Johannes Ullrich of the ISC said the exploit implemented an SMBv3 server, and that clients connecting to it would be affected.
He said he had tested it with a fully patched Windows 10 machine and experienced a blue screen of death.
"An attacker would have to trick the client to connect to this server. It isn't clear if this is exploitable beyond a denial of service," he wrote.
Ullrich said that after the normal "Tree Connect Request Tree" message, the server responded with a crafted "Tree Connect Response" message. "The message itself was actually kind of ok, but the length of the message is excessive (1580 Bytes) and includes a long trailer."
He wrote that the tree connect response message consisted of:
- NetBIOS header. This just includes the message type (0) and the total length (1580 in this case).
- SMB2 header. The usual 64 bytes. The "Command" indicates that this is a tree connect message and the response flag is set.
- The Tree Connect Response Message. This message has a fixed length of 8 bytes in addition to the fixed header.
"This is where the message should end," Ullrich said. "But apparently, since the total message size according to the NetBIOS header is larger, Windows keeps on decoding in the crafted header which then triggers the buffer overflow."
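The structure Ullrich describes (NetBIOS session header, 64-byte SMB2 header, then a fixed-size Tree Connect Response body, with the NetBIOS length field the only thing claiming the message is longer) is exactly the inconsistency a defender can check for on the wire. The following checker is an added example, not code from the ISC diary or the article: it parses the NetBIOS and SMB2 headers, recognises a Tree Connect Response by its command and response flag, and flags a message whose declared length runs far past the end of that fixed body. The SMB2 header field offsets (command at 12, flags at 16) and the constants for the Tree Connect command and the server-to-client flag follow the SMB2 header layout; the 8-byte response body length is taken from the article as stated; the alert threshold and the two sample frames are constructed for the example.

```python
import struct

NETBIOS_SESSION_MESSAGE = 0x00          # NetBIOS session message type byte
SMB2_MAGIC = b"\xfeSMB"                 # SMB2 ProtocolId
SMB2_HEADER_LEN = 64                    # fixed SMB2 header size
SMB2_TREE_CONNECT = 0x0003              # Command value for Tree Connect
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001  # Flags bit set on responses
# Body length of a Tree Connect Response as given in the article (assumption taken from the page).
TREE_CONNECT_RESPONSE_BODY_LEN = 8
# How many bytes past the expected end we tolerate before alerting (tunable, an assumption).
TRAILER_ALERT_THRESHOLD = 64


def parse_netbios(frame: bytes):
    """Split a NetBIOS session frame into (type, declared length, payload)."""
    if len(frame) < 4:
        raise ValueError("truncated NetBIOS header")
    msg_type = frame[0]
    declared_len = int.from_bytes(frame[1:4], "big")  # 3-byte big-endian length
    return msg_type, declared_len, frame[4:]


def inspect_tree_connect_response(frame: bytes) -> dict:
    """Check that a Tree Connect Response's declared length matches its fixed structure.

    Returns a dict with the declared and actual payload lengths, the number of
    trailing bytes beyond the expected message, and an alert string (or None).
    """
    msg_type, declared_len, payload = parse_netbios(frame)
    result = {"declared_len": declared_len, "actual_len": len(payload),
              "trailer_len": 0, "alert": None}
    if msg_type != NETBIOS_SESSION_MESSAGE:
        result["alert"] = "not a NetBIOS session message"
        return result
    if len(payload) < SMB2_HEADER_LEN or payload[:4] != SMB2_MAGIC:
        result["alert"] = "no SMB2 header"
        return result
    (command,) = struct.unpack_from("<H", payload, 12)
    (flags,) = struct.unpack_from("<I", payload, 16)
    if command != SMB2_TREE_CONNECT or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        result["alert"] = "not a Tree Connect Response"
        return result
    expected = SMB2_HEADER_LEN + TREE_CONNECT_RESPONSE_BODY_LEN
    trailer = declared_len - expected
    result["trailer_len"] = max(trailer, 0)
    if declared_len != len(payload):
        # The length field and the bytes actually received disagree.
        result["alert"] = "NetBIOS length does not match bytes on the wire"
    elif trailer > TRAILER_ALERT_THRESHOLD:
        # The message should have ended at `expected`; anything beyond is a suspicious trailer.
        result["alert"] = (f"oversized Tree Connect Response: {trailer} trailing bytes "
                           f"beyond the {expected}-byte message")
    return result


def build_sample(trailer_len: int) -> bytes:
    """Constructed test frame: a minimal Tree Connect Response plus `trailer_len` zero bytes."""
    header = bytearray(SMB2_HEADER_LEN)
    header[0:4] = SMB2_MAGIC
    struct.pack_into("<H", header, 4, SMB2_HEADER_LEN)               # StructureSize
    struct.pack_into("<H", header, 12, SMB2_TREE_CONNECT)            # Command
    struct.pack_into("<I", header, 16, SMB2_FLAGS_SERVER_TO_REDIR)   # Flags: response
    payload = bytes(header) + bytes(TREE_CONNECT_RESPONSE_BODY_LEN) + bytes(trailer_len)
    return bytes([NETBIOS_SESSION_MESSAGE]) + len(payload).to_bytes(3, "big") + payload


# Constructed samples: a well-formed response, and one padded out to the 1580-byte
# total the article reports.
BENIGN_FRAME = build_sample(0)
OVERSIZED_FRAME = build_sample(1580 - (SMB2_HEADER_LEN + TREE_CONNECT_RESPONSE_BODY_LEN))

if __name__ == "__main__":
    for name, frame in (("benign", BENIGN_FRAME), ("oversized", OVERSIZED_FRAME)):
        print(name, inspect_tree_connect_response(frame))
```

Run as a script, the benign frame reports no alert while the 1580-byte frame reports 1508 trailing bytes. In a passive sensor the same check would sit on the response direction of TCP/445 traffic; the point is that the length a peer declares is compared against the size the message type actually has, rather than trusting the NetBIOS length as the parser in the article evidently did.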