physical read primitive failed #6

Open
Sohimaster opened this issue Jun 3, 2020 · 24 comments

Comments

@Sohimaster

physical read primitive failed for my host, which is vulnerable according to this scanner:
https://github.com/ollypwn/SMBGhost
Is this normal?

@Sohimaster (Author)

It's not working for every vulnerable host I have

@chompie1337 (Owner)

I haven't been able to replicate this behavior. Can you check to see if this DoS script causes BSOD? Thank you

https://github.com/eerykitty/CVE-2020-0796-PoC

@J1mX commented Jun 4, 2020

I get the same error. I will go back through the set-up.

@johnseed commented Jun 4, 2020

I tried on 1809, 1903, 1909 and 2004; all got the same error. The DoS script does cause a BSOD.
[image]

@chompie1337 (Owner)

> I tried on 1809, 1903, 1909 and 2004; all got the same error. The DoS script does cause a BSOD.
> [image]

What is your testing environment? Meaning, what hypervisor? It seems like the read primitive is not working; it could be that tcpip is not using DMA, which the primitive depends on.

@johnseed commented Jun 5, 2020

> I tried on 1809, 1903, 1909 and 2004; all got the same error. The DoS script does cause a BSOD.
> [image]

> What is your testing environment? Meaning, what hypervisor? It seems like the read primitive is not working; it could be that tcpip is not using DMA, which the primitive depends on.

I use Hyper-V on Windows.
Found some related pictures.
[image]

@leezp commented Jun 5, 2020

Can you tell me how to fix it?

@Q1984 commented Jun 5, 2020

Same here. VirtualBox, W10 1903: physical read primitive failed!

@theLSA commented Jun 6, 2020

Same problem: VirtualBox + Win10 1903 Business + Python 3.7, WAF closed, Security Center closed.
// Not patched; blue screen with Python 2 via exploit.py, and with https://github.com/eerykitty/CVE-2020-0796-PoC

@e-fin commented Jun 12, 2020

I am having the same error. I tried on a VMware Fusion VM running Windows and a physical desktop running Windows. I tried the physical host to see if it had to do with DMA, but neither worked.

I tried the above DoS script and it doesn't even blue screen either the VM or the physical desktop. I feel like I may be missing something.

I used this to confirm they are both vulnerable, but I don't know how reliable it is: https://github.com/ollypwn/SMBGhost

It fails around
if buff[4:8] != b"\xfeSMB":

buff[4:8] always equals b"\xfeSMB" and I'm unsure what it should equal to get the expected output.

Edit: what was your lab setup when developing this? I'm going to try VirtualBox instead of VMware Fusion because I've seen another user have success with that hypervisor.

@99hansling

> I've

Hello! I'm having the same problem as you. Have you succeeded?

@e-fin commented Jun 14, 2020

> > I've
>
> Hello! I'm having the same problem as you. Have you succeeded?

Not yet. I think the physical system I'm using for testing has a patch for the issue, or the version is not vulnerable. I'm really not sure though.

@e-fin commented Jun 16, 2020

@99hansling
I have solved the problem of the read primitive failing! I got it working on a VM running in VMware Fusion; I just had to download an older version of Windows 10.

I downloaded version 1903 from here: https://tb.rg-adguard.net/public.php
(the files are downloaded from Microsoft servers, so it's not sketchy)

Installed it in a VM with no internet to make sure no automatic updates happened (I don't know if this was required, but I'm new to Windows internals so I was just being safe). The exploit worked first try with no issue, it seems; adding my own shellcode now to verify.

Thanks @chompie1337 for an awesome PoC and instructions for adding your own shellcode!

@kernelzeroday commented Jun 20, 2020

@Fi1o

> @99hansling
> I have solved the problem of the read primitive failing! I got it working on a VM running in VMware Fusion; I just had to download an older version of Windows 10.
>
> I downloaded version 1903 from here: https://tb.rg-adguard.net/public.php
> (the files are downloaded from Microsoft servers, so it's not sketchy)
>
> Installed it in a VM with no internet to make sure no automatic updates happened (I don't know if this was required, but I'm new to Windows internals so I was just being safe). The exploit worked first try with no issue, it seems; adding my own shellcode now to verify.
>
> Thanks @chompie1337 for an awesome PoC and instructions for adding your own shellcode!

Was this with the Windows 10 Home or Pro version of 1903? This is also known as 18362, correct? Thanks!

@NullBruce commented Jun 22, 2020

Same on a remote Windows 10 Pro 18362.
EDIT: I tested it on a physical local Windows 10 and it worked.

@whitehat9090

> I tried on 1809, 1903, 1909 and 2004; all got the same error. The DoS script does cause a BSOD.
> [image]

> What is your testing environment? Meaning, what hypervisor? It seems like the read primitive is not working; it could be that tcpip is not using DMA, which the primitive depends on.

Hello!
I tested on a Windows 10 1903 VM; it works, with the following result.
[+] found low stub at phys addr 11000!
[+] PML4 at 1aa000
[+] base of HAL heap at fffff788c0000000
[+] found PML4 self-ref entry 1e7
[+] found HalpInterruptController at fffff788c0000680
[+] found HalpApicRequestInterrupt at fffff80035eb3bb0
[+] built shellcode!
[+] KUSER_SHARED_DATA PTE at fffff3fbc0000000
[+] KUSER_SHARED_DATA PTE NX bit cleared!
[+] Wrote shellcode at fffff78000000950!
[+] Press a key to execute shellcode!
[+] overwrote HalpInterruptController pointer, should have execution shortly...

But a bluescreen was triggered.
I debugged it using windbg.

hal!HalpApicRequestInterrupt+0xa4:
fffff800`35eb3c54 4584e4 test r12b,r12b
3: kd> t
KDTARGET: Refreshing KD connection

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

For analysis of this file, run !analyze -v
nt!DbgBreakPointWithStatus:
fffff800`355c4580 cc int 3
0: kd> !analyze -v
The debuggee is ready to run
WARNING: This break is not a step/trace completion.
The last command has been cleared to prevent
accidental continuation of this unrelated event.
Check the event, location and thread before resuming.
Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

0: kd> r
rax=0000000000000000 rbx=0000000000000003 rcx=0000000000000003
rdx=0000000000000000 rsi=0000000000000000 rdi=fffff80031a5b180
rip=fffff800355c4580 rsp=fffff800386813b8 rbp=fffff80038681520
r8=0000000000000000 r9=0000000000000000 r10=000001539738d27d
r11=fffff80038681370 r12=0000000000000003 r13=00000000004f4454
r14=0000000000000000 r15=ffffbf0ce8ca8040
iopl=0 nv up di ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000086

@wxh0000mm commented Jul 10, 2020

Windows 10 1903 18362.30
The virtual machine uses VMware Workstation 14

root@bogon:~/Desktop/SMBGhost_RCE_PoC-master# python3 exploit.py -ip 192.168.83.130
[-] physical read primitive failed!

Who can tell me how to set it up to be successful? Thanks.

@NullBruce commented Jul 10, 2020

> Windows 10 1903 18362.30
> The virtual machine uses VMware Workstation 14
>
> root@bogon:~/Desktop/SMBGhost_RCE_PoC-master# python3 exploit.py -ip 192.168.83.130
> [-] physical read primitive failed!
>
> Who can tell me how to set it up to be successful? Thanks.

@wxh0000mm, are you sure you can reach the Windows 10 machine? Try: ping 192.168.83.130. If there is a response, try using https://github.com/ollypwn/SMBGhost with: python3 scanner.py 192.168.83.130, then post the result.

@barrett092

This is the error I continually get as well.

@EdgeSync

What I noted when testing was that using Python 3 caused this error, "physical read primitive failed", but using Python 2 triggered the BSOD. I haven't looked into why yet, but try Python 2 if you are getting this error.

@ranseljorge

Windows 10 1903 18362.356

C:\Users\Ransel\Desktop> python3 exploit.py -ip 192.168.83.130
[-] physical read primitive failed!

@L0daW commented Jun 5, 2022

Help! Please help! It's 2022 and I can't fix it.
Win 10 1906, vulnerable

@kirsten-1

Try another version of Python! I failed using Python 3.9, but Python 3.10 succeeded!
[image]
[image]

@alexrotaru891

> Windows 10 1903 18362.30
> The virtual machine uses VMware Workstation 14
> root@bogon:~/Desktop/SMBGhost_RCE_PoC-master# python3 exploit.py -ip 192.168.83.130
> [-] physical read primitive failed!
> Who can tell me how to set it up to be successful? Thanks.

> @wxh0000mm, are you sure you can reach the Windows 10 machine? Try: ping 192.168.83.130. If there is a response, try using https://github.com/ollypwn/SMBGhost with: python3 scanner.py 192.168.83.130, then post the result.

import socket
import struct
import sys


def recv_exact(sock, n):
    # recv() may return fewer bytes than requested; loop until the whole message is in
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before the full SMB2 response arrived")
        buf += chunk
    return buf


def scanner_smb_ghost_silent(ip, port):
    # SMB2 fields are little-endian; "<" makes that explicit instead of relying on native order/alignment
    header = b"\xfeSMB"  # magic
    header += struct.pack("<H", 64)  # header size
    header += struct.pack("<H", 0)  # credit charge
    header += struct.pack("<H", 0)  # channel sequence
    header += struct.pack("<H", 0)  # reserved
    header += struct.pack("<H", 0)  # negotiate protocol command
    header += struct.pack("<H", 31)  # credits requested
    header += struct.pack("<I", 0)  # flags
    header += struct.pack("<I", 0)  # chain offset
    header += struct.pack("<Q", 0)  # message id
    header += struct.pack("<I", 0)  # process id
    header += struct.pack("<I", 0)  # tree id
    header += struct.pack("<Q", 0)  # session id
    header += b"\x00" * 16  # signature

    negotiation = b""
    negotiation += struct.pack("<H", 0x24)  # struct size
    negotiation += struct.pack("<H", 8)  # amount of dialects
    negotiation += struct.pack("<H", 1)  # enable signing
    negotiation += struct.pack("<H", 0)  # reserved
    negotiation += struct.pack("<I", 0x7f)  # capabilities
    negotiation += b"\x00" * 16  # client guid
    negotiation += struct.pack("<I", 0x78)  # negotiation context offset (from the start of the SMB2 header)
    negotiation += struct.pack("<H", 2)  # negotiation context count
    negotiation += struct.pack("<H", 0)  # reserved
    negotiation += struct.pack("<H", 0x0202)  # smb 2.0.2 dialect
    negotiation += struct.pack("<H", 0x0210)  # smb 2.1.0 dialect
    negotiation += struct.pack("<H", 0x0222)  # smb 2.2.2 dialect
    negotiation += struct.pack("<H", 0x0224)  # smb 2.2.4 dialect
    negotiation += struct.pack("<H", 0x0300)  # smb 3.0.0 dialect
    negotiation += struct.pack("<H", 0x0302)  # smb 3.0.2 dialect
    negotiation += struct.pack("<H", 0x0310)  # smb 3.1.0 dialect
    negotiation += struct.pack("<H", 0x0311)  # smb 3.1.1 dialect
    negotiation += struct.pack("<I", 0)  # padding so the first context starts 8-byte aligned (offset 0x78)
    # context 1: SMB2_PREAUTH_INTEGRITY_CAPABILITIES
    negotiation += struct.pack("<H", 1)  # negotiation context type
    negotiation += struct.pack("<H", 38)  # negotiation data length
    negotiation += struct.pack("<I", 0)  # reserved
    negotiation += struct.pack("<H", 1)  # hash algorithm count
    negotiation += struct.pack("<H", 32)  # salt length
    negotiation += struct.pack("<H", 1)  # hash algorithm SHA-512
    negotiation += b"\x00" * 32  # salt
    negotiation += struct.pack("<H", 0)  # 2 bytes of alignment padding so the next context is 8-byte aligned
    # context 2: SMB2_COMPRESSION_CAPABILITIES
    negotiation += struct.pack("<H", 3)  # negotiation context type
    negotiation += struct.pack("<H", 10)  # negotiation data length
    negotiation += struct.pack("<I", 0)  # reserved
    # algorithm count 1, padding, flags 1, algorithm 1 (LZNT1), plus trailing zero bytes
    negotiation += b"\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"

    packet = header + negotiation

    # NetBIOS session header: 1 byte message type (0 = session message) + 3-byte big-endian length
    packet = struct.pack(">I", len(packet)) + packet

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(5)
    sock.connect((str(ip), int(port)))
    sock.sendall(packet)
    # The NetBIOS length is big-endian; the posted version unpacked it in native (little-endian)
    # order, which yields a bogus huge size. Mask off the type byte and read exactly that many bytes.
    size = struct.unpack(">I", recv_exact(sock, 4))[0] & 0x00FFFFFF
    response = recv_exact(sock, size)
    sock.close()

    # NEGOTIATE response: DialectRevision and NegotiateContextCount sit at offsets 68 and 70
    version = struct.unpack("<H", response[68:70])[0]
    context = struct.unpack("<H", response[70:72])[0]

    if version != 0x0311:
        print(f"SMB version {hex(version)} was found which is not vulnerable!")
        return False
    elif context != 2:
        print(
            f"Server answered with context {hex(context)} which indicates that the target may not have SMB compression enabled and is therefore not vulnerable!")
        return False
    else:
        print(
            f"SMB version {hex(version)} with context {hex(context)} was found which indicates SMBv3.1.1 is being used and SMB compression is enabled, therefore being vulnerable to CVE-2020-0796!")
        return True


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"usage: {sys.argv[0]} <ip> [port]")
        sys.exit(2)
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 445
    sys.exit(0 if scanner_smb_ghost_silent(sys.argv[1], target_port) else 1)

Hi guys! Can anyone help?
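The scanner posted above decides "vulnerable" from the NegotiateContextCount being exactly 2, which is a heuristic: a server can send any number of contexts, and only an SMB2_COMPRESSION_CAPABILITIES context (type 0x0003) that lists a real algorithm actually shows compression is on. As an added example, not code from this thread, from ollypwn's scanner or from the SMBGhost_RCE_PoC project, here is a parser that walks the negotiate contexts of a NEGOTIATE response the way MS-SMB2 lays them out (8-byte aligned, type/length/reserved then data) and reports the dialect and whether compression is advertised. The sample responses are constructed inline for offline use, and all function and constant names are mine. Note the same caveat applies to the page's scanner: this only tells you that SMB 3.1.1 with compression is advertised, not whether the host is patched, since a patched host can still advertise compression.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_DIALECT_311 = 0x0311
SMB2_PREAUTH_INTEGRITY_CAPABILITIES = 0x0001
SMB2_COMPRESSION_CAPABILITIES = 0x0003
SMB2_COMPRESSION_NONE = 0x0000  # "none" algorithm id; anything else (e.g. 1 = LZNT1) is real compression


def parse_negotiate_response(smb):
    """Parse an SMB2 NEGOTIATE response (header + body, NetBIOS session header already removed).

    Returns (dialect, [(context_type, data), ...]). Field layout follows MS-SMB2 2.2.4;
    negotiate contexts only exist when the agreed dialect is 3.1.1."""
    if len(smb) < 128 or smb[:4] != SMB2_MAGIC:
        raise ValueError("not a complete SMB2 NEGOTIATE response")
    structure_size, _security_mode, dialect, context_count = struct.unpack_from("<HHHH", smb, 64)
    if structure_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize %d" % structure_size)
    # ServerGuid(16) Capabilities(4) MaxTransact/Read/Write(12) SystemTime(8) ServerStartTime(8)
    # sit between the fields above and the offsets below, hence body offset 56.
    _sec_off, _sec_len, context_offset = struct.unpack_from("<HHI", smb, 64 + 56)
    contexts = []
    if dialect == SMB2_DIALECT_311:
        pos = context_offset
        for i in range(context_count):
            if i:
                pos = (pos + 7) & ~7  # every context after the first is 8-byte aligned
            ctype, dlen = struct.unpack_from("<HH", smb, pos)  # followed by 4 reserved bytes
            data = smb[pos + 8:pos + 8 + dlen]
            if len(data) != dlen:
                raise ValueError("truncated negotiate context")
            contexts.append((ctype, data))
            pos += 8 + dlen
    return dialect, contexts


def compression_advertised(contexts):
    """True if an SMB2_COMPRESSION_CAPABILITIES context lists at least one real algorithm."""
    for ctype, data in contexts:
        if ctype != SMB2_COMPRESSION_CAPABILITIES or len(data) < 8:
            continue
        count, _pad, _flags = struct.unpack_from("<HHI", data, 0)
        if len(data) < 8 + 2 * count:
            raise ValueError("truncated compression context")
        algorithms = struct.unpack_from("<%dH" % count, data, 8)
        if any(a != SMB2_COMPRESSION_NONE for a in algorithms):
            return True
    return False


def assess_negotiate_response(smb):
    dialect, contexts = parse_negotiate_response(smb)
    return {
        "dialect": dialect,
        "contexts": contexts,
        "compression_enabled": dialect == SMB2_DIALECT_311 and compression_advertised(contexts),
    }


def build_sample_response(dialect, contexts):
    """Construct a minimal NEGOTIATE response for offline testing (constructed data, not a capture)."""
    # header: size, credit charge, status, command, credits, flags, next cmd, msg id, reserved, tree, session
    header = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0) + b"\x00" * 16
    blob = b""
    for i, (ctype, data) in enumerate(contexts):
        if i:
            blob += b"\x00" * (-len(blob) % 8)  # pad so the next context is 8-byte aligned
        blob += struct.pack("<HHI", ctype, len(data), 0) + data
    has_contexts = dialect == SMB2_DIALECT_311 and bool(contexts)
    body = struct.pack("<HHHH", 65, 1, dialect, len(contexts) if has_contexts else 0)
    body += b"\x00" * 16  # ServerGuid
    body += struct.pack("<IIII", 0x2F, 0x800000, 0x800000, 0x800000)  # Capabilities, max sizes
    body += struct.pack("<QQ", 0, 0)  # SystemTime, ServerStartTime
    body += struct.pack("<HHI", 128, 0, 128 if has_contexts else 0)  # empty security buffer; contexts at 128
    return header + body + (blob if has_contexts else b"")


# constructed context payloads: preauth = 1 hash algorithm (SHA-512), 32-byte salt; compression = 1 algorithm, LZNT1
PREAUTH_DATA = struct.pack("<HHH", 1, 32, 1) + b"\x00" * 32
LZNT1_COMPRESSION_DATA = struct.pack("<HHIH", 1, 0, 0, 1)

SAMPLE_311_WITH_COMPRESSION = build_sample_response(SMB2_DIALECT_311, [
    (SMB2_PREAUTH_INTEGRITY_CAPABILITIES, PREAUTH_DATA),
    (SMB2_COMPRESSION_CAPABILITIES, LZNT1_COMPRESSION_DATA),
])
SAMPLE_311_NO_COMPRESSION = build_sample_response(SMB2_DIALECT_311, [
    (SMB2_PREAUTH_INTEGRITY_CAPABILITIES, PREAUTH_DATA),
])
SAMPLE_302 = build_sample_response(0x0302, [])

if __name__ == "__main__":
    for name, sample in [("3.1.1 + LZNT1", SAMPLE_311_WITH_COMPRESSION),
                         ("3.1.1, no compression", SAMPLE_311_NO_COMPRESSION),
                         ("3.0.2", SAMPLE_302)]:
        print(name, assess_negotiate_response(sample))
```

To use it against a live host, feed `assess_negotiate_response` the bytes that follow the 4-byte NetBIOS session header of the reply to a NEGOTIATE request such as the one the scanner above builds; the parser raises on truncated data rather than reading past the end, which is what you want when the response comes from an untrusted peer.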
