> For the complete documentation index, see [llms.txt](https://capcap-1.gitbook.io/capcap/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://capcap-1.gitbook.io/capcap/readme/ctf-modules/exploitation/service-exploitation/smb-139-445/latest-smb-vulnerabilities.md).

# Latest SMB Vulnerabilities

#### SMBGhost — CVE-2020-0796

| Field         | Detail                     |
| ------------- | -------------------------- |
| Affected      | Windows 10 v1903 and v1909 |
| Protocol      | SMBv3.1.1                  |
| Auth required | None (unauthenticated)     |
| Impact        | RCE + full system access   |

**Root cause:** Integer overflow in the SMB driver's compression handling during session negotiation. No bounds check on compressed data size → buffer overflow → CPU instruction overwrite → attacker-controlled code execution.

> Integer overflow = CPU tries to store a number larger than the allocated memory space allows → wraps around → unexpected value written to adjacent memory.

***

#### Attack Flow

**Phase 1 — Trigger the overflow**

| Step | What happens                                                        | Category    |
| ---- | ------------------------------------------------------------------- | ----------- |
| 1    | Attacker sends malformed compressed request to SMB server (TCP/445) | Source      |
| 2    | Server processes compressed packet per negotiated protocol response | Process     |
| 3    | Runs with SYSTEM/admin privileges                                   | Privileges  |
| 4    | Local SMB process is the target                                     | Destination |

**Phase 2 — Achieve RCE**

| Step | What happens                                                                             | Category    |
| ---- | ---------------------------------------------------------------------------------------- | ----------- |
| 5    | Output of Phase 1 used as input                                                          | Source      |
| 6    | Integer overflow triggers → buffer overwritten with attacker shellcode → CPU executes it | Process     |
| 7    | Same SYSTEM privileges inherited                                                         | Privileges  |
| 8    | Attacker's remote machine gets access                                                    | Destination |

***

#### Key Takeaway

Even complex memory corruption exploits follow the same Source → Process → Privileges → Destination cycle. The complexity is in the *how* (integer overflow, buffer manipulation), not the *concept*.

**Prereqs to go deeper:** Stack-Based Buffer Overflows on Linux x86 + Windows x86 modules (HTB Academy).


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://capcap-1.gitbook.io/capcap/readme/ctf-modules/exploitation/service-exploitation/smb-139-445/latest-smb-vulnerabilities.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
