# CVE-2020-0796 SMB Ghost vulnerability detection and mitigation
This repository documents my practice of detecting and mitigating the SMB Ghost vulnerability, also known as CVE-2020-0796. This vulnerability affects Microsoft Server Message Block 3.1.1 (SMBv3) and can allow attackers to execute arbitrary code with system privileges or launch denial-of-service attacks.
## Tools and Environment
The exercise used the following tools and environment:
* Windows 10 version 1903 (target machine)
* Kali Linux (attacker machine)
* Nmap (network mapper tool)
* Wireshark (packet sniffer tool)
* Windows Defender Firewall
* GitHub repository from https://github.com/chompie1337 (exploit code)
## Detection Method
Several methods were used to detect the CVE-2020-0796 vulnerability:
* Checking the Windows version by running `winver` at the command prompt or looking it up in the system settings.
* Using Nmap to scan a range of IP addresses and detect the OS and services running, including SMB version and port 445 status.
* Using Wireshark to sniff an SMB transmission and capture packets sent by the exploit code from the attacker machine to the target machine.
* Enabling Windows Firewall logging to monitor TCP and UDP connections and dropped packets.
## Mitigation Method
Because no upgrade or patch was available in the short term, the mitigation applied was to disable SMBv3 compression with a PowerShell command, so that an attacker cannot reach the vulnerable compression code path:

```powershell
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name DisableCompression -Type DWORD -Value 1 -Force
```

Alternatively, use Windows Defender Firewall to block all inbound SMB traffic, which prevents remote connections from malicious devices (Microsoft, n.d.).
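The following script is an added example and not part of this repository's original material. It audits a host for the compression mitigation described above, reports whether TCP 445 is listening, and applies the registry change plus firewall logging (the last bullet under Detection Method) when an affected build is still unmitigated. It assumes an elevated PowerShell session on Windows 10 and treats builds 18362 (1903) and 18363 (1909) as the affected range.

```powershell
# Added example (not from the original repository): audit and apply the SMBGhost
# compression mitigation. Assumes an elevated session on Windows 10; the affected
# build list below is an assumption based on the 1903/1909 releases.
$RegPath        = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$AffectedBuilds = 18362, 18363

function Get-SmbGhostStatus {
    $build = [int](Get-ItemPropertyValue `
        -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name CurrentBuildNumber)
    $props = Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue
    # A missing value means compression is still enabled (the default).
    $disableCompression = if ($null -ne $props.DisableCompression) { [int]$props.DisableCompression } else { 0 }
    # The vulnerable code is only reachable over the SMB listener, so record whether 445 is open.
    $listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Build              = $build
        AffectedBuild      = ($AffectedBuilds -contains $build)
        DisableCompression = $disableCompression
        Port445Listening   = $listening
        MitigationApplied  = ($disableCompression -eq 1)
    }
}

function Set-SmbGhostMitigation {
    # Same registry change as the mitigation above; Microsoft documents that no reboot is needed.
    Set-ItemProperty -Path $RegPath -Name DisableCompression -Type DWORD -Value 1 -Force
    # Log both dropped and allowed connections on every firewall profile, so SMB
    # connection attempts to this host show up in the firewall log.
    Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True -LogAllowed True
}

$status = Get-SmbGhostStatus
$status | Format-List
if ($status.AffectedBuild -and -not $status.MitigationApplied) {
    Write-Warning 'Affected build without the compression mitigation; applying it now.'
    Set-SmbGhostMitigation
    Get-SmbGhostStatus | Format-List
}
```

Re-running the script after the change should report `DisableCompression : 1` and `MitigationApplied : True` without a reboot.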
## References
* Microsoft Security Response Center. (2020, March 12). CVE-2020-0796 | Windows SMBv3 Client/Server Remote Code Execution Vulnerability. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-0796
* TrustedSec. (2020, March 15). SMBGhost: Detection and Mitigation. https://www.trustedsec.com/blog/smbghost-detection-and-mitigation/
* Saigal, S. (2017, August 8). Monitoring Firewall Logs in Windows. https://www.manageengine.com/products/eventlog/help/firewall-monitoring/monitor-firewall-logs-windows.html
## Notes
More detail, with screenshots, is in the docx file.