Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2020-0609 PoC — 微软 Microsoft Windows 输入验证错误漏洞

Source
https://github.com/ly4k/BlueGate
Associated Vulnerability
Title:微软 Microsoft Windows 输入验证错误漏洞 (CVE-2020-0609)
Description:Microsoft Windows是美国微软(Microsoft)公司的一套个人设备使用的操作系统。 Microsoft Windows Remote Desktop Gateway (RD Gateway)中存在远程代码执行漏洞。攻击者可通过使用RDP连接到目标系统并发送特制的请求利用该漏洞在目标系统上执行任意代码。以下产品及版本受到影响:Microsoft Windows Server 2012,Windows Server 2012 R2,Windows Server 2016,Windows Se
Description
PoC (DoS + scanner) for CVE-2020-0609 & CVE-2020-0610 - RD Gateway RCE
Readme

#  BlueGate

Proof of Concept (Denial of Service + scanner) for CVE-2020-0609 and CVE-2020-0610.

  

These vulnerabilities allows an unauthenticated attacker to gain remote code execution with highest privileges via RD Gateway for RDP.

  

Please use for research and educational purpose only.

  

##  Usage
Make sure you have [pyOpenSSL](https://www.pyopenssl.org/en/stable/) installed for python3. 

    usage: BlueGate.py [-h] -M {check,dos} [-P PORT] host
    
    positional arguments:
      host                  IP address of host
    
    optional arguments:
      -h, --help            show this help message and exit
      -M {check,dos}, --mode {check,dos}
                            Mode
      -P PORT, --port PORT  UDP port of RDG, default: 3391

  

##  Vulnerability

The vulnerabilities allows an unauthenticated attacker to write forward out-of-bound in the heap, by specifying an unchecked and arbitrary index parameter `(0x00 - 0xFFFF)`. The data to write is also arbitrary with a length up to 1000 bytes at a time and a maximum of 4096 during one session.

  

If you would like to read more about the vulnerabilities, check [this](https://www.kryptoslogic.com/blog/2020/01/rdp-to-rce-when-fragmentation-goes-wrong/) or read my latest tweets on [Twitter](https://twitter.com/ollypwn) with a PoC video as well.

  

##  What is RD Gateway?

RD Gateway acts as a proxy for RDP; i.e. between some internal servers and the internet, so you don't have to expose RDP directly to the internet.

##  Why BlueGate?

  

That was just the working title, and I couldn't come up with a better one at this stage.

  

##  Todo:

- ~~Vulnerability scanner/checker~~ **DONE**

- ~~Python implementation~~ **DONE**
File Snapshot

 [4.0K]  /data/pocs/69c0b5288d808d4802cce0ff5ffa93aec1cfcb43
├── [4.0K]  BlueGate.py
├── [4.0K]  old
│   ├── [4.0K]  BlueGate
│   │   ├── [2.2K]  BlueGate.cpp
│   │   ├── [ 971]  BlueGate.h
│   │   ├── [8.4K]  BlueGate.vcxproj
│   │   ├── [1.0K]  BlueGate.vcxproj.filters
│   │   └── [ 165]  BlueGate.vcxproj.user
│   ├── [1.4K]  BlueGate.sln
│   ├── [1.6K]  README.md
│   └── [4.0K]  Release
│       └── [ 12K]  BlueGate.exe
└── [1.7K]  README.md

3 directories, 10 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.