Vulnerability Notice: SMBv3 Protocol Remote Code Execution Vulnerability (with self-check scripts)

admin, 2022-03-31 08:21:07


1. Vulnerability Overview


At 23:00 Beijing time on March 10, Microsoft published a security advisory stating that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol contains a code execution vulnerability in the way it handles certain requests. An unauthenticated attacker who sends a specially crafted packet can execute arbitrary code on the target SMB server.

At 23:00 Beijing time on March 12, 2020, a patch was released for the SMBv3 remote code execution vulnerability affecting users of Windows 10 and other systems.



2. Affected Versions


  • Windows 10 Version 1903 for 32-bit Systems

  • Windows 10 Version 1903 for ARM64-based Systems

  • Windows 10 Version 1903 for x64-based Systems

  • Windows 10 Version 1909 for 32-bit Systems

  • Windows 10 Version 1909 for ARM64-based Systems

  • Windows 10 Version 1909 for x64-based Systems

  • Windows Server, version 1903 (Server Core installation)

  • Windows Server, version 1909 (Server Core installation)


3. Severity

High


4. Vulnerability Verification

No public PoC/exploit is available at present; you can use the scripts published online to check your own systems.


Python (single host; the argument is the target IP):

```python
import socket
import struct
import sys

# SMB2 NEGOTIATE request offering dialects 2.0.2 through 3.1.1 with a preauth
# integrity context and a compression context (LZNT1), field by field:
pkt = (
    b'\x00\x00\x00\xc0'                                        # NetBIOS session header: 192-byte message follows
    + b'\xfeSMB@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'    # SMB2 header: command NEGOTIATE, 31 credits
    + b'\x00' * 48                                             # flags, message/tree/session ids, signature
    + b'$\x00\x08\x00\x01\x00\x00\x00\x7f\x00\x00\x00'           # StructureSize 36, 8 dialects, signing enabled, capabilities 0x7f
    + b'\x00' * 16                                             # ClientGuid
    + b'x\x00\x00\x00\x02\x00\x00\x00'                         # NegotiateContextOffset 120, NegotiateContextCount 2
    + b'\x02\x02\x10\x02"\x02$\x02\x00\x03\x02\x03\x10\x03\x11\x03'  # dialects 0x0202 ... 0x0311
    + b'\x00' * 4                                              # padding to an 8-byte boundary
    + b'\x01\x00&\x00\x00\x00\x00\x00\x01\x00 \x00\x01\x00'      # PREAUTH_INTEGRITY_CAPABILITIES: SHA-512, 32-byte salt
    + b'\x00' * 32                                             # salt
    + b'\x00\x00'                                              # padding
    + b'\x03\x00\n\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00'  # COMPRESSION_CAPABILITIES: 1 algorithm, LZNT1
    + b'\x00' * 6                                              # trailing padding
)

sock = socket.socket(socket.AF_INET)
sock.settimeout(3)
sock.connect((sys.argv[1], 445))
sock.send(pkt)

nb, = struct.unpack(">I", sock.recv(4))   # NetBIOS length of the NEGOTIATE response
res = sock.recv(nb)

# res[68:70] is DialectRevision (0x0311 = SMB 3.1.1); res[70:72] is
# NegotiateContextCount, and 2 means the server echoed the compression context.
if not res[68:70] == b"\x11\x03":
    exit("Not vulnerable.")
if not res[70:72] == b"\x02\x00":
    exit("Not vulnerable.")
exit("Vulnerable.")
```

Python (scan a subnet; requires the netaddr package, the argument is a CIDR range):

```python
import socket
import struct
import sys
from netaddr import IPNetwork

# Same SMB2 NEGOTIATE request as in the single-host script above.
pkt = (
    b'\x00\x00\x00\xc0'
    + b'\xfeSMB@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00'
    + b'\x00' * 48
    + b'$\x00\x08\x00\x01\x00\x00\x00\x7f\x00\x00\x00'
    + b'\x00' * 16
    + b'x\x00\x00\x00\x02\x00\x00\x00'
    + b'\x02\x02\x10\x02"\x02$\x02\x00\x03\x02\x03\x10\x03\x11\x03'
    + b'\x00' * 4
    + b'\x01\x00&\x00\x00\x00\x00\x00\x01\x00 \x00\x01\x00'
    + b'\x00' * 32
    + b'\x00\x00'
    + b'\x03\x00\n\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00'
    + b'\x00' * 6
)

subnet = sys.argv[1]
for ip in IPNetwork(subnet):
    sock = socket.socket(socket.AF_INET)
    sock.settimeout(3)
    try:
        sock.connect((str(ip), 445))
    except OSError:
        sock.close()
        continue
    sock.send(pkt)
    nb, = struct.unpack(">I", sock.recv(4))
    res = sock.recv(nb)
    sock.close()
    # Dialect 3.1.1 negotiated and two negotiate contexts returned
    if res[68:70] != b"\x11\x03" or res[70:72] != b"\x02\x00":
        print(f"{ip} Not vulnerable.")
    else:
        print(f"{ip} Vulnerable")
```
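As an added example that is not part of the original post or its scripts, here is the same NEGOTIATE request built field by field with struct, plus a parser that walks the negotiate contexts in the server's response and reports whether SMB 3.1.1 with LZNT1 compression was offered, which is the condition the scripts above report as vulnerable (a version check, not proof that the patch is missing). All function and constant names are my own, and sample_response builds a constructed response for offline testing, not a capture.

```python
import struct

SMB311, LZNT1 = 0x0311, 0x0001
PREAUTH_CTX, COMPRESSION_CTX = 0x0001, 0x0003   # SMB2_NEGOTIATE_CONTEXT ContextType values
DIALECTS = [0x0202, 0x0210, 0x0222, 0x0224, 0x0300, 0x0302, 0x0310, SMB311]

def _ctx(ctype, data):   # SMB2_NEGOTIATE_CONTEXT: ContextType, DataLength, Reserved, Data
    return struct.pack('<HHI', ctype, len(data), 0) + data
def _pad8(buf):          # negotiate contexts start on 8-byte boundaries
    return buf + b'\x00' * (-len(buf) % 8)

def build_negotiate_request(salt=b'\x00' * 32):
    """NetBIOS-framed SMB2 NEGOTIATE (a real client uses a random salt; zero keeps this reproducible)."""
    hdr = b'\xfeSMB' + struct.pack('<HHIHHIIQIIQ16s', 64, 0, 0, 0, 31, 0, 0, 0, 0, 0, 0, b'\x00' * 16)
    ctx_off = (len(hdr) + 36 + 2 * len(DIALECTS) + 7) // 8 * 8
    body = struct.pack('<HHHHI16sIHH', 36, len(DIALECTS), 1, 0, 0x7f, b'\x00' * 16, ctx_off, 2, 0)
    body += struct.pack('<%dH' % len(DIALECTS), *DIALECTS)
    preauth = _ctx(PREAUTH_CTX, struct.pack('<HHH', 1, len(salt), 1) + salt)   # 1 algorithm: SHA-512
    comp = _ctx(COMPRESSION_CTX, struct.pack('<HHIH', 1, 0, 0, LZNT1))        # count, pad, flags, algorithm
    msg = _pad8(hdr + body) + _pad8(preauth) + comp
    return struct.pack('>I', len(msg)) + msg

def parse_negotiate_response(res):   # res = SMB2 message after the 4-byte NetBIOS header
    if len(res) < 128 or res[:4] != b'\xfeSMB':
        raise ValueError('not an SMB2 NEGOTIATE response')
    dialect, ctx_count = struct.unpack_from('<HH', res, 68)   # DialectRevision, NegotiateContextCount
    algos = []
    if dialect == SMB311:
        off = struct.unpack_from('<I', res, 124)[0]            # NegotiateContextOffset
        for _ in range(ctx_count):
            ctype, dlen = struct.unpack_from('<HH', res, off)
            data = res[off + 8:off + 8 + dlen]
            if ctype == COMPRESSION_CTX:
                count = struct.unpack_from('<H', data)[0]
                algos = list(struct.unpack_from('<%dH' % count, data, 8))
            off += 8 + dlen + (-(8 + dlen) % 8)
    return dialect, algos

def compression_exposed(res):   # the state the scripts above report as "Vulnerable"
    dialect, algos = parse_negotiate_response(res)
    return dialect == SMB311 and LZNT1 in algos

def sample_response(algos):   # constructed NEGOTIATE response, not a capture: preauth ctx, then compression ctx
    hdr = b'\xfeSMB' + struct.pack('<HHIHHIIQIIQ16s', 64, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, b'\x00' * 16)
    body = struct.pack('<HHHH16sIIIIQQHHI', 65, 1, SMB311, 2, b'\x00' * 16, 0x2f,
                       8 << 20, 8 << 20, 8 << 20, 0, 0, 128, 0, 128)
    preauth = _ctx(PREAUTH_CTX, struct.pack('<HHH', 1, 32, 1) + b'\x00' * 32)
    comp = _ctx(COMPRESSION_CTX, struct.pack('<HHI%dH' % len(algos), len(algos), 0, 0, *algos))
    return hdr + body + _pad8(preauth) + comp
```

Against a host you administer, send build_negotiate_request() to TCP port 445, read the 4-byte NetBIOS header for the length, and pass the message that follows to compression_exposed().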


Nmap (wrapper script around the smb-protocols NSE script; lists hosts in the target range that offer SMB 3.1.1):

```bash
#!/bin/bash
if [ $# -eq 0 ]
then
    echo $'Usage:\n\tcheck-smb-v3.11.sh TARGET_IP_or_CIDR {Target Specification - Nmap}'
    exit 1
fi
echo "Checking if there's SMB v3.11 in" "$1" "..."
# smb-protocols prints "Nmap scan report for <ip>" per host, followed by a
# "|     3.11" line when the host offers SMB 3.1.1; pair each dialect line with its host.
found=$(nmap -p445 --script smb-protocols -Pn -n "$1" \
    | awk '/^Nmap scan report for/ {ip=$NF} /^\|.*3\.11/ {print ip}')
if [ -z "$found" ]; then
    echo "There's no SMB v3.11"
else
    echo "$found"
fi
```

Nmap NSE script (Lua):

```lua
local smb = require "smb"
local vulns = require "vulns"

description = [[
Microsoft SMBv3 contains a vulnerability in the handling of compression, which may
allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable
system. Microsoft Server Message Block 3.1.1 (SMBv3) contains a vulnerability in the
way that it handles connections that use compression. This vulnerability may allow a
remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. It
has been reported that this vulnerability is "wormable." By connecting to a vulnerable
Windows machine using SMBv3, or by causing a vulnerable Windows system to initiate a
client connection to an SMBv3 server, a remote, unauthenticated attacker may be able to
execute arbitrary code with SYSTEM privileges on a vulnerable system.
]]

author = "Hossam Mohamed"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

hostrule = function(host)
  return smb.get_port(host) ~= nil
end

action = function(host, port)
  local overrides = {}
  local status, supported_dialects = smb.list_dialects(host, overrides)
  local vuln = {
    title = "Microsoft SMBv3 compression remote code execution vulnerability",
    IDS = {CVE = 'CVE-2020-0796'},
    risk_factor = "HIGH",
    description = [[
Microsoft SMBv3 contains a vulnerability in the handling of compression, which may
allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
]],
    references = {
      'https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200005'
    },
    dates = {
      disclosure = {year = '2020', month = '03', day = '11'},
    }
  }
  local report = vulns.Report:new(SCRIPT_NAME, host, port)
  vuln.state = vulns.STATE.NOT_VULN
  if status then
    for _, dialect in pairs(supported_dialects) do
      -- Only dialect 3.1.1 supports compression; flag hosts that offer it
      -- (a version check, not confirmation that the patch is missing).
      if dialect == "3.11" then
        vuln.state = vulns.STATE.VULN
      end
    end
  end
  return report:make_output(vuln)
end
```


PowerShell:

```powershell
<#
.SYNOPSIS
    Checks your SMBv3 Compression setting as mitigation for CVE-2020-0796, also known as SMBGhost.
.DESCRIPTION
    This PowerShell script determines whether SMBv3 Compression is enabled or not. As mitigation for CVE-2020-0796, SMBv3 compression should be disabled. This script can disable SMBv3 compression for you automatically.
    The script also checks whether CVE-2020-0796 is applicable to your Windows version and whether the Windows Update KB4551762 is installed or not.
.EXAMPLE
    PS C:\> .\CVE-2020-0796-Smbv3-checker.ps1
.NOTES
    Created by: T13nn3s
    Date: 11-03-2020
    Check my blog: https://binsec.nl
    Last update: 13-03-2020
#>

# Relaunch elevated: reading and writing the LanmanServer parameters requires administrator rights.
If (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
    $arguments = "& '" + $myinvocation.mycommand.definition + "'"
    Start-Process powershell -Verb runAs -ArgumentList $arguments
    Break
}

function CheckWindowsVersion {
    Write-Host "[*] Checking Windows Version..."
    $WindowsVersion = Get-ComputerInfo | Select-Object -ExpandProperty WindowsVersion
    Write-Host "[*] Windows version $WindowsVersion found."
    if ($WindowsVersion -eq 1903) {
        Write-Host "[*] CVE-2020-0796 is applicable to your Windows Version."
    }
    Elseif ($WindowsVersion -eq 1909) {
        Write-Host "[*] CVE-2020-0796 is applicable to your Windows Version."
    }
    Else {
        Write-Host "[+] CVE-2020-0796 is not applicable to your Windows Version." -ForegroundColor Green
        pause
        return
    }
} # End function CheckWindowsVersion

function CheckIfWindowsIsCore {
    [string]$regkey = "HKLM:\Software\Microsoft\Windows NT\CurrentVersion"
    Write-Host "[*] Checking if you're running Windows Server Core"
    $installtype = (Get-ItemProperty -Path $regkey -Name "InstallationType").InstallationType
    if ($installtype -eq "Server") {
        Write-Host "[*] You are running Windows Server with Desktop Experience. CVE-2020-0796 isn't applicable for this version of Windows Server."
    }
    Elseif ($installtype -eq "Client") {
        Write-Host "[*] You are running a Windows client edition (Desktop Experience)."
    }
    Elseif ($installtype -eq "Server Core") {
        Write-Host "[*] You are running Windows Server Core."
    }
} # End function CheckIfWindowsIsCore

function CheckIfUpdateIsInstalled {
    Write-Host "[*] Check if KB4551762 is installed..."
    $fix = Get-HotFix -Id KB4551762 -ErrorAction SilentlyContinue
    if ($fix) {
        Write-Host "[+] *** Windows Update $($fix.HotFixID) is installed on $($fix.InstalledOn). You're not vulnerable ***"
        Write-Host "[+] No workaround needed, you can still customize the SMBv3 compression if you like."
        return
    }
    Else {
        Write-Host "[-] Windows Update KB4551762 is not installed."
    }
} # End function CheckIfUpdateIsInstalled

function Get-Menu {
    param (
        [string]$title = "Workaround for CVE-2020-0796 (CoronaBlue)"
    )
    Write-Host ""
    Write-Host "================ $title ================"
    Write-Host "1: Press '1' to check your current SMBv3 Compression setting"
    Write-Host "2: Press '2' to disable SMBv3 Compression <= This is the mitigation for CVE-2020-0796"
    Write-Host "3: Press '3' to enable SMBv3 Compression"
    Write-Host "Q: Press 'Q' to quit."
} # End function Get-Menu

function CheckRegSmbv3Compression {
    param (
        [string]$reg = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
    )
    $check = Get-ItemProperty -Path $reg -Name "DisableCompression" -ErrorAction SilentlyContinue
    if ($check -eq $null) {
        Write-Host "SMBv3 Compression is not configured. SMBv3 Compression is enabled by default."
        Write-Host "You're vulnerable" -ForegroundColor Yellow
    }
    Elseif ($check.DisableCompression -eq 0) {
        Write-Host "SMBv3 Compression is set to enabled."
    }
    Elseif ($check.DisableCompression -eq 1) {
        Write-Host "SMBv3 Compression is disabled."
    }
} # End function CheckRegSmbv3Compression

function SetRegSmbv3Compression {
    param (
        [string]$reg = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters",
        [string]$value
    )
    try {
        Set-ItemProperty -Path $reg DisableCompression -Type DWORD -Value $value -Force
    }
    Catch {
        $err = $_.Exception.Message
        Write-Error $err
    }
    CheckRegSmbv3Compression
} # End function SetRegSmbv3Compression

CheckWindowsVersion
CheckIfUpdateIsInstalled

Do {
    Get-Menu
    $choice = Read-Host "Please make a selection"
    switch ($choice) {
        '1' {
            Write-Host 'You chose option #1'
            CheckRegSmbv3Compression
        }
        '2' {
            Write-Host 'You chose option #2'
            SetRegSmbv3Compression -value 1
        }
        '3' {
            Write-Host 'You chose option #3'
            SetRegSmbv3Compression -value 0
        }
        'Q' { return }
    }
    pause
} until ($choice -eq 'q')
```






5. Remediation


The following workaround may help in your situation. In all cases, Microsoft strongly recommends that you install the update for this vulnerability immediately; even if you plan to keep the workaround in place, install the update as soon as possible:

Disable SMBv3 compression

You can disable the compression feature with the following PowerShell command to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 server.

```powershell
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
```

Notes:

  1. No restart is required after making the change.

  2. This workaround does not prevent exploitation of SMB clients. See item 2 under the FAQ to protect clients.

  3. Windows and Windows Server do not yet use SMB compression, and disabling SMB compression has no negative performance impact.

You can disable the workaround with the following PowerShell command.

```powershell
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force
```

Note: No restart is required after disabling the workaround.




Related pages:


https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796


This article first appeared on the WeChat official account Khan安全攻防实验室 (Khan Security Offense and Defense Lab): Vulnerability Notice: SMBv3 Protocol Remote Code Execution Vulnerability (with self-check scripts)

Reposted on CN-SEC中文网 (please keep this link when reposting; thanks to the original author): http://cn-sec.com/archives/536331.html
