What is SMBLoris?
SMBLoris is a remote and uncredentialed denial of service attack against Microsoft® Windows® operating systems, caused by a 20+ year old vulnerability in the Server Message Block (SMB) network protocol implementation.
What versions of Windows are affected?
The vulnerability is in all modern versions of Windows, at least from Windows 2000 through Windows 10. Systems are still vulnerable even if all versions of SMB (1, 2, and 3) are disabled.
What is the threat?
It is computationally inexpensive for an attacker to cause large memory allocations and enormous amounts of wasted CPU cycles†, rendering vulnerable machines completely unusable, making business-critical services (such as web and mail servers) unavailable, and even causing the entire operating system to crash.
Scenario | Sockets | Attack Cost‡ | Memory Impact |
Baseline | 1 | 4 bytes | 128 KiB |
Single IPv4 | 65,535 | 256 KiB | 8 GiB |
Single IPv6 | 65,535 | 256 KiB | 8 GiB |
Dual IPv4 / IPv6 | 131,070 | 512 KiB | 16 GiB |
10 IPs | 655,535 | 2.5 MiB | 80 GiB |
- † CPU impact cannot be meaningfully measured, but is generally quite significant.
- ‡ Attack cost is measured by how many bytes of TCP data an attacker must send over the network.
It does not include standard network headers, which are also small overhead for the attacker.
Is there a CVE?
SMBLoris has not (yet?) been assigned a CVE. Some similar vulnerabilities include:
- CVE-2012-5568
- MS09-048 (CVE-2009-1925 and CVE-2009-1926)
- CVE-2008-4609
- CVE-2007-6750
Is there a patch?
Not at this time.
What ports are affected?
Generally, SMB runs on port 445. The NetBIOS service on port 139 is probably also exploitable.
auxiliary/dos/smb/smb_lorris Metasploit Module
This module exploits a vulnerability in the NetBIOS Session Service Header for SMB.
Any Windows machine with SMB Exposed, or any Linux system running Samba are vulnerable.
See the SMBLoris page for details on the vulnerability.The module opens over 64,000 connections to the target service, so please make sure
your system ULIMIT is set appropriately to handle it. A single host running this module
can theoretically consume up to 8GB of memory on the target.
Verification Steps
Example steps in this format (is also in the PR):
- Start msfconsole
- Do:
use auxiliary/dos/smb/smb_lorris
- Do:
set RHOST [IP]
- Do:
run
- Target should allocate increasing amounts of memory.