CVE-2020-0796-BOF

CVE-2020-0796-BOF copied to clipboard

This is Raphael's tinkering around with the SMBGhost LPE.

I started with the source code from the Metasploit Framework:

cve-2020-0796: SMBv3 Compression Buffer Overflow (SMBGhost) (CVE 2020-0796) https://github.com/rapid7/metasploit-framework/tree/master/external/source/exploits/CVE-2020-0796 [BSD Licensed]

And, here's what I did:

1. I converted the Reflective DLL to a Cobalt Strike 4.1 Beacon Object File.

This required declaring several Win32 APIs in the Dynamic Function Resolution MODULE$Function format. On the bright side, this reduced some of the code to call things in NTDLL since DFR is handling that for us. :)

I removed the unused 1,000 item ptr array from get_handle_addr. This was causing cl.exe to insert a __chkstk function due to the local variables exceeding an 8KB limit. BOFs don't have this function available to them.

I then brought in a few Beacon-specific APIs (e.g., BeaconPrintf, BeaconInjectProcess, etc.) to do things using the Beacon-native way.

I had to write a few functions to make up for libc stuff I don't have (due to... BOFs).

2. I split the code into two different weaponization paths:

Use the 'smbghost' alias in Beacon, with no arguments, to run this exploit and impact the Beacon process token only. If the exploit succeeds, your current process token will have super powers it didn't have before. For example, you can now inject into other processes (even in other desktop sessions) or spawn a child process under winlogon.exe. You may need to run smbghost multiple times as the exploit doesn't always succeed on the first run.

Optionally, use 'elevate smbghost' to obtain a new Beacon session using the privilege escalation API available in Cobalt Strike's Aggressor Script. This is OK for a quick demo, it fits the product's workflows, etc. but... it injects into winlogon.exe. Injecting into winlogon.exe is not an invariant of this particular elevation. I suspect all of the public POCs do it because CreateRemoteThread does not work across process boundaries and who wants to write the extra boiler plate for parent process spoofing? winlogon.exe is the easy low hanging fruit to demonstrate that we have elevated rights.

To compile this with Visual Studio:

Use make.bat from the x64 Cross Tools Command Prompt.

This will output expoit.x64.o to dist/

I used Visual Studio 2013. Other compilers/versions weren't tested. I did not try/test x86.