SMBGhost

This repository is a Python proof-of-concept/operational exploit for SMBGhost (CVE-2020-0796), the SMBv3 compression integer overflow vulnerability affecting Microsoft Windows systems. The repo contains 4 files: README.md, the main exploit driver exploit.py, and two helper modules lznt1.py and smb_win.py. The code is not a framework module; it is a standalone exploit. Repository structure and purpose: - exploit.py: Main exploit logic. It connects to a remote SMB service on TCP/445, performs SMB negotiation, crafts malicious compressed SMB packets, derives kernel memory layout information, obtains arbitrary read/write-style primitives against kernel memory, clears the NX bit on a kernel page, writes embedded kernel shellcode, and overwrites a HAL interrupt-related pointer to trigger execution. - lznt1.py: Implements LZNT1 compression/decompression helpers, including compress_evil(), which intentionally emits malformed/compressed data and appends a corrupted chunk marker to help trigger the SMB compression bug. - smb_win.py: Builds raw SMB2/NetBIOS packets needed by the exploit, including SMB2 negotiate requests with compression contexts and SMB compressed transform packets. - README.md: Describes the project as a fork of chompie1337's SMBGhost RCE PoC, notes retry logic and a pseudo vulnerability checker, and warns that repeated attempts may crash the target. Main exploit capabilities: - Remote network exploitation over SMB. - SMB2 negotiate packet generation with compression support advertisement. - Delivery of malformed SMB compressed packets to trigger the CVE-2020-0796 bug. - Kernel memory discovery/manipulation workflow, including locating low stub/PML4/HAL heap structures. - Clearing the NX bit for the KUSER_SHARED_DATA page table entry. - Writing a large embedded x64 kernel shellcode blob into target memory. - Overwriting a HAL interrupt-related function pointer to redirect execution to the shellcode. - Using attacker-supplied server IP and port, indicating a callback/reverse-shell style post-exploitation stage. Fingerprintable protocol/target details: - SMB over TCP/445 is the primary network target. - SMB2 protocol markers are present in packet builders: \xfeSMB for SMB2 headers and \xfcSMB for compressed transform packets. - The negotiate request explicitly includes SMB compression context and dialects consistent with SMBv3 negotiation. - The exploit comments explicitly state target: Windows 10 1903. Overall, this is a real remote code execution exploit, not merely a detector. It is operational but brittle: the README warns it is unstable and likely to crash the target after several attempts.

This repository is a Python SMBGhost exploit for CVE-2020-0796, targeting Microsoft Windows 10 1903/1909 systems with SMBv3 compression enabled. It is not a framework module; it is a standalone exploit composed of 4 files: README.md, exploit.py, lznt1.py, and smb_win.py. Repository structure and purpose: - exploit.py: Main exploit logic and entry point. It accepts a target IP, attacker/server IP, and attacker port. It performs vulnerability checking, SMB negotiation, memory corruption, physical memory reads/writes, page table manipulation, shellcode construction, and final control-flow hijack. - lznt1.py: Implements LZNT1 compression/decompression helpers, including compress_evil(), which intentionally produces malformed/compressed data suitable for triggering the SMB compression integer overflow condition. - smb_win.py: Builds raw SMBv3 packets, including SMB2 negotiate requests and compressed transform packets, and sends them over a socket. - README.md: Describes the exploit as a fork of chompie1337's SMBGhost RCE PoC with retry logic and a pseudo vulnerability checker. Main exploit capabilities: - Negotiates SMBv3 with compression support using handcrafted SMB packets. - Uses malformed SMB compression data to trigger the CVE-2020-0796 bug. - Establishes arbitrary read/write-style primitives against kernel/physical memory (based on function names and exploit flow). - Searches for low stub, PML4, and HAL heap/kernel structures needed for reliable exploitation. - Computes the PTE for KUSER_SHARED_DATA, clears the NX bit, and writes kernel shellcode there. - Overwrites a HAL interrupt-related function pointer so execution jumps to the injected shellcode. - Embeds an operator-supplied callback IP/port into the shellcode, indicating a reverse connection payload. Notable network behavior: - Primary target surface is SMB over TCP/445. - The exploit requires an attacker-controlled listener/server IP and port, passed on the command line and incorporated into the shellcode. Assessment: This is a real exploit, not merely a detector. It contains a complete exploitation chain and an embedded payload, though it appears brittle and crash-prone, matching the README warning. Because the payload is present but not highly modularized, the maturity is best classified as OPERATIONAL.

