xax007/CVE-2020-0796-Scanner

CVE-2020-0796 SMBv3.1.1 Compression Capability Vulnerability Scanner

Inspired by ollypwn's SMBGhost script, I wrote my own script and shared it.

```python
import socket
import binascii
import sys

if len(sys.argv) != 2:
    sys.exit("Usage: " + sys.argv[0] + " <host>")

# SMB2 NEGOTIATE request offering dialects up to 3.1.1 plus a compression capabilities context
payload = binascii.unhexlify('000000c8fe534d42400000000000000000001f0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000024000500010000007f0000000000000000000000000000000000000070000000030000000202100200030203110300000100260000000000010020000100000000000000000000000000000000000000000000000000000000000000000000000200060000000000020002000100000003000e000000000003000000000000000200030001000000'.encode())


#       Value         Meaning
# NONE 0x0000         No compression
# LZNT1 0x0001        LZNT1 compression algorithm
# LZ77 0x0002         LZ77 compression algorithm
# LZ77+Huffman 0x0003 LZ77+Huffman compression algorithm

try:
    sock = socket.socket(socket.AF_INET)
    sock.settimeout(3)
    sock.connect((sys.argv[1], 445))
    sock.sendall(payload)
    response = sock.recv(2020)
    sock.close()
    # hexlify() returns bytes on Python 3, so compare against bytes literals
    hex_response = binascii.hexlify(response)
    # Detect the negotiated SMB dialect
    # 1103 -> 3.1.1
    if hex_response[144:148].startswith(b'1103'):
        print(sys.argv[1] + " support SMB protocol version 3.1.1")
    # The checks below only read the negotiate response; they do not test
    # whether the fix for CVE-2020-0796 is installed on the target.
    # Last 18 bytes = trailing negotiate context; type 0x0003 is compression
    # capabilities and the final two bytes are the algorithm (see table above).
    if hex_response[-36:].startswith(b'03'):
        if response[-2:] == b'\x01\x00':
            sys.exit(sys.argv[1] + "\tVulnerable!!!\tTarget support LZNT1 compression algorithm")
        if response[-2:] == b'\x02\x00':
            sys.exit(sys.argv[1] + "\tVulnerable!!!\tTarget support LZ77 compression algorithm")
        if response[-2:] == b'\x03\x00':
            sys.exit(sys.argv[1] + "\tVulnerable!!!\tTarget support LZ77+Huffman compression algorithm")
except Exception as identifier:
    sys.exit(sys.argv[1] + " " + str(identifier))

sys.exit(sys.argv[1] + " [*] Not vulnerable.")
```

The code above does two things:

  1. Sends an SMB negotiate request that lists the supported SMB versions and compression algorithms
  2. Checks the response packet to detect the SMB version and compression algorithm the server supports
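
Step 2 can also be done by walking the negotiate contexts in the response instead of reading fixed offsets from its tail. The following is an added example, not code from this repository: `parse_negotiate_response` and `sample_response` are hypothetical names, field offsets follow the MS-SMB2 NEGOTIATE response layout, and the input is a constructed packet rather than a capture.

```python
import struct

ALGORITHMS = {0x0001: "LZNT1", 0x0002: "LZ77", 0x0003: "LZ77+Huffman"}
COMPRESSION_CAPABILITIES = 0x0003  # negotiate context type

def parse_negotiate_response(data):
    """Return (dialect, [compression algorithm names]) for a raw response,
    including the 4-byte NetBIOS session header. Raises ValueError if malformed."""
    smb = data[4:]  # MS-SMB2 offsets are relative to the SMB2 header
    if len(smb) < 128 or smb[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 negotiate response")
    status, command = struct.unpack_from("<IH", smb, 8)
    if status != 0 or command != 0:
        raise ValueError("negotiate failed or unexpected command")
    dialect, ctx_count = struct.unpack_from("<HH", smb, 64 + 4)
    if dialect != 0x0311:  # only 3.1.1 carries negotiate contexts
        return dialect, []
    off = struct.unpack_from("<I", smb, 64 + 60)[0]  # NegotiateContextOffset
    names = []
    for _ in range(ctx_count):
        off = (off + 7) & ~7  # contexts are 8-byte aligned
        if off + 8 > len(smb):
            raise ValueError("truncated negotiate context")
        ctx_type, data_len = struct.unpack_from("<HH", smb, off)
        body = smb[off + 8: off + 8 + data_len]
        if len(body) != data_len:
            raise ValueError("truncated negotiate context data")
        if ctx_type == COMPRESSION_CAPABILITIES and data_len >= 8:
            count = struct.unpack_from("<H", body)[0]
            if 8 + 2 * count > data_len:
                raise ValueError("bad CompressionAlgorithmCount")
            ids = struct.unpack_from("<%dH" % count, body, 8)
            names += [ALGORITHMS.get(a, hex(a)) for a in ids if a]  # 0 = NONE
        off += 8 + data_len
    return dialect, names

def sample_response(algs, dialect=0x0311):
    """Constructed test input, not a capture: header + body + two contexts."""
    hdr = b"\xfeSMB" + struct.pack("<H", 64) + bytes(58)
    pre = struct.pack("<HHI", 1, 38, 0) + struct.pack("<HHH", 1, 32, 1) + bytes(32)
    pre += bytes(-len(pre) % 8)  # pad so the next context is 8-byte aligned
    comp = struct.pack("<HHIHHI", 3, 8 + 2 * len(algs), 0, len(algs), 0, 0)
    comp += struct.pack("<%dH" % len(algs), *algs)
    body = struct.pack("<HHHH", 65, 1, dialect, 2) + bytes(52) + struct.pack("<I", 128)
    smb = hdr + body + pre + comp
    return struct.pack(">I", len(smb)) + smb

if __name__ == "__main__":
    print(parse_negotiate_response(sample_response([0x0002])))
```

The result describes what the server negotiated, so an empty list for a 3.1.1 server means no compression algorithm was accepted; it does not show whether the host has the CVE-2020-0796 fix installed.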

Created March 12, 2020
Updated August 12, 2024