Microsoft Windows SMBv1 Non-paged Pool Allocation Remote Code Execution

Strike ID: E19-0bdw1
CVSS: 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
False Positive: f
Variants: 4
Year: 2017

Description

This strike attempts to recreate a sequence of packets correlated with a heap buffer overflow vulnerability in the Microsoft Windows SMBv1 service. Affected versions include Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold (releases 1511 and 1607), and Windows Server 2016. The vulnerability is due to insufficient sanitization of user-supplied input passed to the SrvOs2FeaToNt method. A remote, unauthenticated attacker could exploit this vulnerability via a specially crafted SMB packet containing bad values for 'Max Parameter Count' and 'Max Data Count' in the 'Trans Request' header. Successful exploitation leads to arbitrary code execution on the target system; a failed exploitation attempt usually leads to a denial-of-service condition on the targeted SMB server. NOTE: The strike exemplifies only the scanning phase, prior to the actual attack. The vulnerability indicator is usually a 'Trans Response' packet with the Error Status of "STATUS_INSUFF_SERVER_RESOURCES". For generating traffic containing ShadowBrokers shellcode, please see the strike for CVE-2017-0146.

CVE