This repository contains a proof-of-concept (PoC) exploit for CVE-2020-0796, also known as SMBGhost, a critical buffer overflow vulnerability in the SMBv3 protocol implementation on Microsoft Windows systems. The main file, 'cve-2020-0796.py', is a Python script that constructs and sends specially crafted SMBv3 negotiation and compressed packets to a target host's TCP port 445. The exploit demonstrates the vulnerability by triggering a buffer overflow via a malformed compression header, but does not include a payload for code execution or shell access. The repository is structured simply, with one code file, a README, and standard git configuration files. The exploit requires the attacker to specify the target IP address and have network access to the SMB port. This PoC is intended for testing and research purposes to verify the presence of the vulnerability.

This repository contains a proof-of-concept (PoC) exploit for CVE-2020-0796, also known as SMBGhost, a critical buffer overflow vulnerability in Microsoft's SMBv3 protocol implementation. The repository consists of a Python script ('cve-2020-0796.py') and a README file. The script constructs and sends a specially crafted SMBv3 compressed packet to a target IP address on port 445, exploiting the vulnerability by manipulating the compression header's offset field. The exploit demonstrates the vulnerability by causing a buffer overflow but does not provide post-exploitation features such as shell access or code execution. The code is structured with classes to build SMB2 headers, negotiate requests, and compressed transform headers, and uses raw socket communication to interact with the target. The only fingerprintable endpoint is the target's SMB service (IP:445). The exploit is a network-based PoC and is intended for testing and demonstration purposes.

This repository contains a single Python script implementing a proof-of-concept (PoC) exploit for CVE-2020-0796, also known as SMBGhost. The exploit targets the SMBv3 protocol on Microsoft Windows systems by sending a specially crafted compressed packet to the target's SMB service (TCP port 445). The script constructs the payload using a fake SMBv3 compressed header and a block of zeroed data, then sends it to a user-specified IP address. If the target is vulnerable, this may result in a denial-of-service condition, causing the SMB service or the system to crash or freeze. The script is safe in the sense that it does not attempt remote code execution, only denial-of-service. The repository is minimal, containing only the exploit script, and is intended for testing and research purposes.

This repository contains a proof-of-concept exploit for CVE-2020-0796 (SMBGhost), a buffer overflow vulnerability in the SMBv3 compression handling on Windows 10 1903. The exploit is implemented in Python (main.py) and is designed to trigger a denial of service (Blue Screen of Death) on a vulnerable target. The code constructs and sends a malformed SMBv3 compressed packet to a user-specified IP address and port (typically port 445 for SMB). The README provides a brief explanation of the vulnerability and references to further information and related exploits. The repository structure is simple, consisting of a single exploit script and a README. No hardcoded IPs or domains are present; the target is specified at runtime. The exploit does not provide remote code execution or privilege escalation, but demonstrates the ability to crash the target system over the network.

This repository provides a comprehensive exploit toolkit for CVE-2020-0796 (SMBGhost), a critical remote code execution vulnerability in Microsoft Windows SMBv3. The structure includes: - Main exploit script (CVE_2020_0796_Payload.py): A Python 3 script that crafts and sends malicious SMBv3 packets to a target Windows system, exploiting the vulnerability to achieve remote code execution. It requires the attacker to specify the target IP, the attacker's IP for the reverse shell, and the listening port. The script uses custom kernel shellcode (provided in smbghost_kshellcode_x64.asm) to spawn a reverse shell from the target to the attacker. - Scanner (Scanner.py): A Python script to check if a target is vulnerable to CVE-2020-0796 by sending a crafted SMB packet and analyzing the response. - Crash test (SystemCrashTest/Crash_Test.py): A Python script that triggers a denial-of-service (BSOD) on the target to demonstrate exploitability without full code execution. - Offset calculation (Offset/offset.bat): A batch script to determine kernel memory offsets required for successful exploitation, which may vary by Windows build. - Documentation (README.md, ATTACK_PLAN.md, Exploitation.md, VULNERABILITY_DETAILS.md, REFERENCES.md): Detailed guides on setup, exploitation steps, affected systems, and references. The exploit targets TCP port 445 (SMB) on vulnerable Windows 10 and Windows Server systems. It is operational, providing a working reverse shell payload, but requires correct environment setup and offset calculation. The repository is intended for educational and research purposes in controlled environments.

