Exploiting Windows SMB v3.1.1 | CVE-2020-0796 | SMBGhost | CORONABLUE

Description

A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client.

CVE ID

CVE-2020-0796

FIG: Brief info about CVE-2020-0796

Why is it wormable?

FIG: News item from thehackernews.com describing the flaw as “wormable”

Remember MS17-010? Remember WannaCry? Yes, that is it. Whenever a vulnerability can be used by a malicious hacker group to spread malware (a virus or worm) from one vulnerable host to the next, the vulnerability is called “wormable”.

Targets

  • Windows 10 Version 1903 for 32-bit Systems
  • Windows 10 Version 1903 for ARM64-based Systems
  • Windows 10 Version 1903 for x64-based Systems
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows 10 Version 1909 for ARM64-based Systems
  • Windows 10 Version 1909 for x64-based Systems
  • Windows Server, version 1903 (Server Core installation)
  • Windows Server, version 1909 (Server Core installation)

Agenda

  • Vulnerability Detection via Python Script
  • Vulnerability Detection via unofficial Nmap script
  • Exploitation using python script that will cause DoS
  • Workaround

Disclaimer: This video is ONLY for educational and research purposes. Any misuse of the content of this video is strictly prohibited. Neither BugTestLab nor I will be accountable for any illegal activities.

Our Target

FIG: Version of target

Tools Required

  • Python 3.0+
  • Nmap

How to detect

FIG: GitHub page of the CVE-2020-0796 scanner written in Python 3

FIG: After executing the Python scanning script for CVE-2020-0796
FIG: GitHub page for the Nmap script; it is not an official Nmap script for CVE-2020-0796
FIG: SMBGhost detected by the new Nmap script
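Both the Python scanner and the Nmap script shown above work the same way: they send an SMB2 NEGOTIATE request offering dialect 3.1.1 and look at the server's answer. A server that agrees to dialect 0x0311 and returns an SMB2_COMPRESSION_CAPABILITIES negotiate context has the compression feature that CVE-2020-0796 lives in. The block below is an added example written for this page (it is not the ollypwn scanner or the Nmap script); it parses a NEGOTIATE response offline and walks the negotiate contexts instead of only checking the context count. The response bytes are constructed by `build_sample_response`, a helper invented here for testing, so nothing touches the network.

```python
"""Offline SMBGhost negotiate-response check (added example).

Parses an SMB2 NEGOTIATE response ([MS-SMB2] 2.2.4) and reports whether the
server selected dialect 3.1.1 and advertised SMB2_COMPRESSION_CAPABILITIES,
which is the heuristic the public CVE-2020-0796 scanners rely on. All sample
bytes are constructed below; no real traffic is involved.
"""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_NEGOTIATE = 0x0000
DIALECT_311 = 0x0311
SMB2_PREAUTH_INTEGRITY_CAPABILITIES = 0x0001
SMB2_COMPRESSION_CAPABILITIES = 0x0003
COMPRESSION_NAMES = {0x0000: "NONE", 0x0001: "LZNT1", 0x0002: "LZ77", 0x0003: "LZ77+Huffman"}


def parse_negotiate_response(pkt: bytes) -> dict:
    """Return dialect and the list of (ContextType, Data) negotiate contexts."""
    if len(pkt) < SMB2_HEADER_LEN + 64 or pkt[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    if struct.unpack_from("<H", pkt, 12)[0] != SMB2_NEGOTIATE:
        raise ValueError("not a NEGOTIATE response")
    body = SMB2_HEADER_LEN
    structure_size, _security_mode, dialect, ctx_count = struct.unpack_from("<HHHH", pkt, body)
    if structure_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    # NegotiateContextOffset (body+60) is relative to the start of the SMB2 header.
    ctx_offset = struct.unpack_from("<I", pkt, body + 60)[0]
    contexts, off = [], ctx_offset
    for _ in range(ctx_count):
        ctype, dlen = struct.unpack_from("<HH", pkt, off)   # Reserved(4) follows
        contexts.append((ctype, pkt[off + 8: off + 8 + dlen]))
        off += 8 + dlen
        off += (-off) % 8                                    # contexts are 8-byte aligned
    return {"dialect": dialect, "contexts": contexts}


def compression_algorithms(contexts) -> list:
    """Algorithm IDs from the SMB2_COMPRESSION_CAPABILITIES context, or [] if absent."""
    for ctype, data in contexts:
        if ctype == SMB2_COMPRESSION_CAPABILITIES and len(data) >= 8:
            count = struct.unpack_from("<H", data, 0)[0]     # then Padding(2), Flags(4)
            return [struct.unpack_from("<H", data, 8 + 2 * i)[0] for i in range(count)]
    return []


def smbghost_indicator(pkt: bytes) -> dict:
    """Scanner-style verdict: dialect 3.1.1 plus a non-NONE compression algorithm."""
    info = parse_negotiate_response(pkt)
    algos = compression_algorithms(info["contexts"])
    return {
        "dialect": info["dialect"],
        "compression_algorithms": [COMPRESSION_NAMES.get(a, hex(a)) for a in algos],
        "likely_vulnerable": info["dialect"] == DIALECT_311 and any(a != 0 for a in algos),
    }


def _context(ctype: int, data: bytes) -> bytes:
    return struct.pack("<HHI", ctype, len(data), 0) + data


def build_sample_response(dialect: int, algorithms=None) -> bytes:
    """Constructed NEGOTIATE response for offline tests (not captured traffic)."""
    header = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, SMB2_NEGOTIATE, 1, 1, 0, 0, 0, 0, 0)
    header += b"\x00" * 16                                   # Signature
    contexts, count = b"", 0
    if dialect == DIALECT_311:
        # Pre-auth integrity context: SHA-512 with a constructed 32-byte salt (38 bytes, forces padding)
        contexts += _context(SMB2_PREAUTH_INTEGRITY_CAPABILITIES, struct.pack("<HHH", 1, 32, 1) + b"\x11" * 32)
        count = 1
        if algorithms is not None:
            contexts += b"\x00" * ((-len(contexts)) % 8)
            comp = struct.pack("<HHI", len(algorithms), 0, 0) + b"".join(struct.pack("<H", a) for a in algorithms)
            contexts += _context(SMB2_COMPRESSION_CAPABILITIES, comp)
            count += 1
    ctx_offset = SMB2_HEADER_LEN + 64 if count else 0
    body = struct.pack("<HHHH", 65, 1, dialect, count) + b"\x00" * 16          # ServerGuid (zero)
    body += struct.pack("<IIII", 0x2F, 0x800000, 0x800000, 0x800000)            # Capabilities, Max sizes
    body += struct.pack("<QQ", 0, 0)                                            # SystemTime, ServerStartTime
    body += struct.pack("<HHI", SMB2_HEADER_LEN + 64, 0, ctx_offset)           # SecBuf off/len, ctx offset
    return header + body + contexts


if __name__ == "__main__":
    print(smbghost_indicator(build_sample_response(DIALECT_311, [0x0002])))
    print(smbghost_indicator(build_sample_response(0x0302)))
```

The check reads the negotiate contexts that the ADV200005 workaround below removes: with `DisableCompression` set, the server stops advertising the compression context and the indicator turns negative. It cannot tell whether the March 2020 security update is installed, because a patched host still negotiates compression, so a positive result means "inventory this host and verify its patch level", not proof of vulnerability.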

Exploitation

Currently there is no public exploit available for Remote Code Execution (RCE), but there are a couple of scripts available which cause a Denial of Service (DoS) on the target system.

Exploit Code

FIG: GitHub page for the exploit code that can cause DoS

Below are the screenshots showing the DoS process using the existing exploit code:

FIG: Clone and execution of the exploit code that causes DoS
FIG: DoS! Bingo!

Research Areas

  • Remote Code Execution : TO DO
  • MSF Module for RCE/PrivEsc

Workarounds

ADV200005 | Microsoft Guidance for Disabling SMBv3 Compression

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

References

  • https://github.com/ollypwn/SMBGhost
  • https://packetstormsecurity.com/files/156731/CoronaBlue-SMBGhost-Microsoft-Windows-10-SMB-3.1.1-Proof-Of-Concept.html
  • https://packetstormsecurity.com/files/156732/Microsoft-Windows-SMB-3.1.1-Remote-Code-Execution.html
  • https://thehackernews.com/2020/03/patch-wormable-smb-vulnerability.html

YouTube Video

Video tutorial for scanning, identifying and exploiting CVE-2020-0796 SMBGhost

Happy Learning… Happy Hacking…

~~~PEACE~~~
