An approach to SMB v2 Negotiate Protocol BSOD Vulnerability Remote Check
As you may recall, there has recently been a lot of attention around an SMB v2 protocol vulnerability that causes a BSOD on vulnerable systems. The bug is in srv2.sys, which does not correctly handle an out-of-range Process ID High value (the 2-byte field at offset 0x0C of the SMB header) in an SMB Negotiate Protocol request. It can be triggered reliably with the PoC published by Laurent Gaffié (who found the bug in 3 seconds with his simple hand-made fuzzer). A successful trigger causes a remote BSOD on any affected operating system with SMB v2 enabled, forcing a hard reboot of the machine.
.text:000056B3 loc_56B3:                              ; CODE XREF: Smb2ValidateProviderCallback(x)+4DE↑j
.text:000056B3     movzx   eax, word ptr [esi+0Ch]    ; Process ID High from the SMB header (client controlled)
.text:000056B7     mov     eax, _ValidateRoutines[eax*4] ; table index, no range check
.text:000056BE     test    eax, eax
.text:000056C0     jnz     short loc_56C9
.text:000056C2     mov     eax, 0C0000002h            ; STATUS_NOT_IMPLEMENTED when the table slot is NULL
.text:000056C7     jmp     short loc_56CC
.text:000056C9 ; ---------------------------------------------------------------------------
.text:000056C9
.text:000056C9 loc_56C9:                              ; CODE XREF: Smb2ValidateProviderCallback
.text:000056C9     push    ebx
.text:000056CA     call    eax                        ; Smb2ValidateNegotiate(x) for a normal request
As you can see, the vulnerability lies at offset 0x000056B3: the 16-bit Process ID High value is zero-extended into EAX and then used, without any range check, as an index into the _ValidateRoutines function-pointer table. A PID High value beyond the end of the table makes the code read an arbitrary 4-byte value from srv2.sys memory and, if that value is non-zero, "call eax" jumps to it, which is what brings the machine down. If you want a more in-depth analysis of this vulnerability, you can find it here. This article is not meant to explain the vulnerability in depth, so this is only a basic sketch of the relevant assembly code.
Well, let me come straight to the topic in the header. I went through some websites looking for a way to check for this vulnerability remotely, without any authentication, and finally found that SecPod has developed one (perhaps the only one to date). The plugin can be downloaded from here. Some other vulnerability scanners let you check for the vulnerability by inspecting the version of the vulnerable file (a local, authenticated check); if you want to know whether a remote system is vulnerable without performing a local check, this plugin is for you! Thanks to Chandrasekhar and Chandan for their effort in releasing their plugin publicly.
I assume you know how to import and run plugins in the OpenVAS scanner and perform vulnerability assessment checks. If you don't, you can follow the procedure below.
1. Download the plugin from the SecPod SVN repository (or click here to view the plugin).
2. Copy secpod_ms09-050-remote.nasl into /usr/local/lib/openvas/plugins.
3. Kill the running OpenVAS daemon: # killall openvasd
4. Start the daemon again so it reloads the plugin directory: # openvasd -D
5. Open the OpenVAS GUI (or use the command-line client) and select the new plugin.
6. Set the target IP you want to check and run the scan. After a while the scanner engine reports its result: an informational note if the remote system has the Microsoft patch (MS09-050) applied, or a security hole message stating that the remote system is vulnerable.
The plugin code is fairly self-explanatory about how it performs the remote check, but if you have any doubts about how it works, don't hesitate to drop your questions. I hope this plugin helps penetration testers and security researchers.
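Since neither the plugin source nor the PoC is reproduced on this page, here is an added example of my own (not the SecPod plugin and not Laurent Gaffié's PoC) that ties the assembly above to the wire format the remote check has to speak. It builds an SMB1 Negotiate Protocol request and shows where the 2-byte Process ID High word sits (SMB header offset 0x0C, the word the listing reads at [esi+0Ch]); models the unchecked _ValidateRoutines lookup next to a range-checked version; and adds a non-destructive probe that only establishes whether a host negotiates SMB v2 at all, which is the affected population, not whether it is patched. Assumptions: the routine table VALIDATE_ROUTINES is a constructed stand-in (only index 0, Smb2ValidateNegotiate, comes from the listing); the function names, the 0x0100 test value and the probe's use of the "NT LM 0.12" and "SMB 2.002" dialect strings are my choices; dispatch_checked shows the kind of range check a fix needs, not what Microsoft's patch actually does.

```python
"""Added example: SMB negotiate framing, the PID High index bug, and an SMB2 probe.
Not the SecPod plugin, not the PoC; the routine table below is constructed."""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
PID_HIGH_OFFSET = 0x0C                  # word ptr [esi+0Ch] in the disassembly

STATUS_SUCCESS = 0x00000000
STATUS_NOT_IMPLEMENTED = 0xC0000002     # value the listing loads when the table slot is NULL
STATUS_INVALID_PARAMETER = 0xC000000D

# Constructed stand-in for _ValidateRoutines: index 0 is the routine the listing
# ends up calling; the other names are placeholders; None models a NULL slot.
VALIDATE_ROUTINES = (
    "Smb2ValidateNegotiate",
    "validate_command_0x01",
    "validate_command_0x02",
    None,
)


def build_smb1_header(command, pid_high=0, flags=0x18, flags2=0xC853,
                      tid=0, pid_low=0xFEFF, uid=0, mid=0):
    """32-byte SMB1 header: magic, command, NTStatus, Flags, Flags2, PIDHigh,
    Signature, Reserved, TID, PIDLow, UID, MID.  PIDHigh lands at offset 0x0C."""
    return struct.pack("<4sBIBHH8sHHHHH", SMB1_MAGIC, command, 0, flags, flags2,
                       pid_high, b"\x00" * 8, 0, tid, pid_low, uid, mid)


def build_negotiate_request(dialects, pid_high=0):
    """NetBIOS session message carrying SMB_COM_NEGOTIATE with the given dialects."""
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = struct.pack("<BH", 0, len(data)) + data           # WordCount=0, ByteCount
    smb = build_smb1_header(SMB_COM_NEGOTIATE, pid_high=pid_high) + body
    return struct.pack(">I", len(smb)) + smb                 # type 0x00 + 24-bit length


def pid_high(packet):
    """Read Process ID High exactly as the listing does: a 16-bit word at SMB+0x0C."""
    return struct.unpack_from("<H", packet, 4 + PID_HIGH_OFFSET)[0]


def dispatch_unchecked(packet):
    """Model of the vulnerable code: the client-supplied word indexes the table
    with no range check (mov eax, _ValidateRoutines[eax*4]; ...; call eax)."""
    idx = pid_high(packet)
    try:
        routine = VALIDATE_ROUTINES[idx]
    except IndexError:
        # The kernel has no such safety net: it reads whatever 4 bytes sit past
        # the table and executes "call eax" on them, which is the remote BSOD.
        return "BUGCHECK", None
    if routine is None:
        return STATUS_NOT_IMPLEMENTED, None
    return STATUS_SUCCESS, routine


def dispatch_checked(packet):
    """Same lookup with the range check the vulnerable code lacks (the kind of
    check a fix needs; not a description of Microsoft's actual patch)."""
    idx = pid_high(packet)
    if idx >= len(VALIDATE_ROUTINES):
        return STATUS_INVALID_PARAMETER, None
    routine = VALIDATE_ROUTINES[idx]
    if routine is None:
        return STATUS_NOT_IMPLEMENTED, None
    return STATUS_SUCCESS, routine


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before a full SMB message arrived")
        buf += chunk
    return buf


def probe_smb2(host, port=445, timeout=5.0):
    """Non-destructive precondition check: does the host negotiate SMB2 at all?
    PID High stays 0, exactly as a normal client sends it, so this neither
    triggers nor confirms the bug; it only says whether the host has SMB v2
    enabled.  Never send a non-zero PID High to a host you cannot afford to reboot."""
    req = build_negotiate_request([b"NT LM 0.12", b"SMB 2.002"])
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(req)
        length = struct.unpack(">I", _recv_exact(sock, 4))[0] & 0x00FFFFFF
        smb = _recv_exact(sock, length)
    return smb[:4] == SMB2_MAGIC        # an SMB2-capable server answers with an SMB2 header


if __name__ == "__main__":
    normal = build_negotiate_request([b"NT LM 0.12"])                # PID High = 0
    bad = build_negotiate_request([b"NT LM 0.12"], pid_high=0x0100)  # arbitrary out-of-range index
    print("PID High = 0:     ", dispatch_unchecked(normal), dispatch_checked(normal))
    print("PID High = 0x0100:", dispatch_unchecked(bad), dispatch_checked(bad))
```

The point of dispatch_unchecked versus dispatch_checked is that the client-supplied word must be validated against the table length before it becomes an array index; probe_smb2 is deliberately limited to the negotiate a legitimate client sends, so it can be run against production hosts, whereas the vulnerability check itself belongs to a tool you trust, such as the plugin above.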
If you have any suggestions or feedback, please do drop them, as that is always encouraging.
Signing off,
XyluX