This repository is a Proof-of-Concept (POC) exploit for CVE-2020-0796 (SMBGhost), a critical remote code execution vulnerability in the SMBv3 protocol on Windows 10 (versions 1903 and 1909). The exploit consists of a main Python script (SMBleedingGhost.py), a batch script (calc_target_offsets.bat) to calculate necessary kernel offsets on the target, and a custom x64 kernel shellcode (smbghost_kshellcode_x64.asm). The exploit works by sending crafted SMB packets to the target over the network, leveraging the vulnerability to execute arbitrary code in kernel context. The payload is a reverse shell that connects back to the attacker's machine, providing SYSTEM-level access. The exploit requires the attacker to know the correct kernel offsets for the target, which are obtained by running the batch script on the target system. The README provides detailed usage instructions and references. The exploit is intended for educational and testing purposes only.

This repository is a proof-of-concept (PoC) exploit for CVE-2020-0796, also known as SMBGhost or CoronaBlue. The main exploit script is 'CVE-2020-0796.py', which uses a modified version of the 'smbprotocol' Python library (included in the repository) to interact with SMBv3.1.1 servers. The exploit works by registering an SMB session to a target server (provided as a command-line argument) with encryption disabled, and then sending a specially crafted compressed authentication request. The request sets the 'offset' field in the SMB2CompressionTransformHeader to an excessively large value, which triggers a buffer overflow in the Windows kernel's SMB decompression routine, causing a denial of service (system crash). The README and code indicate that this PoC does not achieve remote code execution, but demonstrates the crash. The repository includes the full source for the modified SMB protocol library, supporting SMB 3.1.1 compression/decompression, and is written entirely in Python. The exploit targets Windows 10 1903/1909 systems with SMBv3.1.1 compression enabled and not patched for CVE-2020-0796. The main attack vector is network-based, requiring access to the target's SMB service (typically TCP port 445).

This repository contains a local privilege escalation (LPE) exploit for CVE-2020-0796 (SMBGhost), targeting vulnerable versions of Microsoft Windows 10 with SMBv3 enabled. The main exploit logic resides in 'cve-2020-0796-local/exploit.cpp', which is a C program designed to be built with Visual Studio. The exploit works by connecting to the local SMB service, sending a crafted negotiation request, and then exploiting a vulnerability in the SMBv3 compression handling to overwrite kernel memory. Specifically, it locates the current process's kernel token and modifies its privileges, effectively granting SYSTEM-level access to the attacker. The exploit requires local execution on a vulnerable, unpatched system. The repository includes Visual Studio project files and a README with references and analysis links, but the core exploit is in a single C source file. No network endpoints or remote targets are hardcoded; the attack is purely local, leveraging the SMBv3 service on the same machine.

This repository provides a simple Python 3 proof-of-concept (PoC) exploit and scanner for CVE-2020-0796 (SMBGhost), a critical vulnerability in Microsoft Windows SMBv3.1.1. The main script, 'poc-and-scan.py', can be run in two modes: scan-only (detects if the target is running SMBv3.1.1 with compression) and scan+crash (also sends a malformed packet to crash the target, potentially causing a denial of service). The script restricts usage to private IP ranges to prevent accidental exploitation of public systems. The exploit works by sending a static SMB negotiation packet and, if instructed, a malformed SMB packet to TCP port 445 of the target. The repository contains a license file, a README with usage instructions, and the exploit script itself. No external dependencies are required beyond Python 3.

