Linkcabin

Metasploit

Jun 29th, 2013
Name: Microsoft Server Service NetpwPathCanonicalize Overflow
Module: exploit/windows/smb/ms06_040_netapi
Version: 14976
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Good

Provided by:
  hdm <hdm@metasploit.com>

Available targets:
  Id  Name
  --  ----
  0   (wcscpy) Automatic (NT 4.0, 2000 SP0-SP4, XP SP0-SP1)
  1   (wcscpy) Windows NT 4.0 / Windows 2000 SP0-SP4
  2   (wcscpy) Windows XP SP0/SP1
  3   (stack) Windows XP SP1 English
  4   (stack) Windows XP SP1 Italian
  5   (wcscpy) Windows 2003 SP0

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOST                     yes       The target address
  RPORT    445              yes       Set the SMB service port
  SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload information:
  Space: 370
  Avoid: 7 characters

Description:
  This module exploits a stack buffer overflow in the NetApi32
  CanonicalizePathName() function using the NetpwPathCanonicalize RPC
  call in the Server Service. It is likely that other RPC calls could
  be used to exploit this service. This exploit will result in a
  denial of service on Windows XP SP2 or Windows 2003 SP1. A failed
  exploit attempt will likely result in a complete reboot on Windows
  2000 and the termination of all SMB-related services on Windows XP.
  The default target for this exploit should succeed on Windows NT
  4.0, Windows 2000 SP0-SP4+, Windows XP SP0-SP1 and Windows 2003 SP0.

References:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-3439
  http://www.osvdb.org/27845
  http://www.securityfocus.com/bid/19409
  http://www.microsoft.com/technet/security/bulletin/MS06-040.mspx