https://blog.csdn.net/qq_45372008/article/details/106980409
https://zhuanlan.zhihu.com/p/374949632
SMB 3.1.1协议处理某些请求的方式中存在远程执行代码漏洞,可能被攻击者利用远程执行任意代码。该漏洞的后果十分接近永恒之蓝系列,都利用Windows SMB漏洞远程攻击获取系统最高权限,故也称永恒之黑。
影响范围
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows Server, Version 1903 (Server Core installation)
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows Server, Version 1909 (Server Core installation)
下载windows10靶机
ed2k://|file|cn_windows_10_consumer_editions_version_1903_updated_aug_2019_x64_dvd_4c9cbf0b.iso|5306406912|D061699FE76029369A7BEC3622A564BA|/
关闭靶机防火墙
https://github.com/ly4k/SMBGhost/blob/master/scanner.py
https://github.com/chompie1337/SMBGhost_RCE_PoC 漏洞利用的exp
https://link.zhihu.com/?target=http%3A//dl.qianxin.com/skylar6/CVE-2020-0796-Scanner.zip 奇安信漏洞检测工具
https://github.com/shengshengli/LadonGo/blob/main/smb/SmbGhost.go
测试我的本机
但https://github.com/ly4k/SMBGhost/blob/master/scanner.py仍然显示漏洞,所以这个poc是有问题的
https://github.com/shengshengli/LadonGo/blob/main/smb/SmbGhost.go微调了下得到下面的代码
package smb
import (
"bytes"
"fmt"
"net"
"strconv"
"strings"
"time"
)
const (
pkt = "\x00" + // session
"\x00\x00\xc0" + // legth
"\xfeSMB@\x00" + // protocol
//[MS-SMB2]: SMB2 NEGOTIATE Request
//https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/e14db7ff-763a-4263-8b10-0c3944f52fc5
"\x00\x00" +
"\x00\x00" +
"\x00\x00" +
"\x00\x00" +
"\x1f\x00" +
"\x00\x00\x00\x00" +
"\x00\x00\x00\x00" +
"\x00\x00\x00\x00" +
"\x00\x00\x00\x00" +
"\x00\x00\x00\x00" +
"\x00\x00\x00\x00" +
"\x00\x00\x00\x00" +
"\x00\x00\x00\x00" +
"\x00\x00\x00\x00" +
"\x00\x00\x00\x00" +
"\x00\x00\x00\x00" +
"\x00\x00\x00\x00" +
// [MS-SMB2]: SMB2 NEGOTIATE_CONTEXT
// https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/15332256-522e-4a53-8cd7-0bd17678a2f7
"$\x00" +
"\x08\x00" +
"\x01\x00" +
"\x00\x00" +
"\x7f\x00\x00\x00" +
"\x00\x00\x00\x00" +
"\x00\x00\x00\x00" +
"\x00\x00\x00\x00" +
"\x00\x00\x00\x00" +
"x\x00" +
"\x00\x00" +
"\x02\x00" +
"\x00\x00" +
"\x02\x02" +
"\x10\x02" +
"\x22\x02" +
"$\x02" +
"\x00\x03" +
"\x02\x03" +
"\x10\x03" +
"\x11\x03" +
"\x00\x00\x00\x00" +
// [MS-SMB2]: SMB2_PREAUTH_INTEGRITY_CAPABILITIES
// https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/5a07bd66-4734-4af8-abcf-5a44ff7ee0e5
"\x01\x00" +
"&\x00" +
"\x00\x00\x00\x00" +
"\x01\x00" +
"\x20\x00" +
"\x01\x00" +
"\x00\x00\x00\x00" +
"\x00\x00\x00\x00" +
"\x00\x00\x00\x00" +
"\x00\x00\x00\x00" +
"\x00\x00\x00\x00" +
"\x00\x00\x00\x00" +
"\x00\x00\x00\x00" +
"\x00\x00\x00\x00" +
"\x00\x00" +
// [MS-SMB2]: SMB2_COMPRESSION_CAPABILITIES
// https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/78e0c942-ab41-472b-b117-4a95ebe88271
"\x03\x00" +
"\x0e\x00" +
"\x00\x00\x00\x00" +
"\x01\x00" + //CompressionAlgorithmCount
"\x00\x00" +
"\x01\x00\x00\x00" +
"\x01\x00" + //LZNT1
"\x00\x00" +
"\x00\x00\x00\x00"
)
func SmbGhost(ip string, port int) (isExist bool, err error) {
isExist = false
addr := strings.Join([]string{ip, strconv.Itoa(port)}, ":")
conn, err := net.DialTimeout("tcp", addr, 2*time.Second)
if err != nil {
return isExist, err
} else {
defer conn.Close()
conn.Write([]byte(pkt))
buff := make([]byte, 1024)
err = conn.SetReadDeadline(time.Now().Add(2 * time.Second))
n, err := conn.Read(buff)
if err != nil {
return isExist, err
}
if bytes.Contains([]byte(buff[:n]), []byte("Public")) == true {
isExist = true
fmt.Println(ip + " CVE-2020-0796 SmbGhost Vulnerable")
return isExist, nil
} else {
return isExist, nil
}
}
return isExist, nil
}
测试了靶机和本机,结果均正确。在fofa上找了几个样例测试,也是扫不出来,结果应该无误
