Read the original article: SMBleedingGhost Writeup Part III: From Remote Read (SMBleed) to RCE
Introduction
Previous SMBleedingGhost write-ups:
- Part I
- Part II
- Part III (this)
In the previous part of the series, SMBleedingGhost Writeup Part II: Unauthenticated Memory Read – Preparing the Ground for an RCE, we described two techniques that allow us to read uninitialized memory from the pool buffers allocated by the SrvNetAllocateBuffer function of the srvnet.sys module. The first technique accomplishes that by crafting a special SMB packet and deducing information from the server’s response.
Continue reading SMBleedingGhost Writeup Part III: From Remote Read (SMBleed) to RCE at ZecOps Blog.