Add CVE-2020-0796 #12459

Yusuf-Amr · 2025-06-23T20:09:09Z

Template / PR Information

Fixed CVE-2020-XXX / Added CVE-2020-XXX / Updated CVE-2020-XXX
References:

Template Validation

I've validated this template locally?

YES
NO

Additional Details (leave it blank if not applicable)

-During controlled testing in isolated lab environments, please ensure no security software interferes with raw SMB traffic to properly validate the template.

Result Example <Windows 10, version1903> (Vulnerable Machine):

└─$ nuclei -t smb-cve-2020-0796.yaml -u 10.1.1.6 -debug



                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.4.5

		projectdiscovery.io

[WRN] Found 1 templates loaded with deprecated protocol syntax, update before v3 for continued support.
[INF] Current nuclei version: v3.4.5 (latest)
[INF] Current nuclei-templates version: v10.2.3 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 105
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] [CVE-2020-0796] Dumped Network request for 10.1.1.6:445
00000000  00 00 00 c2 fe 53 4d 42  40 00 00 00 00 00 00 00  |.....SMB@.......|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000040  00 00 00 00 24 00 08 00  00 00 00 00 7f 00 00 00  |....$...........|
00000050  01 02 ab cd 01 02 ab cd  01 02 ab cd 01 02 ab cd  |................|
00000060  78 00 00 00 02 00 00 00  02 02 10 02 22 02 24 02  |x...........".$.|
00000070  00 03 02 03 10 03 11 03  00 00 00 00 01 00 26 00  |..............&.|
00000080  00 00 00 00 01 00 20 00  01 00 00 00 00 00 00 00  |...... .........|
00000090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000a0  00 00 00 00 00 00 00 00  00 00 00 00 03 00 0a 00  |................|
000000b0  00 00 00 00 01 00 00 00  01 00 00 00 01 00 00 00  |................|
000000c0  00 00 00 00 00 00 00 00  00 a0 fc 53 4d 42 ff ff  |...........SMB..|
000000d0  ff ff 01 00 00 00 80 00  00 00 fe 53 4d 42 40 00  |...........SMB@.|
000000e0  00 00 00 00 00 00 01 00  00 00 00 00 00 00 00 00  |................|
000000f0  00 00 01 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000100  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000110  00 00 00 00 00 00 00 00  00 00 19 00 00 02 00 00  |................|
00000120  00 00 00 00 00 00 58 00  28 00 00 00 00 00 00 00  |......X.(.......|
00000130  00 00 4e 54 4c 4d 53 53  50 00 01 00 00 00 32 90  |..NTLMSSP.....2.|
00000140  88 e2 00 00 00 00 28 00  00 00 00 00 00 00 28 00  |......(.......(.|
00000150  00 00 06 01 b1 1d 00 00  00 0f 00 00 00 00 00 00  |................|
00000160  00 00 00 00 00 00 00 00  00 00                    |..........| address=10.1.1.6:445
[CVE-2020-0796:binary-2] [tcp] [critical] 10.1.1.6:445
[CVE-2020-0796:binary-1] [tcp] [critical] 10.1.1.6:445
[DBG] [CVE-2020-0796] Dumped Network response for 10.1.1.6:445

