Comments (13)
The batch script requires an internet connection to download symbols. I'm not sure what else can cause it to fail (any error messages?), but as a workaround you can copy the relevant files from the guest to the host and run the script on the copied files by adjusting the paths everywhere you see %windir%\system32 in the script.
from cve-2020-0796-rce-poc.
I'm sure that my virtual Windows has an internet connection, because I just downloaded the scripts from GitHub in it. And I tried the ways you recommended, and copied C:\Windows\System32 to my host, but it just didn't work, and only output 3 arguments.
Maybe it was because something was lacking in the virtual machine, but I don't know what was wrong. Seems really weird.
from cve-2020-0796-rce-poc.
Remove the following part that appears twice in the batch file: "| findstr #", so that the lines only contain "%cmd%". Run the script and post the full output you get.
from cve-2020-0796-rce-poc.
Well, I put a " " in the name of the .bat and directly double-clicked the script, and it output all five arguments! Seems really weird, because when I tried to use the command line to open the script, it only output three arguments. And before this quote, I tried to open it directly by double-clicking, but it just showed up and shut down immediately.
And when I replaced the offsets in SMBleedingGhost.py and ran it, it just succeeded. LOTS OF THANKS!
from cve-2020-0796-rce-poc.
I'm glad that it works. Still, if you can reproduce the issue and remove the part that I mentioned, perhaps we can see what went wrong. Then I'll be able to fix it for other users.
from cve-2020-0796-rce-poc.
1. The photos below are what I got when running the batch file by double-clicking in my virtual guest.
2. This is what I got on my host after running the modified batch file (after changing %windir% to the real directory) by double-clicking:
Calculating offsets, please wait...
Microsoft (R) Windows Debugger Version 10.0.17763.168 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [G:\UNIVERSITY\system32\drivers\srvnet.sys]
************* Path validation summary **************
Response Time (ms) Location
Deferred SRV*G:\UNIVERSITY\大二下\渗透测试实验\cve漏洞\cve-2020-0796\CVE-2020-0796-RCE-POC-master\tools*https://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*G:\UNIVERSITY\大二下\渗透测试实验\cve漏洞\cve-2020-0796\CVE-2020-0796-RCE-POC-master\tools*https://msdl.microsoft.com/download/symbols
Executable search path is:
Unable to add extension DLL: ntsdexts
Unable to add extension DLL: uext
Unable to add extension DLL: exts
The call to LoadLibrary(ext) failed, Win32 error 0n2
"The system cannot find the file specified."
Please check your debugger configuration and/or network access.
ModLoad: 00000001`c0000000 00000001`c0053000 G:\UNIVERSITY\system32\drivers\srvnet.sys
srvnet!GsDriverEntry:
00000001`c004d010 48895c2408 mov qword ptr [rsp+8],rbx ss:00000000`00000008=????????????????
0:000> cdb: Reading initial command '.echo ==========; .printf "\OFFSETS = { \x23\n"; .catch { .printf "\ 'srvnet!SrvNetWskConnDispatch': 0x%X, \x23\n", srvnet!SrvNetWskConnDispatch-srvnet }; .catch { .printf "\ 'srvnet!imp_IoSizeofWorkItem': 0x%X, \x23\n", 1C0032210-srvnet+0n0*8 }; .catch { .printf "\ 'srvnet!imp_RtlCopyUnicodeString': 0x%X, \x23\n", 1C0032210-srvnet+0n15*8 }; .echo ==========; q'
==========
OFFSETS = { #
'srvnet!SrvNetWskConnDispatch': 0x2D170, #
'srvnet!imp_IoSizeofWorkItem': 0x32210, #
'srvnet!imp_RtlCopyUnicodeString': 0x32288, #
==========
quit:
Microsoft (R) Windows Debugger Version 10.0.17763.168 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [G:\UNIVERSITY\system32\ntoskrnl.exe]
************* Path validation summary **************
Response Time (ms) Location
Deferred SRV*G:\UNIVERSITY\大二下\渗透测试实验\cve漏洞\cve-2020-0796\CVE-2020-0796-RCE-POC-master\tools*https://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*G:\UNIVERSITY\大二下\渗透测试实验\cve漏洞\cve-2020-0796\CVE-2020-0796-RCE-POC-master\tools*https://msdl.microsoft.com/download/symbols
Executable search path is:
Unable to add extension DLL: ntsdexts
Unable to add extension DLL: uext
Unable to add extension DLL: exts
The call to LoadLibrary(ext) failed, Win32 error 0n2
"The system cannot find the file specified."
Please check your debugger configuration and/or network access.
ModLoad: 00000001`40000000 00000001`40ab6000 G:\UNIVERSITY\system32\ntoskrnl.exe
ntoskrnl!KiSystemStartup:
00000001`40597010 4883ec38 sub rsp,38h
0:000> cdb: Reading initial command '.echo ==========; .catch { .printf " 'nt!IoSizeofWorkItem': 0x%X, \x23\n", ntoskrnl!IoSizeofWorkItem-ntoskrnl }; .catch { .printf " 'nt!MiGetPteAddress': 0x%X \x23\n", ntoskrnl!MiGetPteAddress-ntoskrnl }; .printf "} \x23\n"; .echo ==========; q'
==========
'nt!IoSizeofWorkItem': 0x12C380, #
'nt!MiGetPteAddress': 0xBADC8 #
} #
==========
quit:
- While I mentioned the file-name problem and the whether-run-directly problem, it seems I misunderstood it. It seems the file name and whether it is run directly or not had nothing to do with whether it gives the right output. So I just give you the output samples from running on the guest and the host.
Hope I can help you figure out what was going on with it.
from cve-2020-0796-rce-poc.
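The batch file pipes each cdb run through "| findstr #" so that only the lines the .printf commands tag with "#" (written as \x23 in the cdb command line) survive; a .catch{} block whose symbol never resolved prints nothing, which is why a run without PDB access yields fewer than five entries. The following Python script is an added illustration, not code from the repository or from any participant in this thread: it reproduces that filter, collects the offsets, reads the module sizes from the ModLoad lines, and reports both missing keys and offsets that fall outside their module (a value such as 0x40000000 is larger than any srvnet.sys). The five key names and the module names are taken from the transcript above; the two sample transcripts are constructed, the first mirroring the successful host run above and the second a failing run with two keys absent.

```python
import re

# The five offsets the batch file is expected to print, and the module each
# one must lie inside (names as they appear in the transcript above).
EXPECTED = {
    "srvnet!SrvNetWskConnDispatch": "srvnet.sys",
    "srvnet!imp_IoSizeofWorkItem": "srvnet.sys",
    "srvnet!imp_RtlCopyUnicodeString": "srvnet.sys",
    "nt!IoSizeofWorkItem": "ntoskrnl.exe",
    "nt!MiGetPteAddress": "ntoskrnl.exe",
}

OFFSET_RE = re.compile(r"'([^']+)':\s*0x([0-9A-Fa-f]+)")
MODLOAD_RE = re.compile(r"ModLoad:\s+(\S+)\s+(\S+)\s+(.+?)\s*$")


def _addr(text):
    # cdb prints 64-bit addresses as 00000001`c0000000
    return int(text.replace("`", ""), 16)


def parse_cdb_output(text):
    """Return (offsets, module_sizes) from a cdb transcript.

    Only lines containing '#' are considered for offsets, which is exactly
    what `| findstr #` does in the batch file.  A .catch{} block whose symbol
    did not resolve prints nothing, so its key is simply absent from the dict.
    Module sizes come from the ModLoad lines (end address minus start).
    """
    offsets, sizes = {}, {}
    for line in text.splitlines():
        mod = MODLOAD_RE.search(line)
        if mod:
            name = mod.group(3).replace("/", "\\").rsplit("\\", 1)[-1].lower()
            sizes[name] = _addr(mod.group(2)) - _addr(mod.group(1))
            continue
        if "#" not in line:
            continue
        off = OFFSET_RE.search(line)
        if off:
            offsets[off.group(1)] = int(off.group(2), 16)
    return offsets, sizes


def check_offsets(offsets, sizes):
    """Return a list of problems; an empty list means all five offsets look sane."""
    problems = []
    for name, module in EXPECTED.items():
        if name not in offsets:
            problems.append(f"missing {name}: symbol did not resolve (no PDB?)")
            continue
        size = sizes.get(module)
        if size is not None and not 0 < offsets[name] < size:
            problems.append(
                f"{name} = 0x{offsets[name]:X} lies outside {module} (size 0x{size:X})")
    return problems


# Constructed transcripts: GOOD mirrors the successful host run in the thread,
# BAD mirrors a failing run (two keys absent, bogus 0x40000000 values).
GOOD = r"""
ModLoad: 00000001`c0000000 00000001`c0053000 C:\Windows\system32\drivers\srvnet.sys
==========
OFFSETS = { #
 'srvnet!SrvNetWskConnDispatch': 0x2D170, #
 'srvnet!imp_IoSizeofWorkItem': 0x32210, #
 'srvnet!imp_RtlCopyUnicodeString': 0x32288, #
==========
ModLoad: 00000001`40000000 00000001`40ab6000 C:\Windows\system32\ntoskrnl.exe
 'nt!IoSizeofWorkItem': 0x12C380, #
 'nt!MiGetPteAddress': 0xBADC8 #
} #
"""

BAD = r"""
ModLoad: 00000001`c0000000 00000001`c0053000 C:\Windows\system32\drivers\srvnet.sys
OFFSETS = { #
 'srvnet!imp_IoSizeofWorkItem': 0x40000000, #
 'srvnet!imp_RtlCopyUnicodeString': 0x40000000, #
ModLoad: 00000001`40000000 00000001`40ab6000 C:\Windows\system32\ntoskrnl.exe
 'nt!IoSizeofWorkItem': 0x12C400, #
} #
"""

if __name__ == "__main__":
    for label, transcript in (("good", GOOD), ("bad", BAD)):
        offsets, sizes = parse_cdb_output(transcript)
        print(label, offsets, check_offsets(offsets, sizes) or "OK")
```

Running the real batch file with the "| findstr #" filter removed and feeding its full output to parse_cdb_output keeps the "Unable to add extension DLL" noise out of the result while still letting you see it; those extension warnings appear in the successful host run too, so they are not by themselves a sign of failure, whereas a missing key is.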
The two symbols that failed to load are the ones that require symbols. Try the following: add the following lines at the beginning of the batch file, run it, and post the contents of the newly created dbghelp.log file:
set DBGHELP_DBGOUT=1
set DBGHELP_LOG=..\dbghelp.log
from cve-2020-0796-rce-poc.
Here is what I got in the guest.
dbghelp.log
from cve-2020-0796-rce-poc.
From the log:
SYMSRV: HttpSendRequest: 800C2EFD - ERROR_INTERNET_CANNOT_CONNECT
So for some reason, guest failed to download from:
https://msdl.microsoft.com/download/symbols/srvnet.pdb/CFE2BF7A30464E7FCE0CC805AA1C96CB1/srvnet.pdb
and:
https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/E0093F3AEF15D58168B753C9488A40431/ntkrnlmp.pdb
Somebody on Stack Overflow suggests it can be caused by a mis-configured IE.
from cve-2020-0796-rce-poc.
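The two URLs in the log follow the symbol server convention: pdb-name / GUID-plus-age / pdb-name, where the GUID and age come from the RSDS CodeView record in the binary's debug directory, and a symbol path of the form SRV*dir*URL caches what it downloads under dir\pdb-name\GUID-plus-age\pdb-name. When the guest cannot reach msdl.microsoft.com, an alternative to copying system32 to the host is to compute those locations for the guest's own srvnet.sys and ntoskrnl.exe, fetch the PDBs on a machine that can connect, and drop them into the tools directory that the batch file uses as its cache. The script below is an added example, not code from the repository or from any participant: it parses the PE headers and the RSDS record in pure Python and prints the download URL and the cache path. The build_test_image helper constructs a minimal PE32+ image so the script can be exercised offline; the GUIDs in its test values are the two from the log above, and the cache directory C:\tools is an assumed path.

```python
import struct
import uuid

SYMBOL_SERVER = "https://msdl.microsoft.com/download/symbols"


def _rva_to_offset(rva, sections):
    """Translate an RVA to a file offset using the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError(f"RVA 0x{rva:X} is not backed by any section")


def pdb_identity(pe):
    """Return (pdb_file_name, symsrv_id) from the RSDS CodeView record of a PE image.

    symsrv_id is the GUID as 32 upper-case hex digits followed by the age in
    hex, which is the directory name the symbol server uses for that PDB.
    """
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_base = opt + (0x70 if magic == 0x20B else 0x60)      # PE32+ vs PE32 data directories
    dbg_rva, dbg_size = struct.unpack_from("<II", pe, dd_base + 6 * 8)  # IMAGE_DIRECTORY_ENTRY_DEBUG
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + i * 40
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    dbg_off = _rva_to_offset(dbg_rva, sections)
    for i in range(dbg_size // 28):                          # sizeof(IMAGE_DEBUG_DIRECTORY)
        typ, data_size, _, data_ptr = struct.unpack_from("<IIII", pe, dbg_off + i * 28 + 12)
        if typ != 2:                                          # IMAGE_DEBUG_TYPE_CODEVIEW
            continue
        cv = pe[data_ptr:data_ptr + data_size]
        if cv[:4] != b"RSDS":
            continue
        guid = uuid.UUID(bytes_le=bytes(cv[4:20]))
        age = struct.unpack_from("<I", cv, 20)[0]
        path = cv[24:].split(b"\0", 1)[0].decode("ascii", "replace")
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        return name, f"{guid.hex.upper()}{age:X}"
    raise ValueError("no RSDS CodeView record found")


def symbol_locations(pe, cache_dir):
    """URL to fetch the PDB from, and where a SRV*cache_dir*URL symbol path expects it."""
    name, ident = pdb_identity(pe)
    return (f"{SYMBOL_SERVER}/{name}/{ident}/{name}",
            f"{cache_dir}\\{name}\\{ident}\\{name}")


def build_test_image(guid_str, age, pdb_path):
    """Constructed minimal PE32+ image whose only content is an RSDS record (test data)."""
    img = bytearray(0x300)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                  # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x44, 0x8664, 1)             # AMD64, one section
    struct.pack_into("<H", img, 0x44 + 16, 240)              # SizeOfOptionalHeader (PE32+)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x20B)                  # PE32+ magic
    struct.pack_into("<II", img, opt + 0x70 + 6 * 8, 0x1000, 28)  # debug directory RVA/size
    sec = opt + 240
    img[sec:sec + 8] = b".rdata\0\0"
    struct.pack_into("<IIII", img, sec + 8, 0x100, 0x1000, 0x100, 0x200)  # vsize, vaddr, rawsize, rawptr
    # IMAGE_DEBUG_DIRECTORY at RVA 0x1000 (file 0x200); CodeView blob at RVA 0x1020 (file 0x220)
    struct.pack_into("<IIII", img, 0x200 + 12, 2, 0x80, 0x1020, 0x220)
    cv = (b"RSDS" + uuid.UUID(guid_str).bytes_le + struct.pack("<I", age)
          + pdb_path.encode("ascii") + b"\0")
    img[0x220:0x220 + len(cv)] = cv
    return bytes(img)


if __name__ == "__main__":
    import sys
    # Real use: python this_script.py C:\Windows\System32\drivers\srvnet.sys <tools dir>
    if len(sys.argv) > 2:
        image, cache = open(sys.argv[1], "rb").read(), sys.argv[2]
    else:  # offline demo with the constructed image (assumed cache dir C:\tools)
        image = build_test_image("cfe2bf7a-3046-4e7f-ce0c-c805aa1c96cb", 1, r"D:\build\srvnet.pdb")
        cache = r"C:\tools"
    for item in symbol_locations(image, cache):
        print(item)
```

The cache path is the one cdb will look in first for a symbol path of SRV*tools*https://msdl.microsoft.com/download/symbols, so a PDB placed there by hand is picked up without any network access; the age must match exactly, since the debugger rejects a PDB whose GUID or age differs from the RSDS record in the loaded binary.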
I have seen the issue mentioned on Stack Overflow. But my IE browser really can connect to the Internet, and
You are right. Though I can connect to the Internet with my IE, I just can't connect to the sites you posted.
It tells me that I can't connect securely.
from cve-2020-0796-rce-poc.
Hello, I have the same problem as you. The script could output 5 arguments on the real Win10 host, but only 3 on the VM target Win10. How did you fix this problem?
from cve-2020-0796-rce-poc.
I just copied the system32 files from my guest to my host, and modified the address in the batch file as mentioned above.
from cve-2020-0796-rce-poc.
The bat file does not work:
OFFSETS = { #
'srvnet!imp_IoSizeofWorkItem': 0x40000000, #
'srvnet!imp_RtlCopyUnicodeString': 0x40000000, #
'nt!IoSizeofWorkItem': 0x12C400, #
} #
from cve-2020-0796-rce-poc.