Vulnerability - remote
# Author: nu11secur1ty
# Date: 2020-03-14
# Vendor: https://smb.wsu.edu/
# Link:
https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0796
# CVE: CVE-2020-0796
[+] Credits: Ventsislav Varbanovski (@ nu11secur1ty)
[+] Website: https://www.nu11secur1ty.com/
[+] Source: readme from GitHUB
[+] twitter.com/nu11secur1ty
[Exploit Program Code]
--------------------------------------
import socket
import struct
import sys
smbsuckmickey_mouse =
b'\x00\x00\x00\xc0\xfeSMB@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00$\x00\x08\x00\x01\x00\x00\x00\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00x\x00\x00\x00\x02\x00\x00\x00\x02\x02\x10\x02"\x02$\x02\x00\x03\x02\x03\x10\x03\x11\x03\x00\x00\x00\x00\x01\x00&\x00\x00\x00\x00\x00\x01\x00
\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\n\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00'
sock = socket.socket(socket.AF_INET)
sock.settimeout(3)
sock.connect(( sys.argv[1], 445 ))
sock.send(smbsuckmickey_mouse)
nb, = struct.unpack(">I", sock.recv(4))
res = sock.recv(nb)
if not res[68:70] == b"\x11\x03":
exit("Not vulnerable.")
if not res[70:72] == b"\x02\x00":
exit("Not vulnerable.")
exit("Vulnerable.")
--------------------------------------
#!/usr/bin/bash
if [ $# -eq 0 ]
then
echo $'Usage:\n\vulnsmb.sh TARGET_IP_or_CIDR'
exit 1
fi
echo "Checking if there's SMB v3.11 in" $1 "..."
nmap -p445 --script smb-protocols -Pn -n $1 | grep -P
'\d+\.\d+\.\d+\.\d+|^\|.\s+3.11' | tr '\n' ' ' | replace 'Nmap scan
report
for' '@' | tr "@" "\n" | grep 3.11 | tr '|' ' ' | tr '_' ' ' | grep
-oP
'\d+\.\d+\.\d+\.\d+'
if [[ $? != 0 ]]; then
echo "There's no SMB v3.11"
fi
-------------------------------------
[Vendor]
Microsoft
[Product]
https://smb.wsu.edu/
[Vulnerability Type]
Remote + Layer 2
[Security Issue]
The security update addresses the vulnerability by correcting how
the SMBv3
protocol handles these specially crafted requests.
[References]
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0796
A remote code execution vulnerability exists in the way that the
Microsoft
Server Message Block 3.1.1 (SMBv3) protocol handles certain
requests.
An attacker who successfully exploited the vulnerability could gain
the
ability to execute code on the target server or client.
To exploit the vulnerability against a server, an unauthenticated
attacker
could send a specially crafted packet to a targeted SMBv3
server.
To exploit the vulnerability against a client, an unauthenticated
attacker
would need to configure a malicious SMBv3 server and convince a
user to
connect to it.
The security update addresses the vulnerability by correcting how
the SMBv3
protocol handles these specially crafted requests.
[Network Access]
Remote + Layer 2
[Disclosure Timeline]
Published: 03/12/2020
[+] Disclaimer
The entry creation date may reflect when the CVE ID was allocated
or
reserved,
and does not necessarily indicate when this vulnerability was
discovered,
shared
with the affected vendor, publicly disclosed, or updated in
CVE.
--
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.blogspot.com/>