00000000  00 00 02 02 fe 53 4d 42  40 00 00 00 00 00 00 00  |.....SMB@.......|
00000010  00 00 01 00 01 00 00 00  00 00 00 00 00 00 00 00  |................|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000040  00 00 00 00 41 00 01 00  11 03 02 00 2f 0e a2 92  |....A......./...|
00000050  0d 4e 23 4b 9a f2 76 da  ab 73 e6 1f 2f 00 00 00  |.N#K..v..s../...|
00000060  00 00 80 00 00 00 80 00  00 00 80 00 49 ab 68 33  |............I.h3|
00000070  d3 e4 db 01 00 00 00 00  00 00 00 00 80 00 40 01  |..............@.|
00000080  c0 01 00 00 60 82 01 3c  06 06 2b 06 01 05 05 02  |....`..<..+.....|
00000090  a0 82 01 30 30 82 01 2c  a0 1a 30 18 06 0a 2b 06  |...00..,..0...+.|
000000a0  01 04 01 82 37 02 02 1e  06 0a 2b 06 01 04 01 82  |....7.....+.....|
000000b0  37 02 02 0a a2 82 01 0c  04 82 01 08 4e 45 47 4f  |7...........NEGO|
000000c0  45 58 54 53 01 00 00 00  00 00 00 00 60 00 00 00  |EXTS........`...|
000000d0  70 00 00 00 be c4 c6 d5  38 2d 2c fd 71 67 6e 7e  |p.......8-,.qgn~|
000000e0  17 0a 91 ef 3d 2b 2a a9  5d 4c a0 a5 04 81 f1 4c  |....=+*.]L.....L|
000000f0  19 8f 2b 79 09 72 26 55  b8 68 70 30 00 81 5f ed  |..+y.r&U.hp0.._.|
00000100  e2 a1 2e d6 00 00 00 00  00 00 00 00 60 00 00 00  |............`...|
00000110  01 00 00 00 00 00 00 00  00 00 00 00 5c 33 53 0d  |............\3S.|
00000120  ea f9 0d 4d b2 ec 4a e3  78 6e c3 08 4e 45 47 4f  |...M..J.xn..NEGO|
00000130  45 58 54 53 03 00 00 00  01 00 00 00 40 00 00 00  |EXTS........@...|
00000140  98 00 00 00 be c4 c6 d5  38 2d 2c fd 71 67 6e 7e  |........8-,.qgn~|
00000150  17 0a 91 ef 5c 33 53 0d  ea f9 0d 4d b2 ec 4a e3  |....\3S....M..J.|
00000160  78 6e c3 08 40 00 00 00  58 00 00 00 30 56 a0 54  |[email protected]|
00000170  30 52 30 27 80 25 30 23  31 21 30 1f 06 03 55 04  |0R0'.%0#1!0...U.|
00000180  03 13 18 54 6f 6b 65 6e  20 53 69 67 6e 69 6e 67  |...Token Signing|
00000190  20 50 75 62 6c 69 63 20  4b 65 79 30 27 80 25 30  | Public Key0'.%0|
000001a0  23 31 21 30 1f 06 03 55  04 03 13 18 54 6f 6b 65  |#1!0...U....Toke|
000001b0  6e 20 53 69 67 6e 69 6e  67 20 50 75 62 6c 69 63  |n Signing Public|
000001c0  20 4b 65 79 01 00 26 00  00 00 00 00 01 00 20 00  | Key..&....... .|
000001d0  01 00 1d fd d7 0b c9 24  1a 29 65 db 88 85 07 aa  |.......$.)e.....|
000001e0  bf 06 10 47 ff ff b7 96  21 87 b2 ca 56 cd c2 98  |...G....!...V...|
000001f0  51 9a 00 00 03 00 0a 00  00 00 00 00 01 00 00 00  |Q...............|
00000200  00 00 00 00 01 00 00 00  00 31 fc 53 4d 42 48 00  |.........1.SMBH.|
00000210  00 00 01 00 00 00 00 00  00 00 1e b0 00 fe 53 4d  |..............SM|
00000220  42 40 00 00 00 c0 0d 00  00 c0 01 00 01 10 00 60  |B@.............`|
00000230  2d 00 10 01 03 30 1e 28  09 04 42                 |-....0.(..B|
[INF] Scan completed in 72.219457ms. 2 matches found.

Result Example <Windows 10, version 22H2 > (Non-vulnerable):

└─$ nuclei -t smb-cve-2020-0796.yaml -u 10.1.1.9 -debug



                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.4.5

		projectdiscovery.io

[WRN] Found 1 templates loaded with deprecated protocol syntax, update before v3 for continued support.
[INF] Current nuclei version: v3.4.5 (latest)
[INF] Current nuclei-templates version: v10.2.3 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 105
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] [CVE-2020-0796] Dumped Network request for 10.1.1.9:445
00000000  00 00 00 c2 fe 53 4d 42  40 00 00 00 00 00 00 00  |.....SMB@.......|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000040  00 00 00 00 24 00 08 00  00 00 00 00 7f 00 00 00  |....$...........|
00000050  01 02 ab cd 01 02 ab cd  01 02 ab cd 01 02 ab cd  |................|
00000060  78 00 00 00 02 00 00 00  02 02 10 02 22 02 24 02  |x...........".$.|
00000070  00 03 02 03 10 03 11 03  00 00 00 00 01 00 26 00  |..............&.|
00000080  00 00 00 00 01 00 20 00  01 00 00 00 00 00 00 00  |...... .........|
00000090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000a0  00 00 00 00 00 00 00 00  00 00 00 00 03 00 0a 00  |................|
000000b0  00 00 00 00 01 00 00 00  01 00 00 00 01 00 00 00  |................|
000000c0  00 00 00 00 00 00 00 00  00 a0 fc 53 4d 42 ff ff  |...........SMB..|
000000d0  ff ff 01 00 00 00 80 00  00 00 fe 53 4d 42 40 00  |...........SMB@.|
000000e0  00 00 00 00 00 00 01 00  00 00 00 00 00 00 00 00  |................|
000000f0  00 00 01 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000100  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000110  00 00 00 00 00 00 00 00  00 00 19 00 00 02 00 00  |................|
00000120  00 00 00 00 00 00 58 00  28 00 00 00 00 00 00 00  |......X.(.......|
00000130  00 00 4e 54 4c 4d 53 53  50 00 01 00 00 00 32 90  |..NTLMSSP.....2.|
00000140  88 e2 00 00 00 00 28 00  00 00 00 00 00 00 28 00  |......(.......(.|
00000150  00 00 06 01 b1 1d 00 00  00 0f 00 00 00 00 00 00  |................|
00000160  00 00 00 00 00 00 00 00  00 00                    |..........| address=10.1.1.9:445
[DBG] [CVE-2020-0796] Dumped Network response for 10.1.1.9:445

