# BlueGate
PoC for the Remote Desktop Gateway vulnerability - CVE-2020-0609 & CVE-2020-0610. Thanks to [ollypwn](https://twitter.com/ollypwn) for pointing out my silly mistake!
## Setup
I'm using a patched version of `pydtls` as the original repository wouldn't build properly.
```
cd pydtls
sudo python setup.py install
```
## Denial of Service
A PoC for the DoS attack can be found in [dos.py](https://github.com/ioncodes/BlueGate/blob/master/dos.py). This essentially crashes the Remote Desktop Gateway service. The initial PoC can be found in the commits or [here](https://github.com/ioncodes/BlueGate/blob/91ad3951c0db0944a5f8ade8c4af1ae6bd69836e/dos.py).
### Usage
```
python dos.py 192.168.8.133 3391
```
### Result
Before: (screenshot, `images/before_dos.png`)

After: (screenshot, `images/after_dos.png`)

## Scanner
A scanner that determines whether the target is vulnerable. The script can be found in [check.py](https://github.com/ioncodes/BlueGate/blob/master/check.py). The timeout is set to 3 seconds by default but can be adjusted in the source code.
### Usage
```
python check.py 192.168.8.134 3391
```
### Result
It says either `Vulnerable!` or `Not vulnerable!`.
```
[4.0K] /data/pocs/9040c0116af354003eb80e68296a9c91cc0f5cbe
├── [1.4K] check.py
├── [1.1K] dos.py
├── [4.0K] images
│   ├── [115K] after_dos.png
│   └── [116K] before_dos.png
├── [4.0K] pydtls
│   ├── [ 12K] ChangeLog
│   ├── [4.0K] dtls
│   │   ├── [4.0K] demux
│   │   │   ├── [2.1K] __init__.py
│   │   │   ├── [4.0K] osnet.py
│   │   │   └── [6.7K] router.py
│   │   ├── [4.0K] err.py
│   │   ├── [2.4K] __init__.py
│   │   ├── [ 39K] openssl.py
│   │   ├── [ 12K] patch.py
│   │   ├── [4.0K] prebuilt
│   │   │   ├── [4.0K] win32-x86
│   │   │   │   ├── [1.2M] libeay32.dll
│   │   │   │   ├── [1.2K] manifest.pycfg
│   │   │   │   └── [270K] ssleay32.dll
│   │   │   └── [4.0K] win32-x86_64
│   │   │       ├── [2.0M] libeay32.dll
│   │   │       ├── [1.2K] manifest.pycfg
│   │   │       └── [354K] ssleay32.dll
│   │   ├── [ 36K] sslconnection.py
│   │   ├── [4.0K] test
│   │   │   ├── [4.0K] certs
│   │   │   │   ├── [1.9K] badcert.pem
│   │   │   │   ├── [2.1K] badkey.pem
│   │   │   │   ├── [ 587] ca-cert_ec.pem
│   │   │   │   ├── [ 769] ca-cert.pem
│   │   │   │   ├── [ 893] keycert_ec.pem
│   │   │   │   ├── [1.7K] keycert.pem
│   │   │   │   ├── [ 0] nullcert.pem
│   │   │   │   ├── [ 591] server-cert_ec.pem
│   │   │   │   ├── [ 774] server-cert.pem
│   │   │   │   ├── [1.8K] wrongcert.pem
│   │   │   │   └── [1.7K] yahoo-cert.pem
│   │   │   ├── [3.8K] echo_seq.py
│   │   │   ├── [ 783] __init__.py
│   │   │   ├── [1.4K] makecerts
│   │   │   ├── [1.1K] makecerts_ec.bat
│   │   │   ├── [ 315] openssl_ca.cnf
│   │   │   ├── [ 317] openssl_server.cnf
│   │   │   ├── [1.3K] rl.py
│   │   │   ├── [ 533] simple_client.py
│   │   │   ├── [ 14K] test_perf.py
│   │   │   ├── [ 56K] unit.py
│   │   │   └── [ 25K] unit_wrapper.py
│   │   ├── [1.9K] tlock.py
│   │   ├── [1.8K] util.py
│   │   ├── [ 13K] wrapper.py
│   │   └── [5.1K] x509.py
│   ├── [9.9K] LICENSE
│   ├── [ 476] NOTICE
│   ├── [ 17K] README.md
│   └── [5.0K] setup.py
└── [1.3K] README.md

9 directories, 50 files
```