PoC details: 69c0b5288d808d4802cce0ff5ffa93aec1cfcb43

Source
Related vulnerability
Title: Microsoft Windows input validation error vulnerability (CVE-2020-0609)
Description: Microsoft Windows is an operating system for personal devices from the US company Microsoft. A remote code execution vulnerability exists in Microsoft Windows Remote Desktop Gateway (RD Gateway). An attacker can exploit it to execute arbitrary code on the target system by connecting to the system over RDP and sending specially crafted requests. The following products and versions are affected: Microsoft Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Se
Description
PoC (DoS + scanner) for CVE-2020-0609 & CVE-2020-0610 - RD Gateway RCE
Introduction

# BlueGate

Proof of Concept (Denial of Service + scanner) for CVE-2020-0609 and CVE-2020-0610.


These vulnerabilities allow an unauthenticated attacker to gain remote code execution with the highest privileges via RD Gateway for RDP.


Please use for research and educational purposes only.


## Usage
Make sure you have [pyOpenSSL](https://www.pyopenssl.org/en/stable/) installed for Python 3.

    usage: BlueGate.py [-h] -M {check,dos} [-P PORT] host
    
    positional arguments:
      host                  IP address of host
    
    optional arguments:
      -h, --help            show this help message and exit
      -M {check,dos}, --mode {check,dos}
                            Mode
      -P PORT, --port PORT  UDP port of RDG, default: 3391


## Vulnerability

The vulnerabilities allow an unauthenticated attacker to write forward out of bounds on the heap by specifying an unchecked, arbitrary index parameter (`0x00` to `0xFFFF`). The data written is also arbitrary, with a length of up to 1000 bytes per write and a maximum of 4096 bytes during one session.
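To make the bounds problem concrete, here is an added model of fragment reassembly in C; it is not RD Gateway's code or the BlueGate PoC, and `struct session`, `SESSION_MAX`, `FRAG_MAX` and the index-times-fragment-size slot layout are assumptions chosen to match the limits quoted above. The unchecked form only reports the offset a trusted index would produce; the hardened form validates index, length and the per-session budget before copying anything.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed model, not RD Gateway's real layout: a session reassembles at most
 * 4096 bytes, each fragment carries at most 1000 bytes, and a fragment's
 * slot is index * FRAG_MAX (limits taken from the text above). */
#define SESSION_MAX 4096u
#define FRAG_MAX    1000u

struct session {
    uint8_t buf[SESSION_MAX];
    size_t  received; /* bytes accepted so far in this session */
};

/* Unchecked pattern: the 16-bit index from the packet is trusted, so the
 * computed slot can lie far beyond buf. This helper only reports the offset
 * such code would use; it never writes, so the model runs safely. */
size_t unchecked_offset(uint16_t index)
{
    return (size_t)index * FRAG_MAX;
}

/* Hardened pattern: reject the fragment unless index, length and the
 * session budget all fit inside buf before any memcpy happens. */
bool checked_write(struct session *s, uint16_t index,
                   const uint8_t *data, size_t len)
{
    if (len == 0 || len > FRAG_MAX)
        return false;                         /* bad fragment length */
    size_t off = (size_t)index * FRAG_MAX;
    if (off >= SESSION_MAX || len > SESSION_MAX - off)
        return false;                         /* slot outside the buffer */
    if (len > SESSION_MAX - s->received)
        return false;                         /* per-session budget spent */
    memcpy(s->buf + off, data, len);
    s->received += len;
    return true;
}
```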


If you would like to read more about the vulnerabilities, check [this](https://www.kryptoslogic.com/blog/2020/01/rdp-to-rce-when-fragmentation-goes-wrong/) or read my latest tweets on [Twitter](https://twitter.com/ollypwn) with a PoC video as well.


## What is RD Gateway?

RD Gateway acts as a proxy for RDP, sitting between internal servers and the internet, so you don't have to expose RDP directly to the internet.

## Why BlueGate?


That was just the working title, and I couldn't come up with a better one at this stage.


## Todo:

- ~~Vulnerability scanner/checker~~ **DONE**

- ~~Python implementation~~ **DONE**

File snapshot

    [4.0K] /data/pocs/69c0b5288d808d4802cce0ff5ffa93aec1cfcb43
    ├── [4.0K] BlueGate.py
    ├── [4.0K] old
    │   ├── [4.0K] BlueGate
    │   │   ├── [2.2K] BlueGate.cpp
    │   │   ├── [ 971] BlueGate.h
    │   │   ├── [8.4K] BlueGate.vcxproj
    │   │   ├── [1.0K] BlueGate.vcxproj.filters
    │   │   └── [ 165] BlueGate.vcxproj.user
    │   ├── [1.4K] BlueGate.sln
    │   ├── [1.6K] README.md
    │   └── [4.0K] Release
    │       └── [ 12K] BlueGate.exe
    └── [1.7K] README.md

    3 directories, 10 files
Cached for you by the Shenlong bot
Notes
    1. It is recommended to access the PoC via the source first.
    2. If the source is no longer available or cannot be accessed, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.