local smb = require "smb"
local stdnse = require "stdnse"
local nmap = require "nmap"
local vulns = require "vulns"
--- NSE script metadata read by the engine (description, author, license,
-- categories). Kept as plain globals, which is what the NSE loader expects.
-- @usage nmap -p 445 --script cve-2020-0796 <target>
author = "Sanoop Thomas"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {
  "safe",
  "discovery",
  "vuln",
}
description = [==[
On 10th March 2020, Microsoft published ADV200005, an advisory for a critical RCE vulnerability in Microsoft Server Message Block 3.1.1 (SMBv3). The vulnerability was initially disclosed accidentally by a vendor’s blogpost related to March 2020 Patch Tuesday. The post was later removed by the vendor, but MalwareHunterTeam seized this accidental disclosure on twitter (https://twitter.com/malwrhunterteam/status/1237438376032251904)
According to Microsoft, the vulnerability exists in the way the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client. To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.
Update (12/03/2020): checks for SMB dialect 3.1.1
]==]
--- Select hosts on which the smb library can find an SMB port.
-- @param host Nmap host table.
-- @treturn boolean true when smb.get_port(host) returns a port, false otherwise.
hostrule = function(host)
  local smb_port = smb.get_port(host)
  if smb_port == nil then
    return false
  end
  return true
end
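--- Negotiate SMB dialects with the host and report CVE-2020-0796 status.
--
-- The only signal this script can obtain from smb.list_dialects is whether
-- the server accepts dialect 3.1.1. Speaking 3.1.1 is necessary but not
-- sufficient for this bug: fully patched hosts, and hosts with the advisory's
-- compression workaround applied, still negotiate 3.1.1, and the dialect
-- list does not expose the compression capability the defect lives in. A
-- 3.1.1 hit is therefore reported as LIKELY_VULN rather than VULN so the
-- report states its real confidence instead of a false positive, and the
-- negotiated dialect list is attached so the reader can see the evidence.
--
-- @param host Nmap host table.
-- @param port Nmap port table for the SMB service.
-- @return Vulnerability report output from vulns.Report, or nil when the
--   dialect negotiation itself failed (the host is then neither confirmed
--   nor cleared, so no NOT_VULN verdict is emitted for it).
action = function(host, port)
  local vuln = {
    title = "Microsoft Server Message Block 3.1.1 (SMBv3) Remote Code Execution vulnerability.",
    description = "Microsoft SMBv3 is vulnerable to remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests.",
    risk_factor = "HIGH",
    scores = { CVSS = "10.0" },
    IDS = {
      CVE = "CVE-2020-0796",
      Microsoft_Security_Advisory = "ADV200005",
      VU = "872016",
    },
    references = {
      "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005",
      "https://www.kb.cert.org/vuls/id/872016",
    },
    dates = {
      disclosure = { year = "2020", month = "03", day = "11" },
    },
  }

  local status, supported_dialects = smb.list_dialects(host, {})
  if not status then
    -- Nothing was negotiated, so there is no basis for a NOT_VULN verdict;
    -- emitting one would read as "checked and patched". Log and bail out.
    stdnse.debug1("SMB dialect negotiation failed: %s", tostring(supported_dialects))
    return nil
  end

  vuln.state = vulns.STATE.NOT_VULN
  local seen = {}
  for _, dialect in ipairs(supported_dialects) do
    seen[#seen + 1] = tostring(dialect)
    -- "3.11" is the label the smb library uses for SMB dialect 3.1.1.
    if dialect == "3.11" then
      -- Dialect support alone cannot confirm the bug (see header comment).
      vuln.state = vulns.STATE.LIKELY_VULN
    end
  end
  -- Surface the evidence behind the verdict in the report itself.
  vuln.check_results = {
    "Negotiated SMB dialects: " .. table.concat(seen, ", "),
  }

  local report = vulns.Report:new(SCRIPT_NAME, host, port)
  return report:make_output(vuln)
end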