This repository has been archived by the owner on May 9, 2023. It is now read-only.

Only outputs 3 arguments when running the .bat file on Windows 10 1909 running on VMware 14 #5

Open
99hansling opened this issue Jun 13, 2020 · 13 comments

Comments

@99hansling

I can get all the arguments needed on my own Windows 10, but only 3 on the target Windows 10. The three arguments are `srvnet!imp_IoSizeofWorkItem`, `srvnet!imp_RtlCopyUnicodeString` and `nt!IoSizeofWorkItem`.

I also tried adding the remaining two arguments copied from my local real Windows to SMBleedingGhost.py, but when I ran the script, the virtual Windows 10 would soon get a blue screen.

So I'm just wondering what's going on.

I'll be really grateful for your quick response!

@Michael-ZecOps

The batch script requires an internet connection to download symbols. I'm not sure what else can cause it to fail (any error messages?), but as a workaround you can copy the relevant files from the guest to the host and run the script on the copied files by adjusting the paths everywhere you see %windir%\system32 in the script.

@99hansling
Author

> The batch script requires an internet connection to download symbols. I'm not sure what else can cause it to fail (any error messages?), but as a workaround you can copy the relevant files from the guest to the host and run the script on the copied files by adjusting the paths everywhere you see %windir%\system32 in the script.

I'm sure that my virtual Windows has an internet connection because I just downloaded the scripts from GitHub in it. And I tried the way you recommended, and copied C:\Windows\System32 to my host, but it just didn't work, and only output 3 arguments.
Maybe it was because something was lacking in the virtual machine, but I don't know what was wrong. Seems really weird.

@Michael-ZecOps

Remove the following part that appears twice in the batch file: `| findstr #`, so that the lines only contain `%cmd%`. Run the script and post the full output you get.

@99hansling
Author

> Remove the following part that appears twice in the batch file: `| findstr #`, so that the lines only contain `%cmd%`. Run the script and post the full output you get.

Well, I put a " " in the name of the .bat, and directly double-clicked the script, and it output all five arguments! Seems really weird, because when I tried to use the cmd line to open the script, it just output three arguments. And before this quote, I tried to directly open it by double-click, but it just showed and shut down immediately.

And when I replaced the offsets in SMBleedingGhost.py and ran it, it just succeeded. LOTS OF THANKS!

@Michael-ZecOps

I'm glad that it works. Still, if you can reproduce the issue and remove the part that I mentioned, perhaps we can see what went wrong. Then I'll be able to fix it for other users.

@99hansling
Author

1. The photos below are what I got when running the batch file by double-click in my virtual guest.

2. This is what I got on my host after running the modified batch file (after changing `%windir%` to the real directory) by double-click:

Calculating offsets, please wait...


Microsoft (R) Windows Debugger Version 10.0.17763.168 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [G:\UNIVERSITY\system32\drivers\srvnet.sys]

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*G:\UNIVERSITY\大二下\渗透测试实验\cve漏洞\cve-2020-0796\CVE-2020-0796-RCE-POC-master\tools*https://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*G:\UNIVERSITY\大二下\渗透测试实验\cve漏洞\cve-2020-0796\CVE-2020-0796-RCE-POC-master\tools*https://msdl.microsoft.com/download/symbols
Executable search path is:
Unable to add extension DLL: ntsdexts
Unable to add extension DLL: uext
Unable to add extension DLL: exts
The call to LoadLibrary(ext) failed, Win32 error 0n2
    "系统找不到指定的文件。"
Please check your debugger configuration and/or network access.
ModLoad: 00000001`c0000000 00000001`c0053000   G:\UNIVERSITY\system32\drivers\srvnet.sys
srvnet!GsDriverEntry:
00000001`c004d010 48895c2408      mov     qword ptr [rsp+8],rbx ss:00000000`00000008=????????????????
0:000> cdb: Reading initial command '.echo ==========; .printf "\OFFSETS = { \x23\n"; .catch { .printf "\    'srvnet!SrvNetWskConnDispatch': 0x%X, \x23\n", srvnet!SrvNetWskConnDispatch-srvnet }; .catch { .printf "\    'srvnet!imp_IoSizeofWorkItem': 0x%X, \x23\n", 1C0032210-srvnet+0n0*8 }; .catch { .printf "\    'srvnet!imp_RtlCopyUnicodeString': 0x%X, \x23\n", 1C0032210-srvnet+0n15*8 }; .echo ==========; q'
==========
OFFSETS = { #
    'srvnet!SrvNetWskConnDispatch': 0x2D170, #
    'srvnet!imp_IoSizeofWorkItem': 0x32210, #
    'srvnet!imp_RtlCopyUnicodeString': 0x32288, #
==========
quit:

Microsoft (R) Windows Debugger Version 10.0.17763.168 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [G:\UNIVERSITY\system32\ntoskrnl.exe]

