CVE-2020-0796: Microsoft SMBv3 - Remote Code Execution

日期: 2025-08-01 | 影响软件: Microsoft SMBv3 | POC: 已公开

漏洞描述

A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Remote Code Execution Vulnerability'.

PoC代码[已公开]

id: CVE-2020-0796

info:
  name: Microsoft SMBv3 - Remote Code Execution
  author: Yusuf Amr
  severity: critical
  description: |
    A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Remote Code Execution Vulnerability'.
  reference:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0796
    - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796
    - https://github.com/tdevworks/CVE-2020-0796-SMBGhost-Exploit-Demo
    - http://packetstormsecurity.com/files/156731/CoronaBlue-SMBGhost-Microsoft-Windows-10-SMB-3.1.1-Proof-Of-Concept.html
    - http://packetstormsecurity.com/files/156980/Microsoft-Windows-10-SMB-3.1.1-Local-Privilege-Escalation.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2020-0796
    cwe-id: CWE-119
    epss-score: 0.94417
    epss-percentile: 0.99977
    cpe: cpe:2.3:o:microsoft:windows_10_1903:-:*:*:*:*:*:arm64:*
  metadata:
    vendor: microsoft
    product: windows_10_1903
    shodan-query: cpe:"cpe:2.3:o:microsoft:windows_10_1903"
    verified: true
  tags: cve,cve2020,microsoft,smb,kev

tcp:
  - host:
      - "{{Hostname}}"

    port: 445

    inputs:
      - data: "{{hex_decode(\"000000c2fe534d4240000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000024000800000000007f0000000102abcd0102abcd0102abcd0102abcd7800000002000000020210022202240200030203100311030000000001002600000000000100200001000000000000000000000000000000000000000000000000000000000000000000000003000a0000000000010000000100000001000000000000000000\")}}"

        read: 8192

      - data: "{{hex_decode(\"000000a0fc534d42ffffffff0100000080000000fe534d424000000000000000010000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000001900000200000000000000005800280000000000000000004e544c4d5353500001000000329088e2000000002800000000000000280000000601b11d0000000f00000000000000000000000000000000\")}}"

    matchers-condition: and
    matchers:
      - type: binary
        part: data
        encoding: hex
        binary:
          - "fc534d4248000000"
          - "0d0000c0"
          - "1000602d00"
        condition: or

      - type: binary
        part: data
        encoding: hex
        binary:
          - "00000031fc534d424800000001000000000000001eb000fe534d4240000000c00d0000c00100011000602d00100103301e28090442"
# digest: 4a0a004730450220753d7210e88431eb2ed477c79b2d1d5897e1db994fdfdb834b00afc31f205817022100f981d856acb0521ef89760bd38e64e126e8818460824df699d2019dae71025cd:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/network/cves/2020/CVE-2020-0796.yaml