3masyst
- https://github.com/notsag-dev/htb-blue
- https://github.com/odolezal/D-Link-DIR-655
- https://github.com/rosonsec/Exploits
- https://github.com/sec13b/ms09-050_CVE-2009-3103
- https://github.com/sooklalad/ms09050
- https://github.com/uroboros-security/SMB-CVE