Related vulnerability
Title: Microsoft Windows input validation error vulnerability (CVE-2013-3900)
Description: Microsoft Windows is an operating system for personal devices from the US company Microsoft. An input validation error vulnerability exists in the way the Microsoft Windows WinVerifyTrust function handles Windows Authenticode signature verification for Portable Executable (PE) files. An anonymous attacker can exploit this vulnerability by modifying an existing signed executable to make use of the unverified portion of the file, thereby adding malicious code to the file without invalidating the signature. An attacker who successfully exploits this vulnerability can take complete control of the affected system. The attacker can then install programs; view, change or delete data; or create ... with full
Description
CVE PoC
Introduction
# CVE-2013-3900-PowerShell-PoC
This PoC is provided for educational and research purposes only.
The author takes no responsibility for misuse or damage caused by this code.
This PowerShell script is a testing tool for simulating the attack described in CVE-2013-3900.
CVE-2013-3900 concerns the Authenticode mechanism in Windows, in which the PE signature (EXE/DLL files) may contain additional data (padding) in the certificate section. In older or default Windows settings, such a modification does not invalidate the signature, allowing malicious code to be added to the file while retaining its “signed” status.
By enabling EnableCertPaddingCheck=1 in the registry, the system begins to treat additional padding as a violation of integrity, rejecting such a file.
Script:
- Opens the selected signed EXE file.
- Adds artificial padding to the certificate section.
- Saves a modified copy of the file.
- Checks the signature of the original and the copy.
- Calls the WinVerifyTrust API to see whether the system (with its current settings) accepts or rejects the modified file.
If protection is enabled, the modified file will be rejected (0x800B0100); if disabled, it will be accepted (0x00000000).
I use MSBuild.exe because it is a Windows system file with an embedded Authenticode signature (not a catalog signature), which allows us to directly modify its certificate section and reliably simulate the CVE-2013-3900 vulnerability.
This makes the test repeatable and works on any Windows Server installation without the need to download additional files.
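The registry mitigation the README refers to, as an added administrator-side script that is not part of this repository's PoC. It audits (and with `-Enable`, sets) the `EnableCertPaddingCheck` value, and optionally re-verifies a file; it assumes the two `Wintrust\Config` key paths that Microsoft documents for this mitigation, and the `-Enable` path needs an elevated shell.

```powershell
# Added example (not the repository's PoC script): audit, and optionally
# enable, the CVE-2013-3900 certificate-padding check described in the README.
# Assumption: these are the registry locations Microsoft documents for the
# EnableCertPaddingCheck mitigation (native and Wow6432Node views on 64-bit).
[CmdletBinding()]
param(
    [switch]$Enable,        # set the value instead of only reporting it (requires admin)
    [string]$PathToCheck    # optional signed PE to re-verify after the audit
)

$ConfigKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
)
$ValueName = 'EnableCertPaddingCheck'

foreach ($key in $ConfigKeys) {
    # Wow6432Node only exists on 64-bit Windows; skip it elsewhere.
    if ($key -like '*Wow6432Node*' -and -not [Environment]::Is64BitOperatingSystem) { continue }

    $current = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    $state = if ($current -eq '1') { 'ENABLED' }
             elseif ($null -eq $current) { 'NOT SET (padding tolerated)' }
             else { "SET TO '$current' (padding tolerated)" }
    Write-Host ("{0,-72} {1}" -f $key, $state)

    if ($Enable -and $current -ne '1') {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # The mitigation expects a REG_SZ value of "1", not a DWORD.
        New-ItemProperty -Path $key -Name $ValueName -Value '1' -PropertyType String -Force | Out-Null
        Write-Host "  -> $ValueName set to '1' (REG_SZ)"
    }
}

if ($PathToCheck) {
    # With the check enabled, a PE whose certificate table carries extra bytes
    # should no longer report Status = Valid.
    $sig = Get-AuthenticodeSignature -FilePath $PathToCheck
    Write-Host ("{0}: {1} ({2})" -f $PathToCheck, $sig.Status, $sig.StatusMessage)
}
```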
To run the script:
```cmd
C:\>powershell -ExecutionPolicy Bypass -File C:\CVE-2013-3900-PoC-padding-injection.ps1
```
Links:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900
File snapshot
[4.0K] /data/pocs/4a49531f2c913ddfd0a777674daa859e13a47938
├── [5.1K] CVE-2013-3900-PoC-padding-injection.ps1
├── [1.2K] LICENSE
├── [1.7K] README.md
└── [ 257] remediation-64bit-win.reg
0 directories, 4 files
Notes
1. Accessing the code via the original source is recommended.
2. If the source is no longer available or cannot be accessed, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for or donating to the local POC. Thank you for your support.