关联漏洞
标题:
微软 Microsoft Windows 输入验证错误漏洞
(CVE-2020-0609)
描述:Microsoft Windows是美国微软(Microsoft)公司的一套个人设备使用的操作系统。 Microsoft Windows Remote Desktop Gateway (RD Gateway)中存在远程代码执行漏洞。攻击者可通过使用RDP连接到目标系统并发送特制的请求利用该漏洞在目标系统上执行任意代码。以下产品及版本受到影响:Microsoft Windows Server 2012,Windows Server 2012 R2,Windows Server 2016,Windows Se
描述
PoC for the Remote Desktop Gateway vulnerability - CVE-2020-0609 & CVE-2020-0610
介绍
# BlueGate
PoC for the Remote Desktop Gateway vulnerability - CVE-2020-0609 & CVE-2020-0610. Thanks to [ollypwn](https://twitter.com/ollypwn) for pointing out my silly mistake!
## Setup
I'm using a patched version of `pydtls` as the original repository wouldn't build properly.
```
cd pydtls
sudo python setup.py install
```
## Denial of Service
A PoC for the DoS attack can be found in [dos.py](https://github.com/ioncodes/BlueGate/blob/master/dos.py). This essentially crashes the Remote Desktop Gateway service. The initial PoC can be found in the commits or [here](https://github.com/ioncodes/BlueGate/blob/91ad3951c0db0944a5f8ade8c4af1ae6bd69836e/dos.py).
### Usage
```
python dos.py 192.168.8.133 3391
```
### Result
Before:
After:
## Scanner
A scanner that is able to determin whether the target is vulnerable or not. The script can be found in [check.py](https://github.com/ioncodes/BlueGate/blob/master/check.py). The timeout is set to 3 seconds by default but can be adjusted in the source code.
### Usage
```
python check.py 192.168.8.134 3391
```
### Result
It says either `Vulnerable!` or `Not vulnerable!`.
文件快照
[4.0K] /data/pocs/9040c0116af354003eb80e68296a9c91cc0f5cbe
├── [1.4K] check.py
├── [1.1K] dos.py
├── [4.0K] images
│ ├── [115K] after_dos.png
│ └── [116K] before_dos.png
├── [4.0K] pydtls
│ ├── [ 12K] ChangeLog
│ ├── [4.0K] dtls
│ │ ├── [4.0K] demux
│ │ │ ├── [2.1K] __init__.py
│ │ │ ├── [4.0K] osnet.py
│ │ │ └── [6.7K] router.py
│ │ ├── [4.0K] err.py
│ │ ├── [2.4K] __init__.py
│ │ ├── [ 39K] openssl.py
│ │ ├── [ 12K] patch.py
│ │ ├── [4.0K] prebuilt
│ │ │ ├── [4.0K] win32-x86
│ │ │ │ ├── [1.2M] libeay32.dll
│ │ │ │ ├── [1.2K] manifest.pycfg
│ │ │ │ └── [270K] ssleay32.dll
│ │ │ └── [4.0K] win32-x86_64
│ │ │ ├── [2.0M] libeay32.dll
│ │ │ ├── [1.2K] manifest.pycfg
│ │ │ └── [354K] ssleay32.dll
│ │ ├── [ 36K] sslconnection.py
│ │ ├── [4.0K] test
│ │ │ ├── [4.0K] certs
│ │ │ │ ├── [1.9K] badcert.pem
│ │ │ │ ├── [2.1K] badkey.pem
│ │ │ │ ├── [ 587] ca-cert_ec.pem
│ │ │ │ ├── [ 769] ca-cert.pem
│ │ │ │ ├── [ 893] keycert_ec.pem
│ │ │ │ ├── [1.7K] keycert.pem
│ │ │ │ ├── [ 0] nullcert.pem
│ │ │ │ ├── [ 591] server-cert_ec.pem
│ │ │ │ ├── [ 774] server-cert.pem
│ │ │ │ ├── [1.8K] wrongcert.pem
│ │ │ │ └── [1.7K] yahoo-cert.pem
│ │ │ ├── [3.8K] echo_seq.py
│ │ │ ├── [ 783] __init__.py
│ │ │ ├── [1.4K] makecerts
│ │ │ ├── [1.1K] makecerts_ec.bat
│ │ │ ├── [ 315] openssl_ca.cnf
│ │ │ ├── [ 317] openssl_server.cnf
│ │ │ ├── [1.3K] rl.py
│ │ │ ├── [ 533] simple_client.py
│ │ │ ├── [ 14K] test_perf.py
│ │ │ ├── [ 56K] unit.py
│ │ │ └── [ 25K] unit_wrapper.py
│ │ ├── [1.9K] tlock.py
│ │ ├── [1.8K] util.py
│ │ ├── [ 13K] wrapper.py
│ │ └── [5.1K] x509.py
│ ├── [9.9K] LICENSE
│ ├── [ 476] NOTICE
│ ├── [ 17K] README.md
│ └── [5.0K] setup.py
└── [1.3K] README.md
9 directories, 50 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。