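@echo off

REM ===== Get administrator privilege =====
REM The elevation helper below is written to %TEMP% and run with the caller's
REM rights; it asks UAC to start a new, elevated cmd.exe on THIS script's path
REM (%~s0). Whatever is at that path when the prompt is answered runs elevated,
REM so keep the script in a directory that only administrators can write to.

REM cacls.exe on the SYSTEM hive only succeeds when we already hold admin rights.
>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"

IF '%errorlevel%' NEQ '0' (
   echo Ask for administrator priviliege ...
   goto UACPrompt
) else ( goto gotAdmin )

:UACPrompt
   echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"

   REM Forward the original arguments to the elevated run. The original line
   REM (set params = %*:"="") had spaces around '=' and applied %var:a=b%
   REM substitution to %*, which cmd does not support, so the arguments were
   REM always dropped. Quotes are doubled because they end up inside a VBS string.
   set "params=%*"
   if defined params set "params=%params:"=""%"

   echo UAC.ShellExecute "cmd.exe", "/c %~s0 %params%", "", "runas", 1 >> "%temp%\getadmin.vbs"

   REM Run the helper through an explicit script host rather than the .vbs file
   REM association (which is user-configurable), then remove it from %TEMP%.
   cscript //nologo "%temp%\getadmin.vbs"
   del "%temp%\getadmin.vbs"

   exit /B

:gotAdmin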

 

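REM ===== Move to the script's own directory =====
REM pushd (instead of pushd "%CD%" followed by CD /D) also works when the script
REM is started from a UNC path: pushd maps a temporary drive letter, CD /D fails.
pushd "%~dp0"

setlocal

set CURPATH=%cd%

REM SECUHOST / SECUPORT are defined by the original script but never used below;
REM kept unchanged in case a later reporting step relies on them.
set SECUHOST=10.10.10.10

set SECUPORT=80

color 2f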

 

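echo ### ADV200006 Incident response Script by. security group ###
echo ### 1. Change filename atmfd.dll ###

REM Architecture detection, kept from the original: systeminfo output is saved
REM next to the script (useful as an incident artifact) and searched for
REM "x64-based". That string comes from the localized "System Type" line, so
REM verify it still matches on non-English builds.
systeminfo > systeminfo.txt
find /i "x64-based" systeminfo.txt >nul
if not errorlevel 1 goto x64-based

echo ######### windows 32bit check ##########
call :rename_atmfd "%windir%\system32" 32bit
goto end-change-atmfd

:x64-based
echo ######### windows 64bit check ##########
REM 64-bit Windows carries a copy of the font driver in both directories.
call :rename_atmfd "%windir%\system32" 64bit
call :rename_atmfd "%windir%\syswow64" 64bit
goto end-change-atmfd

REM -------------------------------------------------------------------------
REM :rename_atmfd DIR ARCH
REM   Takes ownership of DIR\atmfd.dll, saves its ACL next to it, grants the
REM   local Administrators group full control and renames the file to
REM   x-atmfd.dll (the ADV200006 rename workaround). Sets RESULT to a quoted
REM   status string and echoes it; ARCH ("32bit"/"64bit") only labels the text.
REM   The original inline version fell through its "not exist" label after a
REM   successful rename, so RESULT always reported "Not-exist"; returning from
REM   a subroutine avoids that. Re-running after a successful rename reports
REM   "Already-renamed" instead of failing.
REM -------------------------------------------------------------------------
:rename_atmfd
if not exist "%~1\" (
   set RESULT="Missing-directory-%~1-in-%~2-system"
   goto rename_atmfd_report
)
pushd "%~1"
if not exist atmfd.dll (
   if exist x-atmfd.dll (
      set RESULT="Already-renamed-atmfd.dll-in-%~2-system"
   ) else (
      set RESULT="Not-exist-atmfd.dll-in-%~2-system"
   )
   goto rename_atmfd_restore
)
takeown.exe /f atmfd.dll
if errorlevel 1 (
   set RESULT="Takeown-failed-atmfd.dll-in-%~2-system"
   goto rename_atmfd_restore
)
icacls.exe atmfd.dll /save atmfd.dll.acl
REM S-1-5-32-544 is the well-known SID of BUILTIN\Administrators; the SID form
REM also works on builds where the group name is localized.
icacls.exe atmfd.dll /grant *S-1-5-32-544:(F)
rename atmfd.dll x-atmfd.dll
if exist atmfd.dll (
   set RESULT="Rename-failed-atmfd.dll-in-%~2-system"
   goto rename_atmfd_restore
)
set RESULT="Changed-atmfd.dll-in-%~2-system"
:rename_atmfd_restore
popd
:rename_atmfd_report
echo %RESULT%
goto :eof

:end-change-atmfd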

 

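echo ### 2. Disable WebClient Service ###

REM Stopping a service that is already stopped (or absent) makes "net stop"
REM report an error; that is harmless here and the config step still runs.
net stop WebClient

REM sc.exe takes "start=" as the option name and expects the value after a
REM space; the spaceless "start=disabled" form is rejected on at least older builds.
sc config WebClient start= disabled
if errorlevel 1 echo Failed to set WebClient to disabled - check that the service exists and that this shell is elevated.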

 

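echo ### 3. Disable icon preview option and Remove check-box field in folder option ###

REM NOTE: the HKCU values only affect the account this elevated script runs as
REM (the administrator who answered the UAC prompt); other user profiles on the
REM machine are not covered. The HKLM policy value applies machine-wide.
REM /f overwrites any existing value without prompting.
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisableThumbnails /t REG_DWORD /d 1 /f
if errorlevel 1 echo Failed to write HKCU DisableThumbnails policy value

REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisableThumbnails /t REG_DWORD /d 1 /f
if errorlevel 1 echo Failed to write HKLM DisableThumbnails policy value

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v IconsOnly /t REG_DWORD /d 1 /f
if errorlevel 1 echo Failed to write HKCU IconsOnly value

echo ### Finished ADV200006 Incident response Script ###

PAUSE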

::EXIT

 

 

:: [References]

::  https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv200006

:: https://portal.msrc.microsoft.com/ko-kr/security-guidance/advisory/adv200006

:: https://docs.microsoft.com/ko-kr/security-updates/securitybulletins/2015/ms15-077

:: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-077

:: https://blog.alyac.co.kr/381

:: https://blog.alyac.co.kr/2855

:: https://jxo21.tistory.com/14

:: https://www.maketecheasier.com/disable-image-preview-thumbnail-windows/

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005

 


https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796

 


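#!/bin/bash
# Lists the hosts in TARGET_IP_or_CIDR whose SMB service advertises dialect
# 3.11 (SMB 3.1.1), as reported by nmap's smb-protocols script, so they can be
# prioritised for the ADV200005 / CVE-2020-0796 update referenced above.
#
# Usage: scan_vul_smb_v3.11.sh TARGET_IP_or_CIDR
# Requires nmap in PATH. Exits 1 on a usage error or when nmap itself fails;
# prints "There's no SMB v3.11" when the scan completes with no match.
set -u -o pipefail

if [ $# -eq 0 ]; then
  printf 'Usage:\n\tscan_vul_smb_v3.11.sh TARGET_IP_or_CIDR\n' >&2
  exit 1
fi

# A target starting with "-" would be parsed by nmap as an option.
case $1 in
  -*) printf 'Target must not start with "-": %s\n' "$1" >&2; exit 1 ;;
esac

command -v nmap >/dev/null 2>&1 || { printf 'nmap not found in PATH\n' >&2; exit 1; }

echo "Checking if there's SMB v3.11 in" "$1" "..."

# One awk pass replaces the original grep/tr/replace chain: 'replace' is a
# MySQL utility that is usually not installed, and the unescaped "3.11"
# pattern also matched strings such as "3x11". Output is grouped per
# "Nmap scan report for" header; a host's IP is printed when a dialect line
# for 3.11 follows its header.
if ! hosts=$(nmap -p445 --script smb-protocols -Pn -n "$1" | awk '
    function flush() {
      if (seen && match(host, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
        print substr(host, RSTART, RLENGTH)
      }
      seen = 0
      host = ""
    }
    /^Nmap scan report for/ { flush(); host = $0; next }
    /^\|.[[:space:]]+3\.11([[:space:]]|$)/ { seen = 1 }
    END { flush() }'); then
  printf 'nmap failed while scanning %s\n' "$1" >&2
  exit 1
fi

if [ -z "$hosts" ]; then
  echo "There's no SMB v3.11"
else
  printf '%s\n' "$hosts"
fi
####
# Credit: nikallass
####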

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005

 


https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796

 


import socket
import struct
import sys

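# Single-host check: sends one pre-built SMB2 NEGOTIATE request and reports
# whether the reply shows the 3.1.1 dialect together with the context count the
# SMBGhost (CVE-2020-0796 / ADV200005) checks key on. A "Vulnerable." verdict
# means the host negotiates the affected configuration; confirm patch state
# (KB4551762, referenced at the end of this page) before acting on it.
#
# The request bytes are reproduced byte-for-byte from the original script. From
# the bytes it appears to offer dialects up to 0x0311 (SMB 3.1.1) and to attach
# negotiate contexts; the contexts are not decoded here -- see the MS-SMB2
# negotiate reference at the end of this page.
pkt = b'\x00\x00\x00\xc0\xfeSMB@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00$\x00\x08\x00\x01\x00\x00\x00\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00x\x00\x00\x00\x02\x00\x00\x00\x02\x02\x10\x02"\x02$\x02\x00\x03\x02\x03\x10\x03\x11\x03\x00\x00\x00\x00\x01\x00&\x00\x00\x00\x00\x00\x01\x00 \x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\n\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00'

# Offsets into the response body (4-byte NetBIOS header already stripped). The
# original script treats [68:70] as the "version" and [70:72] as the
# "compression" field; in the MS-SMB2 NEGOTIATE response layout these positions
# hold DialectRevision and NegotiateContextCount -- confirm against the spec
# before relying on those names.
DIALECT_SLICE = slice(68, 70)
CONTEXT_SLICE = slice(70, 72)
SMB_311 = b"\x11\x03"          # 0x0311 little-endian
EXPECTED_CONTEXTS = b"\x02\x00"


def recv_exact(sock, size):
    """Read exactly `size` bytes from `sock`.

    sock.recv(n) may legitimately return fewer than n bytes. The original
    script read the body with a single recv(), so a fragmented reply would
    shorten `res`, make the slice checks fail and report "Not vulnerable."
    for a host that merely split its response.

    Raises ConnectionError if the peer closes the connection early.
    """
    chunks = []
    remaining = size
    while remaining > 0:
        chunk = sock.recv(remaining)
        if not chunk:
            raise ConnectionError("peer closed the connection after %d of %d bytes"
                                  % (size - remaining, size))
        chunks.append(chunk)
        remaining -= len(chunk)
    return b"".join(chunks)


def classify_response(res):
    """Return the verdict string for a NEGOTIATE response body.

    "Vulnerable." only when both checked fields match; any other dialect,
    any other context count, or a body too short to hold the fields yields
    "Not vulnerable.", exactly as the original slice comparisons did.
    """
    if res[DIALECT_SLICE] != SMB_311:
        return "Not vulnerable."
    if res[CONTEXT_SLICE] != EXPECTED_CONTEXTS:
        return "Not vulnerable."
    return "Vulnerable."


def negotiate(host, port=445, timeout=3):
    """Send the NEGOTIATE request to host:port and return the response body.

    The original opened an IPv4 socket with a 3 s timeout; both are kept,
    with the port and timeout now parameters. The socket is closed on every
    path. Raises OSError (socket.timeout is a subclass) on connection
    problems and ConnectionError on a truncated reply.
    """
    with socket.socket(socket.AF_INET) as sock:
        sock.settimeout(timeout)
        sock.connect((host, port))
        sock.sendall(pkt)
        # 4-byte NetBIOS session header, read as one big-endian length word
        # just as the original did.
        nb, = struct.unpack(">I", recv_exact(sock, 4))
        return recv_exact(sock, nb)


def main(argv=None):
    """CLI entry point: python <script> HOST [PORT].

    The verdict is passed to sys.exit(), i.e. printed to stderr with status
    1, exactly like the original exit() calls. A missing host or a failed
    connection is reported the same way instead of as a traceback.
    """
    argv = sys.argv[1:] if argv is None else argv
    if not argv:
        sys.exit("Usage: %s HOST [PORT]" % sys.argv[0])
    host = argv[0]
    port = int(argv[1]) if len(argv) > 1 else 445
    try:
        res = negotiate(host, port)
    except OSError as exc:
        sys.exit("Could not complete SMB negotiate with %s:%d: %s" % (host, port, exc))
    sys.exit(classify_response(res))


if __name__ == "__main__":
    main()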

 

# Credit: ollypwn

 

 

import socket
import struct
import sys

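# Verbose variant of the single-host check: dumps the request in 32-byte
# slices, the raw reply, and the two fields the SMBGhost (CVE-2020-0796 /
# ADV200005) verdict is based on. The request bytes are reproduced
# byte-for-byte from the original (line continuations replaced by
# parenthesised literal concatenation, which is equivalent).
pkt = (
    b'\x00\x00\x00\xc0\xfeSMB@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
    b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
    b'\x00\x00\x00\x00$\x00\x08\x00\x01\x00\x00\x00\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
    b'x\x00\x00\x00\x02\x00\x00\x00\x02\x02\x10\x02"\x02$\x02\x00\x03\x02\x03\x10\x03\x11\x03\x00\x00\x00\x00\x01\x00&\x00'
    b'\x00\x00\x00\x00\x01\x00 \x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
    b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\n\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00'
    b'\x00\x00\x00\x00'
)


def show_packet(pkt):
    """Print the request size and its 32-byte slices, as the original did
    (the field labels are kept verbatim)."""
    print("=========[Show send packet]=========")
    print("Sending packet size :" + str(len(pkt)) + " bytes")
    print("Sending 1st Field:", pkt[0:32])
    print("Sending 2st Field:", pkt[32:64])
    print("Sending 3st Field:", pkt[64:96])
    print("Sending 4st Field:", pkt[96:128])
    print("Sending 5st Field:", pkt[128:160])
    print("Sending 6st Field:", pkt[160:192])
    print("Sending 7st Field:", pkt[192:196])


def recv_exact(sock, size):
    """Read exactly `size` bytes from `sock`.

    sock.recv(n) may return fewer than n bytes; the original read the body
    with one recv(), so a fragmented reply shortened `res` and produced a
    false "Not vulnerable" verdict. Raises ConnectionError on early close.
    """
    chunks = []
    remaining = size
    while remaining > 0:
        chunk = sock.recv(remaining)
        if not chunk:
            raise ConnectionError("peer closed the connection after %d of %d bytes"
                                  % (size - remaining, size))
        chunks.append(chunk)
        remaining -= len(chunk)
    return b"".join(chunks)


def negotiate(host, port=445, timeout=3):
    """Send the NEGOTIATE request to host:port and return the response body
    (4-byte NetBIOS header stripped; its length word is len(result)).

    Raises OSError (socket.timeout included) on connection problems and
    ConnectionError on a truncated reply. The socket is closed on every path.
    """
    with socket.socket(socket.AF_INET) as sock:
        sock.settimeout(timeout)
        sock.connect((host, port))
        sock.sendall(pkt)
        nb, = struct.unpack(">I", recv_exact(sock, 4))
        return recv_exact(sock, nb)


def show_response(res):
    """Print the raw reply and the two fields the verdict reads.

    The original labels [68:70] "Version Info" and [70:72] "Compression
    Info"; in the MS-SMB2 NEGOTIATE response layout these offsets hold
    DialectRevision and NegotiateContextCount -- confirm against the spec.
    """
    nb = len(res)
    print("=========[Show received packet]=========")
    print(res)
    print("Received packet size:",nb," bytes [",hex(nb), "]")
    print("Received Version Info :", res[68:70])
    print("Received Compression Info :", res[70:72])


def classify_response(res):
    """Return the verdict string for a NEGOTIATE response body.

    Same three outcomes as the original comparisons; a body too short to
    hold the fields is reported as a non-matching dialect.
    """
    if res[68:70] != b"\x11\x03":
        return "Not vulnerable smb version."
    if res[70:72] != b"\x02\x00":
        return "Not vulnerable compression flag setting."
    return "Vulnerable."


def main(argv=None):
    """CLI entry point: python <script> HOST [PORT].

    The original hard-coded a placeholder address ('192.168.0.0') with the
    sys.argv line commented out and had the two exit() calls unindented,
    which is a SyntaxError; the host now comes from the command line. The
    verdict goes through sys.exit() (stderr, status 1) as before.
    """
    argv = sys.argv[1:] if argv is None else argv
    if not argv:
        sys.exit("Usage: %s HOST [PORT]" % sys.argv[0])
    host = argv[0]
    port = int(argv[1]) if len(argv) > 1 else 445

    show_packet(pkt)
    try:
        res = negotiate(host, port)
    except OSError as exc:
        sys.exit("Could not complete SMB negotiate with %s:%d: %s" % (host, port, exc))
    show_response(res)

    print("=========[Results]=========")
    sys.exit(classify_response(res))


if __name__ == "__main__":
    main()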

# Credit: ollypwn

 

@References

https://github.com/eerykitty/CVE-2020-0796-PoC
https://github.com/cve-2020-0796/cve-2020-0796#5-exploit-script-1
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/smbghost-analysis-of-cve-2020-0796/

https://www.synacktiv.com/posts/exploit/im-smbghost-daba-dee-daba-da.html
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/smbghost-analysis-of-cve-2020-0796/
https://support.microsoft.com/en-us/help/4551762/windows-10-update-kb4551762
https://www.reddit.com/r/security/comments/fi266z/smbv3_ghost_cve20200796_poc/
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/5606ad47-5ee0-437a-817e-70c366052962
