2025-04-12 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains in detail how to reproduce the Windows TCP/IP remote code execution vulnerability CVE-2020-16898. The editor shares it as a reference; after reading it you should have a working understanding of the relevant knowledge.
0x00 Introduction
CVE-2020-16898 is a remote code execution vulnerability that exists because the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploits it can execute code on the target server or client. To exploit the vulnerability, the attacker must send a specially crafted ICMPv6 Router Advertisement packet to a remote Windows computer.
0x01 Vulnerability description
A remote attacker can execute arbitrary code on the targeted host by constructing a specially crafted ICMPv6 Router Advertisement packet and sending it to a remote Windows host.
An attacker can exploit this vulnerability by sending maliciously crafted packets, making it possible to execute arbitrary code on remote systems. The proof of concept shared with MAPP (Microsoft Active Protection Program) members is both simple and reliable. It causes an immediate BSOD (blue screen crash), but more seriously, for anyone who can bypass the Windows 10 and Windows Server 2019 mitigations, there is the possibility of full exploitation. The impact of an exploit that achieves remote code execution would be widespread and significant, because this class of bug is potentially wormable.
0x02 Affected versions
Windows 10 Version 1709 for 32-bit Systems
Windows 10 Version 1709 for ARM64-based Systems
Windows 10 Version 1709 for x64-based Systems
Windows 10 Version 1803 for 32-bit Systems
Windows 10 Version 1803 for ARM64-based Systems
Windows 10 Version 1803 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 2004 for 32-bit Systems
Windows 10 Version 2004 for ARM64-based Systems
Windows 10 Version 2004 for x64-based Systems
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
Windows Server, version 2004 (Server Core installation)
0x03 Environment setup
Enable IPv6 support in the network environment. Here VMware is used: create a NAT subnet and enable IPv6 support on it. Open Edit -> Virtual Network Editor, select the NAT-mode network, enable IPv6 support, and click OK, as shown below.
Select an affected Windows 10 image and install it in a virtual machine.
Version 1709 is used here:
In the Windows 10 guest, open Control Panel -> Network and Sharing Center, then right-click Ethernet0 and open its properties.
Enable IPv6 (Internet Protocol Version 6):
0x04 Vulnerability reproduction
1. Run ipconfig to view the IPv6 address:
2. Note: use the "IPv6 address" or "Temporary IPv6 address" as the victim machine's IPv6 address.
3. The attacker must be able to reach the target host (here the author's own physical machine is used as the attacker).
Run ipconfig to check the attacker machine's IPv6 address and select the "Link-local IPv6 address".
4. The attacker machine has Python 3.7+ with scapy installed. After installing Python, open cmd and enter python; if no error is reported, the installation succeeded:
Then install scapy:
Install it directly with pip:
pip install scapy
Some optional extension features can be installed as well:
pip install matplotlib pyx cryptography
Start the scapy interactive shell
Switch to Python's Scripts folder and start it directly with the scapy command (which is really scapy.bat):
scapy
The launch screen is shown below:
5. The payload constructs a specific IPv6 packet and sends it to the victim machine, causing the victim machine to blue-screen.
CVE-2020-16898-exp1.py:
After editing the script, run it on the attacker: python 1.py
The virtual machine blue-screens, as shown below:
You can use Wireshark on the corresponding virtual network adapter to capture and inspect the packets.
As shown in the following figure:
Looking at the packet, you can see the payload it carries.
0x05 Remediation recommendations
1. Upgrade and update. Install the update for this vulnerability immediately; download the latest patch from the link below and apply it.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898
2. If you cannot upgrade, it is recommended to disable RA-based DNS configuration as a temporary workaround.
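As an added example (not from the original article and not Microsoft's own script), the following PowerShell applies that workaround on every IPv6-enabled interface that is up and reads the setting back so you can confirm it took effect. The netsh command is the one the MSRC advisory documents; the script assumes an elevated prompt, the Get-NetAdapter and Get-NetIPInterface cmdlets available on Windows 10, and that netsh labels the setting "RA Based DNS Config" in its output (assumption; adjust the pattern if your build prints it differently). No reboot is needed, and the change is reverted with rabaseddnsconfig=enable once the patch is installed.

```powershell
# Added example, not part of the original article: apply the published
# CVE-2020-16898 workaround (disable RA-based DNS configuration, RFC 6106)
# on every IPv6-bound interface that is currently up, then verify it.
# Run from an elevated PowerShell prompt. Revert with -State 'enable'.

function Set-RaBasedDnsConfig {
    param(
        [Parameter(Mandatory)] [int]$IfIndex,
        [ValidateSet('enable', 'disable')] [string]$State = 'disable'
    )
    # netsh is the tool the advisory documents for this setting.
    $out = netsh interface ipv6 set interface $IfIndex rabaseddnsconfig=$State
    if ($LASTEXITCODE -ne 0) {
        throw "netsh failed for interface ${IfIndex}: $out"
    }
}

function Get-RaBasedDnsConfig {
    param([Parameter(Mandatory)] [int]$IfIndex)
    # Assumption: netsh prints a line such as
    # "RA Based DNS Config (RFC 6106)  : enabled"
    $line = netsh interface ipv6 show interface $IfIndex |
        Select-String -Pattern 'RA Based DNS Config'
    if (-not $line) { return 'unknown' }
    return ($line.Line -split ':')[-1].Trim()
}

# Interfaces that are up and have an IPv6 binding.
$targets = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } |
    Where-Object {
        Get-NetIPInterface -InterfaceIndex $_.ifIndex -AddressFamily IPv6 -ErrorAction SilentlyContinue
    }

foreach ($nic in $targets) {
    Set-RaBasedDnsConfig -IfIndex $nic.ifIndex -State 'disable'
    $state = Get-RaBasedDnsConfig -IfIndex $nic.ifIndex
    Write-Output ("{0,-4} {1,-30} RA-based DNS config: {2}" -f $nic.ifIndex, $nic.Name, $state)
}
```

Each line of output should end in "disabled"; an interface still reporting "enabled" (or "unknown", meaning the label pattern did not match) is one to check by hand with netsh interface ipv6 show interface.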
That concludes how to reproduce the Windows TCP/IP remote code execution vulnerability CVE-2020-16898. I hope the above content is of some help to you and that you have learned something from it. If you think the article is good, share it so more people can see it.