This repository contains a proof-of-concept exploit for CVE-2020-0796 (SMBGhost), a critical vulnerability in the SMBv3 protocol implementation on Microsoft Windows. The repository consists of two files: a README.md with usage instructions and a single Python script (crash.py) that implements the exploit. The script constructs and sends a specially crafted SMBv3 compressed packet to a target IP address on TCP port 445, exploiting the vulnerability to crash the SMB service (denial-of-service). No authentication is required, and the exploit does not require any external modules. The code is a minimal PoC and does not provide remote code execution or shell access, only service disruption. The exploit is network-based and targets Windows systems with vulnerable SMBv3 enabled.

This repository contains a proof-of-concept (POC) exploit for the SMBGhost (CVE-2020-0796) vulnerability affecting Windows 10 versions 1903 and 1909. The exploit is designed to achieve remote code execution with SYSTEM privileges by exploiting a vulnerability in the SMBv3 protocol implementation. The repository includes: - `README.md`: Detailed usage instructions, including the need to run a batch script (`calc_target_offsets.bat`) on the target to determine kernel structure offsets, which must then be manually set in the exploit script. The README also describes the target environment and limitations (e.g., best reliability on single-processor systems). - `calc_target_offsets.bat`: A batch script that uses Windows debugging tools to extract necessary kernel offsets from the target system. It references system files (`srvnet.sys`, `ntoskrnl.exe`) and the Microsoft symbol server. - `smbghost_kshellcode_x64.asm`: The custom x64 kernel shellcode used as the payload. This shellcode is responsible for privilege escalation and spawning a reverse shell to the attacker's machine. - `tools/cdb.exe`: Placeholder for the Windows debugger used by the batch script. The exploit requires the attacker to set up a listener (e.g., with ncat) and to have the ability to run the batch script on the target to obtain kernel offsets. The exploit is not universal and requires manual adjustment for each target system, making it a POC rather than a weaponized exploit. The main attack vector is network-based, targeting the SMB service on vulnerable Windows 10 systems. The repository does not include the main Python exploit script (`SMBleedingGhost.py`), but the structure and instructions indicate its expected usage.

This repository provides a comprehensive exploit and detection toolkit for the SMBGhost (CVE-2020-0796) vulnerability affecting Windows 10 systems with SMBv3.1.1 and SMB compression enabled. The main entry point is 'Smb_Ghost.py', which automates both scanning (via 'Scanner/scanner.py' and 'Scanner/logless_scanner.py') and exploitation (via 'RCE/exploit.py'). The exploit leverages a kernel shellcode (see 'RCE/kernel_shellcode.asm') to achieve remote code execution as SYSTEM. Users can supply their own shellcode (with a size limit of 600 bytes), such as a reverse shell or a payload to add a new administrator user (example provided in 'Custom_Shellcodes/x64_add_user.txt'). The toolkit includes both detection scripts and a full exploit chain, making it operational and suitable for red teaming or penetration testing. The exploit targets TCP port 445 (SMB) and is specifically tailored for Windows 10 x64 build 1903, but may work on other unpatched versions. The codebase is primarily Python, with assembly for the kernel shellcode, and is not part of a larger exploitation framework.

This repository provides an operational exploit for CVE-2020-0796 (SMBGhost), targeting Windows 10 (versions 1903/1909) and Windows Server 1903/1909. The exploit consists of a reflective DLL (written in C) that leverages the SMBv3 compression vulnerability to escalate local privileges to SYSTEM by leaking and overwriting kernel process tokens. The exploit can also be used to trigger a remote denial of service (BSOD) if used over the network. The repository includes Aggressor Script (.cna) integration for Cobalt Strike, allowing the exploit to be run as a post-exploitation module. The codebase is structured as a Visual Studio C++ project, with core logic in 'ReflectiveDll.c' and loader logic in 'ReflectiveLoader.c'. The README provides detailed affected versions, mitigation steps, and references. No hardcoded IPs or domains are present, but the exploit targets SMB over TCP port 445 and references a registry key for mitigation. The exploit is not weaponized for mass exploitation but is operational and requires compilation and manual deployment.

