RCE Exploit For CVE-2020-0796 (SMBGhost)

This week our very own Spencer McIntyre has added an exploit for CVE-2020-0796, which leverages a vulnerability within the Microsoft Server Message Block 3.1.1 (SMBv3) protocol to gain unauthenticated remote code execution against unpatched Windows 10 v1903 and v1909 systems. Previously, Metasploit offered an LPE version of this exploit but not RCE support. The exploit is heavily based on the chompie1337/SMBGhost_RCE_PoC PoC.

Note that there is a high probability that, even when the exploit is successful, the remote target will crash within about 90 minutes. It is recommended that after a successful compromise, a persistence mechanism be established and the system be rebooted to avoid a Blue Screen of Death (BSOD).

Improved command history management

Community member pingport80 has made improvements to Metasploit's command history management to now be context aware. The command history for both the main console and sub-shells, such as Pry and Metepreter, will now have their command history separated. This means that pressing the up arrow key within the console in these different contexts will now only show the command history for that specific context sub-shell, which should be more intuitive to users.

New module content (2)

  • SMBv3 Compression Buffer Overflow by Spencer McIntyre, chompie1337, and hugeh0ge, which exploits CVE-2020-0796 - This adds an exploit for CVE-2020-0796 which can be used to gain unauthenticated remote code execution against unpatched Windows 10 v1903 and v1909 systems.
  • Git Ignore Retriever by N!ght Jmp - Adds an OSX Post exploitation module to retrieve .gitignore files that may contain pointers to files of interest

Enhancements and features

  • #15062 from pingport80 - Adds support for separating command history for the various sub-shells such as Meterpreter and Pry
  • #15079 from zeroSteiner - This introduces the meterpreter key to the compat hash to better-provide Meterpreter session compatibility info to users, including printing the required Meterpreter extension(s) to the console in the event of a session incompatibility. Additionally, post modules will automatically load Meterpreter extensions used, provided that the module's Meterpreter compatibility requirements are annotated.
  • #15199 from pingport80 - This improves the get_processes API on non-Windows systems with support that fails back to enumerating the /proc directory when the ps utility is not present.
  • #15220 from bogey3 - This modification adds the ability to retrieve the OS version from
    an NTLMSSP type 2 message.
  • #15242 from adfoster-r7 - This updates the tables displayed by the loot command to be displayed without wrapping. This makes it easier for users to copy and paste the output.
  • #15243 from adfoster-r7 - Adds a check method to the Apache Tomcat Ghostcat module
  • #15246 from jmartin-r7 - This refactors some common functionality into a cross-platform Msf::Post::Process mixin with support for multiple session types.

Bugs fixed

  • #15216 from zeroSteiner - This fixes a mistake in the exploit for CVE-2021-21551 where the version fingerprinting is overly specific. Windows 10 build 18363 failed because it didn't match the explicit build number 18362. This PR changes the fingerprinting to use ranges to fix this problem.
  • #15223 from bwatters-r7 - This updates the exploit/windows/local/tokenmagic module by fixing a crash that occurs on some targets and moves the target validation logic to earlier in the module.
  • #15236 from Apeironic - This adds an additional check to the Linux checkvm module to fix a bug where it was failing to identify certain Xen environments such as those used within AWS.
  • #15240 from mcorybillington - This fixes a typo that was present in the template for GitHub pull requests.
  • #15241 from adfoster-r7 - Removes the previously prototyped RHOST_HTTP_URL module option and feature flag as it had blocking edge cases for being enabled by default. A new implementation is being investigated.
  • #15262 from adfoster-r7 - Improved msfvenom to only wrap output if the output is going to STDOUT.
  • #15267 from e2002e - This fixes a bug that was present within the Shodan search module where certain queries would cause an exception to be raised while processing the results.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).