关联漏洞
标题:
微软 Microsoft SMBv3 缓冲区错误漏洞
(CVE-2020-0796)
描述:Microsoft SMBv3是美国微软(Microsoft)公司的一个为设备提供SMB功能的支持固件。 Microsoft Server Message Block 3.1.1 (SMBv3)版本中存在缓冲区错误漏洞,该漏洞源于SMBv3协议在处理恶意压缩数据包时,进入了错误流程。远程未经身份验证的攻击者可利用该漏洞在应用程序中执行任意代码。以下产品及版本受到影响:Microsoft Windows 10版本1903,Windows Server版本1903,Windows 10版本1909,Windo
描述
SMBGhost (CVE-2020-0796) Automate Exploitation and Detection
介绍
# SMBGhost (CVE-2020-0796) Automate Exploitation and Detection
This python program is a wrapper from the RCE SMBGhost vulnerability. All the credits for the working exploit to [chompie1337][1]. All the credits for the scanner to [ioncodes][2].
I just automate these functions in one program. You need to have in mind the architecture of the Windows target when you are going to create the reverse shell.
This exploit is not **stable**, use at your own. Sometimes it doesn't work at the first time, this is why I added a second retry.
If you are going to put your own shellcode, have in mind that the shellcode max size is **600 bytes**.
* Tested on Windows 10 x64 (Microsoft Windows [Versión 10.0.18362.113]. Build 1903.)
* Tested on Win10 Enterprise (Eng) x64 v1903 Build 18362.30 by @tijldeneut
Windows ISO (x64) vulnerable to test the exploit: [MEGA DOWNLOAD](https://mega.nz/file/FPxQ2BKa#86Dfq3pfb5iCpC5BK9TxfUm5XJLmJoiNm3Pf7Yv_qCc)
# DEMO
**1º Stageless reverse shell (x64) created from msfvenom.**
**2º Trying custom shellcode to add user "di.security" as Administrator in the target. Credits for the shellcode to [rastating][4]**
# Options
```
usage: Smb_Ghost.py [-h] -i IP [-p PORT] [--check] [-e] [--lhost LHOST]
[--lport LPORT] [--arch ARCH] [--silent] [--shellcode]
[--load-shellcode LOAD_SHELLCODE]
SMBGhost Detection and Exploitation
optional arguments:
-h, --help show this help message and exit
-i IP, --ip IP IP address
-p PORT, --port PORT SMB Port
--check Check SMBGhost Vulnerability
-e Directly exploit SMBGhost
--lhost LHOST Lhost for the reverse shell
--lport LPORT Lport for the reverse shell
--arch ARCH Architecture of the target Windows Machine
--silent Silent mode for the scanner
--shellcode Shellcode Menu to import your shell
--load-shellcode LOAD_SHELLCODE
Load shellcode directly from file
```
# Author
* Alberto Barriuso ([@_Barriuso](https://twitter.com/_Barriuso))
# Disclaimer
Any misuse of this software will not be the responsibility of the author. Use it at your own networks and/or with the network owner's permission.
# TODO
* Add more payloads.
* Test on another Windows versions (x86)
* More accurate the scanner. The scanner only detects if SMBv3.1.1 is being used but if the host is patched, it will give you a false positive.
[1]: https://github.com/chompie1337/SMBGhost_RCE_PoC
[2]: https://github.com/ioncodes/SMBGhost
[3]:https://github.com/Veil-Framework/Veil
[4]:https://rastating.github.io/altering-msfvenom-exec-payload-to-work-without-exitfunc/
文件快照
[4.0K] /data/pocs/9352bc1e1baf85d487edc394ad364e5638ac09fb
├── [4.0K] Custom_Shellcodes
│ └── [1.5K] x64_add_user.txt
├── [4.0K] RCE
│ ├── [ 18K] exploit.py
│ ├── [8.0K] kernel_shellcode.asm
│ ├── [4.5K] lznt1.py
│ ├── [ 154] README.md
│ └── [5.5K] smb_win.py
├── [2.9K] README.md
├── [ 13] requirements.txt
├── [4.0K] Scanner
│ ├── [4.1K] logless_scanner.py
│ ├── [ 144] README.md
│ └── [4.4K] scanner.py
└── [ 14K] Smb_Ghost.py
3 directories, 12 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。