This repository is a functional local privilege escalation exploit for CVE-2020-0796 (SMBGhost) on Windows 10 systems. The exploit is implemented primarily in Python (poc.py and write_what_where.py), with a C++ DLL payload (spawn_cmd.dll) built from the Visual Studio project in spawn_cmd_src/. The main exploit logic (poc.py) leaks the current process token address, uses a write-what-where primitive over the local SMB service (via write_what_where.py) to overwrite kernel memory and grant full privileges, and then injects a DLL into winlogon.exe to spawn a SYSTEM-level command shell. The exploit requires local code execution and is not a remote exploit. The repository is well-structured, with clear separation between the exploit logic, the SMB write-what-where primitive, and the DLL payload. No external network endpoints are targeted; all exploitation is performed locally via the SMB service on 127.0.0.1:445.

This repository contains a functional proof-of-concept (POC) exploit for CVE-2020-0796 (SMBGhost), a critical remote code execution vulnerability in the SMBv3 protocol implementation on Windows 10 (versions 1903 and 1909). The exploit is implemented in Python (SMBleedingGhost.py) and leverages custom x64 kernel shellcode (smbghost_kshellcode_x64.asm) to achieve code execution in kernel context, ultimately spawning a reverse shell to the attacker's machine. The batch script (calc_target_offsets.bat) is used to calculate necessary kernel structure offsets on the target system, which must be manually set in the Python script before exploitation. The exploit requires the attacker to run ncat to receive the reverse shell. The README provides detailed usage instructions, target requirements, and references to technical writeups. The exploit is operational but not weaponized, as it requires manual offset calculation and is not universal across all Windows 10 builds. The main attack vector is network-based, targeting the SMBv3 service on the victim machine.

This repository contains a proof-of-concept (PoC) exploit for CVE-2020-0796, also known as SMBGhost, a critical buffer overflow vulnerability in Microsoft's SMBv3 protocol implementation. The main file, 'cve-2020-0796.py', is a Python script that constructs and sends specially crafted SMBv3 packets to a target host's port 445. The exploit works by manipulating the compressed transform header's offset field to trigger the overflow. The script does not provide post-exploitation capabilities such as shell access; it is intended to demonstrate the presence of the vulnerability. The repository includes standard project files (.gitattributes, .gitignore, README.md) and the exploit script. The only code file is 'cve-2020-0796.py', which is the entry point and contains all exploit logic. The exploit requires the attacker to specify the target IP address as a command-line argument and attempts to connect to the SMB service on TCP port 445.

This repository is a multi-purpose Python-based network scanner and vulnerability detection toolkit, primarily targeting Windows environments but with some cross-platform capabilities. The main script, 'Ladon.py', acts as a dispatcher and scanner, supporting multiple scanning and detection modules: - 'CVE-2018-2894.py' checks for a Java deserialization vulnerability in Oracle WebLogic servers by probing a specific HTTP endpoint. - 'PhpStudyPoc.py' detects the PhpStudyDoor backdoor by sending crafted HTTP requests to various endpoints on the target. - 'SmbGhostPoc.py' is a scanner for SMBGhost (CVE-2020-0796) and SMBleed (CVE-2020-1206) vulnerabilities in the SMBv3 protocol on Windows systems. - 'Ladon.py' provides a command-line interface to scan for online hosts, enumerate SMB versions, detect MS17-010 (EternalBlue) vulnerabilities, retrieve hostnames, and invoke the above POC modules. It uses multi-threading for network scanning and can load a DLL for advanced scanning on Windows. - 'mysmb.py' is a helper library for SMB protocol operations, used by the main scanner and exploit modules. The toolkit is operational and can be used to detect the presence of several high-profile vulnerabilities (MS17-010, SMBGhost, SMBleed, WebLogic deserialization, PhpStudyDoor) and to gather information about networked Windows hosts. It does not provide weaponized exploitation or post-exploitation payloads, but rather focuses on detection and enumeration. The code is modular, with each vulnerability check implemented as a separate script or function, and the main 'Ladon.py' script orchestrates their use based on user input. The repository is suitable for penetration testers and red teamers conducting vulnerability assessments in Windows-heavy environments.

