SMBloris - 0 Day SMB Vulnerability

During this research, it was discovered that SMBv1 handles allocation of the non-paged pool memory in a way that could be exploited. SMB allocation works by allowing the client to tell the server the size of the buffer it plans to send, the server will then reserve this size buffer within the memory.

The SMBloris exploit works by sending a request for a large buffer size but never sending the content leaving the memory reserved. With enough of these connections being made, the memory pool will quickly fill up denying memory to other resources until a stage is reached where the memory is totally exhausted. At this point, the server will crash to the point that the device is not even capable of displaying a blue screen of death (BSoD) error. This is because there aren't enough resources left to generate the error page so the server will simply freeze and be unable to recover.

There is no active exploitation in the wild currently observed to date. Despite this, it is very likely we will see any remaining SMBv1 enabled devices presenting their SMB port to the internet receiving attacks in the very near future.