00000000  00 00 02 02 fe 53 4d 42  40 00 00 00 00 00 00 00  |.....SMB@.......|
00000010  00 00 01 00 01 00 00 00  00 00 00 00 00 00 00 00  |................|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000040  00 00 00 00 41 00 01 00  11 03 02 00 88 23 8a 24  |....A........#.$|
00000050  2f d4 10 43 b1 e3 b8 b2  7c 5f 33 46 2f 00 00 00  |/..C....|_3F/...|
00000060  00 00 80 00 00 00 80 00  00 00 80 00 22 ea 57 19  |............".W.|
00000070  d5 e4 db 01 00 00 00 00  00 00 00 00 80 00 40 01  |..............@.|
00000080  c0 01 00 00 60 82 01 3c  06 06 2b 06 01 05 05 02  |....`..<..+.....|
00000090  a0 82 01 30 30 82 01 2c  a0 1a 30 18 06 0a 2b 06  |...00..,..0...+.|
000000a0  01 04 01 82 37 02 02 1e  06 0a 2b 06 01 04 01 82  |....7.....+.....|
000000b0  37 02 02 0a a2 82 01 0c  04 82 01 08 4e 45 47 4f  |7...........NEGO|
000000c0  45 58 54 53 01 00 00 00  00 00 00 00 60 00 00 00  |EXTS........`...|
000000d0  70 00 00 00 97 a4 6e cd  dd 44 a8 6b 42 9d 68 c3  |p.....n..D.kB.h.|
000000e0  ef 02 e8 21 a2 03 56 6d  24 65 68 80 3a 63 90 e6  |...!..Vm$eh.:c..|
000000f0  f5 5d 75 45 a9 c8 20 cb  43 e3 9f 45 b2 f2 17 f2  |.]uE.. .C..E....|
00000100  03 4b aa e0 00 00 00 00  00 00 00 00 60 00 00 00  |.K..........`...|
00000110  01 00 00 00 00 00 00 00  00 00 00 00 5c 33 53 0d  |............\3S.|
00000120  ea f9 0d 4d b2 ec 4a e3  78 6e c3 08 4e 45 47 4f  |...M..J.xn..NEGO|
00000130  45 58 54 53 03 00 00 00  01 00 00 00 40 00 00 00  |EXTS........@...|
00000140  98 00 00 00 97 a4 6e cd  dd 44 a8 6b 42 9d 68 c3  |......n..D.kB.h.|
00000150  ef 02 e8 21 5c 33 53 0d  ea f9 0d 4d b2 ec 4a e3  |...!\3S....M..J.|
00000160  78 6e c3 08 40 00 00 00  58 00 00 00 30 56 a0 54  |[email protected]|
00000170  30 52 30 27 80 25 30 23  31 21 30 1f 06 03 55 04  |0R0'.%0#1!0...U.|
00000180  03 13 18 54 6f 6b 65 6e  20 53 69 67 6e 69 6e 67  |...Token Signing|
00000190  20 50 75 62 6c 69 63 20  4b 65 79 30 27 80 25 30  | Public Key0'.%0|
000001a0  23 31 21 30 1f 06 03 55  04 03 13 18 54 6f 6b 65  |#1!0...U....Toke|
000001b0  6e 20 53 69 67 6e 69 6e  67 20 50 75 62 6c 69 63  |n Signing Public|
000001c0  20 4b 65 79 01 00 26 00  00 00 00 00 01 00 20 00  | Key..&....... .|
000001d0  01 00 a7 55 56 e2 ee a1  8d 82 8a f5 c5 e2 45 0a  |...UV.........E.|
000001e0  7c 99 6f 74 ef b5 ea 7f  ac c1 e7 e1 06 f8 66 09  ||.ot..........f.|
000001f0  94 34 00 00 03 00 0a 00  00 00 00 00 01 00 00 00  |.4..............|
00000200  01 00 00 00 01 00                                 |......|
[INF] Scan completed in 2.436977378s. No results found.

