
Win 1909 Enterprise socket timeout

Open 0xShkk opened this issue 4 years ago • 14 comments

Followup on https://github.com/chompie1337/SMBGhost_RCE_PoC/issues/5#issue-629977267

0xShkk, Jun 04 '20 17:06

Hi, how many times have you tried? What is the stop code? Thank you.

chompie1337, Jun 04 '20 18:06

Hi. My stop code is "overwrote HalpInterruptController pointer, should have execution shortly...", but I didn't get a shell.

MagicNieh, Jun 05 '20 03:06

Hello,

I have tried it like 5 times or so. Every time the bluescreen was triggered immediately, without the python script giving me any output except an immediate timeout (because Windows was down, obviously).

BUT I was trying it again just now and discovered that I had accidentally used python version 2.7.18, which reliably forces the described crash.

Windows error code:

KMODE EXCEPTION NOT HANDLED

Sorry for confusion!

Then tried it again with python3 like 10 times.

I get this result every time:

python3 exploit.py -ip 192.168.100.51
[+] found low stub at phys addr 13000!
[+] PML4 at 1aa000
[+] base of HAL heap at fffff7e380000000
[+] found PML4 self-ref entry 162
Traceback (most recent call last):
  File "exploit.py", line 466, in <module>
    do_rce(args.ip, args.port)
  File "exploit.py", line 429, in do_rce
    search_hal_heap(ip, port)
  File "exploit.py", line 325, in search_hal_heap
    phys_addr = get_phys_addr(ip, port, index)
  File "exploit.py", line 262, in get_phys_addr
    pte_buff = read_physmem_primitive(ip, port, pte)
  File "exploit.py", line 206, in read_physmem_primitive
    buff = try_read_physmem_primitive(ip, port, phys_addr)
  File "exploit.py", line 221, in try_read_physmem_primitive
    buff = sock.recv(1000)
socket.timeout: timed out

0xShkk, Jun 05 '20 14:06

Got a bluescreen now with correct execution (py3).

Win error:

IRQL NOT LESS OR EQUAL

0xShkk, Jun 05 '20 14:06

Get BLs now reliably with the IRQL NOT LESS OR EQUAL error after the second to fourth execution of exploit.py.

0xShkk, Jun 05 '20 14:06

> Hi. My stop code is "overwrote HalpInterruptController pointer, should have execution shortly...", but I didn't get a shell.

Did you replace the payload like it says in the README?

chompie1337, Jun 05 '20 15:06

Thank you for your reply. I have reproduced it successfully.

MagicNieh, Jun 07 '20 14:06

> Thank you for your reply. I have reproduced it successfully.

Could you please show your successful working environment? I got "read primitive failed" on VMware + win10 1909.

Stab1el, Jun 12 '20 02:06

Hello, I can't find low_stub. Can you tell me why your code is written that way? Did you study some paper?

wanghualei2, Jun 17 '20 01:06

What is low stub? Why did you write it that way to get it?

wanghualei2, Jun 17 '20 02:06

> Thank you for your reply. I have reproduced it successfully.

> Could you please show your successful working environment? I got "read primitive failed" on VMware + win10 1909.

This exploit code has a low success rate. I tried it more than ten times before it succeeded once.

MagicNieh, Jun 17 '20 03:06

Reducing the number of processor cores in the VM increases reliability due to the physical read primitive.

chompie1337, Jun 17 '20 03:06

> What is low stub? Why did you write it that way to get it?

I got the idea from Alex Ionescu's research. It is to have a reliable way to defeat KASLR with only a physical read primitive. It may not be present on all VMs, but I've seen it on most. Here's the talk, relevant portion @ 38 minutes: https://www.youtube.com/watch?v=RSV3f6aEJFY

chompie1337, Jun 17 '20 03:06

I think your code only succeeds on win10 with UEFI; I always failed on win10 with BIOS. Do you have any suggestions?

wanghualei2, Jun 17 '20 08:06