PoC details: 5004aba6c062724ca45529499d3f1add46881012

Source
Related vulnerability
Title: Microsoft Windows Point-to-Point Tunneling Protocol race condition vulnerability (CVE-2022-23270)
Description: Microsoft Windows Point-to-Point Tunneling Protocol (PPTP) is a network protocol from Microsoft that creates a virtual private network (VPN) over a TCP/IP-based data network so that data can be transmitted securely from a remote client to a private enterprise server. A race condition vulnerability exists in Microsoft Windows Point-to-Point Tunneling Protocol. The following products and versions are affected: Windows Server 2012 R2 (Server Core
Description
A Zeek package to detect CVE-2022-23270, a PPTP vulnerability in Windows.
Introduction
# CVE-2022-23270

A package to detect CVE-2022-23270, a vulnerability in Microsoft's PPTP implementation.

## Example

You can run this logic on the included PCAP in the `testing/Traces` directory:

```
$ zeek -Cr CVE-2022-23270-exploited.pcap packages

$ cat notice.log 
#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	notice
#open	2022-05-10-23-03-47
#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	email_dest	suppress_for	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	set[string]	interval	string	string	string	double	double
1652212222.744235	CHhAvVGS1DHFjwGM9	192.168.88.166	51143	192.168.88.157	1723	-	-	-	tcp	CVE202223270::CVE_2022_23270_Attempt	Potential PPTP CVE-2022-23270 exploit attempt: 192.168.88.166 attempted exploit against 192.168.88.157	-	192.168.88.166	192.168.88.157	1723	-	-	Notice::ACTION_LOG	(empty)	3600.000000	-	-	-	-	-
1652212222.744235	CHhAvVGS1DHFjwGM9	192.168.88.166	51143	192.168.88.157	1723	-	-	-	tcp	CVE202223270::CVE_2022_23270_Success	PPTP CVE-2022-23270 exploit success: 192.168.88.166 exploited 192.168.88.157	-	192.168.88.166	192.168.88.157	1723	-	-	Notice::ACTION_LOG	(empty)	3600.000000	-	-	-	-	-
#close	2022-05-10-23-03-47
```
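The notice.log above is Zeek's TSV log format: `#`-prefixed header lines declare the separator, the unset and empty-field markers, and the `#fields`/`#types` columns, followed by one record per line. The following Python is an added example, not part of the Zeek package or of this page, that parses that format from its headers and summarises the package's two notice types per source/destination pair. The log text embedded in it is constructed from the two records shown above (reduced to a subset of the columns) plus one extra constructed record, from a hypothetical source 192.168.88.170, that raised only the Attempt notice.

```python
from collections import Counter

# Constructed sample notice.log: the two records from the README output above,
# reduced to the columns used here, plus a third constructed record from
# 192.168.88.170 that only triggered the Attempt notice.
SAMPLE_NOTICE_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tnotice",
    "#open\t2022-05-10-23-03-47",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tfuid\tnote\tmsg\tsrc\tdst\tp\tactions\temail_dest\tsuppress_for",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tenum\tstring\taddr\taddr\tport\tset[enum]\tset[string]\tinterval",
    "1652212222.744235\tCHhAvVGS1DHFjwGM9\t192.168.88.166\t51143\t192.168.88.157\t1723\t-\tCVE202223270::CVE_2022_23270_Attempt\tPotential PPTP CVE-2022-23270 exploit attempt: 192.168.88.166 attempted exploit against 192.168.88.157\t192.168.88.166\t192.168.88.157\t1723\tNotice::ACTION_LOG\t(empty)\t3600.000000",
    "1652212222.744235\tCHhAvVGS1DHFjwGM9\t192.168.88.166\t51143\t192.168.88.157\t1723\t-\tCVE202223270::CVE_2022_23270_Success\tPPTP CVE-2022-23270 exploit success: 192.168.88.166 exploited 192.168.88.157\t192.168.88.166\t192.168.88.157\t1723\tNotice::ACTION_LOG\t(empty)\t3600.000000",
    "1652212230.100000\tCconstructed0001\t192.168.88.170\t40000\t192.168.88.157\t1723\t-\tCVE202223270::CVE_2022_23270_Attempt\tPotential PPTP CVE-2022-23270 exploit attempt: 192.168.88.170 attempted exploit against 192.168.88.157\t192.168.88.170\t192.168.88.157\t1723\tNotice::ACTION_LOG\t(empty)\t3600.000000",
    "#close\t2022-05-10-23-03-47",
])

NOTICE_PREFIX = "CVE202223270"  # module name of the package's notice enum


def _convert(value, ztype, unset, empty, set_sep):
    """Map one raw field to a Python value according to its #types entry."""
    if value == unset:
        return None
    if ztype.startswith("set["):
        return set() if value == empty else set(value.split(set_sep))
    if ztype.startswith("vector["):
        return [] if value == empty else value.split(set_sep)
    if ztype in ("time", "double", "interval"):
        return float(value)
    if ztype in ("count", "int", "port"):
        return int(value)
    return value  # string, addr, enum, bool and others stay as text


def parse_zeek_log(text):
    """Parse a Zeek TSV log; returns (field names, field types, list of dict records)."""
    sep, set_sep, unset, empty = "\t", ",", "-", "(empty)"
    fields = types = None
    records = []
    for raw in text.splitlines():
        if not raw:
            continue
        if raw.startswith("#"):
            if raw.startswith("#separator "):
                # The separator is written escaped (e.g. \x09), separated by a space.
                sep = raw[len("#separator "):].encode("ascii").decode("unicode_escape")
                continue
            key, _, value = raw[1:].partition(sep)
            if key == "set_separator":
                set_sep = value
            elif key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            elif key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            continue  # #path, #open, #close carry no record data
        if fields is None or types is None:
            raise ValueError("data line before #fields/#types header")
        values = raw.split(sep)
        records.append({name: _convert(val, ztype, unset, empty, set_sep)
                        for name, ztype, val in zip(fields, types, values)})
    return fields, types, records


def summarize_cve_notices(records):
    """Count Attempt/Success notices of this package per (src, dst, kind)."""
    counts = Counter()
    for rec in records:
        prefix, _, kind = rec["note"].partition("::")
        if prefix == NOTICE_PREFIX:
            counts[(rec["src"], rec["dst"], kind)] += 1
    return counts


def exploited_hosts(records):
    """Destinations for which the package raised a Success notice."""
    return sorted({rec["dst"] for rec in records
                   if rec["note"] == f"{NOTICE_PREFIX}::CVE_2022_23270_Success"})


def attempt_only_sources(records):
    """Sources that raised an Attempt notice but never a Success notice."""
    attempted, succeeded = set(), set()
    for rec in records:
        if rec["note"] == f"{NOTICE_PREFIX}::CVE_2022_23270_Attempt":
            attempted.add(rec["src"])
        elif rec["note"] == f"{NOTICE_PREFIX}::CVE_2022_23270_Success":
            succeeded.add(rec["src"])
    return sorted(attempted - succeeded)


if __name__ == "__main__":
    _, _, recs = parse_zeek_log(SAMPLE_NOTICE_LOG)
    for key, n in sorted(summarize_cve_notices(recs).items()):
        print(key, n)
    print("exploited hosts:", exploited_hosts(recs))
    print("attempt-only sources:", attempt_only_sources(recs))
```

Reading the separator, unset and empty markers from the header rather than hard-coding tabs and `-` keeps the parser valid for other Zeek logs (conn.log, the package's baseline files) and for deployments that change those defaults; splitting the Attempt and Success notices lets a responder prioritise the hosts that were actually exploited over the ones that only saw an attempt.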

## RFCs
- https://datatracker.ietf.org/doc/html/rfc2637
File snapshot

```
[4.0K] /data/pocs/5004aba6c062724ca45529499d3f1add46881012
├── [1.5K] LICENSE
├── [1.5K] README.md
├── [4.0K] scripts
│   ├── [ 41] __load__.zeek
│   ├── [ 974] main.zeek
│   └── [ 420] signatures.sig
├── [4.0K] testing
│   ├── [4.0K] Baseline
│   │   └── [4.0K] cve202223270.run-pcap
│   │       ├── [ 746] conn.log
│   │       ├── [1.3K] notice.log
│   │       └── [ 115] output
│   ├── [ 565] btest.cfg
│   ├── [4.0K] cve202223270
│   │   └── [ 269] run-pcap.zeek
│   ├── [4.0K] Files
│   │   └── [ 192] random.seed
│   ├── [ 28] Makefile
│   ├── [4.0K] Scripts
│   │   ├── [ 383] diff-remove-timestamps
│   │   ├── [1.3K] get-zeek-env
│   │   └── [ 303] README
│   └── [4.0K] Traces
│       └── [5.8M] CVE-2022-23270-exploited.pcap
└── [ 315] zkg.meta

8 directories, 17 files
```