clent413
diff --git a/‎LICENSE.txt
Lines changed: 21 additions & 0 deletions b/‎LICENSE.txt
Lines changed: 21 additions & 0 deletions
diff --git a/‎Plugins/CVE-2020-0796.go
Lines changed: 133 additions & 0 deletions b/‎Plugins/CVE-2020-0796.go
Lines changed: 133 additions & 0 deletions
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2021 shadow1ng
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
@@ -0,0 +1,133 @@
+package Plugins
+
+import (
+	"bytes"
+	"fmt"
+	"time"
+
+	"github.com/shadow1ng/fscan/common"
+)
+
+const (
+	pkt = "\x00" + // session
+		"\x00\x00\xc0" + // legth
+
+		"\xfeSMB@\x00" + // protocol
+
+		//[MS-SMB2]: SMB2 NEGOTIATE Request
+		//https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/e14db7ff-763a-4263-8b10-0c3944f52fc5
+
+		"\x00\x00" +
+		"\x00\x00" +
+		"\x00\x00" +
+		"\x00\x00" +
+		"\x1f\x00" +
+		"\x00\x00\x00\x00" +
+		"\x00\x00\x00\x00" +
+		"\x00\x00\x00\x00" +
+		"\x00\x00\x00\x00" +
+		"\x00\x00\x00\x00" +
+		"\x00\x00\x00\x00" +
+		"\x00\x00\x00\x00" +
+		"\x00\x00\x00\x00" +
+		"\x00\x00\x00\x00" +
+		"\x00\x00\x00\x00" +
+		"\x00\x00\x00\x00" +
+		"\x00\x00\x00\x00" +
+
+		// [MS-SMB2]: SMB2 NEGOTIATE_CONTEXT
+		// https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/15332256-522e-4a53-8cd7-0bd17678a2f7
+
+		"$\x00" +
+		"\x08\x00" +
+		"\x01\x00" +
+		"\x00\x00" +
+		"\x7f\x00\x00\x00" +
+		"\x00\x00\x00\x00" +
+		"\x00\x00\x00\x00" +
+		"\x00\x00\x00\x00" +
+		"\x00\x00\x00\x00" +
+		"x\x00" +
+		"\x00\x00" +
+		"\x02\x00" +
+		"\x00\x00" +
+		"\x02\x02" +
+		"\x10\x02" +
+		"\x22\x02" +
+		"$\x02" +
+		"\x00\x03" +
+		"\x02\x03" +
+		"\x10\x03" +
+		"\x11\x03" +
+		"\x00\x00\x00\x00" +
+
+		// [MS-SMB2]: SMB2_PREAUTH_INTEGRITY_CAPABILITIES
+		// https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/5a07bd66-4734-4af8-abcf-5a44ff7ee0e5
+
+		"\x01\x00" +
+		"&\x00" +
+		"\x00\x00\x00\x00" +
+		"\x01\x00" +
+		"\x20\x00" +
+		"\x01\x00" +
+		"\x00\x00\x00\x00" +
+		"\x00\x00\x00\x00" +
+		"\x00\x00\x00\x00" +
+		"\x00\x00\x00\x00" +
+		"\x00\x00\x00\x00" +
+		"\x00\x00\x00\x00" +
+		"\x00\x00\x00\x00" +
+		"\x00\x00\x00\x00" +
+		"\x00\x00" +
+
+		// [MS-SMB2]: SMB2_COMPRESSION_CAPABILITIES
+		// https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/78e0c942-ab41-472b-b117-4a95ebe88271
+
+		"\x03\x00" +
+		"\x0e\x00" +
+		"\x00\x00\x00\x00" +
+		"\x01\x00" + //CompressionAlgorithmCount
+		"\x00\x00" +
+		"\x01\x00\x00\x00" +
+		"\x01\x00" + //LZNT1
+		"\x00\x00" +
+		"\x00\x00\x00\x00"
+)
+
+func SmbGhost(info *common.HostInfo) error {
+	if common.IsBrute {
+		return nil
+	}
+	err := SmbGhostScan(info)
+	return err
+}
+
+func SmbGhostScan(info *common.HostInfo) error {
+	ip, port, timeout := info.Host, 445, time.Duration(common.Timeout)*time.Second
+	addr := fmt.Sprintf("%s:%v", info.Host, port)
+	conn, err := common.WrapperTcpWithTimeout("tcp", addr, timeout)
+	defer func() {
+		if conn != nil {
+			conn.Close()
+		}
+	}()
+	if err != nil {
+		return err
+	}
+	_, err = conn.Write([]byte(pkt))
+	if err != nil {
+		return err
+	}
+	buff := make([]byte, 1024)
+	err = conn.SetReadDeadline(time.Now().Add(timeout))
+	n, err := conn.Read(buff)
+	if err != nil {
+		return err
+	}
+	if bytes.Contains(buff[:n], []byte("Public")) == true {
+		result := fmt.Sprintf("[+] %v CVE-2020-0796 SmbGhost Vulnerable", ip)
+		common.LogSuccess(result)
+
+	}
+	return err
+}