id: CVE-2020-0796

info:
  name: Microsoft SMBv3 - Remote Code Execution
  author: Yusuf Amr
  severity: critical
  description: |
    A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Remote Code Execution Vulnerability'.
  impact: |
    Unauthenticated attackers can exploit SMBv3 protocol handling vulnerabilities to execute arbitrary code on Windows 10 and Windows Server systems, enabling complete system compromise.
  remediation: |
    Apply Microsoft security updates that patch the SMBv3 protocol vulnerability in Windows 10 version 1903 and later as documented in Microsoft security advisory CVE-2020-0796.
  reference:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0796
    - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796
    - https://github.com/tdevworks/CVE-2020-0796-SMBGhost-Exploit-Demo
    - http://packetstormsecurity.com/files/156731/CoronaBlue-SMBGhost-Microsoft-Windows-10-SMB-3.1.1-Proof-Of-Concept.html
    - http://packetstormsecurity.com/files/156980/Microsoft-Windows-10-SMB-3.1.1-Local-Privilege-Escalation.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2020-0796
    cwe-id: CWE-119
    epss-score: 0.94424
    epss-percentile: 0.99982
    cpe: cpe:2.3:o:microsoft:windows_10_1903:-:*:*:*:*:*:arm64:*
  metadata:
    vendor: microsoft
    product: windows_10_1903
    shodan-query: cpe:"cpe:2.3:o:microsoft:windows_10_1903"
    verified: true
  tags: cve,cve2020,microsoft,smb,kev,vkev,vuln

tcp:
  - host:
      - "{{Hostname}}"

    port: 445

    inputs:
      - data: "{{hex_decode(\"000000c2fe534d4240000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000024000800000000007f0000000102abcd0102abcd0102abcd0102abcd7800000002000000020210022202240200030203100311030000000001002600000000000100200001000000000000000000000000000000000000000000000000000000000000000000000003000a0000000000010000000100000001000000000000000000\")}}"

        read: 8192

      - data: "{{hex_decode(\"000000a0fc534d42ffffffff0100000080000000fe534d424000000000000000010000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000001900000200000000000000005800280000000000000000004e544c4d5353500001000000329088e2000000002800000000000000280000000601b11d0000000f00000000000000000000000000000000\")}}"

    matchers-condition: and
    matchers:
      - type: binary
        part: data
        encoding: hex
        binary:
          - "fc534d4248000000"
          - "0d0000c0"
          - "1000602d00"
        condition: or

      - type: binary
        part: data
        encoding: hex
        binary:
          - "00000031fc534d424800000001000000000000001eb000fe534d4240000000c00d0000c00100011000602d00100103301e28090442"
# digest: 4a0a00473045022100bbbd2412db30f1cecb3ce32ac6a03ebd24027ba14fc533aa8a4768083552cc640220118cfdc66d2845cd6b48e94200ed91e90edb02628ad0c1b5cbc3024b36f7a9cc:922c64590222798bb761d5b6d8e72950