Shulou(Shulou.com)06/01 Report--

What this article shares with you is an example analysis of Microsoft SMBv3 protocol RCE testing CVE-2020-0796 vulnerabilities. The editor thinks it is very practical, so I share it with you. I hope you can get something after reading this article. Let's take a look at it.

About 0x01 SMB (full name is Server Message Block) is a protocol name that can be used for Web connections and communication between clients and servers.

Overview of 0x02 vulnerabilities

The flaw is due to an error in the processing of malicious compressed packets by the SMBv3 protocol, which allows remote and unauthenticated attackers to execute arbitrary code on the target system. This vulnerability is similar to Eternal Blue and has the possibility of being exploited by worms.

0x03 affects version

Windows 10 version 1903 for 32-bit systems

Windows 10 version 1903 (for x64-based systems)

Windows 10 version 1903 (for ARM64-based systems)

Windows Server version 1903 (server core installation)

Windows 10 version 1909 for 32-bit systems

Windows 10 version 1909 (for x64-based systems)

Windows 10 version 1909 (for ARM64-based systems)

Windows Server version 1909 (server core installation)

0x04 environment building

Download address:

Https://msdn.itellyou.cn/

0x05 vulnerability detection

Python script:

Https://github.com/ollypwn/SMBGhost/blob/master/scanner.py

Nmap detection script (nse script)

Https://github.com/cyberstruggle/DeltaGroup/blob/master/CVE-2020-0796/CVE-2020-0796.nse

Powershell detection script

Https://github.com/T13nn3s/CVE-2020-0976/blob/master/CVE-2020-0796-Smbv3-checker.ps1

Run the scaner.py file after decompression

0x06 repair mode

1. Install the patch

Https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796

two。 Disable SMBv3 compression

3. Disable powershell command compression

Set-ItemProperty-Path "HKLM:\ SYSTEM\ CurrentControlSet\ Services\ LanmanServer\ Parameters" DisableCompression-Type DWORD-Value 1-Force above is an example analysis of Microsoft SMBv3 protocol RCE to detect CVE-2020-0796 vulnerabilities. The editor believes that there are some knowledge points that we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.