Additional References:

princechaddha · 2025-06-23T20:09:19Z

Automated PR Review (Experimental)

Thank you for your contribution! You can join our Discord server. It's a great place to connect with fellow contributors and stay updated with the latest developments. Thank you once again.

Required Fixes

Fix the indentation for the matchers section to ensure consistency with other templates.

Other Suggestions

Consider adding verified: true in the metadata section once the template has been tested and confirmed to work correctly.
Ensure that there are multiple matchers to minimize false positives, which may enhance the validation process.

Please note that I am an AI Template bot, which is still experimental, and the team will review the PR shortly.

iamnoooob · 2025-06-24T12:56:20Z

Validated this template on Windows 10 1903 build (x64), It works well:

Confirmed that after applying a registry hot fix, it is not detected:

DhiyaneshGeek · 2025-06-24T13:27:24Z

Hi @Yusuf-Amr

Thank you for sharing the template and contributing to the Template Project. We appreciate your participation in the Bounty Claim Program!

As a token of appreciation for your valuable contribution, you can grab some cool PD Stickers from here http://nux.gg/stickers.

You can join our discord server. It's a great place to connect with fellow contributors and stay updated with the latest developments. Thank you once again!

Yusuf-Amr · 2025-06-26T11:39:54Z

Thank you so much everyone for reviewing and validating my submission. I appreciate the team's effort and I'm glad to be part of this community.

Add CVE-2020-0796 SMBGhost template

1e58f80

algora-pbc bot added the 🙋 Bounty claim label Jun 23, 2025

princechaddha assigned pussycat0x Jun 23, 2025

algora-pbc bot mentioned this pull request Jun 23, 2025

CVE-2020-0796 - Microsoft SMBv3 - Remote Code Execution 💰 #12271

Closed

princechaddha requested a review from ritikchaddha June 23, 2025 20:09

ehsandeep requested a review from iamnoooob June 24, 2025 00:00

Yusuf-Amr changed the title ~~Add CVE-2020-0796 SMBGhost template~~ Add CVE-2020-0796 Jun 24, 2025

DhiyaneshGeek added the good first issue Good for newcomers label Jun 24, 2025

fix-template

353a568

DhiyaneshGeek added the Done Ready to merge label Jun 24, 2025

DhiyaneshGeek added 4 commits June 24, 2025 19:02

fix-template

1aff3d5

fix-template

1f78175

fix-lint-error

4040809

Update CVE-2020-0796.yaml

eaab7de

iamnoooob approved these changes Jun 26, 2025

View reviewed changes

ritikchaddha approved these changes Jun 28, 2025

View reviewed changes

ritikchaddha merged commit e39e3f9 into projectdiscovery:main Jun 28, 2025
3 checks passed

princechaddha linked an issue Jul 1, 2025 that may be closed by this pull request

CVE-2020-0796 - Microsoft SMBv3 - Remote Code Execution 💰 #12271

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Add CVE-2020-0796 #12459

Add CVE-2020-0796 #12459

Uh oh!

Yusuf-Amr commented Jun 23, 2025 •

edited

Loading

Uh oh!

princechaddha commented Jun 23, 2025

Uh oh!

iamnoooob commented Jun 24, 2025

Uh oh!

DhiyaneshGeek commented Jun 24, 2025

Uh oh!

Yusuf-Amr commented Jun 26, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

Add CVE-2020-0796 #12459

Add CVE-2020-0796 #12459

Uh oh!

Conversation

Yusuf-Amr commented Jun 23, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Template / PR Information

Template Validation

Additional Details (leave it blank if not applicable)

Additional References:

Uh oh!

princechaddha commented Jun 23, 2025

Automated PR Review (Experimental)

Required Fixes

Other Suggestions

Uh oh!

iamnoooob commented Jun 24, 2025

Uh oh!

DhiyaneshGeek commented Jun 24, 2025

Uh oh!

Yusuf-Amr commented Jun 26, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

Yusuf-Amr commented Jun 23, 2025 •

edited

Loading