forked from rsmudge/CVE-2020-0796-BOF
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathREADME.txt
47 lines (32 loc) · 2.35 KB
/
README.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
This is Raphael's tinkering around with the SMBGhost LPE.
I started with the source code from the Metasploit Framework:
cve-2020-0796: SMBv3 Compression Buffer Overflow (SMBGhost) (CVE 2020-0796)
https://github.com/rapid7/metasploit-framework/tree/master/external/source/exploits/CVE-2020-0796
[BSD Licensed]
And, here's what I did:
1. I converted the Reflective DLL to a Cobalt Strike 4.1 Beacon Object File.
This required declaring several Win32 APIs in the Dynamic Function Resolution MODULE$Function format.
On the bright side, this reduced some of the code to call things in NTDLL since DFR is handling that
for us. :)
I removed the unused 1,000 item ptr array from get_handle_addr. This was causing cl.exe to insert a
__chkstk function due to the local variables exceeding an 8KB limit. BOFs don't have this function
available to them.
I then brought in a few Beacon-specific APIs (e.g., BeaconPrintf, BeaconInjectProcess, etc.) to do
things using the Beacon-native way.
I had to write a few functions to make up for libc stuff I don't have (due to... BOFs).
2. I split the code into two different weaponization paths:
Use the 'smbghost' alias in Beacon, with no arguments, to run this exploit and impact the Beacon
process token only. If the exploit succeeds, your current process token will have super powers it
didn't have before. For example, you can now inject into other processes (even in other desktop
sessions) or spawn a child process under winlogon.exe. You may need to run smbghost multiple times
as the exploit doesn't always succeed on the first run.
Optionally, use 'elevate smbghost' to obtain a new Beacon session using the privilege escalation API
available in Cobalt Strike's Aggressor Script. This is OK for a quick demo, it fits the product's
workflows, etc. but... it injects into winlogon.exe. Injecting into winlogon.exe is not an invariant
of this particular elevation. I suspect all of the public POCs do it because CreateRemoteThread does
not work across process boundaries and who wants to write the extra boiler plate for parent process
spoofing? winlogon.exe is the easy low hanging fruit to demonstrate that we have elevated rights.
To compile this with Visual Studio:
Use make.bat from the x64 Cross Tools Command Prompt.
This will output expoit.x64.o to dist/
I used Visual Studio 2013. Other compilers/versions weren't tested. I did not try/test x86.