This repository contains a working proof-of-concept exploit for CVE-2020-0796 (SMBGhost), a critical remote code execution vulnerability in Microsoft Windows SMBv3. The main file, 'CVE-2020-0796-POC.py', is a Python 2.7 script that takes a target IP address and attacker-controlled local IP/port as arguments. It constructs and sends a payload to the target, exploiting the vulnerability to execute obfuscated Python shellcode that establishes a reverse shell from the target back to the attacker's machine. The exploit provides SYSTEM-level access if successful. The repository also includes a README with usage instructions and a requirements.txt listing necessary Python dependencies. The attack vector is network-based, targeting Windows systems vulnerable to CVE-2020-0796. The script is operational, providing a working reverse shell payload, but is not part of a larger exploitation framework.

This repository contains a Metasploit local privilege escalation module targeting the SMBGhost (CVE-2020-0796) vulnerability on Windows 10 (versions 1903-1909, x64). The main file, 'smbghost_PrivEsc.rb', is a Ruby script implementing the exploit as a Metasploit module. It is designed to be run from an existing shell (meterpreter session) on a vulnerable system. The exploit works by uploading a custom executable ('cve_2020_0796_payload.exe') and a DLL payload ('shell.dll') to the target, then executing the exploit to inject the DLL into the winlogon.exe process, thereby elevating privileges to SYSTEM. The module checks for the correct Windows version and ensures SMBv3 compression is enabled via a registry key. The payload is customizable, allowing the user to specify their own DLL shellcode. The repository structure is simple, consisting of the exploit module and a README with usage notes and references.

This repository contains a Cobalt Strike Beacon Object File (BOF) implementation of the SMBGhost (CVE-2020-0796) local privilege escalation exploit, adapted from the Metasploit Framework's original code. The exploit targets Windows 10 versions 1903 and 1909 (builds 18362 and 18363) and requires SMBv3 compression to be disabled (DisableCompression registry value). The main exploit logic is implemented in C (src/exploit.c, src/exploit.h, src/libc.c), compiled into a BOF (dist/exploit.x64.o) using make.bat. The Aggressor Script (dist/exploit.cna) registers the 'smbghost' command in Cobalt Strike, allowing operators to elevate the current Beacon process or inject a new Beacon session into winlogon.exe. The exploit leverages Windows APIs and process token manipulation to achieve SYSTEM privileges. The repository is structured for use within Cobalt Strike and is not a standalone exploit; it is intended for post-exploitation scenarios where an attacker already has code execution on a vulnerable host.

This repository contains a Python proof-of-concept (POC) exploit for CVE-2020-0796, also known as SMBGhost, a critical vulnerability in Microsoft's SMBv3 protocol. The main file, 'CVE-2020-0796-POC.py', constructs and sends a malformed SMBv3 compressed packet to a specified target IP address on TCP port 445. The exploit demonstrates the ability to trigger the vulnerability by manipulating the SMBv3 compression transform header, specifically by setting an invalid offset. The code does not provide a shell or further post-exploitation capabilities; it is intended as a POC to show the presence of the bug. The README provides references to other related tools and exploits but does not contain additional code. The repository is structured simply, with one Python exploit file and a README. The exploit targets Windows systems with SMBv3 enabled and accessible over the network.

This repository is a Rust-based local privilege escalation (LPE) exploit for CVE-2020-0796 (SMBGhost) on Windows. The main exploit logic resides in 'src/main.rs', which constructs and sends specially crafted SMBv3 packets to exploit the vulnerability locally. The exploit leverages Windows API calls (via the 'winapi' and 'ntapi' crates) to manipulate process memory and privileges. Upon successful exploitation, it injects shellcode into a process and spawns a SYSTEM shell, granting the attacker elevated privileges. The repository includes build instructions in the README and is structured as a standard Rust project with a single main source file. No external network endpoints or hardcoded IPs/domains are present; the attack is performed locally on the vulnerable host.