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*G:\UNIVERSITY\大二下\渗透测试实验\cve漏洞\cve-2020-0796\CVE-2020-0796-RCE-POC-master\tools*https://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*G:\UNIVERSITY\大二下\渗透测试实验\cve漏洞\cve-2020-0796\CVE-2020-0796-RCE-POC-master\tools*https://msdl.microsoft.com/download/symbols
Executable search path is:
Unable to add extension DLL: ntsdexts
Unable to add extension DLL: uext
Unable to add extension DLL: exts
The call to LoadLibrary(ext) failed, Win32 error 0n2
    "系统找不到指定的文件。"
Please check your debugger configuration and/or network access.
ModLoad: 00000001`40000000 00000001`40ab6000   G:\UNIVERSITY\system32\ntoskrnl.exe
ntoskrnl!KiSystemStartup:
00000001`40597010 4883ec38        sub     rsp,38h
0:000> cdb: Reading initial command '.echo ==========; .catch { .printf "    'nt!IoSizeofWorkItem': 0x%X, \x23\n", ntoskrnl!IoSizeofWorkItem-ntoskrnl }; .catch { .printf "    'nt!MiGetPteAddress': 0x%X \x23\n", ntoskrnl!MiGetPteAddress-ntoskrnl }; .printf "} \x23\n"; .echo ==========; q'
==========
    'nt!IoSizeofWorkItem': 0x12C380, #
    'nt!MiGetPteAddress': 0xBADC8 #
} #
==========
quit:
3. While I mentioned the file-name problem and the whether-run-directly problem, it seems I misunderstood it. It seemed the file name and whether it was run directly had nothing to do with whether it gives the right output or not. So I just give you the output samples running on guest and host.

Hope I can help you figure out what was going on with it.

@Michael-ZecOps

The two symbols that failed to load are the ones that require symbols. Try the following: add the following lines at the beginning of the batch file, run it, and post the contents of the newly created dbghelp.log file:

set DBGHELP_DBGOUT=1
set DBGHELP_LOG=..\dbghelp.log

@99hansling
Author

Here is what I got in the guest.
dbghelp.log (attached)

> The two symbols that failed to load are the ones that require symbols. Try the following: add the following lines at the beginning of the batch file, run it, and post the contents of the newly created dbghelp.log file:
> set DBGHELP_DBGOUT=1
> set DBGHELP_LOG=..\dbghelp.log

@Michael-ZecOps

From the log:

SYMSRV: HttpSendRequest: 800C2EFD - ERROR_INTERNET_CANNOT_CONNECT

So for some reason, the guest failed to download from:
https://msdl.microsoft.com/download/symbols/srvnet.pdb/CFE2BF7A30464E7FCE0CC805AA1C96CB1/srvnet.pdb
and:
https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/E0093F3AEF15D58168B753C9488A40431/ntkrnlmp.pdb

Somebody on Stack Overflow suggests it can be caused by a mis-configured IE.

@99hansling
Author

> From the log:
>
> SYMSRV: HttpSendRequest: 800C2EFD - ERROR_INTERNET_CANNOT_CONNECT
>
> So for some reason, guest failed to download from:
> https://msdl.microsoft.com/download/symbols/srvnet.pdb/CFE2BF7A30464E7FCE0CC805AA1C96CB1/srvnet.pdb
> and:
> https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/E0093F3AEF15D58168B753C9488A40431/ntkrnlmp.pdb
>
> Somebody on Stack Overflow suggests it can be caused by a mis-configured IE.

I have seen the issue mentioned on Stack Overflow. But my IE browser could really connect to the Internet, and

You are right. Though I can connect to the Internet with my IE, I just can't connect to the sites you posted.
It tells me that I can't connect securely.

@Stab1el commented Jun 15, 2020

> Well, I put a " " in the name of the .bat, and directly double-clicked the script, and it output all five arguments! Seems really weird, because when I tried to use the cmd line to open the script, it just output three arguments. And before this quote, I tried to directly open it by double-click, but it just showed and shut down immediately.

Hello, I have the same question as yours. The script could output 5 arguments on the real host Win10, but only 3 on the VM target Win10. How did you fix this problem?

@99hansling
Author

> Well, I put a " " in the name of the .bat, and directly double-clicked the script, and it output all five arguments! Seems really weird, because when I tried to use the cmd line to open the script, it just output three arguments. And before this quote, I tried to directly open it by double-click, but it just showed and shut down immediately.

> Hello, I have the same question as yours. The script could output 5 arguments on the real host Win10, but only 3 on the VM target Win10. How did you fix this problem?

I just copied the system32 files of my guest to my host, and modified the address in the batch file as mentioned above.

@trollyanov

The .bat file does not work:

OFFSETS = { #
'srvnet!imp_IoSizeofWorkItem': 0x40000000, #
'srvnet!imp_RtlCopyUnicodeString': 0x40000000, #
'nt!IoSizeofWorkItem': 0x12C400, #
} #
