CVE-2020-0796-RCE-POC
Only outputs 3 arguments when running the .bat file on Windows 10 1909 running on VMware 14
I can get all the arguments needed on my own Windows 10, but only 3 on the target Windows 10. The three arguments are 'srvnet!imp_IoSizeofWorkItem', 'srvnet!imp_RtlCopyUnicodeString' and 'nt!IoSizeofWorkItem'.
I also tried adding the remaining two arguments copied from my local real Windows to SMBleedingGhost.py, but when I ran the script, the virtual Windows 10 soon got a blue screen.
So I'm just wondering what's going on.
I'll be really grateful for your quick response!
The batch script requires an internet connection to download symbols. I'm not sure what else can cause it to fail (any error messages?), but as a workaround you can copy the relevant files from the guest to the host and run the script on the copied files by adjusting the paths everywhere you see %windir%\system32 in the script.
I'm sure that my virtual Windows has an internet connection because I just downloaded the scripts from GitHub in it. And I tried the way you recommended, and copied C:\Windows\System32 to my host, but it just didn't work, and only output 3 arguments.
Maybe it was because something was lacking in the virtual machine, but I don't know what was wrong. Seems really weird.
Remove the following part that appears twice in the batch file:
| findstr #
so that the lines only contain %cmd%. Run the script and post the full output you get.
Well, I put a " " in the name of the .bat, and directly double-clicked the script, and it output all five arguments! Seems really weird, because when I tried to use the command line to open the script, it just output three arguments. And before this quote, I tried to directly open it by double-click, but it just showed and shut down immediately.
And when I replaced the offsets in SMBleedingGhost.py and ran it, it just succeeded. LOTS OF THANKS!
I'm glad that it works. Still, if you can reproduce the issue and remove the part that I mentioned, perhaps we can see what went wrong. Then I'll be able to fix it for other users.
1. The photos below are what I got when running the batch file by double-click in my virtual guest.
2. This is what I got on my host when I finished running the modified batch file (after changing %windir% to the real directory) by double-click.
Calculating offsets, please wait...
Microsoft (R) Windows Debugger Version 10.0.17763.168 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [G:\UNIVERSITY\system32\drivers\srvnet.sys]
************* Path validation summary **************
Response Time (ms) Location
Deferred SRV*G:\UNIVERSITY\大二下\渗透测试实验\cve漏洞\cve-2020-0796\CVE-2020-0796-RCE-POC-master\tools*https://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*G:\UNIVERSITY\大二下\渗透测试实验\cve漏洞\cve-2020-0796\CVE-2020-0796-RCE-POC-master\tools*https://msdl.microsoft.com/download/symbols
Executable search path is:
Unable to add extension DLL: ntsdexts
Unable to add extension DLL: uext
Unable to add extension DLL: exts
The call to LoadLibrary(ext) failed, Win32 error 0n2
"系统找不到指定的文件。"
Please check your debugger configuration and/or network access.
ModLoad: 00000001`c0000000 00000001`c0053000 G:\UNIVERSITY\system32\drivers\srvnet.sys
srvnet!GsDriverEntry:
00000001`c004d010 48895c2408 mov qword ptr [rsp+8],rbx ss:00000000`00000008=????????????????
0:000> cdb: Reading initial command '.echo ==========; .printf "\OFFSETS = { \x23\n"; .catch { .printf "\ 'srvnet!SrvNetWskConnDispatch': 0x%X, \x23\n", srvnet!SrvNetWskConnDispatch-srvnet }; .catch { .printf "\ 'srvnet!imp_IoSizeofWorkItem': 0x%X, \x23\n", 1C0032210-srvnet+0n0*8 }; .catch { .printf "\ 'srvnet!imp_RtlCopyUnicodeString': 0x%X, \x23\n", 1C0032210-srvnet+0n15*8 }; .echo ==========; q'
==========
OFFSETS = { #
'srvnet!SrvNetWskConnDispatch': 0x2D170, #
'srvnet!imp_IoSizeofWorkItem': 0x32210, #
'srvnet!imp_RtlCopyUnicodeString': 0x32288, #
==========
quit:
Microsoft (R) Windows Debugger Version 10.0.17763.168 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [G:\UNIVERSITY\system32\ntoskrnl.exe]
************* Path validation summary **************
Response Time (ms) Location
Deferred SRV*G:\UNIVERSITY\大二下\渗透测试实验\cve漏洞\cve-2020-0796\CVE-2020-0796-RCE-POC-master\tools*https://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*G:\UNIVERSITY\大二下\渗透测试实验\cve漏洞\cve-2020-0796\CVE-2020-0796-RCE-POC-master\tools*https://msdl.microsoft.com/download/symbols
Executable search path is:
Unable to add extension DLL: ntsdexts
Unable to add extension DLL: uext
Unable to add extension DLL: exts
The call to LoadLibrary(ext) failed, Win32 error 0n2
"系统找不到指定的文件。"
Please check your debugger configuration and/or network access.
ModLoad: 00000001`40000000 00000001`40ab6000 G:\UNIVERSITY\system32\ntoskrnl.exe
ntoskrnl!KiSystemStartup:
00000001`40597010 4883ec38 sub rsp,38h
0:000> cdb: Reading initial command '.echo ==========; .catch { .printf " 'nt!IoSizeofWorkItem': 0x%X, \x23\n", ntoskrnl!IoSizeofWorkItem-ntoskrnl }; .catch { .printf " 'nt!MiGetPteAddress': 0x%X \x23\n", ntoskrnl!MiGetPteAddress-ntoskrnl }; .printf "} \x23\n"; .echo ==========; q'
==========
'nt!IoSizeofWorkItem': 0x12C380, #
'nt!MiGetPteAddress': 0xBADC8 #
} #
==========
quit:
- While I mentioned the file-name problem and the whether-run-directly problem, it seems I misunderstood it. It seemed the file name and whether it was run directly or not had nothing to do with whether it gave the right output. So I just give you the output samples running on the guest and the host.
Hope I can help you figure out what was going on with it.
The two symbols that failed to load are the ones that require symbols. Try the following: add the following lines at the beginning of the batch file, run it, and post the contents of the newly created dbghelp.log file:
set DBGHELP_DBGOUT=1
set DBGHELP_LOG=..\dbghelp.log
Here is what I got in the guest. dbghelp.log
From the log:
SYMSRV: HttpSendRequest: 800C2EFD - ERROR_INTERNET_CANNOT_CONNECT
So for some reason, guest failed to download from: https://msdl.microsoft.com/download/symbols/srvnet.pdb/CFE2BF7A30464E7FCE0CC805AA1C96CB1/srvnet.pdb and: https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/E0093F3AEF15D58168B753C9488A40431/ntkrnlmp.pdb
Somebody on Stack Overflow suggests it can be caused by a mis-configured IE.
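As an added diagnostic example, not code from the CVE-2020-0796-RCE-POC repository or from anyone in this thread: a small Python script that reconstructs the symbol-server URL cdb asks for (PDB name, then the PDB GUID as 32 hex digits followed by the age, then the PDB name again, which is how the CFE2BF7A30464E7FCE0CC805AA1C96CB1 segment in the URL above is formed) and scans a dbghelp.log for the SYMSRV lines that explain a failed download, separating "could not reach the server" from "server has no such PDB". The sample log is constructed around the single SYMSRV line quoted above; the HTTPGET and HttpQueryInfo line shapes and the third, made-up PDB entry are assumptions about the log format, not text from the original log.

```python
import re
import uuid

# Constructed sample log, modelled on the one dbghelp.log line quoted in the
# thread ("SYMSRV:  HttpSendRequest: 800C2EFD - ERROR_INTERNET_CANNOT_CONNECT").
# The HTTPGET and HttpQueryInfo line shapes are assumptions about the log
# format; the third entry (example.pdb) is invented to show a different
# failure class (server reached, but it has no PDB for that build).
SAMPLE_LOG = """\
SYMSRV:  HTTPGET: /download/symbols/srvnet.pdb/CFE2BF7A30464E7FCE0CC805AA1C96CB1/srvnet.pdb
SYMSRV:  HttpSendRequest: 800C2EFD - ERROR_INTERNET_CANNOT_CONNECT
SYMSRV:  HTTPGET: /download/symbols/ntkrnlmp.pdb/E0093F3AEF15D58168B753C9488A40431/ntkrnlmp.pdb
SYMSRV:  HttpSendRequest: 800C2EFD - ERROR_INTERNET_CANNOT_CONNECT
SYMSRV:  HTTPGET: /download/symbols/example.pdb/00000000000000000000000000000000A/example.pdb
SYMSRV:  HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND
"""

HTTPGET_RE = re.compile(r"SYMSRV:\s+HTTPGET:\s+(\S+)")
ERROR_RE = re.compile(
    r"SYMSRV:\s+(HttpSendRequest|HttpQueryInfo):\s+([0-9A-Fa-f]{8})\s+-\s+(\S+)"
)


def symbol_server_url(base, pdb_name, guid, age):
    """Build the symbol-server path for a PDB: <name>/<GUID hex><age hex>/<name>.

    guid is the PDB signature as a normal GUID string; age is the PDB age.
    """
    index = uuid.UUID(guid).hex.upper() + format(age, "X")
    return f"{base.rstrip('/')}/{pdb_name}/{index}/{pdb_name}"


def classify(error_name):
    """Separate 'could not reach the server' from 'server has no such PDB'."""
    if error_name.startswith(("ERROR_INTERNET_", "ERROR_WINHTTP_")):
        return "network"  # the machine running cdb never got an HTTP answer
    if error_name.startswith("HTTP_STATUS_"):
        return "server"   # the server answered, with an HTTP error status
    return "unknown"


def parse_symsrv_failures(log_text):
    """Pair each SYMSRV HTTPGET request with the error line that follows it."""
    failures = []
    pending_path = None
    for line in log_text.splitlines():
        m = HTTPGET_RE.search(line)
        if m:
            pending_path = m.group(1)
            continue
        m = ERROR_RE.search(line)
        if m and pending_path is not None:
            stage, code, name = m.groups()
            failures.append({
                "pdb": pending_path.rsplit("/", 1)[-1],
                "path": pending_path,
                "stage": stage,
                "hresult": int(code, 16),
                "error": name,
                "cause": classify(name),
            })
            pending_path = None
    return failures


if __name__ == "__main__":
    for f in parse_symsrv_failures(SAMPLE_LOG):
        print(f"{f['pdb']:<14} {f['stage']:<16} {f['error']:<32} -> {f['cause']}")
```

To use it on a real log, replace SAMPLE_LOG with the contents of the dbghelp.log produced by the DBGHELP_LOG setting above. A "network" cause, which is what the ERROR_INTERNET_CANNOT_CONNECT line in this thread is, means the guest's own HTTP client never reached the symbol server, so the fix lies in the guest's connectivity (proxy or TLS settings) or in running the batch file on a host that can reach the server against the copied binaries, as suggested earlier in the thread; a "server" cause means the server was reached but has no PDB for that exact build, which no connectivity change will fix.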
I have seen the issue mentioned on Stack Overflow. But my IE browser could really connect to the Internet, and
You are right. Though I can connect to the Internet with my IE, I just can't connect to the sites you posted.
It tells me that I can't connect securely.
Hello, I got the same question as yours. The script could output 5 arguments on my real host Win10, but only 3 on the VM target Win10. How did you fix this problem?
I just copied the system32 files of my guest to my host, and modified the address in the batch file as mentioned above.
bat file does not work:
OFFSETS = { # 'srvnet!imp_IoSizeofWorkItem': 0x40000000, # 'srvnet!imp_RtlCopyUnicodeString': 0x40000000, # 'nt!IoSizeofWorkItem': 0x12C400, # } #