Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2020-0796 PoC — 微软 Microsoft SMBv3 缓冲区错误漏洞

Source
https://github.com/Barriuso/SMBGhost_AutomateExploitation
Associated Vulnerability
Title:微软 Microsoft SMBv3 缓冲区错误漏洞 (CVE-2020-0796)
Description:A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Remote Code Execution Vulnerability'.
Description
SMBGhost (CVE-2020-0796) Automate Exploitation and Detection
Readme
# SMBGhost (CVE-2020-0796) Automate Exploitation and Detection

This python program is a wrapper from the RCE SMBGhost vulnerability. All the credits for the working exploit to [chompie1337][1]. All the credits for the scanner to [ioncodes][2].

I just automate these functions in one program. You need to have in mind the architecture of the Windows target when you are going to create the reverse shell.

This exploit is not **stable**, use at your own. Sometimes it doesn't work at the first time, this is why I added a second retry.

If you are going to put your own shellcode, have in mind that the shellcode max size is **600 bytes**.

* Tested on Windows 10 x64 (Microsoft Windows [Versión 10.0.18362.113]. Build 1903.)
* Tested on Win10 Enterprise (Eng) x64 v1903 Build 18362.30 by @tijldeneut

Windows ISO (x64) vulnerable to test the exploit: [MEGA DOWNLOAD](https://mega.nz/file/FPxQ2BKa#86Dfq3pfb5iCpC5BK9TxfUm5XJLmJoiNm3Pf7Yv_qCc)

# DEMO
**1º Stageless reverse shell (x64) created from msfvenom.**

![Demo3](https://user-images.githubusercontent.com/16231048/84297744-59c36d80-ab4e-11ea-8f09-ab7aff004bca.gif)

**2º Trying custom shellcode to add user "di.security" as Administrator in the target. Credits for the shellcode to [rastating][4]**

![2020-06-12_11h49_05](https://user-images.githubusercontent.com/16231048/84492127-f8aead80-aca5-11ea-8455-f873fc85231f.png)


# Options
```
usage: Smb_Ghost.py [-h] -i IP [-p PORT] [--check] [-e] [--lhost LHOST]
                    [--lport LPORT] [--arch ARCH] [--silent] [--shellcode]
                    [--load-shellcode LOAD_SHELLCODE]

SMBGhost Detection and Exploitation

optional arguments:
  -h, --help            show this help message and exit
  -i IP, --ip IP        IP address
  -p PORT, --port PORT  SMB Port
  --check               Check SMBGhost Vulnerability
  -e                    Directly exploit SMBGhost
  --lhost LHOST         Lhost for the reverse shell
  --lport LPORT         Lport for the reverse shell
  --arch ARCH           Architecture of the target Windows Machine
  --silent              Silent mode for the scanner
  --shellcode           Shellcode Menu to import your shell
  --load-shellcode LOAD_SHELLCODE
                        Load shellcode directly from file

```

# Author
* Alberto Barriuso ([@_Barriuso](https://twitter.com/_Barriuso))

# Disclaimer

Any misuse of this software will not be the responsibility of the author. Use it at your own networks and/or with the network owner's permission.

# TODO
* Add more payloads.
* Test on another Windows versions (x86)
* More accurate the scanner. The scanner only detects if SMBv3.1.1 is being used but if the host is patched, it will give you a false positive.

[1]: https://github.com/chompie1337/SMBGhost_RCE_PoC
[2]: https://github.com/ioncodes/SMBGhost
[3]:https://github.com/Veil-Framework/Veil
[4]:https://rastating.github.io/altering-msfvenom-exec-payload-to-work-without-exitfunc/
File Snapshot

Log in to view the POC file snapshot cached by Shenlong Bot

Log in to view
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →